MakeMeLaughNow - analysis of a new generation worm on Facebook (translation)
- Transfer
In a recent topic, they expressed the wish that it would be good if someone translated. I looked at the text - it seems not so much. Therefore, to whom it is interesting, we look ...
A new malicious worm application on Facebook has been released at will.
It avoids the sandbox mechanism on Facebook and is activated BEFORE the authorization form is shown - just by visiting the application page, you begin to send a message to your friends and update your status.
As stated in the news on niebezpiecznik.pl , it uses the Facebook mobile site (touch.facebook.com) for distribution. I quickly analyzed - let's see what exactly is in the application code.
Disclaimer: Do not do this at home - I am a professional stuntman and also like to live dangerously. Do not perform this analysis on your standard Facebook account, use a virtual machine in case any exploit is implemented there and so on. As soon as I found out that touch.facebook.com was involved, I added:
to / etc / hosts (this redirects all requests to touch.facebook.com to my computer), but please be careful. You have been warned.
The application’s home page looks like this:
All you can see is a few ads. But a lot of things are happening underneath this. Let's look at the Firebug network bar.
The application, even before requesting any permissions from you, already sends requests to touch.facebook.com, possibly sending messages and performing other actions on your behalf. These requests are marked in red in the screenshot (I blocked the Facebook mobile site). After that, the advertisement from be2.pl is loaded. So the application is definitely malicious.
Get
By itself, the code and HTML are in the
code "sandboxed" in the JSON file and looks like this:
After downloading the JSON file to the local disk and then extracting it (I used PHP & Spidermonkey for extraction and Eclipse for formatting) we get the final application code (see . step2_2.js) .
All Facebook applications are “ sandwiched ” in order to prevent them from linking to the global window object (so that they cannot change the Facebook page, redirect, send hidden forms, and so on). The following important things should be noted for this specific analysis:
All the code used in this post is hosted on github.com - look, this is really interesting.
After initialization, the application starts with the following declaration:
Thus, the application receives the title of one of its DOM elements and passes it to some function. What's in the title? Looking at the page code ( app.html ) we will see that it looks rather strange:
It looks like the header is something like a key that can be used to decrypt hidden application variables. And we are right. Actually, it
Ok, the application is confusing and uses the DOM object to decrypt its variables. But what does it do?
Let's look at ax_findvalues :
A new malicious worm application on Facebook has been released at will.
It avoids the sandbox mechanism on Facebook and is activated BEFORE the authorization form is shown - just by visiting the application page, you begin to send a message to your friends and update your status.
As stated in the news on niebezpiecznik.pl , it uses the Facebook mobile site (touch.facebook.com) for distribution. I quickly analyzed - let's see what exactly is in the application code.
Disclaimer: Do not do this at home - I am a professional stuntman and also like to live dangerously. Do not perform this analysis on your standard Facebook account, use a virtual machine in case any exploit is implemented there and so on. As soon as I found out that touch.facebook.com was involved, I added:
127.0.0.1 touch.facebook.com
to / etc / hosts (this redirects all requests to touch.facebook.com to my computer), but please be careful. You have been warned.
Take a quick look around
The application’s home page looks like this:
All you can see is a few ads. But a lot of things are happening underneath this. Let's look at the Firebug network bar.
The application, even before requesting any permissions from you, already sends requests to touch.facebook.com, possibly sending messages and performing other actions on your behalf. These requests are marked in red in the screenshot (I blocked the Facebook mobile site). After that, the advertisement from be2.pl is loaded. So the application is definitely malicious.
Get shorty code
By itself, the code and HTML are in the
apps.facebook.com/fbml/fbjs_ajax_proxy.php?__a=1
code "sandboxed" in the JSON file and looks like this:
After downloading the JSON file to the local disk and then extracting it (I used PHP & Spidermonkey for extraction and Eclipse for formatting) we get the final application code (see . step2_2.js) .
Sandbox
All Facebook applications are “ sandwiched ” in order to prevent them from linking to the global window object (so that they cannot change the Facebook page, redirect, send hidden forms, and so on). The following important things should be noted for this specific analysis:
- JS code and objects are in the prefix namespace (
aBIGNUMBER_variable_name
) - HTML objects have IDs using the namespace (
div id="appBIGNUMBER_name"
) (a div should be enclosed in triangular brackets, but with them the Habroredactor mercilessly twists, removed - approx. Transl. ) $FBJS
Used to prevent the application from linking to the global window object. For our purposes, you can assume that$FBJS.idx(a) === a
$FBJS.ref(this) === this
- For substitutions, I replaced BIGNUMBER with the letter 'x'.
All the code used in this post is hosted on github.com - look, this is really interesting.
Analysis
Clouding Method
After initialization, the application starts with the following declaration:
ax_domethod = ax_findvalues.firefunc(ax_document.getElementById('help_container').getFirstChild().getTitle());
Thus, the application receives the title of one of its DOM elements and passes it to some function. What's in the title? Looking at the page code ( app.html ) we will see that it looks rather strange:
class="m"
fbcontext="6ff9e32a4c8c"
title="choy:ketmdslqxb.ujpzgvnra/fiw_?="/>
It looks like the header is something like a key that can be used to decrypt hidden application variables. And we are right. Actually, it
choy:ketmdslqxb.ujpzgvnra/fiw_?=
is a dictionary - ax_create.help () function picks up characters from this dictionary to form URLs, field names and so on. Character offsets are defined in the slightly confusing variable ax_meth .Data scratching
Ok, the application is confusing and uses the DOM object to decrypt its variables. But what does it do?
Let's look at ax_findvalues :
var ax_findvalues = {
a : ((new ax_RegExp('st_.or._i.\\\x22 .al.e=\\\x22(.*?)\\\x22', ''))),
//