QuickTime Worm Utilizes Active Content to Spread in MySpace

There's a new QuickTime worm out and about. This QSpace or Quickspace worm started spreading through MySpace users. What's most interesting is that this worm is written in Javascript, and is embedded in a blank QuickTime file.

Our Honeyclient Project is very interested in spidering sites that contain active content such as Flash and Javascript. Active content sites are good vectors for attacks. When a user goes to an active content site, they are in effect giving the remote server permission to execute locally on that user's machine. That's exactly what this QuickTime worm took advantage of here.

For our honeyclient architecture, we're current working on obtaining URL information from active content material. For example, if the site is Flash-based, it is difficult to navigate that site without decompiling the Shockwave Flash (SWF) file.