Today, on 25th September 2010, a new worm affecting Orkut emerged. I received several calls from friends asking about this new Orkut worm. They told me that their scrapbook was flooded with text messages called “Bom Sabado!” and they were forcefully made to join some fake Orkut communities. This worm seems to be created by a Portuguese hacker as the meaning of this message is “Good Saturday” in Portuguese. I found the scrapbook of one of my friends flooded with the same malicious messages. Here is the screenshot,
I looked at the source code of the scrapbook page and found that a malicious iframe is being used to spread the worm. Here is what the malicious code looks like:
The malicious iframe points to “tptools.org/worm.js”. I tried to download this malicious JavaScript file but the domain no longer exists. I was however able to find the source code for this malicious JavaScript file on a Google forum. The obfuscated JavaScript inside the file can be seen below:
The script was easy to decode and I too found the decoded source code on the internet. This malicious JavaScript creates some HTTP GET and POST requests to Orkut. It then obtains the list of friends for the infected user and sends the same malicious message to them with embedded hidden Iframe. This malicious JavaScript also forces infected users to join a few fake Portuguese communities as listed below,
http://www.orkut.co.in/Main#Community?cmm=106691341
http://www.orkut.co.in/Main#Community?cmm=106698628
http://www.orkut.co.in/Main#Community?cmm=558494
http://www.orkut.co.in/Main#Community?cmm=6
http://www.orkut.co.in/Main#Community?cmm=106698808
This worm does not perform any truly harmful activities, but instead forces infected users to join different fake communities. It looks like the motive of the attacker behind this is simply to see how many he could infect. The screenshots of different communities involved in the attack (below), show that within few hour,s this worm infected many users:
This new worm shows how quickly an attack can spread and how dangerous social networking sites can be. Even though this worm didn't perform any malicious activities, it could have been used to steal sensitive information like passwords, personal information, etc. This was certainly not a 'Good Saturday' for Orkut users to be sure. Do not open your Orkut scrapbook until Orkut fixes the problem, even though the malicious site is down.
“Bad Saturday” for Orkut users.
Umesh
