Application security, Incident Response, Malware, Phishing, TDR, Vulnerability Management

Google’s Orkut clean after fast but harmless self-replicating worm is halted

Google has halted the spread of a worm on its social networking website, Orkut, but not before the self-replicating script reportedly spread to more than 400,000 member profiles.

The worm, which took advantage of a cross-site scripting vulnerability, did not contain a malicious payload but users could be infected merely by viewing a message on the "scrapbook" of their compromised profile.

Once infected, victims unknowingly deliver an email to all of their contacts, requesting that recipients visit their own profiles to see the same message on their scrapbooks. The messages, written in Portuguese, read, "Infectadoes pelo Virsu do Orkut," which translates to "infected by the Orkut virus."

The fast-spreading worm conjured up memories of the infamous "Samy is my hero" MySpace worm, another harmless attack unleashed in the fall of 2005. That worm, considered to be the first-ever self-propagating cross-site scripting worm, added more than a million friends to the profile of Samy Kamkar, who was 19 at the time.

The Orkut worm began impacting users late Tuesday night and was still spreading by 7 a.m. Wednesday morning, said Kee Hinckley, on his TechnoSocial blog.

"The issue isn't whether or not the worm was dangerous," he wrote. "The issue is that I now don't trust Google to respond quickly the next time there's a worm. And the next one might not be so benign."

Orkut was the victim of such an attack in June 2006.

But Craig Schmugar, a threat researcher with McAfee Avert Labs, told today that the worm does not necessarily signal that the next widespread social networking attack will be financially motivated.

Most attackers, he said, prefer to remain stealth and have their payload be effective as long as possible.

But that doesn't mean cybercrooks after money will not continue to exploit vulnerabilities on these popular sites, he said.

"What we see from the more professional groups tend to be lower key, the more personalized and spear phishing attacks as opposed to the mass, get-it-everywhere-you-can kind of attacks," he said.

A Google spokesperson said in an email to today that the worm is no longer spreading.

"Google takes the security of our users very seriously," the spokesperson said. "We worked quickly to implement a fix for the issue recently reported in Orkut.  We also took steps to help prevent similar problems in the future.  Service to Orkut was not disrupted during this time."

Orkut is extremely popular in Brazil and India but has not caught on in the United States with nearly the same fervor as MySpace and Facebook.

Still, businesses here should still pay attention, Schmugar said.

"It kind of speaks back to the larger issue of acceptable-use policies that organizations should consider," he said. "As security threats become more prevalent, it speaks to a greater need (for policy)."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.