web analytics

New virus found spreading on Facebook.

(All links are safe to click, Everything not safe is purposely broken and unclickable)

UPDATE: I’ve ran the code inside a VM now

The original message had a filename of ‘video.html’ and was hosted at AmazonAWS.com – do not click on anything that is that if you receive such a message.

Inside the code there is a leak to a goo.gl shortened URL, This URL was created 10 days ago and at time of writing has 462,570 clicks. The URL redirects to http://facebook.com/profile.php?id= which will bring up the currently logged in users Facebook profile. You can view those statistics here

The virus first determines if you’re on mobile or not, then from there redirects to one of two pages, encrypted of course. I’ve unencrypted them for you here

The video.html sends the victim to tesirmt2 [dot] com/mobil.html on Android/Blackberry or anything that isnt Windows (or isnt able to run and is Windows)

That URL then forcefully sends the victim to the following site: mobile [dot] dollars4ads [dot] com/directclick/?&odata=YWlkPTMxNTQ0JnVpZD0xMzg4

Which in turn sends you into a blackhole of porn site redirects, First using a redirect script at the domain DateForSexyMoments [dot] com which loads what appears to be a landing page url at InstaBang [dot] com with the filename enter.php

This part appears to be solely for revenue generation, no exploit yet.

If on Windows and not blocked, A mockup of the YouTube Facebook page is then displayed.

I’m just now getting to the Javascript in this page. It is starting to look like this is where the Facebook propagation code is…

In this page there is a reference to the 33Across ‘Traffic and Monetization’ Platform in a JavaScript file called tc.js

Also on this page is a small.js …

I’ve been using FireFox w\ NoScript allowing the sites one by one, No exploit has triggered as of yet. Installing Chrome now.

What I’m trying to do currently is get the Video Controller request to fire, It looks like that is when the payload is dropped.

Of course on Chrome it fires right away.

Poorly worded broken english, Now we’re getting somewhere!

Cancelling the request puts us back to the start. And the background changes red as if to tell us we’ve done something wrong — Facebook does this all the time right?

Time to take the plunge, Installing malware… Now we get Green, Green means good.

It appears as if I’ve found the ‘Malware Campaign Control Center’ full of scripts and logs. Different loaders for different environments. Different campaigns and phishing attacks.

I’m going to contact a few people and hand this off now. I’ll add my passive analysis below.

From what I’ve been able to gather from my passive analysis prior to running in VM …

The exploit appears to target the Chrome Web Store, The clicks are entirely from systems using Google’s Chrome Web browser. The following unique string is passed in a webstore URL

“ldjfedjbfpfcjiklocflohdkmbofokoe”

This appears to be the Chrome Developer ‘ItemID’, This is stored in the variable ‘okkkkk’ and is called with the chrome.webstore.install() function.

That ItemID has been removed since it was discovered, A second message almost identical was sent about an hour later, Following the same methods a new ItemID has been discovered. (I’ve just reported it for abuse.)

“ofmhgagdimpdbfbealjicdmedmjmdgol”

Whether the victim is on a mobile device or not, The victim will be on Facebook (The link is sent over the Facebook service), in the body tag the function chromex(); is called which in turn calls chrome.webstore.install(), It appears as if a request to install a ‘Video Controller’ relies on social engineering inside the chromex() function. chromex() is called at every possible opportunity to do so.

Still have yet to find the code that causes it to propagate to other users on Facebook, Been using strictly passive code analysis so far. Might jump inside VM and allow an infection and examine some binaries and what I’m assuming will be an interesting Chrome extension.

If you found this writeup useful, Feel free to tip me some BitCoins at 18j2Env7QokhGG5MccS3LPBKnjsko6u4NQ