Facebook – How, exactly, does a Facebook worm work

Tags: facebook, javascript, Security

I initially had assumed that a FB friend of mine was spreading a malicious link because she had innocently accepted an app and given it privileges, but she says that's not the case. See the exchange:

Friend: "Don't click on the link you got from me! It's infected! I got it from (name redacted)!!! I'm sorry! I gotta stop ****** around!"
Me: "You accepted an FB application. All you have to do is go to Account -> Privacy settings -> Apps and websites and un-accept the offending application. That's why I don't do FB apps, period."
Friend: it's not an app. not on the list…it's a worm

How does that work? JavaScript shenanigans when the person clicks on the link?

Best Answer

Yes, exactly JavaScript. I just met such a worm and tried to decode it.

What the actual problem is:

The recent Facebook worm works by getting users to visit a page, which makes them insert a JavaScript string into their address bar and thereby execute it.

So, DON'T EVER copy some JavaScript code into your address bar. That's the main problem. And don't click any links you don't trust. Or at least open those links in a new window using the Privacy Mode (Firefox) or Incognito mode (Chrome) so that it won't be able to access your Facebook session.


What did our hackers do to make people not realize what they're doing?

Escaping the script

The string you copy into the URL bar mostly links to another JavaScript which is executed. This script is actually decoded into entities. So instead of using string characters, the whole script was put into a string and escaped so that no human could read it in the first place.

For example, if I had a very malicious function I'd escape it and the user would only see:

function%20test%28%29%20%7B%20alert%20%28%22LOL%22%29%3B%20%7D

and unescaped it would be

function test() { alert("LOL"); }

The script therefore unescapes "itself" before it is executed.

Obfuscating it

Now it's getting ugly: Before escaping it, the evil JavaScript code is obfuscated, with function names like _____x and variables like aLDIWEJ. This still makes sense to the JavaScript engine, but it is entirely unreadable to humans. This is done, again, to mask the intentions of our Facebook hackers.

At this point, the code could have looked something like this:

[screenshot of the obfuscated code, not reproduced]

What the script does

Well, what this script does is take your current Facebook session. Because you are logged into the site, it can do anything in your name. For example, things it can do through Facebook's API are:

  • creating an event like "OMG I can see who stalked me!"
  • chatting with people
  • posting status updates
  • etc.

This all happens by calling some of Facebook's API pages (some PHP pages, I forgot which).
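The "escaping" and "unescapes itself" steps from the answer above, as an added example that is not part of the original answer and not the worm's own code. It assumes the wrapper shape the answer implies but never shows, namely an address-bar URL of the form `javascript:eval(unescape("…"))`, possibly nested several times; the function names `buildSelfUnescapingPayload` and `decodePayload` are hypothetical, and the sample payload is constructed here. The point of the decoder is that an analyst can peel the layers statically, with `unescape`/`decodeURIComponent` only, and never hand the string to `eval`.

```javascript
// Node.js; `escape` and `unescape` are the legacy globals the answer refers to.

// The escaped string from the answer, used here as a constructed sample.
const ESCAPED_SAMPLE =
  'function%20test%28%29%20%7B%20alert%20%28%22LOL%22%29%3B%20%7D';

// Build a self-unescaping payload the way the answer describes (assumed wrapper
// shape): the plain script is escaped and wrapped in eval(unescape("...")),
// `layers` times, then prefixed with "javascript:" so it runs when pasted into
// the address bar. This is only here to produce realistic input for the decoder.
function buildSelfUnescapingPayload(plainScript, layers = 2) {
  let body = plainScript;
  for (let i = 0; i < layers; i++) {
    body = `eval(unescape("${escape(body)}"))`;
  }
  return `javascript:${body}`;
}

// Matches one wrapper layer: eval(<decoder>("<percent-encoded text>"))
// group 1 = decoder name, group 2 = quote character, group 3 = encoded text.
const WRAPPER_RE =
  /^\s*eval\s*\(\s*(unescape|decodeURIComponent|decodeURI)\s*\(\s*(["'])([\s\S]*?)\2\s*\)\s*\)\s*;?\s*$/;

const DECODERS = { unescape, decodeURIComponent, decodeURI };

// Statically peel the wrappers. Nothing here executes the payload: each layer is
// decoded with the same percent-decoder the payload would have used, and the
// loop stops as soon as the text no longer looks like a wrapper (or fails to decode).
function decodePayload(url, maxLayers = 10) {
  const isAddressBarPayload = /^\s*javascript:/i.test(url);
  let body = url.replace(/^\s*javascript:/i, '');
  const layers = [];
  let error = null;
  for (let i = 0; i < maxLayers; i++) {
    const m = WRAPPER_RE.exec(body);
    if (!m) break;
    try {
      body = DECODERS[m[1]](m[3]);
    } catch (e) {
      error = `layer ${i + 1}: ${e.message}`; // malformed %-sequence, stop here
      break;
    }
    layers.push(m[1]);
  }
  return { isAddressBarPayload, layers, script: body, error };
}

// Demo on a constructed two-layer payload.
const demoUrl = buildSelfUnescapingPayload('function test() { alert("LOL"); }', 2);
console.log(demoUrl.slice(0, 60) + '...');
console.log(decodePayload(demoUrl));
```

Each `eval(unescape(...))` layer is exactly what the answer calls the script "unescaping itself": the percent-encoded blob is what a victim sees, and the plain source only exists at runtime. Decoding it this way gives you the obfuscated source (the `_____x` / `aLDIWEJ` stage) to read without ever running it in a session that holds your Facebook cookies.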