Yesterday, a metric ton of MySpace accounts were infected with yet another worm. As I predicted ten days ago, it was accomplished via a QuickTime embed. Visiting the profile of anyone infected caused the navigation links across the top of your own profile (Home | Browse | Search | Invite | etc.) to be replaced by fake navigation links, all pointing to a spoof MySpace login page, via some basic CSS and HTML added to your "About Me" section. The QuickTime embed itself was added to one of your "Interests" sections to further propagate this worm / phishing attack. At a glance, this looked like nothing more than that: a worm being used to phish MySpace passwords.
I downloaded the .mov (QuickTime file) and opened it up in a text editor to see what it was triggering to cause this mess. It was plainly clear that the JavaScript it was executing (loaded from the same domain as the spoof login page) was intended to do more than just inject some code to phish people and spread the worm. It also had code in there to send internal MySpace messages to random people with MySpace friend IDs between 105000000 and 80000000. This attempt fell flat, but the intent was there nonetheless. Why did it fail? Either poor coding or MySpace's spam filter. This ill-fated spam attempt revealed the identity of the guy behind the worm... Well, it made it so that he won't be all that hard to track down anyway.
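The two profile-side artifacts described above (an off-site QuickTime .mov embedded in an "Interests" section, and links in "About Me" whose text mimics Home | Browse | Search | Invite but whose href leaves myspace.com) are easy to scan for. The following is an added example, not code from the original post or from the worm itself: the hostnames and the sample profile HTML are constructed for illustration, and the exact CSS the worm used to overlay the real nav is not reproduced.

```javascript
// Added example (not from the original post): scan user-supplied profile
// sections for the two artifacts this worm leaves behind. Domains and the
// sample HTML below are constructed placeholders, not the real worm's.

const NAV_LABELS = ["home", "browse", "search", "invite"];
const TRUSTED_HOSTS = ["myspace.com"]; // links/embeds here are considered on-site

// Pull one attribute value out of a single opening tag (quoted or bare value).
function attr(tag, name) {
  const re = new RegExp("\\b" + name + "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s>]+))", "i");
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Resolve a (possibly relative) URL against the profile page and return its host,
// or null if it cannot be parsed at all.
function hostOf(url) {
  try {
    return new URL(url, "http://profile.myspace.com/").hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

function isTrusted(host) {
  if (!host) return false; // unparsable -> treat as suspicious
  return TRUSTED_HOSTS.some((t) => host === t || host.endsWith("." + t));
}

// QuickTime embeds: <embed>/<object> whose source is a .mov or whose MIME type
// is video/quicktime. Each hit records whether the file is served off-site.
function findQuickTimeEmbeds(html) {
  const hits = [];
  const tagRe = /<(?:embed|object)\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[0];
    const src = attr(tag, "src") || attr(tag, "data");
    const type = (attr(tag, "type") || "").toLowerCase();
    if (!src) continue;
    if (!/\.mov(\?|#|$)/i.test(src) && type !== "video/quicktime") continue;
    const host = hostOf(src);
    hits.push({ src, host, offsite: !isTrusted(host) });
  }
  return hits;
}

// Spoofed navigation: anchors whose visible text is a MySpace nav label but
// whose href leaves the trusted hosts (the worm pointed these at its fake login).
function findSpoofedNavLinks(html) {
  const hits = [];
  const aRe = /<a\b([^>]*)>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = aRe.exec(html)) !== null) {
    const href = attr(m[1], "href");
    const text = m[2].replace(/<[^>]+>/g, "").trim().toLowerCase();
    if (!href || !NAV_LABELS.includes(text)) continue;
    const host = hostOf(href);
    if (!isTrusted(host)) hits.push({ text, href, host });
  }
  return hits;
}

// sections: { sectionName: rawHtml }. Returns every finding plus a verdict.
function scanProfile(sections) {
  const embeds = [];
  const navLinks = [];
  for (const [section, html] of Object.entries(sections)) {
    for (const e of findQuickTimeEmbeds(html)) embeds.push({ section, ...e });
    for (const l of findSpoofedNavLinks(html)) navLinks.push({ section, ...l });
  }
  const offsiteMovs = embeds.filter((e) => e.offsite);
  return { embeds, offsiteMovs, navLinks, infected: offsiteMovs.length > 0 || navLinks.length > 0 };
}

// Constructed sample of an infected profile (hostnames are placeholders).
const SAMPLE_INFECTED = {
  aboutMe:
    '<div style="position:absolute;top:0;left:0">' +
    '<a href="http://login.spoof-example.net/index.cfm">Home</a> | ' +
    '<a href="http://login.spoof-example.net/index.cfm">Browse</a> | ' +
    '<a href="http://login.spoof-example.net/index.cfm">Search</a> | ' +
    '<a href="http://login.spoof-example.net/index.cfm">Invite</a></div>',
  interests:
    'Music, movies <embed src="http://files.spoof-example.net/w.mov" ' +
    'type="video/quicktime" width="1" height="1">',
};

// Constructed clean profile: an on-site .mov and an ordinary off-site link are fine.
const SAMPLE_CLEAN = {
  aboutMe: 'Check out my <a href="http://www.example.com/">band</a>.',
  interests: '<embed src="http://www.myspace.com/clip.mov" type="video/quicktime">',
};

console.log(scanProfile(SAMPLE_INFECTED));
console.log(scanProfile(SAMPLE_CLEAN));
```

The two checks are deliberately independent: an off-site .mov alone is enough to flag a profile as a carrier, and spoofed nav links alone are enough to flag it as a phishing lure, since a cleaned-up variant could drop either half.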
The intended MySpace message spam would have randomly used one of the following subject lines:
what else is there to do on a Sunday.?.......
You better not forget about this..
Hehe that was so funny..
better see this one last time lol..
omg did you see this last nite..
whos coming to the party tonight.?..
And, the body of the message would have contained a fake YouTube video (pictured below) linked to a site that's... pushing Zango installs (nasty adware).

If you're not already familiar with Zango (180solutions) and their scumtastic business practices, read this. The bottom of that write-up has links to a bunch of stories detailing their unrelenting scumbaggery. It's no wonder that the FTC spanked three million dollars out of those idiots recently.
*The web addresses listed in the below paragraph contain adult content*
The URL that fake YouTube video would have been linked to is what gave this douche-bag up: http://google.com/url?q=http://www.vidchicks.com/home.php. That "home.php" simply redirects you to the same URL you'd get as a pop-under if you visited any page on Vidchicks.com: http://www.vidchicks.com/popunder.html. And, that popunder.html is simply a landing page being used to get people to install some adware courtesy of Zango. I was able to dig up all kinds of dirt on the webmaster of Vidchicks.com. I'll get to that in a second.
On the landing page he's pushing the Zango installs from, he has visitor tracking being logged by the public version of Extremetracking.com. If you're reading this before they pull his account, those stats can be found here. The visitor stats found there are pretty telling. He has been spamming the hell out of MySpace from those phished accounts via messages, comments, and bulletins.
The below shows unique visits:

Visiting a few of the MySpace profiles he has gotten visitors from recently showed that he has been posting various images as comments from phished accounts to get people to visit that Zango landing page of his. Sometimes he simply posts the same fake YouTube video as above. Other times, he'll post stuff like the below:

So, he's basically just scumming it up in any way that he can. After doing a bit of research on this guy I found that this is his typical behavior.
Here's a taste of the pile of dirt I found on this guy:
1. He goes by a number of different names on webmaster forums because he has a knack for doing shady stuff. If you're doing business with a guy that goes by the name eLogic or Creepah, I highly suggest that you stop. Those are two of his handles for sure. The eLogic name is used on some forums where he does traffic trades and whatnot. And, he tried to sell Vidchicks.com on DNForum (registration required, DNForum sucks like that) a few weeks back under the name Creepah. Oh yeah, Vidchicks.com is registered under the fake business name of eLogic Inc.
2. He was banned from a webmaster forum for creating a fake account to bid on one of his own auctions to drive the price of a site up. *No url included because it's a private forum
3. He was apparently banned from YPN at least once.
4. This has got to be my favorite post by this idiot:
[EASY CASH] Digg my site, $1 per digg, takes 30secs. lolz
Here's a screenshot from his Digg.com account:

14 stories Dugg and 20 submitted. *Holds up a "Yes, this guy is retarded" sign*
5. Who cares? I think all of the above establishes this guy as a typical spammer.
In conclusion:
- MySpace killed off that worm yesterday by adding the domains he was using to their spam filter's list and getting the hosts to pull those files. This is just a temp fix though. They'll need to ban QuickTime files if they want to prevent this kind of stuff from happening on a daily basis.
- The guy behind this is obviously in blatant violation of numerous laws. If any law enforcement or other government agency wants to take action against this idiot: it'll be real easy to nail him down. On all the webmaster forums, he has remained consistent in saying that he's from the UK. This isn't necessarily true, but a subpoena served on any of his income sources (Zango, Adult AdWorld, etc.) would turn up an address for sure. ;-)
- I've got the flu and didn't sleep last night, so excuse any typos and/or other retardedness in the above.
* The above is a repost from my Ghettowebmaster.com site.
** If you're a member of Digg.com, Digg this story and me luv you long time.
*** To subscribe to this blog: Click Here
**** Asterisks are fun
_______
Update (12/01/06): "MySpace killed off that worm yesterday by adding the domains he was using to their spam filter's list and getting the hosts to pull those files. This is just a temp fix though. They'll need to ban QuickTime files if they want to prevent this kind of stuff from happening on a daily basis."
Well, MySpace has apparently decided to try to handle this issue differently. And, the same worm is spreading around today using different domains to host the QuickTime file, Spoof Login page, and JavaScript. I guesstimate that at least 1/10th of all active users were infected by this thing over the past few days. And, there is no telling how many accounts have been phished. Yesterday, MySpace Tom posted the below:

I think that makes it pretty safe to say that the MySpace crew has come to the same conclusion as me: a metric TON of people have already been phished via this worm setup. I smell a lot of spam in the near future.
Yesterday, I didn't mention a part of this guy's hustle that is pretty interesting. He is hosting the files being used for this worm on domains he has compromised. I imagine he is doing this in order to have a little room for denial. "Dude, I don't know what you guys are talking about. Someone else is spamming the hell out of that place with the url to my Zango page." Yeah, sure.
As of right now:
He cleaned up his JavaScript a bit, and it now randomly inserts the QuickTime file from one of two domains. Yesterday he was using two domains also, but they were both standalone operations doing the exact same thing. So, he now has the QuickTime file, JavaScript, and spoof login page sitting on two separate domains, working together. His phishing efforts have been cut short though. Both of the spoof login pages are set to post the entered data over to a third domain (a .edu) which is already down. And, the webmaster at one of the domains added some text to the spoof login on his domain warning people that it's a fake:

I'm not sure if he has this same double-whammy setup on any other domains right now though. If not, I'm sure he will soon enough. I'll say it again: this is not going away until MySpace bans QuickTime embeds.
P.S. If you want to block this thing from screwing with your profile you can add .mov to your blocked extensions if you have FireFox and Adblock. If anyone wants to write a blog explaining this to newbies, I'll gladly link to it from here. Thanks for the idea Abraxus. ;-)
Tiny Update:
If you want to protect yourself from getting / spreading this worm and other stuff that is sure to follow:
1. Download FireFox to use as your internet browser. Sorry Billy G :P
2. Follow the instructions in this forum post on how to add Adblock and the settings to block QuickTime files from screwing with you.
There are other ways of blocking this, but that's a pretty easy one.
Another Tiny Update:
Here's a nifty blog entry (with videos) that takes you through the process of installing Adblock in order to protect yourself from this worm:
AdBlock Plus Tutorial