How the Tumblr worm spread so quickly

Filed Under: Featured, Malware, Social networks, Spam, Vulnerability

Tumblr wormAlthough Tumblr is now cleaning-up pages which were affected by today's worm, SophosLabs was able to briefly explore how the infection spread.

It appears that the worm took advantage of Tumblr's reblogging feature, meaning that anyone who was logged into Tumblr would automatically reblog the infectious post if they visited one of the offending pages.

Each affected post had some malicious code embedded inside them:

Code from a malicious Tumblr post

The Base 64 string was actually encoded JavaScript, hidden inside an iFrame that was invisible to the naked eye, that dragged content from a url. Once decoded, the intention of the code becomes more clear.

Code used by Tumblr worm

This code explains why some users saw a pop-up message, seemingly coming from Tumblr:

Pop-up message

If you were not logged into Tumblr when your browser visited the url, it would simply redirect you to the standard login page. However, if your computer was logged into Tumblr, it would result in the GNAA content being reblogged on your own Tumblr.

Reblogged post on Tumblr

(By the way, Sophos is now protecting customers by blocking access to the url)

It shouldn't have been possible for someone to post such malicious JavaScript into a Tumblr post - our assumption is that the attackers managed to skirt around Tumblr's defences by disguising their code through Base 64 encoding and embedding it in a data URI.

See also: Tumblr worm hitting websites, posting identical message from GNAA

Thanks to SophosLabs expert Fraser Howard for his assistance with this article.

, , , , ,

You might like

8 Responses to How the Tumblr worm spread so quickly

  1. Bobby · 1039 days ago

    How about the content to the url? That's where the actual tumblr call is made eh?

    • Fraser Howard · 1038 days ago

      Yes. The url simply did a HTTP 301 redirect to the Tumblr reblog URL, triggering the reblogging of the article.

  2. redirects to - Was it previously redirecting to another IP that contained some kind of malware loader?

    • Jean Valjean · 1038 days ago

      Yes. The domain went down (i.e., changed to resolve to localhost) at roughly 5:30pm yesterday. Prior to that it was resolving to an IP that has been associated with scads of other domains, some of them pretty sketchy looking.

  3. Steve · 1039 days ago

    Nothing in this article describes the actual exploit. Sophos is a joke.

  4. Jerome · 1038 days ago

    I would blur some of those racist comments... and even most of the text... no point in spreading hatred.

  5. Jeremy · 1038 days ago

    So this worm didn't make any money for the developers? Strange

  6. GuyWhatKnows · 1038 days ago

    It wasn't meant to harm anyone and it wasn't even really a worm. It was the same type of attack as the twitter XSS attacks. All it did was spread. It was, like a rabbit virus which only spreads, mostly harmless.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley