
July 16th, 2012

Click for me, thanks!

Social sites are great for people who want to monetize their ideas. But sometimes these ideas are far more sinister.

Over the last few weeks, researchers at the Avast antivirus labs in Prague have noticed a new attack based on a combination of social sites, fake Flash Players and the promise of illicit videos of well-known Hollywood stars.

A number of users have complained that their Twitter and Facebook accounts are spreading links inviting people to see an explicit ‘home movie’ of Hollywood star Kirsten Dunst. There is of course no such movie; instead the link sends users to a fake “Facebook style” site that convinces them they can download the movie as well as various pictures. The fake “Facebook style” site is also backed up by comments from other supposed Facebook users.

However, if a visitor clicks on the video, a warning pops up claiming that they have an out-of-date Flash Player, with a prompt to download an update. This is a perfect example of a social engineering attack: it sets up a bait and then asks for an innocuous update, which requires user interaction to progress the attack. We’ve also seen farms of legitimate-looking porn sites which act as proxies of other video sites and simply replace the videos with the same fake Flash Player links.

In this case the update of the so-called Flash Player should immediately ring some alarm bells: it is not digitally signed, it comes from an unverified author and it has a suspicious source link. If the user installs the fake update, the supposed video is still not served, as it does not exist. Instead the attacker has effectively turned the user into an unwitting zombie visiting these sites, due to the infection from the fake Flash Player.

This attack is aimed at making money from click fraud, but the same idea can be used for more dangerous things like spreading keyloggers to intercept critical credentials for online transactions. Our advice is that if you are offered an update for Flash or another browser plugin – stop, manually browse to the legitimate developer site and get it from there (if you need it at all). In the case of Flash, the update is freely available from the secure www.adobe.com website.

The attack starts with posts on Facebook and Twitter. The creator probably created several fake accounts and started posting links; as it seems, infected users can also post such links without their knowledge.

We found that there were two kinds of links. One of the links leads to a site like . Running this executable file writes an entry inside the Run registry key. This file is a clicker, which downloads a list of target URLs to click.

The second way is a little bit different. The user is redirected to . We found three different possibilities: id=1 is the payload for Firefox (XPI addon), id=2 is for Google Chrome (CRX addon) and id=3 is i.exe (MSIE BHO).

This Firefox addon (as well as the Chrome addon) contains a script, which is packed by Dean Edwards’ packer. After running, this script changes some settings in the Firefox configuration, as you can see in the next picture.

It sets several new variables inside. All those new values start with TestAddon. There are two websites hidden under encryption in two of the variables – TestAddon.buri, which is the link, and a fallback address . The user’s GUID is set in TestAddon.guid. It is a 32-character hex string.
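To show how a defender can check a Firefox profile for the preference names described above, here is an added example (not code from the original post or from the Avast lab). It parses `user_pref(...)` lines in the shape of Firefox's prefs.js, collects every preference whose name starts with the `TestAddon.` prefix, and validates that `TestAddon.guid` is a 32-character hex string as the write-up states. The sample prefs.js excerpt is constructed; the GUID and the `TestAddon.buri` value are placeholders, not values from the real malware.

```python
import re

# Constructed prefs.js excerpt: the TestAddon.* names follow the write-up,
# the values are placeholders (not real infection artifacts).
SAMPLE_PREFS = '''\
user_pref("browser.startup.homepage", "about:home");
user_pref("TestAddon.guid", "0123456789abcdef0123456789abcdef");
user_pref("TestAddon.buri", "ZW5jcnlwdGVkLXBsYWNlaG9sZGVy");
user_pref("network.cookie.cookieBehavior", 0);
user_pref("dom.disable_open_during_load", true);
'''

# One prefs.js line: user_pref("<name>", <value>);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+)\);\s*$')

# A GUID as described in the post: exactly 32 hex characters.
GUID_RE = re.compile(r"[0-9a-fA-F]{32}")


def parse_prefs(text):
    """Return {name: value} for every well-formed user_pref line.

    String values lose their quotes, booleans become bool, integers become
    int; anything else is kept as the raw token. Malformed lines are skipped.
    """
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw
        prefs[name] = value
    return prefs


def find_suspicious(prefs, prefix="TestAddon."):
    """Return (hits, guid_ok).

    hits     - every preference under the given prefix
    guid_ok  - True only if <prefix>guid exists and is a 32-char hex string,
               i.e. matches the indicator the write-up describes
    """
    hits = {k: v for k, v in prefs.items() if k.startswith(prefix)}
    guid = hits.get(prefix + "guid")
    guid_ok = isinstance(guid, str) and GUID_RE.fullmatch(guid) is not None
    return hits, guid_ok


if __name__ == "__main__":
    found, ok = find_suspicious(parse_prefs(SAMPLE_PREFS))
    for name, value in sorted(found.items()):
        print(f"{name} = {value!r}")
    print("guid looks like the described indicator:", ok)
```

Run it against a real profile by reading `prefs.js` from the profile directory instead of `SAMPLE_PREFS`; a hit on the prefix alone is worth investigating even if the GUID check fails, since the prefix is the more stable indicator.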

On those sites there is a script with a link to sites like .

We discovered two different contents of js_f.php. The first one was used for spreading this attack via innocent users. That script updates the victim’s Facebook and Twitter status. It posts as their status the sentences “Kirst*en. Dunst ma**********g on hidden camera” and “It happened in United Stateshotel”, together with a link to bit.ly/MT**4S->  , and adds an image to the status from http://i.imgur.com/[HIDDEN].jpg.

This is used for redirecting users to download the fake Flash Player. This script has some interesting functions. It can solve a captcha by sending an HTTP request to . It steals the Facebook user’s session tokens and has a function to automatically like Facebook pages. It can also update the status with the text and link “LOL Miley Cyrus got caught having s3x http://tol.co/**”. After that it works like the second version of js_f.php.

The second discovered js_f.php contains a link to http://[HIDDEN]/search/anticheat6.php?username=foreste – we found many different sites of this kind.

From those sites the browser receives lists of sites, which are injected inside a hidden iframe that is served with every click in the browser. The purpose of this is financial gain for the creator of the malware.

For id=3 the fake Flash Player is offered for download. We found many different names for this file, like i.exe, FlashPlayer.exe etc. After installation, this file injects a BHO (http://en.wikipedia.org/wiki/Browser_Helper_Object). It works on the same model as the other IDs. The only difference is that it sends requests to sites like , and the response in r5.php is a base64-encoded script.

After decoding, there is the following data blob:

URL:http://[HIDDEN].com/|REFERER:http://the[HIDDEN]8000.com|TIME1:60000|REPEAT:2|CLEAN_COOK:0|
JS_INSERT:http://[HIDDEN]/jstest.js?17626719|JS_ENABLED:1|IMAGES_ENABLED:0|
SHIT_ENABLED:0|FRAMES_ENABLED:1|WEIGHT:6|JS_TIMES:15
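The blob above is a flat, pipe-separated list of KEY:VALUE fields, which makes it easy to turn into a structured task description for analysis. The following is an added example written for this post, not code from the original article or from the malware: it base64-decodes a blob, splits it on `|`, partitions each field on the first `:` (so URL values keep their `http://` scheme intact), converts the numeric fields to integers, and pulls out the URL-valued fields as indicators worth blocking or hunting for. The sample blob is constructed with placeholder `.invalid` hosts in place of the real (redacted) ones.

```python
import base64

# Constructed sample in the shape shown in the write-up; the hosts are
# placeholders, not the real command-and-control or referer sites.
SAMPLE_BLOB = (
    "URL:http://target.example.invalid/|REFERER:http://referer.example.invalid|"
    "TIME1:60000|REPEAT:2|CLEAN_COOK:0|"
    "JS_INSERT:http://cdn.example.invalid/jstest.js?17626719|JS_ENABLED:1|IMAGES_ENABLED:0|"
    "SHIT_ENABLED:0|FRAMES_ENABLED:1|WEIGHT:6|JS_TIMES:15"
)
# What r5.php would hand to the BHO: the same blob, base64-encoded.
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB.encode("utf-8")).decode("ascii")

# Fields the blob uses as numbers (timers, counters, on/off flags).
INT_KEYS = {
    "TIME1", "REPEAT", "CLEAN_COOK", "JS_ENABLED", "IMAGES_ENABLED",
    "SHIT_ENABLED", "FRAMES_ENABLED", "WEIGHT", "JS_TIMES",
}


def parse_blob(text):
    """Parse 'KEY:VALUE|KEY:VALUE|...' into a dict.

    Partitioning on the first ':' keeps 'http://...' values whole. A field
    without a ':' separator is treated as malformed and rejected, so a
    truncated or corrupted blob does not silently yield a partial task.
    """
    fields = {}
    for part in text.split("|"):
        if not part:
            continue  # tolerate the trailing '|' seen in the sample
        key, sep, value = part.partition(":")
        if not sep:
            raise ValueError(f"malformed field (no ':' separator): {part!r}")
        key = key.strip().upper()
        fields[key] = int(value) if key in INT_KEYS else value
    return fields


def decode_task(b64_text):
    """Decode the base64 wrapper and parse the blob inside it."""
    raw = base64.b64decode(b64_text, validate=True).decode("utf-8", "replace")
    return parse_blob(raw)


def extract_iocs(task):
    """Return the URL-valued fields: the sites the clicker will contact."""
    return sorted(
        v for v in task.values()
        if isinstance(v, str) and v.startswith(("http://", "https://"))
    )


if __name__ == "__main__":
    task = decode_task(SAMPLE_B64)
    print(f"visit {task['URL']} {task['REPEAT']}x, referer {task['REFERER']}")
    print(f"dwell {task['TIME1']} ms, run inserted JS {task['JS_TIMES']} times")
    for url in extract_iocs(task):
        print("IOC:", url)
```

For a sample captured from a live infection, feed the raw base64 text of the r5.php response to `decode_task` instead of `SAMPLE_B64`; the `JS_INSERT` URL is the one to pull next, since that is where the list of click targets lives according to the post.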

Inside jstest.js there are many links to different sites that are visited by the user’s browser, and the attacker gains money from the clicks. This file generates a DLL with a random name, which is dropped inside the system directory if the user is an administrator, otherwise in the temp directory.

To sum it up: the huge number of web plug-ins and updates that change on an almost daily basis can trick the average user into downloading malicious applications without realizing it. The attackers try to make these fake updates look real, and it is hard to tell the difference. Although this example is not really dangerous for the user, the same techniques could be used for much more malicious aims. What is also worth noting is the absence of detections of this malware by other AV products, with the exception of the executable files. This is a known problem for both the AV companies and the testers, who still tend to test only the binaries and not the whole chain of infection (in the case of this malware, no executable is needed for Firefox/Chrome).

Simple graph of how the various modules are interconnected:

List of URLs used for the attack:


Some VT links with detection statistics for various modules:

y.exe

https://www.virustotal.com/file/4424bcbe80175b848db47c85b3f80dcde7402abfbdb66b4111595adbc53d96d7/analysis/1342100809/

https://www.virustotal.com/file/5b83125e634df16d7fcb1492b79906d6814b3e5e67bf211c9b4c75b81c1a25c2/analysis/1342099082/

payload for Firefox (XPI addon)

https://www.virustotal.com/file/587828e222f9cd0abf2c226771775a472b556ca8e4855591100e3fdf35d87c98/analysis/

https://www.virustotal.com/file/35271d1cbda56be623e8cf53415f5774cc8cdf3d67701fed2e1e1f66e89ae126/analysis/1342099219/

payload for Google Chrome (CRX addon)

https://www.virustotal.com/file/904e6f562428c9ef3071c44f887b3a3ef8431c5680e6943518b6a44579c5355a/analysis/1342100608/

https://www.virustotal.com/file/e49a2af4de5adab848a0e5fb2fd7088462aa32b08f08270395d321c4ac64937b/analysis/1342099251/

payload for Microsoft Internet Explorer (MSIE BHO)

https://www.virustotal.com/file/439b6c2d92a8fa0f59cc07ab896ce741b76ecd9ea3db98725b5fb7c115d35774/analysis/1342099276/

https://www.virustotal.com/file/94da4e2272eb725f8173914b1a0361215c827337bce9f4d12a4337acf2fa636a/analysis/

j.php

https://www.virustotal.com/file/a25a51da36fe7bca535b9c5b9f2d10e11a7d6f2a124b11f586768d21b8768ad9/analysis/1342100410/

https://www.virustotal.com/file/61466cf82344470390f764aea410448d2b495e15cb95050524e7cf1f5ea392d0/analysis/

js_f.php – without FB functionality

https://www.virustotal.com/file/9965648a1121a1f167dbc293f06f9d7ff1658b019b0757731266d4de34264c01/analysis/1342099371/

js_f.php – with FB functionality

https://www.virustotal.com/file/9965648a1121a1f167dbc293f06f9d7ff1658b019b0757731266d4de34264c01/analysis/

Categories: analyses, lab, Virus Lab