Due to some confusion with this particular threat, we’ve decided to provide some further details on the Orkut worm we blogged about earlier in the week. The worm, recently renamed to W32.Scrapkut, uses active code injection as a vehicle to propagate to the Orkut friends of its unfortunate victim.
Initially, a malicious scrap is posted to the victim’s scrapbook, containing a link to what appears to be a YouTube video:

When a victim clicks on the link, they are redirected to an external site which prompts them to download the file “flashx_player_9.8.0.exe”. Regular readers of Symantec’s Security Response Blog may recognize the page in question:
My colleague Liam O’Murchu identified this in a previous blog, and the page shown above matches word-for-word the page used by the W32.Imcontactspam worm. This may be yet another creation by the same people who brought us both W32.Imcontactspam and Infostealer.Bancos; however, this has not been confirmed.
When executed, flashx_player_9.8.0.exe retrieves the files windosremote.exe, logservicess.exe and win32chekupdate.exe from http://[REMOVED].ifastnet.com. These files download additional files that perform a variety of malicious actions, but logservices.exe is the main executable for further propagation. Logservices.exe first copies itself as maindwxp.exe to four different locations on the system to ensure it is executed on startup.
Maindwxp.exe then checks in with the command and control server via a GET request with specific parameter values. Interestingly, the page returned simply contains the word “Rastreados” followed by a number. In Portuguese, “rastreados” means “crawled”; at last check the number was 13559.
Maindwxp.exe then executes and begins checking for an active browser window, waiting for the victim to visit Orkut. Once the victim is in an authenticated Orkut session, maindwxp.exe injects JavaScript code into the active Orkut web session. This JavaScript code, which is actually based on a popular Greasemonkey script, is then executed within the context of the Orkut domain and the user’s authenticated session, resulting in the malicious scrapbook entry being sent to all of the victim’s friends, and the cycle begins again.
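As an added detection example (written for this post, not Symantec’s own tooling), the indicators named above are turned into a small scanner over a constructed JSON-lines log; the log format, its event names and the sample hosts other than ifastnet.com are assumptions:

```python
import json
import re
from pathlib import PureWindowsPath

# Indicators from the write-up: dropped files, hosting domain, C2 reply format.
SCRAPKUT_FILES = {"flashx_player_9.8.0.exe", "windosremote.exe",
                  "logservicess.exe", "win32chekupdate.exe", "maindwxp.exe"}
HOSTING_DOMAIN = re.compile(r"(^|\.)ifastnet\.com$", re.IGNORECASE)
BEACON_REPLY = re.compile(r"^\s*Rastreados\s+(\d+)\s*$")

def beacon_count(body):
    """Number following 'Rastreados' in a C2 reply body, or None if absent."""
    m = BEACON_REPLY.match(body or "")
    return int(m.group(1)) if m else None

def classify(record):
    """Alert strings for one parsed record of the hypothetical JSON-lines format."""
    alerts, kind = [], record.get("event", "")
    if kind in ("file_create", "process_start"):
        # Compare only the basename: the worm copies itself to several folders.
        name = PureWindowsPath(record.get("file", "")).name.lower()
        if name in SCRAPKUT_FILES:
            alerts.append(f"{kind}: known Scrapkut artifact {name}")
    elif kind == "http_get":
        host, path = record.get("host", ""), record.get("path", "")
        if HOSTING_DOMAIN.search(host):
            alerts.append(f"http_get: contact with hosting site {host}")
        if path.rsplit("/", 1)[-1].lower() in SCRAPKUT_FILES:
            alerts.append(f"http_get: fetched Scrapkut component from {host}")
        count = beacon_count(record.get("body"))
        if count is not None:
            alerts.append(f"http_get: C2 check-in reply, Rastreados={count}")
    return alerts

def scan(lines):
    """Return {line_number: [alerts]} for every JSON-lines record that matched."""
    hits = {}
    for no, line in enumerate(lines, 1):
        alerts = classify(json.loads(line))
        if alerts:
            hits[no] = alerts
    return hits

# Constructed sample log for the demonstration, not real telemetry.
SAMPLE_LOG = [
    r'{"event":"file_create","file":"C:\\Users\\victim\\Downloads\\flashx_player_9.8.0.exe"}',
    r'{"event":"http_get","host":"free.ifastnet.com","path":"/windosremote.exe"}',
    r'{"event":"http_get","host":"c2.example.invalid","path":"/in.php?id=1","body":"Rastreados 13559"}',
    r'{"event":"process_start","file":"C:\\Windows\\maindwxp.exe"}',
    r'{"event":"file_create","file":"C:\\Users\\victim\\notes.txt"}',
]
```

Running `scan(SAMPLE_LOG)` flags the dropper download, the fetch from the ifastnet.com host, the “Rastreados” check-in reply and the maindwxp.exe process start, while the unrelated notes.txt record produces nothing.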
Social networking sites will continue to be an attractive target for attackers, as highly interactive sites can spread threats very quickly. Attackers will evolve their techniques to respond to increased security measures, and we have seen a variety of threats exploiting the trust people have in their friends. It is yet another reminder to treat electronic communications with care, no matter who it is from.