Although Tumblr is now cleaning-up pages which were affected by today’s worm, SophosLabs was able to briefly explore how the infection spread.
It appears that the worm took advantage of Tumblr’s reblogging feature, meaning that anyone who was logged into Tumblr would automatically reblog the infectious post if they visited one of the offending pages.
Each affected post had some malicious code embedded inside them:
This code explains why some users saw a pop-up message, seemingly coming from Tumblr:
If you were not logged into Tumblr when your browser visited the url, it would simply redirect you to the standard login page. However, if your computer was logged into Tumblr, it would result in the GNAA content being reblogged on your own Tumblr.
(By the way, Sophos is now protecting customers by blocking access to the strangled.net url)
Thanks to SophosLabs expert Fraser Howard for his assistance with this article.