Security Response

Orkut Scraps Propagating Malicious Code

Created: 26 Feb 2008 08:00:00 GMT • Updated: 23 Jan 2014 18:42:05 GMT
Symantec Security Response

Social networking sites with large user bases are attracting more attention as malicious code propagation vectors these days. There have already been a few worms that have circulated through social networking sites.

This isn’t the first worm on Orkut, and the worm works in a similar manner to its predecessors by using “scraps”, messages considered part of a “scrapbook”. A user receives a scrap from an acquaintance containing a pornographic image that is designed to look like a Flash movie. If the user clicks on the image file, in an attempt to play the “movie”, they are directed to a malicious Web site.

Let us look at some of the steps in the infection process in more detail.

A copy of the malicious scrap is sent to all members listed in the user’s friend list
The user clicks the Flash-like image, which redirects to a malicious Web site. The malicious Web site contains JavaScript that composes the same scrap and sends it to all users present in the victim’s friend list.

The scrap uses Google domain links to avoid CAPTCHA checks
What is interesting in this attack is the redirection URL used to fool Orkut. Orkut shows a CAPTCHA image for human validation whenever a user posts a scrap containing a link and an image. However, the CAPTCHA is not used if the URL and image both come from any of the Google domains. This worm uses a redirected URL request from Google Video to redirect to the malicious Web site and escape the CAPTCHA checks.

The user is asked for confirmation to run what looks like a Flash Player installer
The malicious URL contains a snippet of code that presents a Portuguese alert message, asking the user to download a file named Instal_flash_player9.7.0.exe:

ULTIMA VERSÃO DO MACROMEDIA FLASH PLAYER NÃO ENCONTRADO, POR FAVOR, FAÇA O DOWNLOAD E INSTALE

This roughly translates to:

THE ULTIMATE VERSION OF MACROMEDIA FLASH PLAYER WAS NOT FOUND, PLEASE GET THE DOWNLOAD AND INSTALL IT

If the user is enticed into downloading and executing the supposed Flash Player file, they will unwittingly install a copy of Trojan Downloader.

The Trojan downloads multiple threats from different domains
When the Trojan is executed, it connects to other external Web sites and downloads multiple threats. The URLs seemingly lead to .JPG files, but in actuality they are saved as .exe files after each download completes:

• [http://]avdetectordok.ifastnet.com/[REMOVED]ro.jpg (saved as C:\Windows\windosremote.exe)
• [http://]pluginforweb22.ifastnet.com/[REMOVED]kk.jpg (saved as C:\Windows\logservicess.exe)
• [http://]youprincipalpug.ifastnet.com/[REMOVED]em.jpg (saved as C:\Windows\win32chekupdate.exe)

Symantec antivirus products detect these additional files as Downloader, Trojan.Dropper and Trojan Horse.
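The image-URL-to-executable mismatch described above is a simple thing to check for on the defensive side. The following is an added example (not code from the original post or from Symantec): it triages download records by comparing the URL's apparent extension, the on-disk file name and the leading bytes of the body, flagging an image URL whose content carries the Windows PE "MZ" header or that lands on disk as an .exe. The hostnames in the sample records are constructed placeholders.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png"}
PE_MAGIC = b"MZ"            # DOS header signature of every Windows PE file
JPEG_MAGIC = b"\xff\xd8\xff"  # JPEG start-of-image marker


@dataclass
class Download:
    url: str        # URL the body was fetched from
    saved_as: str   # path the body was written to
    head: bytes     # first bytes of the retrieved body


def url_extension(url: str) -> str:
    """Lower-cased extension of the URL path, '' if there is none."""
    path = urlparse(url).path
    dot = path.rfind(".")
    return path[dot:].lower() if dot != -1 else ""


def looks_like_image(url: str) -> bool:
    return url_extension(url) in IMAGE_EXTENSIONS


def is_pe(head: bytes) -> bool:
    return head.startswith(PE_MAGIC)


def suspicious(d: Download) -> bool:
    """True when the URL claims an image but the body is a PE executable,
    or the 'image' is written to disk with an .exe extension."""
    exe_on_disk = d.saved_as.lower().endswith(".exe")
    return looks_like_image(d.url) and (is_pe(d.head) or exe_on_disk)


def triage(downloads):
    """Return the URLs of all records that trip the mismatch check."""
    return [d.url for d in downloads if suspicious(d)]


# Constructed sample records; hostnames are placeholders, not real indicators.
SAMPLE = [
    Download("http://host-1.invalid/ro.jpg", r"C:\Windows\windosremote.exe", b"MZ\x90\x00"),
    Download("http://host-2.invalid/photo.jpg", r"C:\Users\me\photo.jpg", JPEG_MAGIC + b"\xe0"),
    Download("http://host-3.invalid/setup.exe", r"C:\tmp\setup.exe", b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for flagged in triage(SAMPLE):
        print("SUSPICIOUS:", flagged)
```

Only the first record is flagged: a genuine JPEG served as .jpg and an executable honestly named .exe both pass, so the check targets the disguise rather than executables in general.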

This worm could signal the inclusion of social networking sites as another propagation vector for malicious code. Orkut, with a wide user base and minimal limiting configuration, seems to be an easy method for socially engineered attacks and the distribution of malicious code. The scraps are received from known members on the friend’s list, which makes it easier to overcome a user’s suspicions about the legitimacy of the messages. This could also be easily used as a vector for targeted malicious code attacks.

Users should use discretion when clicking links from known or unknown senders, as well as avoid following URLs sent along with generic messages. Symantec Security Response observed this attack lasting for a couple of hours, and then the malicious URL was redirected to a non-malicious Web page. As we write this we have a few more reports of the same malicious code being served through different domain links.

Update: Further analysis of the malicious JavaScript, along with the assistance of Google's security team, shows that this threat doesn't expose any unknown vulnerability in Orkut. The program does require user interaction in order to 'scrap' itself to users in the friend's list.