I became fascinated and intrigued by the most recent chat spam, email scams and malicious profile linking brought about by social networking sites, the most popular being Facebook. I have always wanted to write an article on the existing threats within social networking sites, and this is a culmination of what I have personally seen and gathered recently. Several articles and blogs on the internet offer some advice on what these threats are, why they exist and how to avoid them. This is not an in-depth analysis but only an overview, for your awareness, of the machinations behind the links and the clever, intricate ways in which the programmers created these social networking threats.
If you are a Facebook user you should know "The Wall", where you can allow anyone to post links, messages and other content depending on your own privacy settings. Allowing everyone access to this feature also allows anyone to spam you with links to whatever they fancy. Even if you restrict posting to only those you know, this still does not safeguard you against malicious links, ads and spam, since most of it can end up in your "News Feed" anyway.
A trusted friend can become exposed to links and apps that end up on your wall or in your chat window. Some photos, videos and links can be so appealing that you "click before you think", since they came from one of your friends. Usually the links are provocative, controversial or enticing, such as videos and photos that rouse your curiosity. Here are some examples:
The Securelist team at Kaspersky Lab has identified an advertising botnet and the elaborate ways its operators make money out of the likes or clicks you make; they may even steal data from your system, depending on the scripts running on those sites, especially if you download and install any add-ons, plug-ins or codecs in order to view the site, video or photo.
One form that I stumbled on was a Facebook video link that redirects you to a randomly named site, which in turn points to several DNS addresses. I was able to identify them but would rather conceal the result, since the IP addresses belong to a legitimate server and data center provider. The host IP acts both as a DNS server and as a reverse proxy: when a client request is received, the server retrieves the needed content from the "author" server and forwards it to the client.
When we check the IP addresses with an online proxy-testing lookup tool we get the following result:
The author server behind the DNS addresses resolves each connection request by generating a random, inventive URL response for every visitor, such as the following:
Note: if you wish to know more about URL rewrites and reverse proxies, follow the links below to several examples and descriptions:
1. Open Source Codes: http://urlrewriter.codeplex.com/
2. Rewrite engines: http://en.wikipedia.org/wiki/Rewrite_engine
3. Reverse Proxies: http://en.wikipedia.org/wiki/Reverse_proxy
4. Video: http://bit.ly/nObc1D
In actuality, if we look closely at the links above, each is a set of 4 variable words randomly generated and strung together, which is done using JavaScript. After the site name gets resolved a series of events is triggered; specifically, a variety of scripts within the HTML page will execute, some of which will also be downloaded into your Temporary Internet Files folder. If you are using Internet Explorer as your default browser, the folder path will be: [Path=C:\%userprofile%\%appdata%\Local\Windows\Temporary Internet Files\]. For clarity, let's call the HTML-embedded scripts the X-script, Y-script and Z-script.
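As an added example (not code from the original article), the following JavaScript flags hostnames whose labels are several dictionary words strung together, the pattern described above for the generated scam URLs. The wordlist and the sample URLs are constructed for illustration, and the threshold of three words is my own assumption; the hostname is parsed with the standard WHATWG URL class.

```javascript
// Added example: detect hostnames built from several dictionary words
// strung together, as the article describes for the generated scam URLs.

// Constructed wordlist standing in for a real dictionary; a practitioner
// would load a full English wordlist here instead.
const WORDLIST = new Set([
  "happy", "blue", "river", "stone", "quick", "fox", "jump", "light",
  "moon", "green", "apple", "bank", "secure", "login", "video", "watch",
  "face", "book", "my", "best", "photo", "free"
]);

// Split a label into dictionary words using dynamic programming.
// Returns the segmentation with the fewest words, or null if the
// label cannot be covered entirely by dictionary words.
function segmentLabel(label, words = WORDLIST) {
  const n = label.length;
  const best = new Array(n + 1).fill(null); // best[i] = segmentation of label[0..i)
  best[0] = [];
  for (let i = 1; i <= n; i++) {
    for (let j = 0; j < i; j++) {
      if (best[j] === null) continue;
      const piece = label.slice(j, i);
      if (words.has(piece) &&
          (best[i] === null || best[j].length + 1 < best[i].length)) {
        best[i] = best[j].concat(piece);
      }
    }
  }
  return best[n];
}

// Examine every hostname label except the last (the TLD). A label made of
// only letters that segments into minWords or more dictionary words is
// reported as matching the "random words strung together" pattern.
function analyzeUrl(urlString, minWords = 3) {
  const host = new URL(urlString).hostname.toLowerCase();
  const labels = host.split(".");
  const candidates = labels.slice(0, -1);
  const hits = [];
  for (const label of candidates) {
    if (!/^[a-z]+$/.test(label)) continue; // digits or hyphens do not fit the pattern
    const seg = segmentLabel(label);
    if (seg && seg.length >= minWords) hits.push({ label, words: seg });
  }
  return { host, suspicious: hits.length > 0, hits };
}

// Constructed sample URLs: one in the scam-URL style, one ordinary.
for (const u of ["http://happyblueriverstone.example/video", "https://www.facebook.com/"]) {
  const r = analyzeUrl(u);
  console.log(r.host, r.suspicious ? "SUSPICIOUS " + JSON.stringify(r.hits) : "ok");
}
```

The dictionary segmentation is what makes this more useful than a length check: a long brand name that is not made of words is not flagged, while a label like "happyblueriverstone" is. Run over proxy or DNS logs, the `hits` array tells the analyst which words the generator strung together.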
As seen below, the first embedded script runs together with the HTML attribute inline with the Uniform Resource Identifier (URI) when it gets resolved. This is the X-script, which references a linked site that executes as an Application Programming Interface (API) in the background and downloads as JavaScript (.js file extension):
When we copy the URL into a browser the file can be downloaded, but it has no file extension, since it is meant to be executed by a function within the page's own scripting. When the API executes it creates an HTTP cookie through several scripting functions, as follows:
The created HTTP cookie now waits for further instructions from the site or from another script that needs its information. Currently the cookie is harmless and does not contain any relevant data. The only time it can become maliciously useful and gather data from the system is after a plug-in or codec gets installed to continue playback of the video. In reality, cookies are erased either after every session on most internet sites or when the browser detects that a cookie has expired. A script similar to the one seen above can be found and compared with the author's scripting at this site: http://www.quirksmode.org/js/cookies.html. The only difference is that the script from that site has a function for cookie deletion.
The video itself is an Adobe Flash Player object that plays only for a specific time frame, acting as a teaser. The video loads only after the X-script has finished running. At this point a second script, which I will call the Y-script, executes a function that blocks or stops playback once the allowed time frame has been reached. Once the video stops playing, the Y-script performs several checks as part of its function. The Y-script is also found within the body of the HTML and is later created in the same Temporary Internet Files folder, just like the X-script. Once the Y-script blocks further playback it checks for an enabled pop-up blocker:
1. If your browser's pop-up blocker is not enabled, you will see a pop-up window asking you to finish a survey linked to another site. The links are determined by the response from the author server.
2. If the Y-script finds that a pop-up blocker is enabled, it continues with its normal function of asking you to install a required plug-in or codec for the video to continue its playback, and no pop-ups are generated.
The pop-up blocker check does not affect the Y-script's ultimate function, which is to wait for you to install a plug-in or codec; whether you complete the survey or not does not really matter to the Y-script. If you still choose to install the required plug-in or codec, a third script refreshes the page, "unblocks" the video and continues playback. This is the Z-script, which is tied to the installed plug-in or codec through a DLL shipped with it. This DLL file will later hook itself into Windows Explorer and your browser, giving control over multiple features for future use, including but not limited to: exploiting your system, sending spam links to your online friends through chat, posting new malicious video links to walls, downloading malware, hijacking the browser, gathering private information (email accounts, passwords, bank accounts, credit card information) and showing pop-up advertisements.
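As an added example (not code from the original article) covering both the cookie-creating X-script described earlier and the Y/Z-script playback block and codec lure described here, the following JavaScript is a small static scanner that looks in page source for those behaviours. The HTML it runs over is constructed here for illustration (the hostname `cdn.lure.example` is a placeholder), and the indicator names and the "scam chain" rule combining them are my own assumptions, not anything the article states.

```javascript
// Added example: static indicator scan of page source for the behaviours
// the article attributes to the X-, Y- and Z-scripts. Indicator names and
// the chain rule are assumptions made for this example.

const INDICATORS = [
  { id: "external-script",
    re: /<script[^>]+src=["']?(https?:)?\/\/([^"'\/\s>]+)/gi,
    why: "script loaded from another host (X-script behaviour)" },
  { id: "cookie-write",
    re: /document\.cookie\s*=(?!=)/g,
    why: "inline script writes a cookie" },
  { id: "popup-check",
    re: /window\.open\s*\(/g,
    why: "opens a pop-up; the return value is what a blocker check inspects (Y-script behaviour)" },
  { id: "timed-playback",
    re: /setTimeout\s*\(/g,
    why: "timer, used to stop the teaser after a fixed interval" },
  { id: "codec-lure",
    re: /install (?:a |the )?(?:required )?(?:plug-?in|codec|player)/gi,
    why: "asks the visitor to install software to continue playback" },
  { id: "flash-object",
    re: /<(?:object|embed)[^>]+(?:shockwave-flash|\.swf)/gi,
    why: "Flash object embedded as the video teaser" },
];

// Returns every indicator match plus a verdict: the chain in the article
// needs an external script, a pop-up or timer, and a codec lure together.
function scanHtml(html) {
  const findings = [];
  for (const ind of INDICATORS) {
    const re = new RegExp(ind.re.source, ind.re.flags); // fresh lastIndex per scan
    let m;
    while ((m = re.exec(html)) !== null) {
      findings.push({ id: ind.id, match: m[0].slice(0, 60), why: ind.why });
    }
  }
  const ids = new Set(findings.map(f => f.id));
  const matchesScamChain =
    ids.has("external-script") &&
    (ids.has("popup-check") || ids.has("timed-playback")) &&
    ids.has("codec-lure");
  return { findings, matchesScamChain };
}

// Constructed sample page exhibiting the described behaviours.
const SAMPLE_HTML = `
<html><head>
<script src="//cdn.lure.example/api"></script>
<script>
  function createCookie(n, v, d) { document.cookie = n + "=" + v + "; path=/"; }
  createCookie("vid", "1", 1);
</script>
</head><body>
<object type="application/x-shockwave-flash" data="teaser.swf"></object>
<script>
  setTimeout(function () {
    var w = window.open("about:blank");
    if (w === null) {
      document.getElementById("msg").innerText = "Please install the required codec to continue.";
    } else { w.close(); }
  }, 10000);
</script>
<div id="msg"></div>
</body></html>`;

const report = scanHtml(SAMPLE_HTML);
for (const f of report.findings) console.log(f.id + ": " + f.why + " [" + f.match + "]");
console.log("matches scam chain:", report.matchesScamChain);
```

Pattern matching on source is deliberately crude; its value is as a triage step over saved pages or proxy captures, where each finding points the analyst at the script to inspect next rather than proving the page is malicious on its own.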
Once you have been lured into thinking that the site you are on contains the video you want to watch, an app you want to install or a photo you would like to see, or simply into liking a link, several things may already have transpired without you knowing about it (remember the scripts?).
The final nail is the plug-in, the codec, or you agreeing to enter a username and password. Whatever form of intrusion is used will only result in your system becoming compromised. Several other social networking threats can be worse than the example I have given and may install malware without you noticing it.
In an internet world where malware constantly evolves and becomes more resilient with every new strain, I have only one piece of advice, which I have repeatedly given to every owner of an infected machine: always think before you click.