Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Subscribe
Security Research

New Orkut Worm: “Bom Sabado!” – Good Saturday For Orkut Users

image
THREATLABZ
September 25, 2010 - 2 min read
Today, on 25th September 2010, a new worm affecting Orkut emerged. I received several calls from friends asking about this new Orkut worm. They told me that their scrapbook was flooded with text messages called “Bom Sabado!” and they were forcefully made to join some fake Orkut communities. This worm seems to be created by a Portuguese hacker as the meaning of this message is “Good Saturday” in Portuguese. I found the scrapbook of one of my friends flooded with the same malicious messages. Here is the screenshot,
Image
I looked at the source code of the scrapbook page and found that a malicious iframe is being used to spread the worm. Here is what the malicious code looks like:
Image
The malicious iframe points to “tptools.org/worm.js”. I tried to download this malicious JavaScript file but the domain no longer exists. I was however able to find the source code for this malicious JavaScript file on a Google forum. The obfuscated JavaScript inside the file can be seen below:
Image
The script was easy to decode and I too found the decoded source code on the internet. This malicious JavaScript creates some HTTP GET and POST requests to Orkut. It then obtains the list of friends for the infected user and sends the same malicious message to them with embedded hidden Iframe. This malicious JavaScript also forces infected users to join a few fake Portuguese communities as listed below,
http://www.orkut.co.in/Main#Community?cmm=106691341
http://www.orkut.co.in/Main#Community?cmm=106698628
http://www.orkut.co.in/Main#Community?cmm=558494
http://www.orkut.co.in/Main#Community?cmm=6
http://www.orkut.co.in/Main#Community?cmm=106698808
This worm does not perform any truly harmful activities, but instead forces infected users to join different fake communities. It looks like the motive of the attacker behind this is simply to see how many he could infect. The screenshots of different communities involved in the attack (below), show that within few hour,s this worm infected many users:
Image
Image
This new worm shows how quickly an attack can spread and how dangerous social networking sites can be. Even though this worm didn't perform any malicious activities, it could have been used to steal sensitive information like passwords, personal information, etc. This was certainly not a 'Good Saturday' for Orkut users to be sure. Do not open your Orkut scrapbook until Orkut fixes the problem, even though the malicious site is down.
“Bad Saturday” for Orkut users.
Umesh

Explore more Zscaler blogs

A cyber criminal shopping for malware
Agniane Stealer: Dark Web’s Crypto Threat
Read Post
Business people walking through a city
The Impact of the SEC’s New Cybersecurity Policies
Read Post
Digital cloud illuminated in blue
Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)
Read Post
TOITOIN Trojan
The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region
Read Post
01 / 02
dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.