Orkut Gets Flooded with ‘Bom Sabado’ Scraps
By Pallab De on September 25th, 2010

If you are amongst the few who still give a damn about Orkut, you might have noticed something fishy going on over the past few hours. A large number of users are randomly flooding their friends’ scrapbooks (Orkut’s equivalent of the Facebook Wall) with the following message:

[Image: Orkut-Hack-Bom-Sabado]

It doesn’t take a genius to figure out that the “Bom Sabado!” messages are automatically generated by a script. However, it is not clear whether this is simply a script exploiting a vulnerability in Orkut, or whether the accounts sending the automated scraps have been compromised.

If you are amongst those affected, it’s highly recommended that you follow the steps highlighted below:

  • Switch to the “older version” of Orkut.
  • Log out of Orkut.
  • Clean your browser’s cache and cookies.
  • Log in and change your password and security question.

If you haven’t been affected yet, it is strongly advised that you avoid Orkut until the issue has been resolved. I managed to trigger the same exploit while researching this article. Recently, other high-profile websites like Twitter and YouTube also fell victim to XSS attacks.

This is a developing story; we will update this topic as soon as we learn more. In the meantime, stay tuned to Techie Buzz and don’t forget to share your experience if you have also been affected.

Update 1: The worm appears to have originated in Brazil, where Orkut is still exceptionally popular. Many of the affected users are noticing the Brazilian flag on their status messages. Additionally, the phrase ‘Bom Sabado’ means ‘Good Saturday’ in Portuguese, which is the official language of Brazil. We are still awaiting an official response from Google.

Update 2: ‘Bom Sabado’ is now trending on Google.

[Image: Bom-Sabado]

Update 3: Google has finally responded. An update posted on the official forum claims that the ‘Bom Sabado’ bug has been contained.

We’ve contained the “Bom Sabado” virus and have identified the bug that allowed this and have fixed it.
We’re currently working on restoring the affected profiles.

However, we are seeing new variants of the worm (such as ORKUT 3XPL0!T5) appear, which suggests that the underlying vulnerability is yet to be plugged.

Update 4: Google has officially confirmed that the attack did not lead to any compromised user account information. For more information check our follow-up post.

Author: Pallab De
  • Tanmoy Talukdar

    For everyone whose orkut account has been affected with the ‘bom sabado’ worm ….

    The worm injects a hidden iframe containing a malicious javascript http://tptools.org/worm.js [do not click this], which steals the user cookie which contains the password in an encoded form. So the attacker does not get to know your plaintext password but can login using your credentials by impersonating using the cookie to fool the identification system. So a trivial solution is to disable javascript, another solution is to disable iframes or u can take an advanced measure by blocking the domain http://tptools.org/ by editing your hosts file and redirecting it to a safe address, say 127.0.0.1

    go to C:\windows\system32\drivers\etc\
    There is a file named ‘hosts’. By default it is read-only. Go to its properties and uncheck the tickmark beside read-only
    edit it with your favourite editor.

    add this line at the end of it

    127.0.0.1 tptools.org

    save it. and then restart your network interface. ( in simple words, just reconnect your internet connection ) and bingo!! the worm’ll be useless.

    Hope this helps..

    • Harika

      Bt in my properties..,there is no tick mark for read-only…Even though i got the scrap ‘bom sabodo’ :(
      is there any problem with this..please suggest me… :(

    • munchy

      why should we add this line ???

      • http://www.pallab.net Pallab De

        If you add that line, whenever your browser tries to load the js, it will get a loopback address (and thus never succeed in loading the malicious script).
        Opera users can simply add it to their content blocker file.

    • Harika

      i mean…i couldn’t add that 127.0.0.1 tptools.org at the end..even it is not in read only mode by default.. :(

      • Ved

        Open Notepad as Administrator, then open that HOST file in Notepad, edit it… You are done…

    • Ritesh kumar

      Friends, there is nothing to be afraid of with Bom Sabado!
      it was a hacked loop. it’s over, but delete it, don’t forget…
      TC

    • Karnendra

      when i did so, a dialog box popped up saying, “You don’t have the permission to save in this location, contact the administrator to obtain permission.
      Would you like to save in the My documents folder instead ?”
      Now what?

      • Sarath varma

        orkut hacked…getting nude messages

  • hitesh

    Those who are infected automatically join some Brazilian communities, that cannot be unjoined.

    • Anish

      I found automatically joined by several Brazilian communities. But i was able to UNJOIN from it. Am i affected?

      • http://www.pallab.net Pallab De

        Yes, probably.


  • http://www.geneefm.com/ Siva

    It means “Good Saturday”… please logout Orkut immediately.. and change your password.
    SIVA Rajendran.. From Chennai.

  • Siddhartha Das

    After doing the above mentioned steps:

    Use m.orkut.com to open the non html version of orkut to check your scraps.
    This is the mobile version of Orkut which is working. Check the scraps, and sadly though u can’t delete them.

    • dip

      use google chrome, u can also delete scraps using m.google.com!

  • munchy

    it means good saturday buddy not good friday..

    • http://www.pallab.net Pallab De

      Thanks. Fixed.

  • dino

    Where is Google team… that conquer the web. i tried to delete my communities but failed or not supported. i can’t imagine this from google…

  • bikker

    updated 1000000% solution
    to orkut virus ! “bom-sabado”

    Find a file named HOST
    u’ll find it here

    Windows 95/98/Me c:\windows\hosts
    Windows NT/2000/XP Pro c:\winnt\system32\drivers\etc\hosts
    Windows XP Home c:\windows\system32\drivers\etc\hosts
    Win 7 – C:\windows\system32\drivers\etc\hosts

    Then open it with NOTEPAD
    go to the end of that file

    Add this code at the end
    (remove # symbol while writing in host file !! from . and org/com)

    127.0.0.1 tptools.#org
    127.0.0.1 www.tptools.#org
    127.0.0.1 convites.001webs.#com

    click save

    you are done ! ..clear ur cookies and logout and log in again !! happy orkuting :)

    • Anish

      Hello dear. As you mentioned in the path there is no folder or files namely “hosts” in windows XP ‘ETC’ subfolder.

    • Khan

      But What for Windows 7?

    • Krish

      For those who run some sort of firewall, just block tptools. org site. But be sure that this is no failsafe way, as site from which script is downloaded could be easily changed in an updated scrap.
      Bom Sabado ;)

  • Abhik

    I have recently found about 40 scraps from have been deleted from my scrapbook.

  • abhi

    my gender has been changed…one of my friends has also got a nude pic and another found all his scraps deleted……

    • http://www.pallab.net Pallab De

      Follow the steps outlined in the post.

  • dharmendra

    what should we do to avoid this bom sabado virus?????

  • Tanmoy Talukdar

    This attack now seems to be spreading in geometric progression. People are customizing the .js file to make their own cookie stealing scripts. So instead of editing ‘hosts’ by hand the better solution is to block the iframe tag.
    follow the instructions given in

    http://techpaul.wordpress.com/2008/11/07/how-to-block-iframes/

  • Tanmoy Talukdar

    bom sabado killed, yet again … http://bit.ly/adhr0V

  • Naveen

    hey itz Naveen !!

    if u r trouble vit orkut virus ???to solve this problem ?? plz follow the instructions…..

    Find a file named HOST
    u’ll find it here
    –
    Windows 95/98/Me c:\windows\hosts
    Windows NT/2000/XP Pro c:\winnt\system32\drivers\etc\hosts
    Windows XP Home c:\windows\system32\drivers\etc\hosts
    Win 7 – C:\windows\system32\drivers\etc\hosts
    Then open it with NOTEPAD
    go to the end of that file
    Add this code at the end
    (remove # symbol while writing in host file !! from . and org/com)
    127.0.0.1 tptools.#org
    127.0.0.1 www.tptools.#org
    127.0.0.1 convites.001webs.#com
    click save
    you are done ! ..clear ur cookies and logout and log in again !! happy orkuting :)

    • Rocky

      Thhhhankkkkk U !!! Ur suggestion was very helpful !!
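
Added example, not part of the original post or any comment: a small Python check of whether a hosts file edited as described in the comments above actually pins the named hosts to a loopback address. The sample file is constructed, `parse_hosts` and `audit` are hypothetical helper names, and the parser assumes the standard hosts-file rule that `#` starts a comment, which is why an entry still carrying the defang `#` does nothing.

```python
import ipaddress

# Constructed sample hosts file: one correct entry plus two slips that are
# easy to make when copying the lines (URL scheme kept, defang '#' left in).
SAMPLE_HOSTS = """\
# constructed sample, not a real system file
127.0.0.1       localhost
127.0.0.1 tptools.org
127.0.0.1 http://www.tptools.org
127.0.0.1 convites.001webs.#com
"""

WANTED = ("tptools.org", "www.tptools.org", "convites.001webs.com")


def parse_hosts(text):
    """Return ({hostname: ip}, [(line_no, warning)]) for hosts-file text."""
    mapping, warnings = {}, []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            warnings.append((line_no, "first field is not an IP address"))
            continue
        for name in fields[1:]:
            if "/" in name or ":" in name:
                warnings.append((line_no, f"{name!r} is a URL, not a hostname"))
            elif name.endswith("."):
                warnings.append((line_no, f"{name!r} looks cut short by a '#'"))
            else:
                mapping.setdefault(name.lower(), ip)
    return mapping, warnings


def audit(text, wanted=WANTED):
    """Return ({hostname: pinned_to_loopback}, warnings)."""
    mapping, warnings = parse_hosts(text)
    status = {h: h in mapping and mapping[h].is_loopback for h in wanted}
    return status, warnings


if __name__ == "__main__":
    print(*audit(SAMPLE_HOSTS), sep="\n")
```

A clean result covers only the hostnames listed in `WANTED`; as Krish's comment points out, a variant that loads its script from a different site is not affected by these entries.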

  • mohan

    yesterday at 2pm,i got a scrap bomsabado from both of my friends,but thy aren’t friends,i thought wat’s is this,and said tat i have joined in so many communities tat havent seen it ever

  • laxmipati raj

    hi thanks for ur post……..i tried all ur countermeasures against bom sabado…..delete cookies,change password ………..but now i dont have any more access to my account…….it shows wrong password,,,,,,,,,,,, i think i lost my account…
    can u help me to get back my account????????????
    plz help

  • krishna

    Hey dudes if ur affected wid bom den jus go to dis link nd fill up d form u ll get back ur acc in 1day

    https://www.google.com/support/accounts/bin/request.py?hl=en-US&contact_type=acc_reco&ara=2&ctx=acc_reco&source=no_ts&rd=1

 