
I was tricked on Facebook into downloading an obfuscated script - yammesicka
http://security.stackexchange.com/questions/128254/facebook-tricked-me-into-downloading-an-obfuscated-script
======
my_first_acct
Maybe the wrong place for a newbie question, but here goes.

IF I am running up-to-date versions of Windows and Chrome, and I click on this
link, is it game over? Or do I get another chance to refuse installation of
whatever malware is in the payload?

~~~
thefreeman
You have to double click the downloaded file to execute it under Windows
Script Host

~~~
my_first_acct
Thanks. That is somewhat reassuring. The likelihood of my doing something
stupid/oblivious is higher than it should be, but the likelihood of being
stupid twice in a row is quite a bit lower.

~~~
jaredsohn
I imagine the likelihood of making incorrect decisions twice in a row is
higher in some contexts, though. For example, if you click a button that says
it will download a Flash update from some random website, I'm guessing there
is a good chance you will then run it afterward.

------
Kiro
> I got a notification on Facebook: "(a friend of mine) mentioned you in a
> comment". However, when I clicked it, Firefox tried to download the
> following file:

I interpret that as it started downloading when clicking the notification but
the picked answer suggests otherwise.

------
x0ner
_Disclosure: I used to work for Facebook's security team and focused on threats that impacted users on the platform._

The post outlines in some detail a common attack done by some actors known as
BePush/Kilim. I made a request for help in fighting these clowns months ago
on a private security working group. Here's the post below which outlines a
good amount of detail about the hacks and motives. If you are interested in
tracking these actors yourself, it's pretty easy once you find one of their
command and control servers.

Example:
https://www.passivetotal.org/passive/userexperiencestatics.net

From there, we can see the actors are using Cloudflare to obfuscate their
infrastructure, but we can make a pivot based on the WhosAmungUs IDs
(dsafagegg2 [1] and dsafagegg [2]) in order to find more websites owned by
these guys. It's a rat's nest that extends to hundreds of domains registered
weekly. Servers are typically hosted in places where legal action is difficult,
meaning the attacks seldom stop or go down completely.

[1] https://www.passivetotal.org/trackers/WhosAmungUsId/dsafagegg2
[2] https://www.passivetotal.org/trackers/WhosAmungUsId/dsafagegg

-----------------------------------------------

As promised, below is a quick high-level summary of the malware outlined in
the subject. We've been dealing with the malware for months and while some
would call it spam, we consider it malware simply because any of the
executables or Chrome extensions could be changed to steal passwords, credit
cards or every document off a system. We welcome any help in dealing with
these actors and would also be interested in new ways to combat malicious
extensions, both Chrome and Firefox, as those are only increasing in usage.

If you would like more information on the technical details of the binaries,
extensions or other loaders, feel free to shoot me a message. If there's
enough interest, I will just spam the list, but would prefer to keep this to
the higher level points, so others gain a better understanding of the threat.

-= Summary =-

BePush is a set of Turkish-based actors who use innovative techniques to
spread malicious code and spam through social networking sites and ad-based
networks. Those involved in the development of BePush malware are constantly
adjusting their TTPs to account for changes in detection or disruption. Actors
favor multiple levels of obfuscation through the use of short-url redirectors,
third-party hosting providers and multi-stage payloads. Despite high infection
rates, local law enforcement has yet to take an interest in pursuing those
actors involved.

-= Infection Process =-

Based on our logs, primary infection processes tend to occur through direct
traffic, followed by Facebook and various ad providers. Shortened URL links
are shared among users which typically traverse through a series of redirects
to a landing page mimicking Facebook infrastructure and using porn as a lure
to install a plug-in. Depending on the attacker behavior, payloads may be
delivered in the form of a Google Chrome extension (hosted within the store)
or through an executable (likely AutoHotkey, but could be PyInstaller based)
that later replaces Chrome with a version of Chromium with their malicious
extension.

Once installed, malicious code will make use of the Facebook Graph API in
order to make requests/posts on behalf of the infected user using a stolen
access token. In order to establish a high infection count, the malicious code
will often create pages with malicious links, post statuses/comments to the
user's friends and spam within certain application pages. Once the spreading
routine completes, the process generally begins again with the infected user's
friends.

-= Motives and Capabilities =-

It appears the primary motivation for the BePush actors is the money gained
through the sale of Facebook likes, followers or various ad-network and
affiliate partners. In some cases, Facebook observed BePush actors including a
bundled bitcoin miner, but it never appeared to gain much popularity.

From a capabilities perspective, actors involved with BePush appear to pay
attention to how their code is detected. When numbers begin to dwindle,
changes to the code or 3rd-party providers are made. Actors demonstrate a
level of understanding in .Net programming, Python, JavaScript and techniques
used to detect spam. We have also observed the actors repurposing browser
exploits, but we never saw these used against users.

-= Third-Party Provider Usage =-

BePush favors the use of free and open infrastructure in order to keep their
campaigns alive long enough to get a strong infection foothold. The following
providers have been observed in some capacity:

- Amazon AWS - Used for hosting content
- Dropbox - Used to host binaries
- Box.com (http://box.com/) - Used to host binaries
- Bitly - Used for redirection
- Tinyurl - Used for redirection
- Godaddy - Used for redirection
- WhosAmungUs - Used for campaign tracking
- Stellar - Used for bitcoin wallet hosting
- Imgur - Used for redirection
- Dot.tk - Used for redirection
- Google - Used for redirection, Chrome extensions and binary hosting
- CloudFlare - Used to obfuscate real infrastructure
- Microsoft Azure - Used to host binaries

-= Detection and Research =-

BePush has a limited set of providers they prefer to use and through industry
relationships, we have been able to put pressure on the attackers. Here are a
couple of items we noticed when doing disruption work that helped in making a
larger impact against the group.

- Using passive DNS data to identify other domains sitting on the same IP
  address (these guys don't use a lot of unique servers)
- Use ESET (_Facebook_) or Microsoft (_Kilim_) AV signatures to identify new
  binaries being used
- Polling whos.amung.us (http://whos.amung.us/) tracking pixels in order to
  identify/gauge recent campaigns
- Reaching out to 3rd-parties with domain and hash combination for takedown

-= Reference Hashes and Domains =-

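The passive DNS and tracker-ID pivots described in the post above, as an added example that is not code from the original post or from PassiveTotal: starting from one seed domain, it walks shared IPs and shared whos.amung.us tracker IDs to find related domains, while refusing to pivot through IPs that many unrelated sites share (a Cloudflare edge, as the post notes). All records and the `.example` domains are constructed sample data.

```python
# Added example (not from the original post): infrastructure pivot over
# constructed passive-DNS and tracker-ID observations.
from collections import deque

# Constructed passive-DNS resolutions: (domain, ip)
PDNS = [
    ("c2-one.example", "203.0.113.10"),
    ("c2-two.example", "203.0.113.10"),
    ("c2-two.example", "198.51.100.7"),
    ("lure-a.example", "198.51.100.7"),
    ("c2-one.example", "203.0.113.200"),      # shared CDN edge, see below
    ("unrelated.example", "203.0.113.200"),
    ("unrelated.example", "192.0.2.55"),
]
# Constructed tracker observations: (domain, tracker id)
TRACKERS = [
    ("lure-a.example", "trk-aaaa"),
    ("lure-b.example", "trk-aaaa"),
    ("unrelated.example", "trk-zzzz"),
]
# IPs shared by many unrelated sites (e.g. a CDN edge); pivoting through
# these would link everything to everything, so they are excluded.
SHARED_IPS = {"203.0.113.200"}


def build_graph(pdns, trackers, shared_ips):
    """Undirected graph linking domains to 'ip:...' and 'trk:...' nodes."""
    graph = {}
    def link(a, b):
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    for domain, ip in pdns:
        if ip not in shared_ips:          # never pivot through shared hosting
            link(domain, "ip:" + ip)
    for domain, tracker in trackers:
        link(domain, "trk:" + tracker)
    return graph


def pivot(seed, graph, max_pivots=3):
    """Breadth-first walk from seed; one pivot = domain -> key -> domain (two edges)."""
    seen, queue = {seed}, deque([(seed, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth >= 2 * max_pivots:       # bound how far the analyst follows links
            continue
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, depth + 1))
    return sorted(n for n in seen if not n.startswith(("ip:", "trk:")))
```

Running `pivot("c2-one.example", build_graph(PDNS, TRACKERS, SHARED_IPS))` reaches the second C2 over the shared IP and both lure sites over the tracker ID, but not `unrelated.example`; dropping the shared-IP exclusion pulls it in through the CDN address, which is exactly the false positive to avoid.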
~~~
0xICECREAM
Thanks for the info. Technically speaking, posting a link on Facebook and
tagging a friend to it seems impossible, unless some manipulation or a flaw
was presented. Can you confirm or not that Facebook is somehow vulnerable to
tagging to links (not posts)?

------
paulpauper
They must have gotten a TON of downloads. Look at the stats:

http://whos.amung.us/stats/pingjse3462
http://whos.amung.us/stats/pingjse346

------
vanderZwan
> _Facebook tricked me into downloading an obfuscated script_

This title suggests _Facebook_ is doing this, even though it's clearly a
malware exploit.

~~~
dang
That was a badly rewritten title, and we've restored the original. (Edit:
never mind–the rewrite was at the host end.)

Submitters: please use the original title unless it is misleading or linkbait.
That's in the site guidelines
(https://news.ycombinator.com/newsguidelines.html).
Making a title _more_ misleading and linkbait is the wrong direction!

(Submitted title was 'Facebook tricked me into downloading an obfuscated
script'.)

~~~
m-app
To be honest, the original title used to be just that:
http://security.stackexchange.com/posts/128254/revisions

~~~
dang
Oh, good catch. Sorry for doubting you, yammesicka :)

Actually the dynamic rewrite thing has only ever come up significantly with
NYT, who do that all the time.

------
Aelinsaar
I treat any attempt to download like an attempt to call my phone, or ring my
doorbell when I'm not expecting someone. Instant suspicion which is, 99% of
the time, unfounded. Still, I've never had to deal with the Jehovah's
Witnesses.

~~~
a3n
I engage Jehovah's Witnesses, but not in the dick way that capital A Atheists
might (I'm a small a atheist). I try to learn what they're about. They're
generally nice people.

~~~
ldehaan
what do you hope to gain by talking to them?

I'm assuming that by capital A versus lowercase a atheists, you are trying
to underscore the differences between people who understand that religion is a
hoax but it doesn't affect me right now so I'll let it pass, and those who
have been directly affected by religion and its evils and see no other way
but to fight it as hard as they push it?

I will try to explain why this is bad: engaging the mentally ill in their
delusions is not only mean (you don't believe their crazy stories, so why
listen to them?) it's bad for society as a whole, because this is an untreated
mental illness that is totally treatable and it's being spread because people
refuse to treat it as a mental illness and instead say, believe what you want.

why is it bad to allow the masses to remain ignorant?

you (hopefully) wouldn't teach your children that the world is flat, because
you were educated against such teachings.

you wouldn't teach a medical student about the human body without allowing
them to learn about the human body by cutting it open and studying it.

you wouldn't let your neighbor spray your yard with ddt (hopefully) because a
higher being told him it was safe.

you wouldn't take advice from someone on the Internet without first
researching the topic (we all do)

yet we'll freely entertain the insanity of religion because why? so many
people believe it?

we all thought the world was flat, the human body was designed by God and
shouldn't be examined, sprayed ddt right in our children's faces, and still
take advice from strangers on the Internet without doing research because,
we're sheep (Hanlon's razor).

it's all stupidity, and fear. we're all alone, there is no guidebook and we're
so painfully self aware.

when you have No explanation, any explanation seems possible.

the world is not flat, but knowing we knew, was comforting.

anyways, what was I trying to get at?

don't let them in. keep them very far away from you.

if you want to help change the world, be proactive. openly challenge religious
beliefs any time they are presented. it could get you killed. it will get you
beaten.

but we all have a duty to further the human species, and putting us second to
imaginary beings is not exactly the way to go about it IMO.

~~~
morganvachon
It's not a mental illness to have faith in something. Faith is a normal part
of being human. Even atheists have faith: Faith in their own belief that there
are no gods or other supernatural beings. They don't have empirical evidence
that there are no higher beings, just as religious types don't have empirical
evidence that such beings exist. On a smaller scale, one can have faith in
one's own abilities or those of the people around them. Once again, not a
mental illness.

Now, I'll concede that religion is a manmade concept, usually a way for those
who seek power over others to achieve it. But faith and religion are two
completely different things. There are those who believe in a higher power
(God? Gods? Spirits? Aliens? Cthulhu?) who are anti-religion, just as there
are those who have no true faith in a higher power but use religion to further
an agenda (militant extremists and terrorists come to mind, both foreign and
domestic).

To put it another way, religion is an institution, faith is human nature.
_You_ have faith in the words you wrote; does that make you mentally ill? No,
of course not, you just come off as having a huge chip on your shoulder and a
predisposition for painting everyone in a billions-strong group with the same
brush.

But that's a typical human flaw, not a documented mental illness.

~~~
ldehaan
i really liked your reply :)

while I agree I think faith is a bit more than just human nature, I think it's
a mechanism developed over centuries to deal with the unknown while our minds
continued to expand to understand the unknown.

I think of it as a bug, maybe a little hack that was put in to deal with
situations that defy explanation. it helps us come up with explanations, it
has a function to deal with unexplained events without losing our mental
model of the world.

faith is like a shim, there is a piece of a mental model that doesn't exist
and doesn't fit with your platform, so faith exists as a way to shim that
difference into your code base.

religion is code that takes advantage of the shim. however religion is a virus
and it takes over your other mental faculties, weakening them. introducing
functions that make no sense, but will continue to run until your mind finds a
place for them.

there are several ways to take advantage of the faith bug but you can see
patterns for different types of systems that use faith hooks to make calls to
your reason centers and override their output. the more these calls override
the reason centers the less they are used.

now the point at which the faith bug is the most susceptible to being utilized
is during the brain's formative years, and this tactic is used incredibly
frequently.

so I see and agree with your point that religion is an institution and faith
is a function of humanity, but faith is a bug that can be patched and I also
would argue that faith is too broad a term for the reasoning functionality of
the brain.

faith is a good word to use when we lack the proper terms, but personal and
religious faith are a small subset of the entire faith function and I think it
needs to be broken up into its requisite parts.

and maybe the overall function that applies to religion in context to faith is
world-model_update(previous_model, new_viewpoint,
contextual_conviction/external_conviction) and it seems to me that there is
early injection malware in religious code and buffer overflow tricks when you
can't get the early injection code to work.

thanks for the reply :)

