Google's Orkut Social Network - New worm infects 400,000 users
Posted
Thursday, December 20, 2007 3:31 PM
by
hwaldron
Thankfully, this new Java Script based worm attack was relatively harmless and did not compromise personal information. It was most likely launched as a proof-of-concept test. Google also quickly stopped these attacks.
Folks should always be cautious in social network environments, as MySpace and similar sites have been constantly attacked. Avoid accepting anything suspicious even if it's from one of your friends, as they may be among the infected. AV software should be kept up to date as many vendors now offer detection.
Google's Orkut Social Network - New worm infects 400,000 users
http://www.pcworld.com/article/id,140653-c,worms/article.html
QUOTE: Google's Orkut social networking site appeared to have been hit by a relatively harmless worm, but one that demonstrated the continuing vulnerability of Web applications. Some Orkut users received an e-mail telling them they had been sent a new scrapbook entry -- a type of Orkut message -- on their profile from another Orkut user. The description of the group reveals that the worm was designed to show Orkut could be dangerous to users even if they do not click on malicious links, Hinckley wrote. The worm apparently did not try to steal any personal data.
At one time the infected group was adding new members at a rate of 100 per minute, and had reached a few hundred thousand members, according to various postings, but the problem appears now to be fixed, Hinckley wrote. Orkut's scrapbook feature allows people post messages that contain HTML code, but it may lack a filter to strip out malicious JavaScript, Hinckley wrote.
McAfee: W32/KutWormor - Google Orkut Worm
http://vil.nai.com/vil/Content/v_143807.htm
QUOTE: The infected user will start to send scraps (messages on Orkut model) to his friends. The scrap will arrive by email to the friend with some portuguese messages like: "2008 vem ai... que ele comece mto bem para vc", which means "2008 is arriving, I hope that it starts quite will for you", or "Boas Festas de final de Ano!", which means "Have a nice new years party!".
Once the user received the email and checks the scrap, the message will contain a javascript, called virus.js which will execute and start the sending scraps process and add the infected user to the "Infectados pelo Virus Orkut" community. This is specially target for Brazilian users, the majority of the users from the Google social network, but other users may be affected by checking these scraps.
Method of Infection:
-- the user receives an email telling that they got a new scrap...
-- the user checks Orkut's scrapbook...
-- by just checking the scrap book they became infected since the message has a link to a remote malicious .js file (virus.js)
Additional Links
http://www.f-secure.com/weblog/archives/00001342.html
http://blog.trendmicro.com/orkutgoogle-worms-compromise-over-400000-accounts/
Orkut Blog - More information may be posted later
http://en.blog.orkut.com/