If you are looking for how to avoid or recover: read this one instead.

In the past few weeks, a lot of Facebook users have received the following (or similar) messages, posted by their friends:
Hi Friends see Face-book images rotate 360* see here >> http://SHADYCLOUDS.TK/
Really cool Facebook revolving images. MUST SEE http://rotatingimage2.tk/.

What follows are my observations on the campaign and an analysis of the script behind it.

A few key observations

  1. This attack does not exploit any XSS, CSRF or cross-site script inclusion (XSSI) vulnerability in Facebook. Nobody gets infected merely by opening Facebook, unlike in the case of the recent vulnerability in Twitter.
  2. They are all based on what can be called "social XSS" (the pattern is now usually called self-XSS); the e-mail equivalent would be the "mugged in London" scam. A message that appears to come from a friend tempts the user into pasting a script into the address bar of the tab in which Facebook is open. Any script run from the address bar executes as if it were hosted on facebook.com, so it can do everything the logged-in user can do (unless Facebook detects and blocks the automated actions). Because the browser treats the script as same-origin, it can read the page's anti-CSRF tokens and include them in its requests, so the CSRF protection is defeated.
  3. Interestingly, the first script I encountered was from graphicgiants.com, and it redirects to facebook.com if the referrer is not Facebook. It can be downloaded using curl by faking the referrer (curl -e facebook.com graphicgiants.com).
  4. The irony is that even after the complete analysis, I was not able to find any code that generates rotating images. I doubt it would have been that hard to write.

Below is the analysis of the worm. I posted the raw code here.

Disclaimer: This is my personal blog. The views expressed on these pages are mine alone and not those of my employer.