Teen uses worm to boost ratings on MySpace.com

Eric Lai   Today’s Top Stories    or  Other Spam, Malware and Vulnerabilities Stories  

E-Mail As a Service: Time for Another Look? Learn from the latest Internet Security Threat Report update Client Security Podcast Managing Mobile Data with Endpoint Security for Laptops What to Ask When Evaluating Messaging Security Systems The Impact of Messaging and Web Threats Sign up to receive Security Resource Alerts

October 17, 2005 (Computerworld) -- Using a self-propagating worm that exploits a scripting vulnerability common to most dynamic Web sites, a Los Angeles teenager made himself the most popular member of community Web site MySpace.com earlier this month. While the attack caused little damage, the technique could be used to destroy Web site data or steal private information -- even from enterprise users behind protected networks, according to an security services firm.
The unknown 19-year-old, who used the name "Samy," put a small bit of code in his user profile on MySpace, a 32-million-member site, most of whom are under age 30. Whenever Samy's profile was viewed, the code was executed in the background, adding Samy to the viewer's list of friends and writing at the bottom of their profile, "... and Samy is my hero."
"This is an attack on the users of the Web site, using the Web site itself," said Jeremiah Grossman, chief technical officer at Santa Clara, Calif.-based WhiteHat Security Inc.
The worm spread by copying itself into each user's profile. Because of MySpace's popularity -- it had 9.5 billion page views in September, making it the fourth most popular site on the Web, according to comScore Media Metrix -- the worm spread quickly. On his Web site http://namb.la/popular/, Samy wrote that he released the worm just after midnight on Oct. 4. Thirteen hours later, he had added more than 2,500 "friends" and received another 6,400 automated requests to become friends from other users.
"It didn't take a rocket or computer scientist to figure out that it would be exponential, I just had no idea it would proliferate so quickly," Samy said in an e-mail interview posted Friday at Google Blogoscoped. "When I saw 200 friend requests after the first 8 hours, I was surprised. After 2,000 a few hours later, I was worried. Once it hit 200,000 in another few hours, I wasn't sure what to do but to enjoy whatever freedom I had left, so I went to Chipotle and ordered myself a burrito. I went home and it had hit 1,000,000."
Samy also received hundreds of messages from angry MySpace users. He wasn't contacted by officials from Los Angeles-based MySpace, though his account was deleted. MySpace was purchased in July by Rupert Murdoch's News Corp. for $580 million. MySpace didn't return requests to comment.
The attack depended on a long-known but little-protected vulnerability called cross-site scripting (XSS). XSS arises because many Web sites -- apart from static sites that use only simple HTML code -- are dynamic, allowing users to manipulate Web site source code.
Web sites and Web browsers such as Internet Explorer and Firefox try to block such XSS holes, said Grossman. But the vulnerabilities continue to exist, for which he blames both the browser creators and the Web site operators.
Standard enterprise network security tools such as firewalls, antivirus and Secure Sockets Layer don't thwart XSS and other Web application attacks because the affected user is already behind his firewall, said Grossman, whose 14-person firm is a managed security services provider.
"The network is pretty locked down. But all of the new attacks are targeting where nobody is looking -- the Web application layer," he said.
Other Web application-layer break-ins include a case earlier this year where more than a hundred applicants to Harvard Business School got an early peek into their admission files by simply modifying the URL typed into their browser address box. In a more serious phishing attack last year, someone injected code into SunTrust Banks Inc.'s Web site designed to send e-mails from SunTrust's Web site asking account holders for account details.
An early version of an XSS-related vulnerability was discovered in Hotmail in 2001. That flaw allowed an attacker to send an e-mail with malformed HTML code to a Hotmail user, whose browser would interpret the broken commands as legitimate script that would tell the Web site to steal the user's private information.
Grossman said most such cases go unreported.
While both Firefox and Internet Explorer promise security enhancements in upcoming versions, Grossman said he doubts they will entirely fix the XSS problems.

Print this Story

Send Us Feedback

E-mail this Story

Digg this Story

Slashdot this Story

"What can I say? For me, XP SP3 was the cat's meow, the best Windows client operating system ever. But,..." Read more... "A Westchester, New York woman has her MacBook back after having it stolen by two Bronx men. How did she..." Read more... Read more Security posts or See all Blogs

Microsoft to limit capabilities of cheap laptops FBI worried as DoD sold counterfeit networking gear Update: Microsoft to appeal $1.3B EU fine More top stories...

XP SP3 cripples some PCs with endless reboots Windows Vista more secure than XP, says security company Microsoft grows DAISY for blind computer users while Adobe wilts

5 easy ways to commit career suicide Mistakes such as putting down co-workers or burning bridges when you resign are surefire ways to darken your career prospects. Here's how to avoid them Opinion: Get ready for these 6 game-changing technologies Hype and promises abound in the IT world, but these six breakthroughs really will change your life, says author and former IT manager John Brandon. What brain drain? Baby boomers are retiring and taking their knowledge with them. Why do so few in IT seem to care? Tales from the crypt: Our first computers Computerworld editors share stories of their first PCs, including some classics and some real clunkers -- then we ask readers to share their early-PC tales. Windows Vista A to Z Reviews, analyses, how-tos, visual tours, hot issues and predictions about Microsoft's new OS. More Continuing Coverage After 9/11: Homeland SecurityAsk a Premier 100 IT LeaderBlackBerry Legal BattleData Security BreachesElectronic VotingFirefoxH-1B VisasHP's Boardroom ScandalHandheld DevicesHurricane Katrina AftermathMicrosoft Legal IssuesMicrosoft's VistaOpen SourceRFID TechnologySCO's Linux FightSarbanes-Oxley ActSpamVoice Over IPWi-FiWindows Meta File VulnerabilityWindows XP Service Pack 2 IT Careers 2010 Four years from now, the IT field will be a vastly different place. Will you be ready? More Special Reports Premier 100 IT Leaders 2007 Best in Class2006 Computerworld Horizon Awards2006 Premier 100 IT Leaders2006 Salary Survey2007 Best Places to Work in IT2007 IT Forecast2007 Premier 100 IT Leaders40 Years of ComputerworldASPs, Take TwoBest Places to Work in IT 2003Best Places to Work in IT 2004Best Places to Work in IT 2005Best Places to Work in IT 2006Business Intelligence Home RunsBusiness Intelligence: Smarter BIBusiness Intelligence: The Future of BICRM Goes VerticalCRM: Sober CRMCareer Planning Guide 2005Careers: IT Profession 2010Computerworld Horizon Awards 2005Data Management: Mining for GemsData Management: Taming Data ChaosDevelopment: Hard-Workin' Web SitesDevelopment: New Tools New ChoicesDevelopment: The New World of Application DevelopmentDevelopment: The Web Services TsunamiDevelopment: Web Services HurdlesDisaster Recovery: Preparing for the WorstE-commerce Grows UpE-mail/Groupware: Big DecisionsFaces of Mobile ITForecast 2006Global MobileHardware: Multiple Cores, Multiple ChallengesHardware: On-Demand Un-HypedHardware: The Shape of Things to ComeHorizon Awards: 10 Cool Cutting Edge TechnologiesIT Management: Guide to Managing VendorsIT Management: Navigating Global ITIT Management: Recovery AheadIT Management: The Future of ITIT Management: The Resourceful Project ManagerInnovative Technology Awards 2004Management: Reinventing ITMicrosoft in TransitionMobile/Wireless Leaders and LaggardsMobile/Wireless: The Untethered WorkerMobile/Wireless: Tiny Gadgets, Huge CostsNetwork Management: Taking ControlNetworking: Turbulence Ahead!Networking: VoIP Goes MainstreamOperating Systems: In the Slow LaneOperating Systems: Linux Goes GlobalOperating Systems: Should You Nix Unix?Outsourcing: Offshore Buyer's GuideOutsourcing: Outsourcing DangersPremier 100 IT Leaders 2004 Best in ClassPremier 100 IT Leaders 2005 Best in ClassROI: Do the Math!Salary Survey 2003Salary Survey 2004Salary Survey 2005Security Action PlanSecurity: Compliance HeadachesSecurity: Proactive SecuritySecurity: Risk and RewardSecurity: Tips From Security ProsSouped-up SecurityStorage: Battling ComplexityStorage: Cheap & Secure Data StoresStorage: Stretching Your Storage DollarsStorage: The Lean Storage MachineStorage: The New Rules of StorageStorage: The Ultimate Backup GuideSupply Chain: Missing LinksSupply Chain: RFID Reality CheckThe Business of SecurityWeb 2.0 SecurityWireless: Wireless At Work All Zones Application Performance Zone Enterprise-Class Security Zone Enterprise Solutions Zone The File Data Management Zone Grid Computing on Windows Zone Security Management Zone ITIL Best Practices Zone The SAS Zone Storage Virtualization Zone The Data Center Management Zone See your link here

Long Tail Supplier Collaboration - What's In It For You? Long Tail Supplier Collaboration - What's In It For You? Download this webcast, free, compliments of Sterling Commerce Go to the webcast  Computerworld Executive Bulletin: Building a Robust Antivirus Defense Download this Executive Bulletin (a $49.95 value) for free, compliments of MessageLabs. (Source: MessageLabs) Antivirus software alone isn't enough to prevent today's speedy, sophisticated virus attacks. Security managers should consider multitiered approaches that include behavior scanning, appliances that check e-mail for worms, and restricting user access to dangerous Web sites. Download this Executive Bulletin (a $49.95 value) for free, compliments of MessageLabs, to learn more. Download this executive briefing  Universal Threat Management - Because Conventional UTM is Not Enough! Get this white paper now! (Source: Juniper Networks) This white paper, written by Mark Bouchard of Missing Link Security Services, examines the challenges confronting today's enterprises with respect to managing threats on a network. It also discusses the need for "Universal Threat Management", which is a security solution approach for all physical locations within an enterprise that require threat protection. Download this white paper  White Papers Read up on the latest ideas and technologies from companies that sell hardware, software and services. New Fujitsu High-End Itanium Windows- and Linux-Based PRIMEQUEST Servers Offer the Utmost in High Availability New Fujitsu High-End Itanium-Based PRIMEQUEST Servers Offer Industry-Leading System Management for Linux and Windows Symantec State of the Data Center Report 2007 View more whitepapers

• Microsoft to limit capabilities of cheap laptops
• FBI worried as DoD sold counterfeit networking gear
• Update: Microsoft to appeal $1.3B EU fine
• More top stories 

XenServer FREE trial Citrix XenServer is the simplest and most effective way to virtualize and provision servers. XenServer combines comprehensive server virtualization capabilities with unparalleled scalability, performance, economics, and ease-of-use. Based on the open source Xen hypervisor, XenServer delivers fast performance, easy management, and advanced features such as live migration. Request free trial now



Try Fluke Networks' EtherScope Analyzer on your network FREE Quickly solve the wide range of problems you encounter - 10, 100 and Gigabit, twisted pair and optical fiber, LAN or wireless LAN. The EtherScope Analyzer combines the essential tools you need to monitor network traffic and switch interfaces, discover devices, networks, VLANs, access points, mobile clients and more. See the power of this portable network analyzer on your network. Request free trial now *Terms and conditions: Evaluation units are available only for a limited time and will be scheduled on a first-come first-served basis. Not available in all geographies. Limited quantities available; customers requesting evaluation units may be waitlisted for the next available unit. It will be at the discretion of Fluke Networks to accept or decline requests for this free evaluation.