Pink Floyd worm in 'Chinese Facebook' (Aug 25, 2009)
SonicWALL UTM Research team observed a new cross-site scripting worm in the wild. It is distributed within a Chinese popular social network website renren.com.
Renren, which means “everyone” in Chinese is China’s largest online community with more than 22 million active users; it is similar to Twitter or Facebook, as it allows users to share various information, including pictures and videos with each other.
The worm itself is contained in JavaScript and is very similar to April’s Mike Mooney Twitter worm. This worm abuses the fact that users can point to Flash movies, coupled with the small flaw in the video player code used by the Renren.com site.
Worm masquerades as a flash music video of Pink Floyd’s Wish You Were Here and spreads by exploiting a cross-site scripting hole. It contains a maliciously crafted Flash component loaded with an AllowScriptAccess=”always” parameter.
By default, this parameter is set to “sameDomain”, which means that a Flash object can only access the webpage if it was retrieved from the same domain. Setting this parameter to “always”, the Flash file can directly access any element of the local webpage, including cookies.
The flash file is used to execute the JavaScript code present in the message body and load a script called evil.js from an external domain. The domain hosting the Javascript is registered to YanChun Liu in Henan province of China. JavaScript code is used to exploit a cross-site scripting (XSS) flaw present in the website and spread the worm through its API.
There is a string “I’m not a malicious worm.” in the worm and, in fact, it doesn’t do anything other than spread.
There are also comments in the code that are lyrics from a German’s musician’s Maximilian Hecker “Rose” song.
This malware is also known as W32/PinkRen-A [Sophos], TrojanDownloader:SWF/Nerner.A [Microsoft], JS.Frienren [Symantec].
SonicWALL Gateway AntiVirus provides protection against this malware via Agent.EKC#Js (Trojan) and Agent.BE#Swf (Trojan) signatures.