12

There's a Facebook virus doing the rounds: Your face in 20 years (safe link, but don't follow the instructions).

It clearly grabs some Javascript from a url (e.g. changeups.info/age/u.php?0.5069423061795533) and runs it on your page, which posts on the walls of all your friends. The problem is I can't access the script (and investigate what it's doing) without being signed into Facebook (since it's a Facebook page, using the API, it'll just ask you to log in if you go to the url), which I obviously don't want to do.

Is there a way of safely stepping through Javascript so that I can download the script and avoid the malicious effects of it?

fredley
  • 1,455
  • 1
  • 16
  • 25

4 Answers4

13

Don't step through it, instead use an interactive proxy (I'm partial to Fiddler, there are many others...).
When the javascript is downloaded, it will first pass thru your proxy tool - you can grab it, save it out, and then block it from going on down to your browser.

Since you know it's malicious, you'd be better reviewing the source rather than executing it, especially in the context of your account.

If that's not good enough, and you want to execute it, create a new account and login with that, from a throwaway VM.
No reason to try and sanitize potentially obfuscated and evasive malware... Just isolate it.

AviD
  • 73,317
  • 24
  • 140
  • 221
10

Here is the source code for the worm are talking about. I got this because one of my friends got pwn3d and he posted a link to my wall. I logged out of facebook and then clicked on the link. I had Tamperdata and Firebug installed, but i didn't need any of it. Its trying to get you to copy-paste a JavaScript include to the source code above. viewing the page's source is enough to see its tricks.

A more general answer to your question is to use a sandbox. If its javascript memory corruption exploit then you should use a VM. In this case I know its malware resident to a logged-in fb user. If i wanted to know more of how it worked in action then I would sign up for a FB account to test this.

rook
  • 47,238
  • 10
  • 96
  • 182
4

Warning: Please note that the following is only advisable on a virtual machine. Obviously, debugging malware shouldn't be done on a productive system ;)

You can step through instructions with Firebug, a Firefox-Addon that comes with a lot of debug features, accessing DOM after JavaScript execution and more. It is widely used and well documented.

Secondly, I have a tip on on how to improve readability for malicious, obfuscated JavaScript: Declare your code as a function and use the toString method:

evil_function = (function() { yourcopypasta_here } alert(evil_function.toString(2));

This will give more pretty output, with a few spaces where helpful :) The parameter 2 for toString is undocumented and will probably only work on Firefox.

freddyb
  • 511
  • 3
  • 9
  • 2
    Heh, if you think real obfuscation can be solved by simple toStringing, you havent seen much code... even non-malicious javascript ;). But +1 on Firebug. – AviD May 04 '11 at 19:27
2

You may use http://wepawet.iseclab.org/ that would analyze malware online. If you are willing to do it on your own, you can use Malzilla. Similar tool is FileInsight from McAfee.

  • These wouldn't work in this situation, since you need to be logged into FB for the code to even download. – fredley May 04 '11 at 15:33
  • @fredley, so, create temporary account and login there in safe environment. I don't see possibility to bypass authentication to get protected content. My answer is about analysis of malware. –  May 04 '11 at 16:55