MakeMeLaughNow - analysis of a new generation worm on Facebook (translation)

Original author: KRZYSZTOF KOTOWICZ
  • Translation
In a recent thread, people expressed the wish that someone would translate this. I looked at the text - it does not seem that long. So, for anyone interested, here it is ...


A new malicious worm application has been released into the wild on Facebook.

It bypasses Facebook's sandbox mechanism and is triggered BEFORE the authorization form is shown - just by visiting the application page, you start sending messages to your friends and updating your status.
As reported on niebezpiecznik.pl, it uses the Facebook mobile site (touch.facebook.com) for distribution. I did a quick analysis - let's see what is actually in the application code.

Disclaimer: do not try this at home - I am a professional stuntman and like to live dangerously. Do not perform this analysis on your regular Facebook account; use a virtual machine in case some exploit is embedded in there, and so on. As soon as I found out that touch.facebook.com was involved, I added:
127.0.0.1 touch.facebook.com
to /etc/hosts (this redirects all requests to touch.facebook.com to my own machine), but please be careful. You have been warned.

A quick look around

The application's home page looks like this:

[image: the application's home page]

All you can see is a few ads. But a lot is happening underneath. Let's look at the Firebug Net panel.

[image: Firebug Net panel showing the application's requests]

The application, even before requesting any permissions from you, is already sending requests to touch.facebook.com, presumably sending messages and performing other actions on your behalf. These requests are marked in red in the screenshot (I had blocked the Facebook mobile site). After that, the ad from be2.pl is loaded. So the application is definitely malicious.

Getting the code

The code and HTML themselves are returned by apps.facebook.com/fbml/fbjs_ajax_proxy.php?__a=1 as "sandboxed" code inside a JSON response, and look like this:

[image: the JSON response containing the sandboxed application code]

After saving the JSON to local disk and unpacking it (I used PHP and SpiderMonkey for the extraction and Eclipse for formatting), we get the final application code (see step2_2.js).

Sandbox

All Facebook applications are "sandboxed" to prevent them from accessing the global window object (so that they cannot modify the Facebook page, redirect, submit hidden forms, and so on). The following points matter for this particular analysis:

  • JS code and objects live in a prefixed namespace (aBIGNUMBER_variable_name)
  • HTML elements have IDs using the same namespace (div id="appBIGNUMBER_name") (the div should be enclosed in angle brackets, but the Habr editor mangles them mercilessly, so they were removed - transl. note)
  • $FBJS is used to prevent the application from accessing the global window object. For our purposes, you can assume that
    $FBJS.idx(a) === a
    $FBJS.ref(this) === this
  • For readability, I replaced BIGNUMBER with the letter 'x'.


All the code used in this post is hosted on github.com - take a look, it is really interesting.

Analysis

Obfuscation method

After initialization, the application starts with the following declaration:

ax_domethod = ax_findvalues.firefunc(ax_document.getElementById('help_container').getFirstChild().getTitle());

So the application takes the title of one of its DOM elements and passes it to some function. What is in the title? Looking at the page source (app.html), we see that it looks rather strange:
class="m"
fbcontext="6ff9e32a4c8c"
title="choy:ketmdslqxb.ujpzgvnra/fiw_?="/>


It looks like the title is a kind of key that is used to decode the application's hidden variables. And we are right. In fact, choy:ketmdslqxb.ujpzgvnra/fiw_?= is a dictionary (an alphabet): the ax_create.help() function picks characters out of it by offset to assemble URLs, field names and so on. The character offsets are defined in the slightly confusing variable ax_meth.
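To make the dictionary trick concrete, here is an added example (my own code, not the worm's): the alphabet is the real title string quoted above, but the offset tables are computed here by a small encoder, because the page does not reproduce the worm's ax_meth table. It also checks a property an analyst would want to verify: that the 32-character alphabet contains every character needed for the touch.facebook.com URLs and field names the post lists further down, i.e. it was purpose-built for exactly those strings.

```python
# Added example: dictionary-offset string obfuscation as used by the worm.
# ALPHABET is the real title attribute from the page; everything else is
# constructed here for illustration (the worm's own offset table, ax_meth,
# is not reproduced on the page).
ALPHABET = "choy:ketmdslqxb.ujpzgvnra/fiw_?="

# The decoded values the post lists later (m, ftarg, su, pid, lp, fhome, fbd).
DECODED_STRINGS = [
    "http://touch.facebook.com/message_send.php",
    "fra",
    "http://touch.facebook.com/submit_status.php",
    "post_form_id",
    "http://touch.facebook.com/reqs.php?id=",
    "http://touch.facebook.com/home.php",
    "fb_dtsg",
]


def encode(text, alphabet=ALPHABET):
    """Map a string to a list of offsets into the alphabet.

    This is the step the worm's author did ahead of time to build the offset
    table; it raises ValueError if the alphabet lacks a character.
    """
    return [alphabet.index(ch) for ch in text]


def decode(offsets, alphabet=ALPHABET):
    """What a function like ax_create.help() does at runtime: pick characters
    from the alphabet by offset and join them into the hidden string."""
    return "".join(alphabet[i] for i in offsets)


def missing_chars(strings, alphabet=ALPHABET):
    """Characters the alphabet cannot produce. An empty set means every
    listed string can be reconstructed from this alphabet alone."""
    return {ch for s in strings for ch in s if ch not in alphabet}


def unused_chars(strings, alphabet=ALPHABET):
    """Alphabet characters not needed by the given strings (in alphabet
    order); these presumably serve strings the post does not list."""
    used = set("".join(strings))
    return "".join(ch for ch in alphabet if ch not in used)


if __name__ == "__main__":
    # Constructed offset table standing in for ax_meth.
    table = {s: encode(s) for s in DECODED_STRINGS}
    for plain, offsets in table.items():
        assert decode(offsets) == plain
        print(f"{offsets[:8]}... -> {plain}")
    print("characters not covered by the alphabet:", missing_chars(DECODED_STRINGS) or "none")
    print("alphabet characters left over:", unused_chars(DECODED_STRINGS))
```

When reversing this kind of obfuscation by hand, the alphabet from the DOM plus the offset table is all you need: there is no key material beyond the title attribute, so a single pass over the offset table recovers every hidden string.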

Data scraping

OK, the application is obfuscated and uses a DOM element to decode its variables. But what does it do?
Let's look at ax_findvalues:
var ax_findvalues = {
    a : ((new ax_RegExp('st_.or._i.\\\x22 .al.e=\\\x22(.*?)\\\x22', ''))),
    // name="post_form_id" value= -- the form authenticator
    b : ((new ax_RegExp('b_d.s.\\\x22 v..ue=\\\x22(.*?)\\\x22', ''))),
    // value = type="hidden" id="fb_dtsg" name="fb_dtsg"
    c : ((new ax_RegExp('p.o..le\\.p.p\\?i.=(\\d+)\\\x22', ''))),
    // href="http://www.facebook.com/profile.php?id=xxx" -- your profile ID
    d : ((new ax_RegExp('na.e=\\\x22i.s\\[]\\\x22 v.l.e=\\\x22(.*?)\\\x22', 'gi'))),
    // name=ids[] value= -- your friend IDs
    //...
};


This variable contains very interesting regular expressions: they are used to extract your friends' IDs, your own ID and some unique authenticators (fb_dtsg, post_form_id) from the Facebook HTML that surrounds the application. Note the dots in the patterns: they stand in for letters of the real field names, so a plain text search for "fb_dtsg" in the script finds nothing. But the application cannot do anything with this data, since we are protected by the sandbox, right? Well, not quite.

Hacked by touch

Hacked by touch - a loose translation of the pun "Exploited by touch", which literally means that an exploit was used on the mobile site touch.facebook.com. - (transl. note)


Looking even deeper into the code, we can see that the obfuscated data actually is:
m=http://touch.facebook.com/message_send.php
ftarg=fra
su=http://touch.facebook.com/submit_status.php (status update)
pid=post_form_id
lp=http://touch.facebook.com/reqs.php?id=
fhome=http://touch.facebook.com/home.php
fbd=fb_dtsg
hc=fb_dtsg

So, most likely, the application contacts touch.facebook.com to send messages and update statuses. Again, we are right. The process itself:

  • ax_findvalues.firefunc() retrieves your friends' IDs and other data into the ax_sheep and ax_params variables (line 264)
  • A new form and iframe are created.
  • ax_methodaction (line 183) fills out a form on touch.facebook.com that sends the following message to some (at most 20) of your friends:
    i thought of you ...

    im using up my fb ad credits to send ua gift so HERE = http: //apps.facebook. com / makemelaughnow /
  • If you have more than 500 or fewer than 2 friends, your status is updated instead: "only go here if you are my TRUE friend http: //apps.facebook.com/makemelaughnow /" (the links are deliberately broken so that, God forbid, nobody clicks them. If the Habr editor disables link creation, it also disables automatic line breaks - transl. note).
  • The application adds itself to your account (line 297)
  • The ad is displayed and the application cleans up its objects.


Conclusion

What we see here is an application that apparently exploits a Facebook vulnerability: the mobile site uses the same authentication as the normal site, but is not protected by the sandbox mechanism. So instead of asking for permission to update your status, the application silently takes session data from the DOM and sends requests via touch.facebook.com, bypassing the sandbox protection and spreading quickly - very similar to a CSRF / session hijacking vulnerability. Clearly a bug on Facebook's side is being exploited. Lesson: do not forget about your mobile sites.
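To show the defensive side of that lesson, here is an added example (my own code; it models no real Facebook endpoint and all hosts, sessions and secrets are constructed). It contrasts a status-update handler on a "mobile" host that trusts the shared session cookie alone with a hardened version that requires a session-bound anti-CSRF token and a trusted Origin. The Origin check matters because, as the analysis above shows, the tokens themselves (fb_dtsg, post_form_id) could be scraped out of the DOM, so a token check by itself would not have stopped this worm.

```python
import hmac
import hashlib

# Added example: a minimal model of a status-update endpoint on a mobile host
# that shares its session cookie with the main site. Constructed values only.
SERVER_SECRET = b"CONSTRUCTED-server-secret"
TRUSTED_ORIGINS = {"https://touch.example.test"}   # the mobile site itself
SESSIONS = {"sid-alice": {"user": "alice", "status": ""}}


def csrf_token_for(session_id):
    """Per-session anti-CSRF token, playing the role fb_dtsg / post_form_id play."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def submit_status_vulnerable(request):
    """Trusts the session cookie alone. Any page the browser has loaded,
    including a third-party app frame, can post on the user's behalf because
    the browser attaches the cookie to the cross-host form submission."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 403
    session["status"] = request["form"].get("status", "")
    return 200


def submit_status_hardened(request):
    """Requires a token bound to the session AND a trusted Origin.
    A scraped-but-valid token is rejected when the post comes from another host."""
    sid = request["cookies"].get("sid")
    session = SESSIONS.get(sid)
    if session is None:
        return 403
    token = request["form"].get("csrf", "")
    if not hmac.compare_digest(token, csrf_token_for(sid)):
        return 403
    if request["headers"].get("Origin") not in TRUSTED_ORIGINS:
        return 403
    session["status"] = request["form"].get("status", "")
    return 200


def make_request(origin, form):
    """Constructed request: the browser always sends the shared session cookie."""
    return {"cookies": {"sid": "sid-alice"}, "headers": {"Origin": origin}, "form": form}


def simulate():
    """Replay three posts against both handlers and report the outcomes."""
    results = {}
    # 1. Cross-host post from an app frame without a token.
    from_app_frame = make_request("https://apps.example.test", {"status": "spam"})
    results["vulnerable_no_token"] = submit_status_vulnerable(from_app_frame)
    results["hardened_no_token"] = submit_status_hardened(from_app_frame)
    # 2. Same origin as before, but carrying a token lifted from the page DOM.
    with_scraped_token = make_request(
        "https://apps.example.test",
        {"status": "spam", "csrf": csrf_token_for("sid-alice")})
    results["hardened_scraped_token"] = submit_status_hardened(with_scraped_token)
    # 3. Legitimate post from the mobile site's own page.
    legitimate = make_request(
        "https://touch.example.test",
        {"status": "hello", "csrf": csrf_token_for("sid-alice")})
    results["hardened_legit"] = submit_status_hardened(legitimate)
    results["final_status"] = SESSIONS["sid-alice"]["status"]
    return results


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key:24s} {value}")
```

In the run, the vulnerable handler accepts the token-less cross-host post, while the hardened handler rejects both the token-less post and the one carrying a scraped token, and accepts only the same-origin request. One caveat for real deployments: very old browsers did not send an Origin header on form posts, so a production check should fall back to validating the Referer rather than treating a missing header as trusted.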

The original is here .

UPD.: as suggested in the comments, the parser mangles the links a bit, so to follow them, look where they lead and just correct them.

P.S. If you notice any inaccuracies in the translation, let me know - I do not know the Russian software lexicon perfectly.
