From The Erbo Files
Thursday, February 9, 2012

I got an odd E-mail from an old friend of mine the other night; no subject line, a number of other people on the To: line, and the text body consisting of just one thing: a URL from a site with a .cz domain (the Czech Republic).  Anyone who's been on the Internet for more than a week should either have alarm bells going off in their subconscious at this point, or shouldn't be allowed out without a keeper.  Best hypothesis: her machine or E-mail account was compromised somehow and is sending this mail out as an attempt to infect others.


Actually clicking on a link you get in an E-mail like this is about as wise as wandering down Skid Row, grabbing a hypodermic needle from a random junkie you find passed out on the sidewalk, and jamming that needle into your own arm. Fortunately, I have some techniques that are the equivalent of working from behind leaded glass and fishing at it with tongs, namely, using the wget command on a Linux box to fetch the contents at that URL to a file without executing it, and then using a text editor to open the file, again without executing it.


The contents of that first file I pulled from behind that URL were roughly like this:


<head>
<script type="text/javascript" src="(another Czech URL)"></script>
<meta HTTP-EQUIV="REFRESH" content="0; url=(a URL in Russia)">
</head>

Right away, it's obvious someone's trying to play games. That <meta> tag is trying to force the browser to read from another site almost immediately. Trying to pull from the Russian site, however, got no results; the site returned no data and timed out.


But what about that JavaScript?  Pulling it revealed some other trickery:


if (top.location.href==self.location.href) {
    document.writeln('(an entire HTML document, pretty much)');
}
document.write('<script type="text/javascript" src="(a Google Analytics JavaScript URL)"></script>');
document.write('<script type="text/javascript" src="(a URL loading a script with the same name, but from a Czech site)"></script>');

More deliberate obfuscation, and what looks like an attempt to hijack Google Analytics, perhaps to make the site seem more popular than it is. (Any function declared in the presumably-legit Google Analytics script, but then re-declared in the Czech script, would use the latter definition.) The document being written in that first document.writeln() call contains a lot of obfuscation, too. (The most obvious obfuscation was that it was written all as one line, defying easy viewing; I had to pass the script text through fold -80 to get it into a state where I could read it.) It has a lot of CSS styles, both in an embedded stylesheet and inline; many of the styles are marked as !important, meaning they override any built-in stylesheet the user has set up in the browser. (This could also be a trick to divert attention from the rest of the contents of the file.) Some of the links in this file have code like this attached to them:


onmousedown="javascript:void(myImage = new Image());void(myImage.src = \'(a PHP URL with some query string parameters)\');"

This is pretty obviously click-tracking. Ignore the use of an Image object here; the important part is that it makes the browser send a GET request to that URL whenever someone presses the mouse button down on the link. There are also more conventional calls to a JavaScript function urchinTracker from within onClick handlers.
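The same inspection done above by eye (fetch to a file, read it without executing it), as an added Python example that is not the post's own code: a small static triage helper that pulls the redirect, script, frame-check and beacon indicators out of fetched text. It runs over constructed stand-ins for the two fetched files; the hostnames, file names and query string are placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed stand-ins for the two fetched files; every URL here is a placeholder, not an original.
LANDING_HTML = """<head>
<script type="text/javascript" src="http://loader.example-cz.invalid/urchin.js"></script>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://landing.example-ru.invalid/">
</head>"""
LOADER_JS = r"""if (top.location.href==self.location.href) {
document.writeln('<a href="#" onmousedown="javascript:void(myImage = new Image());void(myImage.src = \'http://track.example-cz.invalid/c.php?id=7\');">x</a>');
}
document.write('<script type="text/javascript" src="http://www.google-analytics.com/urchin.js"></script>');
document.write('<script type="text/javascript" src="http://loader.example-cz.invalid/urchin.js"></script>');"""

META_REFRESH = re.compile(r"<meta[^>]*refresh[^>]*url=([^\"'>\s]+)", re.I)
SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*[\"']([^\"']+)", re.I)
# document.write('...') / writeln("..."), tolerating backslash-escaped quotes inside the literal
DOC_WRITE = re.compile(r"document\.write(?:ln)?\(\s*(['\"])((?:\\.|(?!\1).)*)\1\s*\)", re.S)
FRAME_GATE = re.compile(r"top\.location\.href\s*==\s*self\.location\.href")
BEACON = re.compile(r"new Image\(\).{0,80}?\.src\s*=\s*['\"]([^'\"]+)", re.S)

def triage(text):
    """Static indicator extraction over fetched page or script text; nothing here evaluates the input."""
    # Strings handed to document.write are markup the browser would have parsed; unescape and scan them too.
    written = [re.sub(r"\\(.)", r"\1", m.group(2)) for m in DOC_WRITE.finditer(text)]
    written_text = "\n".join(written)
    written_src = list(dict.fromkeys(SCRIPT_SRC.findall(written_text)))
    direct_src = [s for s in dict.fromkeys(SCRIPT_SRC.findall(text)) if s not in written_src]
    by_name = {}  # script file name -> set of hosts it is pulled from
    for url in direct_src + written_src:
        by_name.setdefault(url.rsplit("/", 1)[-1], set()).add(urlparse(url).netloc)
    return {
        "meta_refresh": META_REFRESH.findall(text),             # forced redirect targets
        "script_src": direct_src,                               # scripts the markup loads itself
        "written_script_src": written_src,                      # scripts injected via document.write
        "frame_gate": bool(FRAME_GATE.search(text)),            # content served only when not framed
        "beacons": BEACON.findall(text + "\n" + written_text),  # Image-based click-tracking GETs
        "shadowed": sorted(n for n, h in by_name.items() if len(h) > 1),  # same name, two hosts
    }

if __name__ == "__main__":
    for label, blob in (("landing page", LANDING_HTML), ("loader script", LOADER_JS)):
        print(label, triage(blob))
```

The "shadowed" entry is the redefinition trick from the post: a script name that is loaded once from Google and again from the other host.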


There are some foreign-language strings visible in the text, too: a quick check with Google Translate found that they were, indeed, in Czech, reading something like this:



  • Sports betting on the Internet - Get up 1000 Kc!

  • Original gifts and gadgets for men and women!

  • ACTION! From November 14, 2011 fantastic prizes domain!

  • Mona furniture co. - furniture and special offers with 40% discount

  • Dedicated server for 450 Kc

  • Download and send files for FREE!

  • File download FREE!


Various sales pitches, in other words. ("Kc" is most likely the abbreviation for the Czech koruna, the local currency.)


To sum up: Classic spam E-mail, with a lot of deliberate obfuscation to try and evade spam-detection schemes. And who knows what other stunts this site is likely to pull, with all that garbage in the way?


I sent an E-mail to my friend warning her that her machine had been compromised, and she should either check it out or get it checked out. This would be a good time to point out that downloading and running just two programs will clear up almost any malware installed on a Windows system: Malwarebytes, and Spybot Search & Destroy. Also, make sure your antivirus is up to date. The More You Know.™


"Surfing safety."
"Keep breathing."
Roadkill and Y.T., Snow Crash, Neal Stephenson

Copyright © 2012 Eric J. Bowersox, All Rights Reserved.