I was tricked on Facebook into downloading an obfuscated script
I got a notification on Facebook: "(a friend of mine) mentioned you in a comment". However, when I clicked it, Firefox tried to download the following file:
This is an obfuscated script which seems to download an executable (
autoit.exe) and run it.
This is the part I managed to deobfuscate:
['Msxml2.XMLhttp', 'onreadystatechange', 'readyState', 'status', 'ADODB.Stream', 'open', 'type', 'write', 'position', 'read', 'saveToFile', 'close', 'GET', 'send', 'Scripting.FileSystemObject', 'WScript.Shell', 'Shell.Application', '%APPDATA%\\', 'ExpandEnvironmentStrings', 'Mozila', 'https://www.google.com', 'http://userexperiencestatics.net/ext/Autoit.jpg', '\\autoit.exe', 'http://userexperiencestatics.net/ext/bg.jpg', '\\bg.js', 'http://userexperiencestatics.net/ext/ekl.jpg', '\\ekl.au3', 'http://userexperiencestatics.net/ext/ff.jpg', '\\ff.zip', 'http://userexperiencestatics.net/ext/force.jpg', '\\force.au3', 'http://userexperiencestatics.net/ext/sabit.jpg', '\\sabit.au3', 'http://userexperiencestatics.net/ext/manifest.jpg', '\\manifest.json', 'http://userexperiencestatics.net/ext/run.jpg', '\\run.bat', 'http://userexperiencestatics.net/ext/up.jpg', '\\up.au3', 'http://whos.amung.us/pingjs/?k=pingjse346', '\\ping.js', 'http://whos.amung.us/pingjs/?k=pingjse3462', '\\ping2.js', '']
Is this an exploit on Facebook? Is it possible that my friend got a virus which targets their contacts by tagging them on malicious links? Should I report this to Facebook? If so, how?
Is that link something you re-uploaded or the actual link you were sent? I ask because I would like to get the original link taken down.
Well I hope that didn't autorun, because I wasn't expecting my browser to download that when I clicked the link.
I do not believe your friend was targetted. You cannot control the content of noticfications. If anything, facebook itself was exploited with a completely fraudulent notification.
Question from the peanut gallery: Would a reasonable anti-virus package (eg, Norton) have caught this?
I'm dumb but you mean you clicked on the FB notification and *that* notification link got you download the malware or you clicked on whatever link/post your friend tagged you in?
bg.js), the autoit Windows executable, and some autoit scripts which install them. All of these files are named with
.jpgextensions on the (likely-compromised) server they are hosted, to be less-conspicuous.
The malware appears to be partially incomplete or otherwise underdeveloped or perhaps based off some other malware (quality is very low). Many of the autoit scripts don't actually do anything, and what appears to be a ZIP meant to contain a Firefox extension is actually empty. The autoit scripts are a ton of includes combined into a single file, but only one (ekl) actually has a payload at the end.
The one active autoit script which runs on infection replaces the Chrome, IE, and possibly other browser shortcuts with a shortcut to Chrome with the necessary arguments to run the malicious Chrome extension.
The Chrome extension is mainly how this malware is being propagated. It does some nasty things like blacklisting antivirus software domains, and sending Facebook messages automatically. Actually there was a webservice back end at
http://appcdn.co/datajsserving some scripts which would be injected on any page a user visited based on the URL currently being viewed, which was how the Facebook messages were being posted. This service is now offline, likely taken down.
Is this an exploit on Facebook?
Not exactly, more-like abuse of Facebook. Facebook's code hasn't been exploited, your friend just has an infected browser phishing their contacts on their behalf.
Is it possible that my friend got a virus which targets their contacts by tagging them on malicious links?
Yep, that's exactly how this malware is spreading itself.
Should I report this to Facebook? If so, how?
Yes, see How to Report Things in the Facebook help center.
Getting the following URL's taken offline by contacting their hosts would also be good.
http://userexperiencestatics.net/ext/Autoit.jpg http://userexperiencestatics.net/ext/bg.jpg http://userexperiencestatics.net/ext/ekl.jpg http://userexperiencestatics.net/ext/ff.jpg http://userexperiencestatics.net/ext/force.jpg http://userexperiencestatics.net/ext/sabit.jpg http://userexperiencestatics.net/ext/manifest.jpg http://userexperiencestatics.net/ext/run.jpg http://userexperiencestatics.net/ext/up.jpg http://whos.amung.us/pingjs/?k=pingjse346 http://whos.amung.us/pingjs/?k=pingjse3462 http://appcdn.co/datajs
Unfortunately, CloudFlare still has not taken theCloudFlare just emailed me to say they restricted access to the files, and says they will notify the host.
userexperiencestatics.netURL's down though I contacted then shortly after posting this answer, and I don't know who is actually hosting these files.
After I and likely others reported the
.jseURL to Google, they appear to have taken down the file. If you find any more copies, those should also be reported. It seems people have been receiving the files from numerous sources.
This malware and post is getting a lot of attention, so I'll add some more info to address people's questions:
Will this file automatically run when downloaded?
Probably not unless you have configured your browser to do so. It is meant to trick you into opening it.
Can it infect my phone, or non-Windows computer.
As far as I know, Windows is the only OS which can run this malware. As I mentioned, it uses the Windows Script Host. I don't believe even Windows phone is vulnerable, though I don't know much about Windows phone.
UPDATE ON RANSOMWARE:
Previously it was assumed the autoit scripts contained ransomware, however after further inspection this appears not to be the case. There is just a bunch of unused crypto function obscuring the actual payload, which I've mostly deobfuscated to this.
UPDATE ON CHROME EXTENSION:
The unpacked Chrome extension code can be viewed here. Details on what it did integrated above.
UPDATE FOR JSE SCRIPT:
comment_24016875.jsescript can be viewed here.
I've reported the `userexperiencestatics.net` URL to Google and MyWOT. The `whos.amung.us` URL appears to simply be some form of analytics.
@NathanOsman Yep, I reported the `.jse` file to Google earlier, and it appears to have been taken down. I reported the `userexperiencestatics.net` URL's to CloudFlare, but no results yet.
The `.jpg` files are actually PE executable files with the incorrect file extension. They need to be taken down too.
What looks like Facebook's fault to me, the script was downloaded for me when I clicked a link I received from Facebook to my mail (https://facebook.com/l.php?u=https%3A%2F%2Fdoc.google.com…) even though the post itself was deleted by then. I believe that their service was exploited to pass an external URl as a direct link to a comment. This redirect service has been criticized before: http://www.codehesive.com/index.php/archive/facebook-privacy-and-the-mystery-of-l-php/
@AlexanderO'Mara Could you incorporate that this was indeed an XXE vulnerability in facebooks code, since the link to the malware was not just posted as a comment, but actually sent by facebook to private email accounts ?
@Falco Sure, but first could you clarify how you know this happened? I haven't been able to find evidence of it, but I also did not receive one of these email.
Re: "The malware appears to be partially incomplete": The author of the malware may not have very high coding standards: from your description, it sounds like a lot of copy-and-pasting happened, or a lot of starting various angles and then discarding them, with no cleanup afterward once (some) stuff was working.