Analysing Facebook spam pages [Depth]

Spam alert. Avoid this.
I was browsing Facebook today when a link caught my attention.

Lol !Checkout this video its a very embarrassing moment for her

The moment I looked at it I knew it was spam, and since I didn't have much to do I tried to learn what it did.
After clicking on the link we get redirected to http://awts-on-tv6.blogspot.com/?video
Most people will try to watch the video, and for that the website requires you to download and install a plugin.
In this case that plugin is the "Youtube Premium Plugin" (cleverly crafted, or is it though?).
So I click on install plugin and B00m: all of my friends on Facebook have their walls +1'd by a new post
created by me (funny, I never did that),
and that post again changes randomly.
Lesson 1: never install those plugins.
But let's say that you did; of course I DID!
Then let's move to the next step: analysing.
Notice the top right corner: it says that I installed the plugin.
Even after installing, the video isn't visible, so I take it as spam.
Warning: if doing this kind of testing, log out of your Facebook profile beforehand. I will explain later why.

Now it is installed, and because I had logged off beforehand the plugin failed: none of my friends got spammed again, which would have led them to repeat what I accidentally did with my own sorry hands.

The next thing we do is go to the core of this plugin.
I already knew that Chrome lives in %homedrive%\users\<username>\appdata\local\google\chrome,
therefore if a plugin is actually installed it is residing in this directory for sure, unless it's some sort of malware; that I found to be a false claim, so yes, it's definitely spam.

Moving further, we have a folder called User Data inside the application folder.
Upon browsing all the folders and subfolders I finally found the place where plugins are installed:
C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\Extensions
There were two folders here at the time.
Opening them I found many files; one folder contained mibbit.png and the other contained icon.png.
Since one extension I had installed was the Mibbit IRC client and the other was this YouTube one we are currently trying to break down, we conclude that the other folder was our final extension.

In that folder there was only one file which could do anything to our browser, i.e. the .js file, JavaScript.
A section of that file I have shown in the image; notice the highlighted part.
In all of the JavaScript there is only one URL and no other malicious functions:
http://betterfinace.com/script.js
Thus my curiosity grew. Upon opening the file I got this:
another link, and opening this marked link I get the final thing. You can open the js link and it isn't malicious in any way, I assure you: your browser won't execute it and will only open the js file in text mode for you to see.
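Added example (not from the original post): a small Python triage script that walks a Chrome Extensions folder like the one above, pulls every http(s) URL out of each extension's .js files, and flags extensions that fetch a remote .js over plain http, which is all this plugin's own JavaScript did. It builds a constructed throw-away profile with two made-up extension folders instead of reading the real one; folder names and file contents are invented, and only the betterfinace.com URL comes from the post.

```python
import re
import tempfile
from pathlib import Path
# Absolute http(s) URLs inside extension JavaScript, stopping at quotes/brackets.
URL_RE = re.compile(r"""https?://[^\s'"<>)]+""", re.IGNORECASE)

def scan_extensions(extensions_dir):
    """Walk a Chrome 'Extensions' folder and collect the http(s) URLs found
    in each extension's .js files, keyed by extension folder name."""
    findings = {}
    for ext_dir in sorted(Path(extensions_dir).iterdir()):
        if not ext_dir.is_dir():
            continue
        urls = set()
        for js_file in ext_dir.rglob("*.js"):
            text = js_file.read_text(encoding="utf-8", errors="replace")
            urls.update(URL_RE.findall(text))
        findings[ext_dir.name] = sorted(urls)
    return findings

def remote_script_loaders(findings):
    """Extensions that reference a remote .js over plain http: a tiny stub that
    fetches its real payload from elsewhere, the pattern the post describes."""
    return sorted(name for name, urls in findings.items()
                  if any(u.lower().startswith("http://") and u.lower().endswith(".js")
                         for u in urls))

def build_sample_profile():
    """Constructed throw-away Extensions folder standing in for the real one:
    a benign IRC client and the spam plugin. Folder names and file bodies are
    made up for this example; only the script URL is the one from the post."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    benign = root / "ext_mibbit_irc_client"
    benign.mkdir(parents=True)
    (benign / "mibbit.png").write_bytes(b"")
    (benign / "client.js").write_text("var server = 'irc.example.test';\n")
    spam = root / "ext_youtube_premium_plugin"
    spam.mkdir(parents=True)
    (spam / "icon.png").write_bytes(b"")
    (spam / "loader.js").write_text(
        "// stub: pulls the real payload from a remote host\n"
        "var src = 'http://betterfinace.com/script.js';\n")
    return root

if __name__ == "__main__":
    results = scan_extensions(build_sample_profile())
    print(results)
    print("remote script loaders:", remote_script_loaders(results))
```

On a real machine, point scan_extensions at the Default\Extensions path quoted above; anything that shows up in remote_script_loaders deserves the same look this plugin got.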
The first function, enchulatuFB, tells us that the coder of this thing is of Spanish origin.
The next thing we note is tons of functions.
1st: uses iframes to post some data.
2nd: the highlighted part says the following in the message box; read the comments for more information. For now remember that it puts the images given in the message box on the screen, like in the first image I showed; check out the girl at the bottom. That's the image this function loads.
Also note that malicious attackers can infect your PC with a string like aaaaasdhjhnfajsdasldlas, so don't try to execute such strings, since they can be plain machine code which can harm you in any possible way. Avoid direct execution of gibberish code at all costs. What I did, alert(string.convert.....);, was stupid; don't do that.
3rd function: reads the browser's cookies and stores them somewhere.
4th function: sets the cookie passed by parameter.
5th and 6th functions are used together to set predefined strings in different orders,
like
 'check this out ... shocking ',' This shocking ...', 'I hate it happened to her ..'
  'check this out ... OMG ',' Ehey ',' Hey ',' Hey! ',' LOL ',' Hello! ',' Look! ',' This is sic.. ',' Damn!'
    'u wont believe! ',' check this embarrassing video ',' why did this happen to her?'
    ' Bizarre . '
thus explaining the random order of strings which I and my friends got after infection.

Last and finally, the fb_comparte function uses Facebook's cookies to generate new requests for the browser, to enumerate the friends of the victim and post the aforementioned strings on every one of their walls, thus making this campaign a hit. :)
For a better understanding of the JavaScript, read some good books, then check the js file out.
It will explain everything about how elements of a webpage are grabbed to view friend lists and how a [POST] request can send data to another user using forms; as a result their walls can get flooded with such spam.
I hope you will have understood how to analyze anything like this if it comes up in future.


1 comment:

Unknown said...

How to remove the spam from my FB account?
