Friday, March 29, 2013

Gone Phishin' on the Facebook

Social media sites are ripe for exploitation and malicious intent.  They have become a staple of connectivity between colleagues, family, and friends, to the point that in many cases they are the focal point of communication.  Chief among these social media sites is Facebook: not quite as professional a network as LinkedIn, not quite as informal as Twitter.  Facebook is a perfect storm of chat, image host, and blurbs about how delicious your friend's lunch was.  Of course, the information you post on these networks is what makes them so juicy a target for scammers.

Clickjacking is a scam technique that tricks users into clicking on something they perceive as legitimate but that is actually designed to harvest a “Like” or a click-through to something malicious.

These Facebook scams aren’t nearly as well hidden as you might think.  More than likely you have one in your News Feed right now.  So let me drop some helpful hints on how to spot a Facebook scam:

  • Shared/Liked a link for something clearly Not Safe for Work.
  • Shared/Liked a link for ANYTHING related to Free ANYTHING.  Nothing in life is free, so don’t expect it on Facebook either.
  • Shared/Liked a link from a less reputable source.  Example: Tommy Boy shared a link from: OMG!! COUPONS!?!1! Free Ipads and more
  • A Shared/Liked video or pic is displayed differently than other pics or videos.
  • You are tagged in a post which has other seemingly random friends also tagged along with a shortened URL.

My example today will cover 3/5 of the above so let’s get started!


This immediately met my criteria for suspicion.  In a secure environment, and on my dog’s Facebook account, I felt comfortable exploring further without putting my personal account at risk.

Clicking that ‘video’ link immediately takes you to a page that almost looks legitimate.  It has the Facebook navbar, but no chat bar.  To deter savvier users from inspecting these elements further, the scammers have ensured that right-click is disabled.  The code for which looks like this:

Closer inspection of the source reveals that it isn’t even a video, but an image of a video.  See:

Fortunately for this victim, the attackers were only after his Likes, not his account or computer.  Clicking through this ‘video’ triggers a ‘Likejacking’ attack.  So far, 160 people have fallen for this scheme.

The attacker’s goal here is not to sow discontent and chaos, but rather to make money by scamming affiliate marketers.  A ‘Like’ on Facebook requires no two-step verification to ensure that the user in question really did click ‘Like’.  The harvested ‘Like’s from the scam can then be used for any purpose the scammers desire, since there is no record of what was actually being endorsed.  As you can see in the screenshot above, this button could be attached to anything the scammers choose, to give the impression that 160 people ‘Like’d something else.

Digging deeper into this scam, it seems unlikely that this is the only instance of it on Facebook.  I did a quick look-up on the images hosted at and found that the image was uploaded 7 months ago and has been seen 2,439,013 times, at a combined bandwidth of 187.45 GB.

I’m no affiliate marketer, but I did some research and found that the common payout for a pay-per-click offering would yield $290.35 a day, given the time this scam has been running and the number of views.

Friday, March 15, 2013

Guess who am I? PE or APK

Update: I happened to find this sample; however, it was corrupted.  So I made a demo file myself.  Notepad.exe was used as the PE stub, and I embedded a MALICIOUS APK sample into it, so the magic number was also MZ.  It ran better than the previous sample since it bypassed and you can see its internal APK information.

If you need this sample, leave your email or drop me a line. You are welcome to polish its PE structure to make it runnable. Don't forget to let me know if you make it. Good luck!

Does "zipfile.BadZipfile: Bad magic number for file header" sound familiar?
This error is raised when Python's zipfile module fails to parse a file as a ZIP archive.
Normally, the magic signature for a zip file is 1) "PK\003\004", 2) "PK\005\006" (empty archive), or 3) "PK\007\010" (spanned archive).

Here is an Android example that triggers the above message. Guess what its magic number is? 4D 5A 90 90.  Yes, you are right: it is "MZ", the PE magic number.

The author faked the DOS header, PE header, section table, and even the import table structure at the very beginning of this file, so that quite a few AV engines and tools are bypassed.
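A triage helper for exactly this kind of file: it flags an "MZ" magic that coexists with ZIP records, and when Python's zipfile cannot locate the end-of-central-directory (because PE section data follows the archive), it carves the archive out by its own signatures. This is an added example, not the post's code; the sample it builds is a constructed stand-in (a fake MZ stub, a tiny APK-like archive, trailing padding), and all function names are my own.

```python
import io
import struct
import zipfile

ZIP_LOCAL = b"PK\x03\x04"   # local file header signature
ZIP_EOCD = b"PK\x05\x06"    # end-of-central-directory signature

def has_pe_magic(data: bytes) -> bool:
    return data[:2] == b"MZ"   # file claims to be a DOS/PE executable

def zip_signature_offsets(data: bytes) -> dict:
    """Offsets of every local-file header plus the last EOCD record."""
    local, pos = [], data.find(ZIP_LOCAL)
    while pos != -1:
        local.append(pos)
        pos = data.find(ZIP_LOCAL, pos + 4)
    return {"local": local, "eocd": data.rfind(ZIP_EOCD)}

def stock_zipfile_opens(data: bytes) -> bool:
    """Does Python's zipfile accept the whole file as-is?"""
    try:
        with zipfile.ZipFile(io.BytesIO(data)):
            return True
    except zipfile.BadZipFile:
        return False

def carve_zip(data: bytes) -> bytes:
    """Slice from the first local header to the end of the EOCD (archive keeps its own relative offsets)."""
    sigs = zip_signature_offsets(data)
    if not sigs["local"] or sigs["eocd"] == -1:
        raise ValueError("no embedded ZIP structures found")
    eocd = sigs["eocd"]
    comment_len = struct.unpack_from("<H", data, eocd + 20)[0]   # EOCD is 22 bytes + comment
    return data[sigs["local"][0]:eocd + 22 + comment_len]

def list_embedded_apk(data: bytes) -> list:
    """Entry names of the embedded archive, carving when zipfile cannot see the EOCD."""
    blob = data if stock_zipfile_opens(data) else carve_zip(data)
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        return z.namelist()

def build_sample() -> bytes:
    """Constructed stand-in for the post's sample: MZ stub, APK-like archive, trailing section data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00" + bytes(32))
    stub = b"MZ\x90\x90" + bytes(0x1000)   # fake DOS/PE header, not a runnable PE
    trailer = bytes(1 << 17)               # >64 KiB after the archive hides the EOCD from zipfile
    return stub + buf.getvalue() + trailer
```

Files that have a PE magic but also yield local-file-header and EOCD hits are worth a second look, since a genuine PE has no reason to carry a ZIP central directory.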

Here is the snapshot from VT:


7-zip unpacked partial contents, including the classes.dex and Manifest files.  The classes.dex is valid.  Some ADMOB SDK APIs were called, and the Android payload was hidden inside the .text section.
This sample ran the "su" command to get root privileges.  Afterwards, it visited the following websites:

This is the only sample I have found so far that tries to hide APK contents inside the PE format.  I am expecting more in the near future.