Sunday, February 10, 2013

All your Facebook Worms are belong to us !

Hello guys,

It's my first post after a while of being offline ,hopefully to be worth the delay .

A couple of days ago ,while i was surfing facebook pages ,one of my friends posted about 2 ~ 5 successful posts on my wall .They weren't some usual games/apps links ,they were a url to an external link to some kind of spamming pages ( humm .. unusual ) .
My friend -whom using Chrome browser- did some fuzzing on that site ,and found that ,when somebody clicks that link ,it takes the victim to an external site ,that site is in turkish language and has a button inside ,which when clicked ,downloads and installs automatically a Chrome's extension which in turn makes use of all user data gathered ,and makes use of the facebook account by spreading his worm worldwide .

So now ,a lot of questions can be asked here :
-What is that site ?
-How is it able to take advantage of my facebook account ( or other data ) ?
-What kind of data can be gathered by this worm ?

All these questions can be answered after doing a tiny analysis on the process and steps of this worm .

First of all, let's start by doing the same steps of a user who is going to click on that link ,the shared url is :

When we click on that url ,we are taken to a page that looks like this :

Weird enough !!
The story starts when clicking on that button ( Guncelle ) .When looking into the source code of this page ,we will find that this whole page is just an iframe ,which underneath exists the real malicious site which is :


When clicking on that *virtual* button ,we are actually triggering this javascript code :

var is_opera=navigator.userAgent.toLowerCase().indexOf("opera")>-1;
var is_chrome=navigator.userAgent.toLowerCase().indexOf("chrome")>-1;
var is_safari=navigator.userAgent.toLowerCase().indexOf("safari")>-1;
var is_firefox=navigator.userAgent.toLowerCase().indexOf("firefox")>-1;
else if(is_firefox)
else if(is_opera)
    var inst=""
function go()
What this code actually does is simply ,checking on what browser the victim is surfing the page on ,by checking the SIP userAgent header ,and after that it redirects the user to the valid page based on his browser .

Here ,and because my friend was running chrome ,it will redirect us to :

 This page contains a javascript function named kur() which is defined as follows :
function kur(){
var is_chrome=navigator.userAgent.toLowerCase().indexOf("chrome")>-1;
        alert("Birazdan Çikan Pencerede Ekle Butonuna Tiklayiniz!");
else {
 Again ,it's checking if the victim is running Chrome ,if no it redirects him back to the index page which is the main site running beyond the iframe ,which in turn will see what browser is he running from and redirects him to the valid page ,otherwise ,it executes chrome.webstore.install() function .

So what does this function mean ?! As Chrome's developers page shows :

Once you've published your app or extension, you may be wondering how users will find and install your app. For users who browse the Chrome Web Store and find your item, its a very easy one-click process to install it. However, if a user is already on your site, it can be cumbersome for them to complete the installation - they would need to navigate away from your site to the store, complete the install process, and then return.
As of Google Chrome 15, you can initiate app and extensions installations "inline" from your site. These apps and extensions are still hosted in the Chrome Web Store, but users no longer have to leave your site to install them.
When users install the app, they will see an installation confirmation dialog similar to the one pictured above .Just like the dialog displayed when installing directly from the Chrome Web Store, it lists all of the permissions that your app or extension is requesting. Additionally, this dialog includes the average Chrome Web Store rating and the number of users, giving users extra confidence about what they are about to install.
 The prototype of this inline function looks like this :
chrome.webstore.install(url, successCallback, failureCallback)
It's similar to a "google api" for web applications .It takes three parameters ,we will concentrate on the most important one which is the url from which the function will get the application from .Now when we return to kur() function , we can notice that it's getting an application named : Live Broadcast ,which can do the following as its main webstore page details :
This extension can access:
  • Your data on all websites
  • Data you copy and paste
  • Settings that specify whether websites can use features such as cookies, JavaScript, and plug-ins
  • Your browsing history
  • Your list of installed apps, extensions, and themes
  • Your tabs and browsing activity
So ,continuing with the function kur() ,after getting the application from google web store ,it will use a javascript function named alert() which pops up a message box and then asks the user if he wants to add Live Broadcast extension for Chrome or not via chrome.webstore.install() function .The trick is that it will stay calling kur() function recursively every time the user closes the alert message box and again the extension confirmation box will still pop up until the user accepts it .

And that way ,the worm works and can let the hacker make use of the data anyhow he wants .

It's too dangerous to click on any link you see ,specially from unknow senders or at social sites ,make sure that you know what you are clicking on ,as well as whom sent it before actually clicking on it.

[~]Special thanks go to Eyad Warraky for discovering the worm ,as well as letting me do this beautiful worm analysis ,Thx  ;-)