For the last few days we saw a XSS worm outbreak on renren.com - which is a facebook-like website in China.
The worm itself poses as a flash file for the "Pink Floyd - Wish You Were Here" video - which tries to execute an external javascript file. The first line for the worm is a friendly greeting:
// I'm not a malicious worm.^^;
The technique used in this worm exploits a simple XSS hole in the website - with a payload which has a flash component with the AllowScriptAccess="always" attribute to allow the above "non-malicious" javascript to spread the worm via renren.com's API.
This is same technique used back in 2007 by the Okurt worm .
We now detect the worm as W32/PinkRen-A.
