532007 - Received Suspicious Facebook Message with a URL that Attempted to Attack my Computer

Status: RESOLVED WORKSFORME

(Firefox :: Security, defect)

Description

[William M. Quarles]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.15) Gecko/2009101601 Firefox/3.0.15 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.15) Gecko/2009101601 Firefox/3.0.15 (.NET CLR 3.5.30729)

I received a suspicious Facebook message from my brother of all people, and it looked like this in my e-mail box:

------------------

Chris sent you a message.

Subject: WOW

"Are you suree tthis is youur firrst actiing experiencee?
http://www.facebook.com/l/0b72f;chikodilihoffart.blogspot.com/"

To reply to this message, follow the link below:
http://www.facebook.com/n/?inbox%2Freadmessage.php&t=1279783120293&mid=17e6ef0G7715a3G37cbcecG0

___
Find people from your BellSouth address book on Facebook! Go to: http://www.facebook.com/find-friends/?ref=email

This message was intended for walrus@bellsouth.net. Want to control which emails you receive from Facebook? Go to:
http://www.facebook.com/editaccount.php?notifications=1&md=bXNnO2Zyb209MTI2NjU2NDczODt0PTEyNzk3ODMxMjAyOTM7dG89NzgwNDMyMw==
Facebook's offices are located at 1601 S. California Ave., Palo Alto, CA 94304.

--------------

I clicked on the link, and the page proceeded to attempt to attack my computer. The attempt was blocked by Norton 360, which said that the application through which the attack came was (program path)\FIREFOX.EXE. There are detailed messages stored in my log about the attack, but I'm not sure how to submit them to you. The stupid Norton 360 program doesn't seem to have a copy and paste function. I'm submitting the exported file from the Norton 360 Security History. I have no idea how to read the file

Reproducible: Always

Steps to Reproduce:
1. Go to that silly website
2. Let it attack your computer, and pray to your god that your firewall will handle it.

Comment 1

[William M. Quarles]

Attachment: Zipped file of recent History of attacks detected by Norton 360 on WMQ's comptuer.

I have no idea how to read the file once it is unzipped.

Comment 2

[Brandon Sterne (:bsterne)]

Blogspot URL has code that redirects to a known malware URL:
hxxp://www.jost.cc/495/?go

I did wget on that URL with Firefox User-Agent and got a series of redirects to
hxxp://www.beeg.com/

the source for which I'll attach momentarily, but I haven't loaded it yet.  I need to find a fresh VM to run it in.

Comment 3

[Daniel Veditz [:dveditz]]

The facebook link takes you to http://chikodilihoffart.blogspot.com/ which appears to be a fake blog (one reposted news article). The sole purpose of that blog appears to be a safe-looking host for obfuscated script which loads the reported attack site http://www.jost.cc/495/?go (now blocked by Firefox if you use the SafeBrowsing feature).

When I load the jost page I get redirected to an Adult Friendfinder banner. Either the malicious content was cleaned up, or given that a page that's just an ad is a little suspicious maybe it only serves the malicious content to certain regions or when given certain referrers (both have been observed in malware sites). Google says they found 3 trojans on the site, but don't say which ones or what the infection vector was. 
http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=http://www.jost.cc

Comment 4

[Daniel Veditz [:dveditz]]

Attachment: attack page from jost.cc

I got the redirects to beeg.com (NSFW porn site) without a user-agent or a Mac one, but other than being porn doesn't appear to contain harmful scripts. But with an IE 7 Vista user agent I got this obfuscated content from that jost page itself.

Comment 5

[Daniel Veditz [:dveditz]]

Attachment: example page loaded by attack script

The obfuscated jost code tries to load a page from a whole list of raw IP addresses. tried a couple and got the same content so it's probably an attempt to survive server shutdowns.

I could have been fooled into loading another misdirection page (like the www.beeg.com Brandon and I both initially got). For one thing I just noticed the jost code uses window.redirect which doesn't work in Firefox, so I'll have to go back and see if Firefox users get sent somewhere different.

The jost.cc page loads urls like
   hxxp://174.59.6.52/go.js?0x3E8/f=fb2/view/console=yes/
which redirects (again, window.redirect) to
   hxxp://174.59.6.52/d=174.59.6.52/0x3E8/f=fb2/view/console=yes/

(replace hxxp with http, following Brandon's lead)

Comment 6

[Daniel Veditz [:dveditz]]

I misread the window.redirect stuff (assumed too much). Firefox gets the same page. In addition to the flash ("Yuotube"?) that's probably malicious it also tries to download a setup.exe. It's just setting location.href so you'd get a prompt and the ability to cancel, but we start downloading in the background to save time and we do send those files through anti-virus on windows if you've got one installed. You were in no danger from that copy because you would have had to first tell Firefox to save it (otherwise we immediately delete the temporary copy) and then go run that file.

This "setup.exe" is apparently the "Koobface" worm
   http://en.wikipedia.org/wiki/Koobface
but not all antivirus programs identified it.
http://www.virustotal.com/analisis/a2ac3ed0b33236d524c4f1cc6f31851da046559bb8d47ab377866182df053962-1259719834

I don't know what private data might be in your norton file so I'm hiding that attachment.

It looks like there was no Firefox exploit here, just an attempt to get you to download and install bad stuff which was caught by Firefox working with your antivirus. And hopefully you wouldn't have run the file anyway even if it was a new worm. While alarming, this incident shows that even the "nice" parts of the internet like Facebook aren't entirely safe -- don't download and run things if you have the slightest suspicion about it. Legitimate software comes from sites you seek out, not thrust at you while you're doing something else, and it will be signed by a legitimate company.

Comment 7

[Daniel Veditz [:dveditz]]

(In reply to comment #0)
> I received a suspicious Facebook message from my brother of all people, and it
> looked like this in my e-mail box:

Oh, and tell your brother that he's been infected by this worm and needs to scan his computer (or maybe one of your brother's Facebook friends, but I don't think the worm can fake a facebook sender the way e-mail worms can).