Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    There appears to be a Web worm that has replicated at an alarming rate through Google‘s Orkut social network in the last few hours.

    Infection starts when the user is sent an email telling them that they have a new Scrapbook entry (essentially a guestbook). Upon visiting their page the user sees the text:

    “2008 vem ai… que ele comece mto bem para vc”

    No interaction is necessary; simply looking at the scrap starts the infection sequence. The scrap deletes itself, and the user is added to the Orkut Community “Infectados pelo Vírus do Orkut.” It then downloads and executes a heavily obfuscated JavaScript from[REMOVED]/virus.js, which in turns sends a copy of the original Scrapbook post to all of the user’s Orkut Contacts, so that they too will be infected by the threat.

    At last count the group had over 400,000 users who had been infected. A Google translation of the description of the groups reads:


    If you came into this community, make sure that no data was stolen and not your will, that is not my goal.

    If I are sure at the end of all, this community should is lotada of people

    This just to show how Orkut may be dangerous, you came up here without clicking absolutely no link malicious, everything was done reading scraps.”

    It appears from both the script which we have analysed and this description that this script was designed purely to spread, rather than for more malicious purposes normally associated with this type of attack. The author has since pulled the malicious JavaScript from the Web, having apparently gotten his point across.

    The attack works due to Orkut allowing users to embed Flash content in their scrap posts (although it does filter for normal XSS techniques). The author appears to have created a SWFObject that calls the malicious JavaScript and was able to use this to bypass Orkuts filters.

    This is not the first time a worm like this has targeted a social network. MySpace fell victim to the infamous “Samy Is My Hero” XSS Worm released in 2005.

    Luckily for the almost half a million users, this was purely a proof of concept. The possible implications of a more malicious attack in the future however are much more worrying.

    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice