Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

Google’s Orkut – yet another example of misuse of Flash

December 19th 2007 in Uncategorized

Google’s Orkut Hit with a Javascript (Flash?) Worm

You get an email notification (or find out on Orkut) that you have a new scrapbook entry. It’s from a friend. It says.

2008 vem ai… que ele comece mto bem para vc

There’s no need to click on anything, just viewing it does the trick. The scrap deletes itself, and adds you to the Orkut Community “Infectados pelo Vírus do Orkut”. That group, as I write this, is gaining members at a rate of at least one hundred per minute.

One hundred per minute!  According to F-Secure, 400,000 accounts were affected before the attack was stopped by removing a download file that was needed to complete the hijack.  What was the download file?  Well, according to this site, a piece of javascript code, named virus.js was fetched (files.myopera.com/virusdoorkut/files/virus.js)

From what I can gather after trawling myriad blog entries about the incident, it seems that the exploit worked in a similar manner to the more traditional malicious Flash advertisements.  This blog entry has an interesting discussion about what was happening.

It certainly is becoming obvious that Flash is turning into the Typhoid Mary of the Internet.  There is no way for end users to easy disable the functionality that allows malicious banner advertisements and Flash content such as was used in the Orkut incident.  Yes, we can simply uninstall Flash, or use a Flash and advertisement blocker, but that doesn’t solve the problem, does it. It simply hides it.

Adobe needs to have a close look at what is going on and work out a way to stop the unsavoury types from using their product for malicious purposes, otherwise we will be playing whack-a-mole with the bad guys for a very long time to come and more and more visitors to web sites are going to block all advertisements for security reasons, not just because they don’t like ads.  This will, of course, have a negative flow-on effect on advertising revenues for web sites, not to mention the bad blood that will develop between web sites and advertising networks.

Update: more info on the McAfee blog and the Trend blog.

Oh, and in answer to the question “does the security update for Flash stop this from happening” … the answer is NO.


4 comments to...
“Google’s Orkut – yet another example of misuse of Flash”

Ryan Russell

It may not be completely clear from my blog entry you link to (because I wasn’t as clear myself at the time) but this particular worm is Javascript-only. The only “flash” bit was Orkut’s filters working incorrectly in an attempt to allow some Flash content.

But your general point stands, there are all kinds of viewers/players out there with holes waiting to bite web users.


“… On Wednesday afternoon, Trend Micro antivirus engineer Robert McArdle published a blog entry warning that a worm was replicating itself across Orkut using a Flash object that invokes malicious JavaScipt code.

“The attack works due to Orkut allowing users to embed Flash content in their scrap posts (although it does filter for normal XSS techniques),” said McArdle in a blog post. “The author appears to have created a SWFObject that calls the malicious JavaScript and was able to use this to bypass Orkut’s filters.” …”



Do any one have the screenshot of the above stated virus activity in Orkut.com. If so please post the link. We wanted to take a look at it.


Ryan Russell

I didn’t take a screenshot, but I saved off a copy of the page. ryan@thievco.com if you want it.

Yep, I thought that would get your attention [:)]
Microsoft have announced the following about Internet Explorer 8:

Microsoft are targeting 1H08 (first half of 2008) to deliver IE8 beta 1.

IE8 in standards mode now correctly renders the Acid2 Browser Test.  For compatibility purposes IE8’s rendering engine will default to “quirks” or “standards” mode.  Site developers will need […]

Previous Entry

Microsoft has launched a $250,000 Sweepstakes competition to show users how Internet Explorer can enhance online trust and confidence.  The interactive site quickly demonstrates IE7’s Phishing Filter and EV Certificates (the green address bar).  Once the demonstration is finished, the visitor is given the opportunity to enter the Sweepstakes.
Note: The competition is only open to residents […]

Next Entry