There appears to be a Web worm that has replicated at an alarming rate through Google’s Orkut social network in the last few hours.

Infection starts when the user is sent an email telling them that they have a new Scrapbook entry (essentially a guestbook). Upon visiting their page the user sees the text:

“2008 vem ai… que ele comece mto bem para vc”

No interaction is necessary; simply looking at the scrap starts the infection sequence. The scrap deletes itself, and the user is added to the Orkut Community “Infectados pelo Vírus do Orkut.” It then downloads and executes a heavily obfuscated JavaScript from http://files.myopera.com/virusdoorkut/[REMOVED]/virus.js, which in turns sends a copy of the original Scrapbook post to all of the user’s Orkut Contacts, so that they too will be infected by the threat.

At last count the group had over 400,000 users who had been infected. A Google translation of the description of the groups reads:

“CALMA!

If you came into this community, make sure that no data was stolen and not your will, that is not my goal.

If I are sure at the end of all, this community should is lotada of people

This just to show how Orkut may be dangerous, you came up here without clicking absolutely no link malicious, everything was done reading scraps.”

It appears from both the script which we have analysed and this description that this script was designed purely to spread, rather than for more malicious purposes normally associated with this type of attack. The author has since pulled the malicious JavaScript from the Web, having apparently gotten his point across.

The attack works due to Orkut allowing users to embed Flash content in their scrap posts (although it does filter for normal XSS techniques). The author appears to have created a SWFObject that calls the malicious JavaScript and was able to use this to bypass Orkuts filters.

This is not the first time a worm like this has targeted a social network. MySpace fell victim to the infamous “Samy Is My Hero” XSS Worm released in 2005.

Luckily for the almost half a million users, this was purely a proof of concept. The possible implications of a more malicious attack in the future however are much more worrying.

In today’s world of social networking sites, finding enough information to impersonate someone is trivial at best. The only difficult part of the process is tracking down an individual from, say, their email address to their profile on a MySpace or Bebo page. With the new OpenSocial initiative, this has become a lot easier to do.

Sites such as Spokeo, Spock and a whole host of others will gladly trawl all available OpenSocial social networks if supplied with an email address of a “friend.” The full list of services implemented depends on the site, but a full list of the services provided by Spokeo is available here. This stuff is a dream come true for identity thieves.

Let’s take an example. I decided to use my own email address and see what I could find out about myself. Now it should be noted that I do not take part in a lot of online social networking, so this should yield higher results in most cases. Also, I deliberately set my status to “public” on the networks that I do frequent for the purposes of the experiment as these services (luckily) will not trawl private pages.

The search showed my Bebo account, Picasa account, my personal blog, my Amazon WishList and all entries I have made to Digg.com. Note that OpenSocial does not include Facebook, so that did not show up. I have been careful to keep personal data off the Web, but had completely forgotten about the Picasa and Amazon pages.

For added effect, I decided to pick one of my friends at random, and just using their email address, to find out as much about them as possible. Obviously I won’t call out the exact details, but here’s a taster: name, address, date of birth, photos, family members, location of work plus full education/work history, phone number, likes/dislikes, pets, and a whole lot more.

Considering that most banks ask for less information than that when changing details, you begin to get an idea of how big an issue this is.

My advice for people out there using social networking sites is to mark your profiles as private wherever possible. You could even use one of the services mentioned above to check what information you have left open—if you are comfortable giving them the logins to your accounts of course.