Skip to content

FaceBook worm quick and dirty review

Introduction:

Facebook is very popular among the world, and loads of “hackers”/ “script kiddies”  would like to send messages to your contacts for fun and profit. In this little quick and dirty review I will briefly analyse a worm that spreads on Facebook.

Analyse:

A few minutes ago, I was invited by a friend to a strange event, which asked me to click on the following links :

  1. “http://stump.ws/rocibv”.
  2. “http://www.littleurl.net/a5264c”


This link was supposed to give you a trick to see “how much people visited your profile”. Instead I got this ! ( one Event inviting all your friends to do the same and and Pseudo),

Hopefully, I used my facebook testing account (where no one gets hurt)


 

Once on the page, there was a field containing JavaScript, and they asked people to copy paste this link behind the facebook link, like the following  www.facebook.com/My_Malware_JS_code.


Below you may see the JavaScript code encoded in HexaDecimal (16)

To understand a bit better what was happening I converted the hex to char and you may see the result below

Some “hackers” even do not encoded their page and it looked like this :

I’m not a JavaScript expert, but I can read code, and this looked like a call to the website www.iabelo.com/e.js which executed a remote JavaScript file. I copied it, and you may look part of  it below ( again encoded mainly in Hex). To see the code. ( this is not the full code)

Once decoded in readable characters it appeared like the following :

As I said, I’m not an expert in JavaScript, but part of the quotes are messages, that should be posted somewhere, and the other parts are links and JavaScript commands requesting the creation of a group, and the creation of some chat messages, to all the contacts, as well as the browsing of all the contacts probably to “post” the creation of the group  to everybody.

My analysis of the worm will not go further because I have no much  time, but it gives an idea of “how it works” , and on what may happen to people who are clicking everywhere and copying strange links on facebook.

 

Btw: It looks like, telling people they will know who viewed their profile is very attractive to lambda users, because I got about 20 of those propositions now. If someone is going further in the analyse let me know I would be pleased to read “full” article on it.

 

How to avoid this ? (conclusion)

  • Look the kind of link  pasted ( if it looks strange, do not click on it).
  • If you don’t really know what is going on, ask a friend to look at it with you ( before clicking).
  • In this case the “french” writing language used  is really bad DO NOT CLICK ON IT, this is usually a very good clue !
  • Having an updated anti virus “may” / “could” / “should” help you.
  • If the link seems obvious ( a daughter had sex with her [whoever]) YES IT’s A TRAP !
  • The cake is a lie.
  • One trap to rule them all !

 

Post a Comment

Your email is never published nor shared. Required fields are marked *