Myspace.com is an extremely popular social networking site that has quite a checkered past when it comes to security. In July of 2006, we broke a story about a big-time security vulnerability that ended up affecting many thousands of Myspace users. That post became the most read post in our site’s six-year history, and went on to be featured on the front page of Digg.com, in the Washington Post, and on multiple other sites around the country. It may be that today, roughly two years later, we’ve discovered an even bigger security issue on Myspace. At first blush, this might be one of the most significant security issues in years, or it might simply be an anomaly.
Earlier today, I logged on to check my mostly dormant Myspace account. I had several friend requests, and came to one with a name I recognized, but the face didn’t seem familiar. I opened her page in a tab to view, along with a few other requests. I got distracted for a few moments by my kids, and when I returned, I went to her page, and noticed that a typical Automatic Updates dialog box from Microsoft had popped up on screen (image below). The box looked completely legit, and contained the normal language, as well as one update - the July Malicious Software Removal Tool. I know it isn’t Patch Tuesday today, and I was pretty sure that I hadn’t clicked on anything that would have brought up the Automatic Updates dialog box, so I clicked on the “x” to dismiss the dialog. As soon as I did that, my AVG antivirus popped up to notify me that it had quarantined a Trojan Horse on my system! I am running a fully patched Windows Vista system, with a firewall and updated antivirus software. My system has all of the recent Microsoft Updates installed, and I am browsing with Firefox 3.0. For there to be an unpatched security hole this big is remarkable, to say the least!

I’ve done a bit of investigation into this issue, and this is what I’ve found thus far: The Trojan is linked to by a picture that has been inserted into a person’s Myspace profile. In this case, the code looks like this:

The Trojan attempts to install itself into your Firefox Profiles directory, and AVG identifies it as Trojan Horse Downloader.Generic7.VII. The image is hosted at a site called Betheregood.cn, which appears to be a direct clone of Dailyrotation.com on the surface. The location of the Trojan file itself is obfuscated by Myspace’s use of msplinks.com - which is a redirect service of sorts that was designed to protect users against this sort of attack - clearly it is not working here.
In summary, there exists an exploit in the wild right now on Myspace.com that is able to infect a fully patched system running a secure browser and solid security software. Most people confronted with this issue will likely do exactly what I did - click somewhere on the dialog box - either to dismiss it, or possibly even to attempt to install the ersatz Microsoft update. This has the potential to infect a great many systems, depending on how many Myspace profiles are infected in this way. If you encounter this situation, DO NOT click anywhere near the Automatic Updates dialog box. Instead, simply close out the page that you are on, and don’t return to it.
And, Myspace? How about you fix this exploit posthaste?
Stay tuned to our site for updates - I’m sure we’ll have a few.