Alicia Keys followers might have to be more careful (literally) when visiting her MySpace page. ExploitLabs recently found that a background image injected into the artist’s page would redirect a carelessly clicking user to malicious sites supposedly located in China. The inserted background image was said to be large enough that a single misplaced click is all it takes to “transport” the visitor to those sites.
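One way to check a profile page for the pattern described above, as an added example (not code from the original post, from ExploitLabs or from TrendLabs): scan the HTML for links that point to a host outside the site and that either are, or wrap, an element sized or positioned to cover the page, so that a stray click anywhere lands on the link. The markup in SAMPLE_PAGE is constructed to mirror the description, not the actual injected code; the hostnames, the COVER_PX threshold and all function names are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Assumption: an element at least this wide AND this tall is treated as
# "covering" the page. Tune for the site being scanned.
COVER_PX = 1000


def parse_style(style):
    """Turn 'a:b; c:d' into {'a': 'b', 'c': 'd'} (lower-cased, trimmed)."""
    out = {}
    for decl in style.split(";"):
        if ":" in decl:
            key, value = decl.split(":", 1)
            out[key.strip().lower()] = value.strip().lower()
    return out


def px(value):
    """Return the integer pixel count of '3000px' or '3000', else None."""
    match = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "")
    return int(match.group(1)) if match else None


def looks_covering(attrs):
    """Heuristic: oversized, or absolutely positioned at the page origin."""
    style = parse_style(attrs.get("style", ""))
    width = px(style.get("width")) or px(attrs.get("width"))
    height = px(style.get("height")) or px(attrs.get("height"))
    oversized = (width or 0) >= COVER_PX and (height or 0) >= COVER_PX
    pinned = (style.get("position") in ("absolute", "fixed")
              and px(style.get("top")) == 0 and px(style.get("left")) == 0)
    return oversized or pinned


def is_offsite(href, page_host):
    """True when href resolves to a host that is not page_host or a subdomain of it."""
    host = (urlparse(href).hostname or "").lower()
    return bool(host) and host != page_host and not host.endswith("." + page_host)


class OverlayLinkFinder(HTMLParser):
    """Collect <a> elements that point off-site and are, or wrap, a covering element."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.open_links = []   # stack of <a> tags currently open
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "a":
            self.open_links.append({"href": a.get("href", ""),
                                    "covering": looks_covering(a),
                                    "line": self.getpos()[0]})
        elif self.open_links and looks_covering(a):
            # an oversized/pinned element inside an open link makes the link covering
            self.open_links[-1]["covering"] = True

    def handle_endtag(self, tag):
        if tag == "a" and self.open_links:
            link = self.open_links.pop()
            if link["covering"] and is_offsite(link["href"], self.page_host):
                self.findings.append(link)


def find_overlay_links(html, page_host):
    """Return the off-site, page-covering links found in html."""
    parser = OverlayLinkFinder(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a normal profile link plus a stand-in for the injected markup
# (an oversized image wrapped in an off-site link, pushed behind the real content).
# "malicious.example" is a placeholder, not a host from the incident.
SAMPLE_PAGE = """
<html><body>
<div id="profile">
  <a href="http://www.myspace.com/home"><img src="home.gif" width="88" height="31"></a>
  <p>Welcome to the profile.</p>
  <a href="http://malicious.example/"><img src="bg.jpg"
     style="position:absolute;top:0;left:0;width:3000px;height:3000px;z-index:-1"></a>
</div>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_overlay_links(SAMPLE_PAGE, "myspace.com"):
        print(f"line {hit['line']}: page-covering off-site link -> {hit['href']}")
```

The check deliberately keys on geometry rather than on a blocklist of domains: the redirect targets rotate, but the trick only works if the injected link occupies most of the page, and that is what the heuristic measures.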
Further analysis and research by TrendLabs reveals that this piece of malicious code has in fact compromised several other MySpace pages, typically those profiled in the site’s “Top Artists” page. In addition, according to Senior Threat Researcher Ivan Macalintal, the injected code redirects to any one of the following URLs:
Here’s an example of the injected code:
From those Web sites, users are then prompted to download a fake video codec (again), which is actually a “rather nasty Trojan”, according to Ivan. Sounds familiar? It looks like yet another variant of the DNS-changing ZLOB Trojan, doesn’t it?
See the following diagram for a summary of its routines:
Trend Micro detects the injected code as HTML_DLOADER.WLZ, and the ZLOB variant it downloads as TROJ_ZLOB.DCY.
Although MySpace was said to have fixed the problem, there’s always the possibility of hacks like this occurring again in the very near future. An extremely popular social networking site like this offers a lot: millions of people to befriend, access to the most popular musicians and, in some cases, even partners for life. Aside from the good stuff, its popularity has also been taken advantage of by hackers, and they have proven to be successful at it. With the infiltration of the page of a huge musical icon like Alicia Keys, whose fan base reaches millions, those millions may be in for a surprise.
But wait! Here’s the real surprise (or not): Trend Micro Network Architect Paul Ferguson did a little more digging, and it seems that the IP addresses of the *.cn sites related to this MySpace hack are actually hosted on servers that have been known as a haven for Russian Business Network (RBN) activity in the past!
So… from the looks of it, RBN “poofing” out of the picture is indeed not permanent. Look, it’s poofing back in again. As Paul said, “we’re definitely seeing RBN activities shifting to *.cn domains (among others)”.