Dont-Text.info / FightingGuy.info facebook worm - full analysis

Today another Facebook worm utilising clickjacking attack is spreading - as for now it has infected around 7000 profiles (yes, we do have the stats :). It's spreading, as usual, as a link on your friends' Facebook pages with the text I will never text Again After seeing this!!:

I will never text Again After seeing this!!

There are many variants available! - e.g. This American GUY must be Stoned to Death for doing this to a GIRL (NO SURVEYS)


Update: There are, as I suspected, additional domains that host the same worm - dangerous texts / domains are also (do a reverse IP lookup to see additional domains):

• happy-mc-meals.info - OMG... Look What This 6 YEAR OLD found in Her HAPPY MEAL from McDonalds! (NO SURVEYS)
• craziestguy.info - This American GUY must be Stoned to Death for doing this to a GIRL (NO SURVEYS)
• stupid-dress.info - Girl Gets Kicked Out Of School For DRESSING LIKE THIS! OMG!
• girls-secrets.us - 21 Things Women Can Do That Guys Cant!
• nevertexting.info
• never-text.info
• crazyamerican.info
• usabadguy.info
• guy-girl.info
• bad-meals.info
• usa-guy.info
• guy-fight.info
• usa-fight.info

Update 2: The scam continues. This time the scammer uses dont-text.tk domain with a really interesting disclaimer (see full text).

See below for analysis of what the worm actually does and to do some hacking with it. As a bonus, you will get a live page to analyze worm spreading.

I published the source code files for the dont-text.info worm, so feel free to consult them if you're interested in all the details. I will only discuss the actions of the worm from the user's and technical perspective here.

The worm is a simple clickjacking page. A target of the link promoted on Facebook is:
http://dont-text.info or http://fightingguy.info  (possibly other variants will come up soon). After clicking the link, you will see the page like this:

Worm home page

It's looking like Facebook, but it isn't. It's actually a document (index.html) and two nested iframes (main.php and widget.php). On the left is just a regular image suggesting that millions of people like this - this is fake, it's just a JPEG file (fans.jpg). The worm uses right click blocking Javascript (which is obviously easy to disable) to make it harder for viewers to analyze the source code. Here's the video to show you what does the worm look like from user's POV.

The video

The usual clickjacking

The page entices user into clicking on the video, which in fact is just a clickjacking trick - there is an invisible frame following the mouse that is positioned on the facebook like button - clicking the link will 'like' the page in Facebook, the effect on your Facebook page is:

Monitoring the clicks

But that's not the only thing that happens - the page constantly monitors what element is being clicked on.This is the relevant section in widget.php:

var timeFrame;
 $(function() { timeFrame=setInterval("FBAutoLike();", 1599);});
 function FBAutoLike(){
   if ( $(document.activeElement).attr('id')=="fbframe" ){
  clearInterval(timeFrame);myBoolean=1;
  document.location="http://dont-text.info/widget2.php"; // this is basically for redirection
   }
 }

So if you're clicking on the like button (document.activeElement is facebook like frame) - it will redirect to widget2.php page. This page wants you to like another domain link (e.g. if you're on dont-text.info, it wants you to like fightingguy.info etc.). For the user it only looks as if the first click "didn't work", so he has to click again, but what he really does is that he likes both pages.

It is possible that, server side, there is a whole pool of domains that would get randomly chosen to be liked by the user.

Let's make additional $$$

After doing the clicks , you will get redirected to widget3.php. This file uses ascendmedia.com afiliate network to display some survey and get more money. For me it currently looks like this, but your mileage may vary.

There doesn't appear to be any offers available for your country

The survey is configured by the attacker on the advertising network - he only loads the script http://adscendmedia.com/gwjs.php?aff=4462&prf=2130&sid= - see the source code files to see what the script does, but it's just a regular ad network stuff.

To complete the analysis, this is the graph showing what domains are involved when loading the worm pages. The graph was made using the excellent (but pretty low level) Fireshark extension.

*amung.us is are statistics widgets (see below),  tynt.com is yet another tracking page, adscentmedia.com serves surveys (and gives $$ to worm author).

Some statistics, please

The worm author was dumb enough to include a public tracker for the displayed pages, so he could monitor their usage. But he only hid it from being displayed to the user - after modifying the HTML source you can easily see that there is a hidden stats counter image with a link to detailed statistics page!

The bottom button was hidden, but it isn't now

So, you can check out and see how well is the worm spreading by using the following links:
http://whos.amung.us/stats/kjhjr07ypw93/ - for the http://dont-text.info page
http://whos.amung.us/stats/f37i8pb27p1f/ - for the http://fightingguy.info page
Update: http://whos.amung.us/stats/n8r959nxkqe0/ for http://dont-text.tk page
http://whos.amung.us/stats/pywmfia8ld97/ for http://girls-secrets.us

As for now, it looks as if each worm was viewed by several thousands of profiles, probably most of them are infected:

Detailed stats

Who is responsible?

Well, we have several methods of finding out who is personally responsible for this worm.

1. In the source code, there are several references to Sell your Facebook Fan pages : victorialinn@live.com, so this would be a good clue. Shame on you, Victoria.
2. The person taking money from the surveys has an affiliate id 4462 on ascendmedia.com
3. The page has a link to a Facebook application "Name The Fish" (app id 157919964238416 - link http://www.facebook.com/apps/application.php?id=157919964238416)  that links back to dont-text.info. The application was created by a developer named Raelene Murphy (FB profile id 100001214890936)
4. The whois for two domains (they were created just a few days ago) points to welovefb.info and youlovefb.info as the nameservers, the registrar data is:

Registrant Name:James Smith c/o Dynadot Privacy
Registrant Organization:
Registrant Street1:PO Box 701
Registrant Street2:
Registrant Street3:
Registrant City:San Mateo
Registrant State/Province:CA
Registrant Postal Code:94401
Registrant Country:US
Registrant Phone:+1.6505854708

Dynadot is the anonymizing company, but the name, James Smith, according to their FAQ, is real. The whois for welovefb.info is also in the source code files.

How to remove?

It's tricky to unlike a worm page like this in Facebook, you have to go through several steps. I've posted a video on how to do this:



Basically, go to your profile's Likes and Interests, edit the section, click "Show other pages" and remove the malicious ones. Not very user-friendly. FB doesn't offer any mechanism that I know of to report such pages, so e.g. the dont-text.info page is still active and attracting more users...

Update: The disclaimer

Today (25 Oct) the scammer launched yet another scam campaign using dont-text.tk domain, but this time he puts the CLICKJACKING DISCLAIMER in the footer:

This website is not created or affiliated with Facebook in anyway. Trademarks, service marks, logos, (including, without limitation, the individual names of products and retailers) are the property of their respective owners.
By clicking anywhere on this page, you acknowledge and you are giving full consent to use the 'like' feature of Facebook to 'like' this page and one other relevant page to promote the presence of this page on Facebook.
If you do not agree with the above terms, please exit this page immediately.

That's just hilarious :) Well, I guess we should all read disclaimers:)

What's new?

This worm is pretty standard clickjacking FB worm, but what's new is that it tries to like more than one page and it uses some pretty dumb user tracking functionality. Also, by using affiliate ID we could easily track down who is responsible for it.

If you're interested in more Facebook worms analysis, just click on the 'facebook' tag or do a search for facebook in this website. If you have any questions regarding this or other worms, just leave comment or contact me directly. Commenters: thanks for all the updates with new domains related to this scam. Keep them coming!