Dont-Text.info / FightingGuy.info facebook worm - full analysis

Today another Facebook worm utilising clickjacking attack is spreading - as for now it has infected around 7000 profiles (yes, we do have the stats :). It's spreading, as usual, as a link on your friends' Facebook pages with the text I will never text Again After seeing this!!:

I will never text Again After seeing this!!

There are many variants available! - e.g. This American GUY must be Stoned to Death for doing this to a GIRL (NO SURVEYS)


Update: There are, as I suspected, additional domains that host the same worm - dangerous texts / domains are also (do a reverse IP lookup to see additional domains):

• happy-mc-meals.info - OMG... Look What This 6 YEAR OLD found in Her HAPPY MEAL from McDonalds! (NO SURVEYS)
• craziestguy.info - This American GUY must be Stoned to Death for doing this to a GIRL (NO SURVEYS)
• stupid-dress.info - Girl Gets Kicked Out Of School For DRESSING LIKE THIS! OMG!
• girls-secrets.us - 21 Things Women Can Do That Guys Cant!
• nevertexting.info
• never-text.info
• crazyamerican.info
• usabadguy.info
• guy-girl.info
• bad-meals.info
• usa-guy.info
• guy-fight.info
• usa-fight.info

Update 2: The scam continues. This time the scammer uses dont-text.tk domain with a really interesting disclaimer (see full text).

See below for analysis of what the worm actually does and to do some hacking with it. As a bonus, you will get a live page to analyze worm spreading.

I published the source code files for the dont-text.info worm, so feel free to consult them if you're interested in all the details. I will only discuss the actions of the worm from the user's and technical perspective here.

"The Hottest girls on Facebook" everonia.com malware analysis

Another worm spreading with clickjacking technique is now active, targetting Facebook users. If your FB friends display something similar to this:

The hottest girls on facebook on everonia.com

don't follow the link. If you're curious, what is happening & how the attack works, read on.

Creating, obfuscating and analyzing malware JavaScript

I've translated my talk on Analyzing and Obfuscating Javascript-based malware to English:

Malware attacks on unaware Internet users’ browsers are becoming more and more common. New techniques for bypassing filters used by security vendors emerge. In turn, the filters are getting better, new analyzing tools are developed - the war continues. At the presentation you will learn how crackers are trying to hamper the work of security engineers, and how reversers are overcoming those problems. Emphasis will be placed on the weaknesses of automated tools - we’ll try to avoid detection by jsunpack and Capture-HPC, we’ll also trick Dean Edwards’ Unpacker.

Creating, obfuscating and analyzing malware JavaScript

View more presentations from Krzysztof Kotowicz.

The materials for the demos are on github. For Polish viewers - see the polish version of the talk.

The talk mentions jsunpack vulnerability where malware could detect that functions have been overloaded - I've done some research on how jsunpack could fix this by overriding toString better.

MakeMeLaughNow - analysis of new generation facebook worm

A new facebook worm malware application 'makemelaughnow' is out in the wild.
It escapes FB sandbox mechanisms and activates BEFORE displaying the credentials form -  only by visiting application home page you send messages to your friends and update your status.
As the news on niebezpiecznik.pl say, it uses Facebook mobile site (touch.facebook.com) to propagate. I did a quick analysis - Let's take a look on what's exactly going on in the app code.

Ultimate toString() override

As shown in my last talk on malware analysis, automatic malware detectors could be easily beaten by detecting their emulation layer. For example, malware could always use Function.toString() method to check if any function has been emulated by the sandbox. Today I raise the bar a little - we'll switch the toString() method in a way that is significantly harder to detect by malware authors.

Malicious Javascript talk - materials

I've published the talk from yesterday's OWASP meeting:

Update: English version

Creating, obfuscating and analyzing malware JavaScript

View more presentations from Krzysztof Kotowicz.

Tworzenie, zaciemnianie i analiza złośliwego kodu JavaScript

View more presentations from Krzysztof Kotowicz.

A/V recording of the talk - varlog.pl

Also - all the code from demonstrations is now published on GitHub, so you could take a look for yourselves (there even is an additional attack I forgot while giving the talk). Thank you for all the kind words - I really appreciate it. Personally I found Pawel's talk much more interesting and I kept taking notes as crazy :) Congratulations to you, Pawel! I'd like to hear your critical feedback on the talk - what one thing could be changed to make it better, were the examples ok, or maybe there was some confusion here and there, which part was boring etc. I'm still learning, although I must say that I really liked the subject presented.