Facebook Malicious W0rm !

Hi Everyone,

Phishers became more professional , using various ways to get users credentials, Facebook is one of the popular websites that is apt to such attacks.

Today i want to share with you guys this blog post concerning a malicious code that is widespread all over the internet. Recently I was tagged in a post by a friend on Facebook, so i checked this post and i found that it’s about a new method to “Hack Facebook accounts” as i wanted me too to hack some Facebook accounts ( lol :p ) i was curious on how can i do it, then i found these steps :

  1. First go to your victim’s profile.
  2. Select Inspect Element.
  3. Copy the code from this link : http://pastebin.com/raw.php?i=PwMMAP19(o_O).
  4. Now paste the script into the box given blow (Console).
  5. Press Enter and after 10 seconds you’ll get a message from your victim includes his email and password.

I didn’t follow these steps of course, I suspected something wrong so on i checked directly the link. I found that it contained some obfuscated JavaScript, I took a fast look trying to understand what this script does to hack Facebook accounts, I noticed that it’s not clear so far ( hex encoding/not structured code) generally not fully understandable. My curiosity growth and i tried to examine it deeply. Consequently i copy the code to a JavaScript beautifier in order to reveal the hidden sections, after decoding it i was looking at the code, it revealed some sections but still not fully comprehensible, there were a few methods that were designed to be confusing, and then several strings and arrays that would eventually be decoded using another way and executed to understand the code.

At the beginning i thought i’m facing a kind of Luckysploit malwares, so in this case i have to find better ways to run javascript in a secure environment to minimize the risks that go with executing it. I didn’t see any tool could be built to generically deobfuscate this code completely. I got Malzilla in my hands so i sent the sample to Malzilla Decoder and i tried to run the script away from my Facebook account or browser and show eval() result in some parts of the code because it seems sending some POST Requests to Facebook server. Anyway this wasn’t able to get me the values I was looking for and if I had missed another eval() it’s possible that I could have executed what was clearly malicious code. I proceeded directly to manual analysis , i examined the code, it was clearly 9 main functions that sends many XHR requests to Facebook server and perform many actions, but initially the script brings some cookies like : c_user & fb_dtsg – to implement them later.

var fb_dtsg = document.getElementsByName(‘fb_dtsg’)[0].value;

var user_id = document.cookie.match(document.cookie.match(/c_user=(\d+)/)[1]);

In addition i noticed that the 3 last functions : [ Report(param), arkadaslari_al(id), RandomArkadas(), yorum_yap(id,param) ] appears to be obfuscated to make the code more disorganized using an easy method simply we have 2 arrays : _0xb161 & _0xa22c contains multiple elements hex encoded :

var _0xa22c = [“value”, “fb_dtsg”, “getElementsByName”, “match”, “cookie”, “1395443067381092”, “onreadystatechange”, “readyState”, “arkadaslar = “, “for (;;);”, “”, [……..] “status”, “close”];

I realized after that these elements are used to be implemented in the functions i already mentioned and passed around via a series of misleading assignments. Every time a function wants to use an element it sets a reference to it ( i.e :  _0xa22c[2] ==> “getElementsByName”). After digging around for a few minutes and coding a simple program to put each element in its place. Finally i got an organized and comprehensible code, Now it’s time to take a look to the tasks assigned to each function.

Deobfuscated & explained script here : http://pastebin.com/1hY0kwCk

We should now do a simulation of this process to ( get the victim email & password ohh i’m so excited ^^ :p) since we know what the code does & discovered the bad reasons behind coding this script. Besides once i executed this script following the steps above using a test accounts in an isolated environment to prevent any risky execution i got a strange behavior. The background of Facebook changes, a media player appears and auto-played, all the functions executed their tasks successfully, actual results was stealing your Facebook cookies and uses your account to like a series of pages,subscribe in a list, add profiles, auto follow,report a profile, Like and get tagged in a post. So the hole process results in gaining access to Facebook paths/sensitive Data.

fb  fb2

Moreover i was searching for many sources on the net to get a similar sample. Then i found many codes with different audio links : http://picosong.com/media/songs/XXXXXX so i suspected that maybe it’s used to run a crafted mp3 files ( i.e : used to exploit a 0-Day in browsers) or to run some malicious binaries. worse than that, i found some Add-ons that is used to such ends but some of them are deleted  like “Facebook Essential”, but many others still used for bad purpose.

To sum up i want to mention that these scripts can be extended to steal victim cookies easily or used on potential victim to loads a compromised web page or opens a malicious link. Contains often highly obfuscated Javascript that determines what is on the victim’s computers and loads all exploits to which this computer is vulnerable. So we wanted at the beginning to trap a victim and get his credentials but we are the real victim.

It’s just a quick post, hope you like it.

Stay tuned …

email : jigsaw0658@gmail.com