Today, on 25th September 2010, a new worm affecting Orkut emerged. I received several calls from friends asking about this new Orkut worm. They told me that their scrapbook was flooded with text messages called “Bom Sabado!” and they were forcefully made to join some fake Orkut communities. This worm seems to be created by a Portuguese hacker as the meaning of this message is “Good Saturday” in Portuguese. I found the scrapbook of one of my friends flooded with the same malicious messages. Here is the screenshot,
I looked at the source code of the scrapbook page and found that a malicious iframe is being used to spread the worm. Here is what the malicious code looks like:
The script was easy to decode and I too found the decoded source code
This worm does not perform any truly harmful activities, but instead forces infected users to join different fake communities. It looks like the motive of the attacker behind this is simply to see how many he could infect. The screenshots of different communities involved in the attack (below), show that within few hour,s this worm infected many users:
This new worm shows how quickly an attack can spread and how dangerous social networking sites can be. Even though this worm didn't perform any malicious activities, it could have been used to steal sensitive information like passwords, personal information, etc. This was certainly not a 'Good Saturday' for Orkut users to be sure. Do not open your Orkut scrapbook until Orkut fixes the problem, even though the malicious site is down.
“Bad Saturday” for Orkut users.