New Apple QuickTime worm rapidly spreading through MySpace

The fast-spreading attack took hold over the weekend and could be affecting as many as one in three of the social networking site's more than 130 million users, said Chris Boyd, director of malware research at FaceTime Communications.

"It's quite a nasty one," he told SCMagazine.com. "It's all over the place. You've just got to visit a (profile) page with a QuickTime movie on it. It is tempting to advise people to just not use MySpace until they fix it. There's an extremely high probability you will get hijacked by it."

The worm attack is caused by QuickTime files that trigger JavaScript coding, he said. Once users visit profile pages containing the infected QuickTime file, the file also is embedded on their page, which simultaneously is overlaid with a fake navigation bar. Should they click on that navigation bar, they will be asked to re-enter their username and password on a rogue page hosted on a hacked server.

Malicious attackers steal these credentials to send out spam to "friends" of the victim in a section on MySpace pages that permit users to leave comments. The messages say generic things such as "what else is there to do on a Sunday" or "omg did you see this last nite." Below the text is a screenshot of a movie that is "spectacularly pornographic," Boyd said.

Should users click on the screenshot, they will be directed to pornographic site called "Vidchicks" that contains Zango adware, he said. The site's webmaster profits each time someone installs the adware.

"Obviously the reason behind this attack is financial," Boyd said. "They've gone through a lot of time and effort to spam these things across the MySpace network to drive (victims) to this site."

MySpace officials could not be reached today to comment on the attack.

But Hemanshu Nigam, CSO of MySpace, told SCMagazine.com last week that the site often relies on security from third party application providers - in this case Apple. QuickTime now supports JavaScript, which allows users to "query and control QuickTime movies in a webpage," according to Apple's Developer Connection website.

But Boyd said this functionality opens the door for the attack. An Apple spokeswoman did not return a telephone call seeking comment.

Nigam said users also should be weary of logging into a spoofed MySpace site. Members should always check the address bar to ensure they are inserting their credentials on the real login page.

applemyspacenewquicktimerapidlysecurityspreadingthroughworm