Monday, October 18, 2010

Dont-Text.info / FightingGuy.info facebook worm - full analysis

Today another Facebook worm utilising clickjacking attack is spreading - as for now it has infected around 7000 profiles (yes, we do have the stats :). It's spreading, as usual, as a link on your friends' Facebook pages with the text I will never text Again After seeing this!!:

I will never text Again After seeing this!!

There are many variants available! - e.g. This American GUY must be Stoned to Death for doing this to a GIRL (NO SURVEYS)


Update: There are, as I suspected, additional domains that host the same worm - dangerous texts / domains are also (do a reverse IP lookup to see additional domains):
  • happy-mc-meals.info - OMG... Look What This 6 YEAR OLD found in Her HAPPY MEAL from McDonalds! (NO SURVEYS)
  • craziestguy.info - This American GUY must be Stoned to Death for doing this to a GIRL (NO SURVEYS)
  • stupid-dress.info - Girl Gets Kicked Out Of School For DRESSING LIKE THIS! OMG!
  • girls-secrets.us - 21 Things Women Can Do That Guys Cant!
  • nevertexting.info
  • never-text.info
  • crazyamerican.info
  • usabadguy.info
  • guy-girl.info
  • bad-meals.info
  • usa-guy.info
  • guy-fight.info
  • usa-fight.info
Update 2: The scam continues. This time the scammer uses dont-text.tk domain with a really interesting disclaimer (see full text).

See below for analysis of what the worm actually does and to do some hacking with it. As a bonus, you will get a live page to analyze worm spreading.

I published the source code files for the dont-text.info worm, so feel free to consult them if you're interested in all the details. I will only discuss the actions of the worm from the user's and technical perspective here.
The worm is a simple clickjacking page. A target of the link promoted on Facebook is:
http://dont-text.info or http://fightingguy.info  (possibly other variants will come up soon). After clicking the link, you will see the page like this:

Worm home page
It's looking like Facebook, but it isn't. It's actually a document (index.html) and two nested iframes (main.php and widget.php). On the left is just a regular image suggesting that millions of people like this - this is fake, it's just a JPEG file (fans.jpg). The worm uses right click blocking Javascript (which is obviously easy to disable) to make it harder for viewers to analyze the source code. Here's the video to show you what does the worm look like from user's POV.

The video



The usual clickjacking

The page entices user into clicking on the video, which in fact is just a clickjacking trick - there is an invisible frame following the mouse that is positioned on the facebook like button - clicking the link will 'like' the page in Facebook, the effect on your Facebook page is:

Monitoring the clicks

But that's not the only thing that happens - the page constantly monitors what element is being clicked on.This is the relevant section in widget.php:
var timeFrame;
 $(function() { timeFrame=setInterval("FBAutoLike();", 1599);});
 function FBAutoLike(){
   if ( $(document.activeElement).attr('id')=="fbframe" ){
  clearInterval(timeFrame);myBoolean=1;
  document.location="http://dont-text.info/widget2.php"; // this is basically for redirection
   }
 }

So if you're clicking on the like button (document.activeElement is facebook like frame) - it will redirect to widget2.php page. This page wants you to like another domain link (e.g. if you're on dont-text.info, it wants you to like fightingguy.info etc.). For the user it only looks as if the first click "didn't work", so he has to click again, but what he really does is that he likes both pages.

It is possible that, server side, there is a whole pool of domains that would get randomly chosen to be liked by the user.

Let's make additional $$$

After doing the clicks , you will get redirected to widget3.php. This file uses ascendmedia.com afiliate network to display some survey and get more money. For me it currently looks like this, but your mileage may vary.

There doesn't appear to be any offers available for your country
The survey is configured by the attacker on the advertising network - he only loads the script http://adscendmedia.com/gwjs.php?aff=4462&prf=2130&sid= - see the source code files to see what the script does, but it's just a regular ad network stuff.

To complete the analysis, this is the graph showing what domains are involved when loading the worm pages. The graph was made using the excellent (but pretty low level) Fireshark extension.

*amung.us is are statistics widgets (see below),  tynt.com is yet another tracking page, adscentmedia.com serves surveys (and gives $$ to worm author).

Some statistics, please

The worm author was dumb enough to include a public tracker for the displayed pages, so he could monitor their usage. But he only hid it from being displayed to the user - after modifying the HTML source you can easily see that there is a hidden stats counter image with a link to detailed statistics page!
The bottom button was hidden, but it isn't now

So, you can check out and see how well is the worm spreading by using the following links:
http://whos.amung.us/stats/kjhjr07ypw93/ - for the http://dont-text.info page
http://whos.amung.us/stats/f37i8pb27p1f/ - for the http://fightingguy.info page
Update: http://whos.amung.us/stats/n8r959nxkqe0/ for http://dont-text.tk page
http://whos.amung.us/stats/pywmfia8ld97/ for http://girls-secrets.us

As for now, it looks as if each worm was viewed by several thousands of profiles, probably most of them are infected:

Detailed stats

Who is responsible?

Well, we have several methods of finding out who is personally responsible for this worm.
  1. In the source code, there are several references to Sell your Facebook Fan pages : victorialinn@live.com, so this would be a good clue. Shame on you, Victoria.
  2. The person taking money from the surveys has an affiliate id 4462 on ascendmedia.com
  3. The page has a link to a Facebook application "Name The Fish" (app id 157919964238416 - link http://www.facebook.com/apps/application.php?id=157919964238416)  that links back to dont-text.info. The application was created by a developer named Raelene Murphy (FB profile id 100001214890936)
  4. The whois for two domains (they were created just a few days ago) points to welovefb.info and youlovefb.info as the nameservers, the registrar data is:
Registrant Name:James Smith c/o Dynadot Privacy
Registrant Organization:
Registrant Street1:PO Box 701
Registrant Street2:
Registrant Street3:
Registrant City:San Mateo
Registrant State/Province:CA
Registrant Postal Code:94401
Registrant Country:US
Registrant Phone:+1.6505854708

Dynadot is the anonymizing company, but the name, James Smith, according to their FAQ, is real. The whois for welovefb.info is also in the source code files.

How to remove?

It's tricky to unlike a worm page like this in Facebook, you have to go through several steps. I've posted a video on how to do this:



Basically, go to your profile's Likes and Interests, edit the section, click "Show other pages" and remove the malicious ones. Not very user-friendly. FB doesn't offer any mechanism that I know of to report such pages, so e.g. the dont-text.info page is still active and attracting more users...

Update: The disclaimer

Today (25 Oct) the scammer launched yet another scam campaign using dont-text.tk domain, but this time he puts the CLICKJACKING DISCLAIMER in the footer:

This website is not created or affiliated with Facebook in anyway. Trademarks, service marks, logos, (including, without limitation, the individual names of products and retailers) are the property of their respective owners.
By clicking anywhere on this page, you acknowledge and you are giving full consent to use the 'like' feature of Facebook to 'like' this page and one other relevant page to promote the presence of this page on Facebook.
If you do not agree with the above terms, please exit this page immediately.

That's just hilarious :) Well, I guess we should all read disclaimers:)

What's new?

This worm is pretty standard clickjacking FB worm, but what's new is that it tries to like more than one page and it uses some pretty dumb user tracking functionality. Also, by using affiliate ID we could easily track down who is responsible for it.

If you're interested in more Facebook worms analysis, just click on the 'facebook' tag or do a search for facebook in this website. If you have any questions regarding this or other worms, just leave comment or contact me directly. Commenters: thanks for all the updates with new domains related to this scam. Keep them coming!

32 comments:

Anonymous said...

Well, it came too late for me, but thanks for the detailed analysis

Andy said...

I have a friend who "likes" these two pages, seems to be exactly as you've detailed. Is this malicious, should my friend be concerned about personal information being disclosed or malicious code residing on their PC? Is there any action that needs to be taken?

Unknown said...

@Andy

No, I didn't encounter any malware being served, it's just for getting people to fill out the survey so he could get $$$. But you never know, it might serve malware only for given browsers etc. I'd say - don't worry, just tell your friend to remove the 'likes' so it doesn't spread more.

Andy said...

I'll pass it on. Thanks indeed, Andy

Anonymous said...

Hi

This may sound stupid but how do you remove the likes? There doesn't seem to be anywhere to unlike the pages. :/

Anonymous said...

I found how to remove it. :D

Thanks for an interesting read.

Unknown said...

@anonymous

good for you, maybe you found a better way than me (I've posted the video). If so, please share in the comments.

Peter said...

If you turn off "platform applications" in your FB privacy settings, the clickjacking won't work. Instead, you'll get a popup telling you that you've turned off platform applications and asking you if you'd like to turn them on. If you just close the popup, it won't add the "like".

Anonymous said...

Thanks for posting this!!! It got me! ...but I was able to remove it from my FB Profile Info section and from my FB Wall Feed within about 15 mins, thanks to a quick Google of the page name, and your detailed info. Hopefully no damage done. :)

Anonymous said...

I opened this page but I have firefox with no script running. I actually clicked on the video looking image and nothing happened. I was too suspicious of the thing to allow the site's scripts so do you think I avoided the whole mess?
Thanks, Greg

Anonymous said...

For some odd reason, Facebook blocked me from sharing this on my profile. It's been marked as abusive.

Anonymous said...

hallo, i was able to delete it from my likes, but not from my info page, it's still “xy likes....“ there. Can anybody help? (can't see your video)

Unknown said...

Very interesting analysis. Go on with that.

Pam said...

I saw one today with stop-texting.info if you care to add it.

Larry Smithmier said...

Thank you for the analysis! I know better, really I do, but when I saw the link from a friend I clicked and was infected. I was able to disinfect myself, and passed the link to my friend who also removed the page. Great depth of analysis and superb follow through.

Anonymous said...

http://www.girls-secrets.us/ is another one click jacking site.

Anonymous said...

I could get the like of my profile feed but it´s still in my "interests and likes". How do I remove it from there?

Momenth said...

A suggestion for the display of the domains of the click-jacking sites. When printing it on the blog, can you separate between the dots because when linking the blog on Facebook it is flagged as inappropriate.

I guess that some of the domains is in the facebook filter already, but not all.
But that effectively stops us from warning people, ironically.

Anonymous said...

Thanks for the info! I was one of the idiots that fell for it!

Anonymous said...

"Anonymous said...
I found how to remove it. :D

Thanks for an interesting read."

>> please tell me ! i can't find any way to remove this %*$# page !! even when i try to edit my profile, i can find the link "this american guy must..." but i can't remove it... please help me ! i've tried everything !

Anonymous said...

For somebody who wants to mess with the person, the person is known as dpshit on Hack Forums.

http://www.hackforums.net/archive/index.php/thread-179612-8.html

Anonymous said...

Thanks for the help. I check the source and found the email so I googled that and found this page. Thanks again.

dame said...

thanks for sharing this!!

Imran said...

Try http://www.ipfingerprints.com which is a good tool to find out information about an IP address, it also does reverse IP.

Woeuh said...

Useful info; thanks!

anon said...

 i can't remove it.. waaaaaah!

Rudo Devesh said...

 i can't remove it..

Hack Facebook said...



Hi there! I could have sworn I’ve visited this site before but after going through many of the posts I realized it’s new to me. Regardless, I’m certainly pleased I came across it and I’ll be bookmarking it and checking back frequently! Learn how to hack a facebook account. Visit www.hackfbaccount.org for the latest facebook hacking tips, information and tools.





Your style is so unique compared to other folks I've read stuff from. Thank you for posting when you have the opportunity, Guess I will just book mark this blog. Ever wanted to hack your friends or foes facebook account? Just visit www.hackfbpassword.org and hack anyboy today. No strings attached. It takes just 2 minutes to hack any facebook account.

Hack Facebook said...



I’m impressed, I must say. Seldom do I come across a blog that’s equally educative and entertaining, and without a doubt, you have hit the nail on the head. The problem is something that too few folks are speaking intelligently about. I am very happy I stumbled across this during my search for something regarding this. Visit www.hackfbaccounts.org to download facebook profile hacker and facebook hacker. Online facebook hacker and its all free now download www.hackfbaccounts.org.

Malik Gupta said...

Hack Facebook

Malik Gupta said...

yes you can Hack Facebook they provide phishing and hacking software

davey said...

< a href="http://www.fbhackz.com" >Facebook Password Hack< /a>