    TrendLabs Security Intelligence Blog

    Author Archive - Brooks Li (Threats Analyst)

    Malicious browser extensions bring about security risks as these often lead to system infection and unwanted spamming on Facebook. Based on our data, these attacks have notably affected users in Brazil.

    We have previously reported that cybercriminals are putting malicious browser extensions in the official Chrome Web Store. We also came across malware that bypasses a Google security feature that checks third-party extensions. For this blog entry, we performed an in-depth analysis of a malicious Chrome browser extension and its evasion tactics, after receiving samples from Facebook. Facebook’s Security team conducts its own malware research and regularly collaborates with Trend Micro to keep their service safe.

    The Ins and Outs of the Browser Plugin

    The malicious Chrome plugin (detected as BREX_KILIM.LL) is composed of two files, manifest.json and background.js. The file manifest.json tells Chrome where to load background.js:


    Figure 1. Two files behind the malicious plugin

    The file background.js will execute the following routines:

    1. It prevents the removal of the malicious plugin. If users open a tab to chrome://extensions to check for malicious browser extensions, the plugin closes this tab immediately.


    Figure 2. Code showing the closing of said tab

    2. It prevents access to antivirus websites. Any attempts to visit antivirus software websites will be blocked.


    Figure 3. Code showing the blocking of specific sites


    Figure 4. Notification showing access was blocked by the extension

    3. It removes a security option from the HTTP response header. This security header is typically used to prevent cross-site scripting attacks; the plugin removes it because it will inject script that does not belong to Facebook.


    Figure 5. Code removing portions of the HTTP header

    4. It runs JavaScript code when users visit Facebook. When users go on Facebook, the plugin injects JavaScript code into the tab where the site is open. Doing so allows the cybercriminals to control the users’ accounts: users will unwillingly follow, like, or subscribe to Facebook accounts as dictated by the cybercriminals behind this attack. These commands are performed automatically by the injected JavaScript code. The affected users’ friends will also see these actions on their feed and may inadvertently install the plugin as well.


    Figure 6. Screenshot of the malicious JavaScript that makes users follow, like, or subscribe to a Facebook account owned by cybercriminals

    Evasion Tactics

    To avoid having their extensions detected and removed from computers, cybercriminals are using the following evasion methods:

    1. They use multiple malicious script files that work together.


    Figure 7. Malicious plugin using multi-script

    The malicious behavior is separated into multiple files. If each script file is analyzed independently, the overall malicious behavior may not be spotted and the files may be (mistakenly) thought to be clean.

    2. They encode the JavaScript content.

    Hackers use hex encoding to obscure strings, as seen in the screenshot below:


    Figure 8. Encoded strings via Hex

    After decoding the hex strings, they appear as in the screenshot below, which shows that the decoded content is the same as the original. This encoding helps the extension avoid detection by security products.


    Figure 9. Decoded string

    3. They use HTTPS and a known, good domain to host the malicious JavaScript.


    Figure 10. A good domain used by the malicious plugin

    For instance, is a free cloud application platform where anyone can upload apps to it, and cybercriminals can use this site to host the malicious JavaScript. This tactic also prevents URL detection and blocking by security solutions.

    4. They use Twitter to hide malicious URLs.


    Figure 11. Code communicating with Twitter servers


    Figure 12. Twitter profile that houses the URL

    The malicious plugin runs JavaScript in the user’s browser tab and downloads content from a Twitter user’s profile. The cybercriminals use the affected Twitter user’s profile content to hide the malicious URL that the plugin connects to. Once the cybercriminals change the profile content, they change the behavior of the malicious plugin.

    5. They use fake file extensions.


    Figure 13. The plugin uses .DLL as its supposed extension
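    The behaviours and evasion tactics above can be turned into a static triage check. The following is an added example written for this post, not Trend Micro's tooling and not the extension's own code: it decodes hex-escaped strings in every script of an unpacked extension and evaluates the indicators over the combined text, so that logic split across files (tactic 1) and hex encoding (tactic 2) do not hide the tab-closing, request-blocking, header-rewriting, script-injection and Twitter-fetching behaviours. The sample manifest and scripts are constructed for the demonstration.

```javascript
// Added example, not Trend Micro's tooling nor the extension's own code: a static
// triage helper for an unpacked Chrome extension that looks for the behaviours
// described in the post. All scripts are decoded and checked as one body of text.

// Rewrite every run of "\xNN" escapes inside a string literal into plain characters.
function decodeHexStrings(source) {
  return source.replace(/(?:\\x[0-9a-fA-F]{2})+/g, run =>
    run.match(/[0-9a-fA-F]{2}/g).map(h => String.fromCharCode(parseInt(h, 16))).join(''));
}

// One indicator per behaviour from the analysis; every regex runs on decoded source.
const INDICATORS = [
  { id: 'closes-extensions-tab',     // behaviour 1: closes the chrome://extensions tab
    test: s => /chrome:\/\/extensions/.test(s) && /chrome\.tabs\.remove/.test(s) },
  { id: 'blocks-requests',           // behaviour 2: cancels requests to chosen sites
    test: s => /onBeforeRequest/.test(s) && /cancel\s*:\s*true/.test(s) },
  { id: 'rewrites-response-headers', // behaviour 3: edits security headers in responses
    test: s => /onHeadersReceived/.test(s) && /responseHeaders/.test(s) },
  { id: 'injects-script-into-tabs',  // behaviour 4: runs script inside the open tab
    test: s => /chrome\.tabs\.executeScript/.test(s) },
  { id: 'fetches-twitter-profile',   // evasion 4: reads its next URL from a Twitter page
    test: s => /https?:\/\/(?:www\.)?twitter\.com\//.test(s) },
];

// manifest: parsed manifest.json; scripts: { filename: source } for the package's JS files.
function triageExtension(manifest, scripts) {
  const findings = [];
  const perms = manifest.permissions || [];
  if (perms.includes('webRequest') && perms.includes('webRequestBlocking'))
    findings.push('blocking-webrequest-permission');
  const bg = (manifest.background && manifest.background.scripts) || [];
  if (bg.length > 1) findings.push('multi-file-background');        // evasion 1
  const hexFiles = Object.keys(scripts).filter(f => /\\x[0-9a-fA-F]{2}/.test(scripts[f]));
  if (hexFiles.length) findings.push('hex-encoded-strings');        // evasion 2
  const combined = Object.values(scripts).map(decodeHexStrings).join('\n');
  for (const ind of INDICATORS) if (ind.test(combined)) findings.push(ind.id);
  return { findings, hexFiles };
}
// Constructed sample package (not a real sample): the tab-closing check sits in one
// file and its hex-escaped target string in another, so neither file alone trips a rule.
const SAMPLE_MANIFEST = { manifest_version: 2, name: 'sample',
  permissions: ['tabs', 'webRequest', 'webRequestBlocking'],
  background: { scripts: ['config.js', 'background.js'] } };
const SAMPLE_SCRIPTS = {
  'config.js': String.raw`var PAGE = "\x63\x68\x72\x6f\x6d\x65\x3a\x2f\x2f\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x73";`,
  'background.js': String.raw`chrome.tabs.onUpdated.addListener(function (id, info, tab) {
  if (tab.url && tab.url.indexOf(PAGE) === 0) chrome.tabs.remove(id); });`,
};
console.log(triageExtension(SAMPLE_MANIFEST, SAMPLE_SCRIPTS).findings);
```

Running it on the constructed package reports the blocking webRequest permission, the multi-file background, the hex-encoded strings and the closing of the chrome://extensions tab, while checking background.js on its own reports none of the behaviour indicators.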

    Infections and Protection

    Based on our data starting from May 2014 onwards, Trend Micro HouseCall has helped about 1,000,000 users whose computers have been infected by malicious browser extensions. The top affected countries are mostly located in the Latin American region, such as Brazil, Mexico, Colombia, and Peru.

    Figure 14. Top affected countries

    We strongly advise users to avoid clicking links in messages, even if they appear to come from their friends. Users can also opt to use Trend Micro HouseCall to secure their systems from online threats, including those that may leverage or abuse Facebook. Trend Micro and Facebook are working closely together to combat this threat.

    Below is the SHA1 hash of the malicious file:

    • 4733c4ea00137497daad6d2eca7aea0aaa990b46



    Exploit kits have long been part of a cybercriminal’s arsenal. One of the most notorious exploit kits in recent years is the Blackhole Exploit Kit. Coverage of this particular exploit kit reached a fever pitch with the arrest of its author in 2013.

    The Blackhole Exploit Kit may have met its demise, but this hasn’t deterred cybercriminals from using other exploit kits for their schemes. In fact, other exploit kits are still in use, often with improvements or upgrades. An example is the Nuclear Exploit Kit.

    We observed that the Nuclear Exploit Kit recently included the Silverlight exploit (CVE-2013-0074) in its scope. We believe that the attackers behind the Nuclear Exploit Kit added Silverlight to its roster of targeted software for two reasons: to expand their attack surface and to avoid detection (as not many security solutions have detections for this particular exploit).

    The Silverlight exploit

    As with other targeted software, the Nuclear Exploit Kit’s landing page checks whether the victim’s system has Silverlight installed. If the check passes, it then attempts to use the Silverlight exploit to drop malware onto the system.


    Figure 1. The payload

    Upon closer analysis, it appears that an error exists in the JavaScript version-checking code.


    There are already many known ways by which cybercriminals target Facebook users. In the infographic we recently released, “The Geography of Social Media Threats,” we illustrated the different social networking features cybercriminals abused and the threats that these usually lead to.

    In the course of conducting research, we found one specific attack that targeted Facebook users through a different route—malvertisements.

    We encountered an infection chain wherein the user is led from a page within Facebook to a couple of ad sites then, finally, to a page that hosts exploits. When we traced the connection between the ad sites and Facebook, we found that the ad providers were affiliated with a certain Facebook application. We checked out the said application and found that it is indeed ad supported. We were able to come up with the likely infection chain based on this finding:



