Interesting People mailing list archives

Previous By Date Next
Previous By Thread Next

Viruses in Virtual Worlds

From: David Farber <dave () farber net>
Date: Sun, 17 Feb 2008 06:31:55 -0800

________________________________________
From: Joseph Lorenzo Hall [joehall () gmail com]
Sent: Sunday, February 17, 2008 1:46 AM
To: David Farber
Subject: Viruses in Virtual Worlds

http://www.news.com/8301-10789_3-9873863-57.html

Exploiting QuickTime flaws in 'Second Life'

by Robert Vamosi

WASHINGTON--Researchers Charlie Miller of Independent Security
Evaluators, and Dino Dai Zovi, turned their attention to Second Life
during a Saturday morning presentation at ShmooCon, an East Coast
computer hacking conference. The researchers didn't exploit a flaw
within Linden Labs' Second Life, but within QuickTime. They showed how
an attacker could make money stealing from innocent Second Life
victims.

Miller and Zovi are both experienced with flaws within Apple products.
Miller published the first Apple iPhone flaw shortly after its
release. At last year's CanSecWest security conference, Zovi exploited
a QuickTime flaw to win a "PWN to Own" hack-a-Mac contest. While
Second Life does not install QuickTime, it invites users to install
the player if they want to see multimedia files within Second Life.

What Miller and Zovi realized is that while direct communication
between an attacker and a victim within Second Life passes through the
servers at Linden Labs, multimedia objects are actually stored
somewhere else. Hence, an object with a multimedia link could inject
malicious code. In this case, researchers exploited a recent flaw
within RTSP tunneling.

For their demonstration, they created "the most evil pink box you will
ever see." They could have linked their malicious code to attributes
of an avatar's hair, clothes, or anything else. They also could have
buried the pink box underground or otherwise hidden it, but both
researchers admitted they weren't very good players within Second
Life.

Within Second Life they used a property that they own to demonstrate
the exploit. Linden Labs sent a representative at the conference and a
robot to the virtual demonstration site. The robot held a sign saying
Hello to ShmooCon attendees watching the live demo.

In the demo, the researchers were able to show that their avatar
became infected when it came too near the pink box. The code they used
raided the avatar's Linden dollars and emptied the bank account. On
the Internet, an attacker can get one dollar for every 275 Linden
dollars stolen, so there is a financial incentive to these attacks and
other future attacks. The attack demonstrated today works only on the
property they own, and for the safety of others they put up signs
perimeter that clearly stated a demo of an exploit was in progress.

To protect yourself while in Second Life, the researchers suggested
either turning off multimedia altogether, or setting the multimedia
preference within Second Life not to play streaming video when
available, but to ask the user first.


--
Joseph Lorenzo Hall
UC Berkeley School of Information
http://josephhall.org/

-------------------------------------------
Archives: http://www.listbox.com/member/archive/247/=now
RSS Feed: http://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com
Previous By Date Next
Previous By Thread Next

Current thread: