If you are looking for how to avoid or recover from this, read this one instead.

In the past few weeks, a lot of Facebook users have received the following (or similar) messages posted by their friends:
Hi Friends see Face-book images rotate 360* see here >> http://SHADYCLOUDS.TK/
Really cool Facebook revolving images. MUST SEE http://rotatingimage2.tk/ .

What follows are my observations and analysis of these messages.

A few key observations

  1. They do not exploit any XSS, XSRF or XSS Inclusion (XSSI) vulnerability in Facebook, so nobody can be infected just by opening Facebook (unlike the recent vulnerability in Twitter).
  2. They are all based on what can be called “social XSS” (the email equivalent would be the “mugged in London” scam).
    A message from a friend tempts the user to run a script in the address bar of the tab in which Facebook is open. Any script executed from the address bar runs as if it were a script hosted on the facebook.com website, and it can do everything the logged-in user can do (unless Facebook detects and blocks the malicious automated action).
    Since the script is treated as same-origin, the XSRF prevention is completely defeated.
  3. Interestingly, the first script I encountered was from graphicgiants.com, and it redirects to facebook.com if the referrer is not Facebook.
    It can be downloaded using curl by faking the referrer (curl -e facebook.com graphicgiants.com).
  4. The irony is that even after the complete analysis, I am not able to find any code that generates rotating images (I doubt it was that tough to write).

Below is the analysis of the worm [raw code here, which can be read without horizontal scrolling].

Disclaimer: This is my personal blog. The views expressed on these pages are mine alone and not those of my employer.