There appears to be a Web worm that has replicated at an alarming rate through Google’s Orkut social network in the last few hours.
Infection starts when the user is sent an email telling them that they have a new Scrapbook entry (essentially a guestbook). Upon visiting their page the user sees the text:
“2008 vem ai… que ele comece mto bem para vc”
No interaction is necessary; simply looking at the scrap starts the infection sequence. The scrap deletes itself, and the user is added to the Orkut Community “Infectados pelo Vírus do Orkut.” It then downloads and executes a heavily obfuscated JavaScript from http://files.myopera.com/virusdoorkut/[REMOVED]/virus.js, which in turns sends a copy of the original Scrapbook post to all of the user’s Orkut Contacts, so that they too will be infected by the threat.
At last count the group had over 400,000 users who had been infected. A Google translation of the description of the groups reads:
“CALMA!
If you came into this community, make sure that no data was stolen and not your will, that is not my goal.
If I are sure at the end of all, this community should is lotada of people
This just to show how Orkut may be dangerous, you came up here without clicking absolutely no link malicious, everything was done reading scraps.”
It appears from both the script which we have analysed and this description that this script was designed purely to spread, rather than for more malicious purposes normally associated with this type of attack. The author has since pulled the malicious JavaScript from the Web, having apparently gotten his point across.
The attack works due to Orkut allowing users to embed Flash content in their scrap posts (although it does filter for normal XSS techniques). The author appears to have created a SWFObject that calls the malicious JavaScript and was able to use this to bypass Orkuts filters.
This is not the first time a worm like this has targeted a social network. MySpace fell victim to the infamous “Samy Is My Hero” XSS Worm released in 2005.
Luckily for the almost half a million users, this was purely a proof of concept. The possible implications of a more malicious attack in the future however are much more worrying.
December 19th, 2007 at 3:14 pm
[...] - Orkut Worm Arbor Networks - Orkut XSS Worm SophosLabs - Large scale Orkut virus outbreak not cool TrendMicro - Orkut/Google worms Compromise over 400,000 accounts Share This Digg [...]
December 20th, 2007 at 2:17 am
[...] Trend Micro: Orkut/Google worms compromise over400,000 accounts [...]
December 20th, 2007 at 6:04 am
[...] It’s early in this enterprise 2.0 game, but one question keeps popping up for me. What are the security implications here? It’s no small issue. What if you had an Orkut/Google mashup when a worm hit (this isn’t theoretical since TrendMicro reported it on Wednesday). [...]
December 20th, 2007 at 7:30 am
[...] malicious .js file (virus.js)Additional Linkshttp://www.f-secure.com/weblog/archives/00001342.html http://blog.trendmicro.com/orkutgoogle-worms-compromise-over-400000-accounts/ Orkut Blog - More information may be posted laterhttp://en.blog.orkut.com/ Published Dec 20 [...]
December 25th, 2007 at 10:14 pm
[...] Robert McArdle’s Blog WhiteHat Security describes XSS in detail Wat is XSS? - From Wikipedia Published in: [...]