Author Topic: Facebook malware? (Read 5775 times)


September 29, 2008, 10:01:43 pm

pozican
Received a strange friend request in my email. ( >screenie< )

Clicked the "facebook.com" link ( http://www.facebook.com/n/?profile.php&id=1422704759 ) which redirects to here -> http://www.hamperz.co.uk/catalog/update.exe - It tried to download a couple of viruses.

Mal/emogen-Y
W32/Kobot-Gen
W32/Kobot-Gen
Mal/Behav-024
Mal/Emogen-Y
Mal/Behav-024


Thinking of John and you lot, I opened up Malzilla and here's what I got (on Facebook):

Code:
<script>(function(href) { function split2(s, delim) { var i = s.indexOf(delim); return i == -1 ? [s, ''] : [s.substring(0, i), s.substring(i + 1)]; } function q_explode(q) { var arrayQueryExpression = /^(\w+)((?:\[\w*\])+)=(.*)/; if (!q) { return {}; } var ii, result = {}; q = q.split('&'); for (ii = 0, l = q.length; ii < l; ii++) { var match = q[ii].match(arrayQueryExpression); if (!match) { var term = q[ii].split('='); result[decodeURIComponent(term[0])] = decodeURIComponent(term[1] || ''); } else { var indices = match[2].split(/\]\[|\[|\]/).slice(0, -1); var name = match[1]; var value = decodeURIComponent(match[3] || ''); indices[0] = name; var resultNode = result; for (var i = 0; i < indices.length-1; i++) { if (indices[i]) { if (resultNode[indices[i]] === undefined) { if (indices[i+1] && !indices[i+1].match(/\d+$/)) { resultNode[indices[i]] = {}; } else { resultNode[indices[i]] = []; } } resultNode = resultNode[indices[i]]; } else { if (indices[i+1] && !indices[i+1].match(/\d+$/)) { resultNode.push({}); } else { resultNode.push([]); } resultNode = resultNode[resultNode.length-1]; } } if (resultNode instanceof Array && indices[indices.length-1] == '') { resultNode.push(value); } else { resultNode[indices[indices.length-1]] = value; } } } return result; } function q_implode(obj, name ) { name = name || ''; var r = []; if (obj instanceof Array) { for (var ii = 0; ii < obj.length; ++ii) { try { if (obj[ii] !== undefined) { r.push(q_implode(obj[ii], name ? (name + '[' + ii + ']') : ii)); } } catch (ignored) { } } } else if (typeof(obj) == 'object') { for (var k in obj) { try { r.push(q_implode(obj[k], name ? 
(name + '[' + k + ']') : k)); } catch (ignored) { } } } else if (name && name.length) { r.push(q_encode(name) + '=' + q_encode(obj)); } else { r.push(q_encode(obj)); } return r.join('&'); } function q_encode(raw) { var parts = String(raw).split(/([\[\]])/); for (var i = 0, l = parts.length; i < l; i += 2) { parts[i] = window.encodeURIComponent(parts[i]); } return parts.join(''); } var href_parts = split2(href, '#'), frag = href_parts[1]; if (frag) { if (frag.charAt(0) == '/') { var new_uri = frag; } else if (frag.indexOf('=') != -1) { var u = split2(href_parts[0], '?'), path = u[0], query = q_explode(u[1]), frag_parts = split2(frag, '#'), frag_query = q_explode(frag_parts[0]), frag_frag = frag_parts[1]; for (var k in frag_query) { query[k] = frag_query[k]; } var query_s = q_implode(query), new_uri = path + (query_s ? ('?' + query_s) : '') + (frag_frag ? ('#' + frag_frag) : ''); } else { return; } if (new_uri != href_parts[0]) { window.location = new_uri; } } })(window.location.href);</script><script>window.location.replace("http:\/\/www.facebook.com\/login.php");</script>


Thought you might be interested.

 -poz

September 30, 2008, 12:23:45 am
Reply #1

tjs
Can you post the email headers?

September 30, 2008, 12:32:25 am
Reply #2

MysteryFCM
I can all but guarantee that the link text (http://www.facebook.com/n/?profile.php&id=1422704759) will have been different to the actual link HREF, which is likely what took you to the malware ......

As tjs mentioned, please either post the e-mail (preferably the e-mail source, not just the content, as you seem to have HTML e-mail activated), or forward it to:

mdl_malware AT it-mate DOT co DOT uk

/edit

Just a note btw, the JS at the page you mentioned is actually legit - it redirects you to the Facebook login page if you aren't logged in.
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
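The link-text versus HREF mismatch MysteryFCM points to is something you can check for mechanically when triaging a suspect message. The following is an added example, not code from this thread or from hpHosts: it parses a constructed HTML message whose visible link text is the facebook.com URL quoted above while the href points at a placeholder host, and reports every anchor whose visible text names a different host than its href.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message: the visible text is the facebook.com URL quoted in
# the thread; the href host is a placeholder, not the real destination.
SAMPLE_EMAIL_HTML = """
<p>You have a new friend request.</p>
<a href="http://malware-host.example/catalog/update.exe">http://www.facebook.com/n/?profile.php&amp;id=1422704759</a>
<a href="http://www.facebook.com/login.php">Log in to Facebook</a>
<a href="http://www.facebook.com/help">www.facebook.com/help</a>
"""

def _host(text):
    """Hostname of a URL-looking string (scheme optional), or None if it has none."""
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    host = urlsplit(candidate).hostname
    return host if host and "." in host else None

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)  # entity references are already decoded
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None

def find_mismatched_links(html):
    """Return [(href, text)] for anchors whose text names a host other than the href's."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    suspicious = []
    for href, text in parser.links:
        text_host, href_host = _host(text), _host(href)
        if text_host and href_host and text_host != href_host:
            suspicious.append((href, text))
    return suspicious
```

Anchors whose text is plain words ("Log in to Facebook") are ignored, since only text that itself claims a hostname can mislead the reader about where the link goes.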