How the Tumblr worm spread so quickly

Although Tumblr is now cleaning-up pages which were affected by today’s worm, SophosLabs was able to briefly explore how the infection spread.

It appears that the worm took advantage of Tumblr’s reblogging feature, meaning that anyone who was logged into Tumblr would automatically reblog the infectious post if they visited one of the offending pages.

Each affected post had some malicious code embedded inside them:

The Base 64 string was actually encoded JavaScript, hidden inside an iFrame that was invisible to the naked eye, that dragged content from a url. Once decoded, the intention of the code becomes more clear.

This code explains why some users saw a pop-up message, seemingly coming from Tumblr:

If you were not logged into Tumblr when your browser visited the url, it would simply redirect you to the standard login page. However, if your computer was logged into Tumblr, it would result in the GNAA…

Read more in my article on the Naked Security website.

Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.

Graham Cluley •   @gcluley

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, on Mastodon at @[email protected], or drop him an email.