
New virus found spreading on Facebook.

(All links are safe to click; everything not safe is purposely broken and unclickable.)

UPDATE: I’ve run the code inside a VM now.

The original message had a filename of ‘video.html’ and was hosted at AmazonAWS.com. Do not click on anything like that if you receive such a message.

Inside the code there is a leak to a goo.gl shortened URL. This URL was created 10 days ago and at time of writing has 462,570 clicks. The URL redirects to http://facebook.com/profile.php?id= which brings up the currently logged-in user’s Facebook profile. You can view those statistics here.

The virus first determines whether you’re on mobile or not, then redirects to one of two pages, encrypted of course. I’ve decrypted them for you here.

The video.html sends the victim to tesirmt2 [dot] com/mobil.html on Android/Blackberry or anything that isn’t Windows (or is Windows but isn’t able to run it).

That URL then forcefully sends the victim to the following site: mobile [dot] dollars4ads [dot] com/directclick/?&odata=YWlkPTMxNTQ0JnVpZD0xMzg4

That in turn sends you into a black hole of porn-site redirects, first using a redirect script at the domain DateForSexyMoments [dot] com, which loads what appears to be a landing page URL at InstaBang [dot] com with the filename enter.php.

This part appears to be solely for revenue generation; no exploit yet.

If on Windows and not blocked, a mockup of the YouTube Facebook page is then displayed.

I’m just now getting to the JavaScript in this page. It is starting to look like this is where the Facebook propagation code is…

In this page there is a reference to the 33Across ‘Traffic and Monetization’ Platform in a JavaScript file called tc.js

Also on this page is a small.js …

I’ve been using Firefox with NoScript, allowing the sites one by one; no exploit has triggered as of yet. Installing Chrome now.

What I’m trying to do currently is get the Video Controller request to fire; it looks like that is when the payload is dropped.

Of course on Chrome it fires right away.

Poorly worded, broken English. Now we’re getting somewhere!

Cancelling the request puts us back at the start, and the background turns red as if to tell us we’ve done something wrong. Facebook does this all the time, right?

Time to take the plunge: installing malware… Now we get green. Green means good.

It appears as if I’ve found the ‘Malware Campaign Control Center’, full of scripts and logs: different loaders for different environments, different campaigns and phishing attacks.

I’m going to contact a few people and hand this off now. I’ll add my passive analysis below.

From what I’ve been able to gather from my passive analysis prior to running it in a VM…

The exploit appears to target the Chrome Web Store; the clicks are entirely from systems using Google’s Chrome web browser. The following unique string is passed in a Web Store URL:

“ldjfedjbfpfcjiklocflohdkmbofokoe”

This appears to be the Chrome Developer ‘ItemID’. It is stored in the variable ‘okkkkk’ and passed to the chrome.webstore.install() function.

That ItemID has been removed since it was discovered. A second, almost identical message was sent about an hour later; following the same methods, a new ItemID has been discovered. (I’ve just reported it for abuse.)

“ofmhgagdimpdbfbealjicdmedmjmdgol”

Whether or not the victim is on a mobile device, the victim will be on Facebook (the link is sent over the Facebook service). In the body tag the function chromex() is called, which in turn calls chrome.webstore.install(). It appears that the request to install a ‘Video Controller’ relies on social engineering inside the chromex() function; chromex() is called at every possible opportunity.
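A small scanner, added here as an example (not code from the writeup or the campaign), that pulls the extension item ID out of a page calling chrome.webstore.install(), following one level of variable indirection such as the ‘okkkkk’ variable described above, and flags the two IDs this writeup reports. The sample page is constructed; the scanner also handles the no-argument form of the inline-install call, which falls back to a `<link rel="chrome-webstore-item">` tag (a generalization beyond the case the writeup describes).

```python
import re

# Item IDs the writeup above reports (values taken from the page itself).
REPORTED_ITEM_IDS = {
    "ldjfedjbfpfcjiklocflohdkmbofokoe",
    "ofmhgagdimpdbfbealjicdmedmjmdgol",
}

ITEM_ID_RE = re.compile(r"\b[a-p]{32}\b")  # Chrome extension IDs: 32 chars from a-p
ASSIGN_RE = re.compile(r"(?:var\s+)?(\w+)\s*=\s*['\"]([^'\"]*)['\"]")
INSTALL_RE = re.compile(r"chrome\.webstore\.install\s*\(\s*([^,)]*)")
LINK_TAG_RE = re.compile(r"<link[^>]*>", re.I)
HREF_RE = re.compile(r"href\s*=\s*['\"]([^'\"]+)", re.I)


def extract_install_item_ids(page):
    """Return every extension item ID that chrome.webstore.install() would install."""
    assignments = dict(ASSIGN_RE.findall(page))  # one level of variable indirection
    found = set()
    for raw_arg in INSTALL_RE.findall(page):
        arg = raw_arg.strip()
        if not arg:
            # No URL argument: inline install falls back to <link rel="chrome-webstore-item">
            for tag in LINK_TAG_RE.findall(page):
                if "chrome-webstore-item" in tag:
                    for href in HREF_RE.findall(tag):
                        found.update(ITEM_ID_RE.findall(href))
        elif arg[0] in "'\"":
            found.update(ITEM_ID_RE.findall(arg))  # literal URL or bare ID
        else:
            found.update(ITEM_ID_RE.findall(assignments.get(arg, "")))
    return found


def classify(page):
    """Report the IDs found and which of them match the IDs named in the writeup."""
    ids = extract_install_item_ids(page)
    return {"item_ids": sorted(ids), "matches_reported": sorted(ids & REPORTED_ITEM_IDS)}


# Constructed sample modelled on the page's description: a body that calls chromex(),
# which hands a variable-held Web Store URL to chrome.webstore.install().
SAMPLE_PAGE = """<html><body onload="chromex();"><script>
var okkkkk = "https://chrome.google.com/webstore/detail/ldjfedjbfpfcjiklocflohdkmbofokoe";
function chromex() { chrome.webstore.install(okkkkk, function () {}, function () { chromex(); }); }
</script></body></html>"""

if __name__ == "__main__":
    print(classify(SAMPLE_PAGE))
```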

I have yet to find the code that causes it to propagate to other users on Facebook; I’ve been using strictly passive code analysis so far. I might jump inside a VM, allow an infection and examine some binaries and what I’m assuming will be an interesting Chrome extension.

If you found this writeup useful, feel free to tip me some bitcoin at 18j2Env7QokhGG5MccS3LPBKnjsko6u4NQ

You can defeat mass surveillance. Here’s how (pictorial guide)

Originally published by The Fifth Column News on Mar 18th, 2015 under a Creative Commons Attribution-Share Alike 3.0 License.


Ft. Meade, MD (TFC) – Back in June 2014 I wrote an article, ‘Don’t Ask for your Privacy, Take it back’, for the Reset the Net campaign.

“The hope of this campaign is to emerge in a post June 5th world with a more secure standard of communications.”

The only reason mass surveillance works is that most of our communications are sent in plain text, as easily read as you are reading this very article. Whether this is done willingly by the service provider or maliciously by the Government using devices and exploits without their knowledge, encryption will keep (some of) your rights intact, for now.

While I do admit there is a modest barrier to entry into the realm of secure communications, there are a number of ‘out of the box’ solutions emerging to reduce this barrier. I will detail these still-in-development solutions in the footer, and next cover some of the more established solutions that require a small amount of setup (with a pictorial guide).

Secure instant messaging: Pidgin (with OTR plugin; mobile users get ChatSecure for Android or ChatSecure for iOS)
Hide your IP (with exceptions!): Tor (mobile users get Orbot for Android)
Encrypted GSM/SMS: TextSecure & RedPhone (Android only; iOS users get Signal 2.0)

On the complaints about Tor, let me detail a few of the weaknesses that exist in Tor so that you may be able to understand its strengths. Tor was (initially) developed and funded by the US Government to give itself plausible deniability for its own illegal and malicious actions against businesses and countries worldwide. If only the US Government used Tor it wouldn’t be very anonymous, so it has to be a free-for-all to provide anonymity. That said, the Government doesn’t like supporting malicious actors other than itself, so Darknet sites (the .onion network) were attacked. This attack worked for two reasons. One, using Tor in a browser provides a wide attack surface via the Flash and JavaScript scripting engines: a script in Flash or JavaScript can report back the IP address it sees in its own context, before anything passes over Tor, because the code is running locally in your browser and not on the server, which does not know your IP address. Two, if every Tor node you are using is in fact owned by the US Government, a top-down view of all US Government nodes can in theory reveal your IP as an educated guess, but it is not conclusive.

Using Tor outside of a browser and not on the Darknet/.onion network will defeat this attack. Personally, when I use Tor, I exclude all nodes that reside in a FVEY (Five Eyes) member country: that is US, CA, AU, UK and NZ. I use an open-source project called AdvTor to do this.

Pidgin is a messaging client that supports numerous protocols. The one I will focus on is XMPP, previously known as Jabber. The XMPP server I use is creep.im; you can add me using [email protected]. Here is a list of many XMPP servers.

There is no reason Pidgin shouldn’t be the MSN or ICQ of this decade. Most people have resigned themselves to using Facebook for their messaging needs, but this is a horribly insecure centralized target for … pretty much everyone. XMPP allows you to use any number of servers in any number of countries to route your conversations through, all with full encryption.

Here is a quick pictorial on how to get started with Pidgin (with OTR plugin).

Click Add…

Fill out the form as shown below, using your own username and password.

I am using Tor in this example. Simply install Tor and run it; the defaults will work. If you don’t want to do this, select ‘No Proxy’. The main benefit here with Tor (or any proxy) is keeping your location private from whomever you selected to handle your chat (creep.im in the example).

If all goes well you will get this screen. This is your actual registration so remember your password.

Confirmation that all is well.

Add your first buddy. Feel free to add me, [email protected], or the demo account I just made, [email protected]

When someone adds you, this is what it will look like.

The OTR plugin gives further security by providing end-to-end encryption and buddy authentication via secret phrases and questions. But even just using Pidgin over, say, regular Facebook is a huge improvement.

With the OTR plugin installed, go to Tools -> Plugins in Pidgin, select ‘Off-the-Record Messaging’ and hit ‘Configure Plugin’. Now press ‘Generate’.

If all goes well.

Now you will notice a new menu when chatting with buddies, and some new notices.

There are a variety of methods of ‘authenticating’ a buddy. The simplest is ‘Manual Fingerprint Verification’. For your first time encountering people, this is good: it will ensure that you’re communicating with the same person (the same OTR key) on the same machine you originally added.

Alternatively there is a secret question and answer. This is good for people you know well. If you know them well enough you won’t even need to tell them the answer :)

And that’s all there is to getting started with Pidgin.

Want to use XMPP on your phone? Get ChatSecure for Android. iOS users get Signal 2.0.

A project currently in development that I’ve been keeping an eye on is uTox. It allows sharing of your desktop, a webcam, pictures, or just regular chat, all securely, with encryption by design. Even better, it is ‘zero configuration’: you open it and you start chatting. No account, signup or registration.

From their GitHub:

“With the rise of governmental monitoring programs, Tox, a FOSS initiative, aims to be an easy to use, all-in-one communication platform that ensures their users full privacy and secure message delivery.

…

The goal of this project is to create a configuration-free P2P Skype replacement. “Configuration-free” means that the user will simply have to open the program and will be capable of adding people and communicating with them without having to set up an account. There are many so-called Skype replacements, but all of them are either hard to configure for the normal user or suffer from being way too centralized.”

Windows uTox Updater (installs uTox if it isn’t already)

You will end up with a ridiculously long ‘Tox ID’. For example, mine is 1E64DB1DFAEA2DBDE2204826CE649DA8A6BEC90C93BA16B7F557228B48FF234A1CD1876F268C. You can make this more human-readable at www.ToxMe.se. My human-readable Tox ID is [email protected]

Another project worth watching is BitTorrent Inc’s Bleep which is basically the same thing as uTox. Currently Bleep ‘looks’ better, but Tox has many more functions at the moment. Add me on Bleep with this slightly less ridiculously long string: 32969203ae7c11f935ea0b3b561656eed0d891d57da9ecf7641e91a50769cc69

Governments will eventually break this encryption or make it ‘illegal’ and brand everyone using it a thought criminal and/or terrorist. But until that happens, any one of these tools is an effective way to thwart mass surveillance and take back at least a little bit of your privacy. For now.

Check out my other article on mass surveillance, as well as some great talks from NSA whistleblower Edward Snowden.

Nigel Todman is an Independent Journalist, Technical Consultant, Social Activist, Web Developer and Computer Programmer from Ontario, Canada. Add him on Facebook and/or follow him on Twitter. E-mail: veritas [at] vts-tech [dot] org [PGP]

MIT 6.00.1x: Introduction to Computer Science and Programming Using Python

Download [PNG/PDF]

Verify the authenticity of this certificate at https://verify.edx.org/cert/e1fc04413dc14c04ae58c388094aa7e5

National Day of Action planned against Bill C-51 (#StopC51)

Originally published at the NAAIJ on Feb 28th, 2015. Check the NAAIJ for the most recent updates.

Follow us on Twitter @NAAIJ
Like us on Facebook NAAofIJ

Concerned Canadians across the nation are planning a National Day of Action on March 14th, 2015 against Bill C-51. I have previously reported on Bill C-51, as well as OpenMedia’s Stop Spying on Us campaign, over at The Fifth Column News.

We will add a link to the various protest locations as we discover them. E-mail your protest locations to [email protected] and they will be promptly added here. Please reference C-51 Day of Action in the subject.

List of locations in footer as well as some flyers.

The National Event Hub & Call to Action is here

An Open Letter signed by over 100 University Professors from across Canada is also available here. This was sent to all Members of Parliament on Feb 27th. This is in addition to yet another open letter signed by a chorus of Supreme Court Justices, Ministers of Justice, Solicitors General of Canada and a number of former Prime Ministers that was released on Feb. 19th

The full text of the call to action is as follows:

The government is about to ram through a “secret police” Bill C-51 that is:

1. Reckless: It turns CSIS into a ‘secret police’ force with little oversight or accountability.
2. Dangerous: It opens the door for violations of our Charter Rights including censorship of free expression online.
3. Ineffective: It will lead to dragnet surveillance and information sharing on innocent Canadians that even Stephen Harper has admitted is ineffective.

On March 14, people will gather together in communities across Canada for an emergency day of action to stop the government’s “secret police” law.

For more information visit OpenMedia.ca’s platform at: http://stopc51.ca/

Sign up for a day of action event in your community now at: http://action.StopC51.ca/

Leadnow.ca – À l’Action campaign:
https://leadnow.netdonor.net/ea-action/action?ea.client.id=1694&ea.campaign.id=35868

News release on impact of Bill C-51 by the BCCLA:
https://bccla.org/news/2015/02/release-canadian-rights-groups-decry-limited-parliamentary-committee-hearings-for-bill-c-51-proposed-major-national-security-reforms/

Media Inquiries:
BCGEU Communications
4911 Canada Way, Burnaby, B.C. V5G 3W3
Tel: (604) 291-9611
Email: [email protected]

LeadNow.ca has also set up a platform to help people set up events. Alternatively, you can just Create an Event on Facebook.


Alliston, Ontario Facebook Event Page
Antigonish, Nova Scotia Facebook Event Page
Bancroft, Ontario Facebook Event Page
Barrie, Ontario Facebook Event Page
Belleville, Ontario Facebook Event Page
Brampton, Ontario Facebook Event Page
Brantford, Ontario Facebook Event Page
Calgary, Alberta Facebook Event Page
Castlegar, British Columbia Facebook Event Page
Charlottetown, Prince Edward Island Facebook Event Page
Collingwood, Ontario Facebook Event Page
Courtenay, British Columbia Facebook Event Page
Edmonton, Alberta Facebook Event Page
Fergus, Ontario LeadNow ‘Snap Action’ Page
Fredericton, New Brunswick LeadNow ‘Snap Action’ Page
Guelph, Ontario Facebook Event Page (Alt)
Halifax, Nova Scotia Facebook Event Page
Hamilton, Ontario Facebook Event Page
Kamloops, British Columbia Facebook Event Page (Alt)
Kitchener, Ontario LeadNow ‘Snap Action’ Page
Lindsay, Ontario LeadNow ‘Snap Action’ Page
London, Ontario Facebook Event Page
Mississauga, Ontario LeadNow ‘Snap Action’ Page
Moncton, New Brunswick Facebook Event Page
Montreal, Quebec Facebook Event Page
Nanaimo, British Columbia Facebook Event Page
Nelson, British Columbia Facebook Event Page
Newmarket, Ontario Facebook Event Page
North Bay, Ontario LeadNow ‘Snap Action’ Page (FB Event)
Orangeville, Ontario LeadNow ‘Snap Action’ Page
Orillia, Ontario Facebook Event Page
Ottawa, Ontario Facebook Event Page
Owen Sound, Ontario Facebook Event Page
Peterborough, Ontario LeadNow ‘Snap Action’ Page
Port Moody, British Columbia Facebook Event Page
Prince George, British Columbia LeadNow ‘Snap Action’ Page
Regina, Saskatchewan Facebook Event Page
Saint John, New Brunswick Facebook Event Page
Sarnia, Ontario Facebook Event Page
Salt Spring Island, British Columbia Facebook Event Page
Saskatoon, Saskatchewan Facebook Event Page
Stratford, Ontario Facebook Event Page
St. John’s, Newfoundland Facebook Event Page
Sudbury, Ontario Facebook Event Page
Toronto, Ontario Facebook Event Page
Vancouver, British Columbia Facebook Event Page
Vernon, British Columbia Facebook Event Page
Victoria, British Columbia Facebook Event Page
Windsor, Ontario Facebook Event Page
Winnipeg, Manitoba Facebook Event Page

Use the hashtags #C51DayOfAction, #StopC51 & #StrkDownC51. #cdnpoli would also be good to use (throw a #StopHarper in there too if you feel like it).

Here is an informative video from University of Ottawa law professor Craig Forcese (Source).

People are also encouraged to change their profile pictures, avatars and cover photos to the following image:

Here are some flyers:

Nigel Todman is an Independent Journalist, Technical Consultant, Social Activist, Web Developer and Computer Programmer from Ontario, Canada. Nigel is also the Assistant Webmaster for the NAAIJ. Add him on Facebook and/or follow him on Twitter. E-mail: nigel [at] naaij [dot] org [PGP]
