Full Version: Blogspot spam using javascript for redirection
jfrankparnell
hi -

I found your forum doing a little 'research' on a Blogspot spam I received.

CODE
You Have Been Selected to Try Acai Burn For *Free* http://computronmeritoriousnessnj.blogspot.com/?id=73fhkr3q


The blog fits the pattern of redirection we've seen in blogspot spam - and if you were to load this into IE, you get redirected to a My Pure Acai spam page.

What's interesting - if you load in Firefox with NoScript, nothing happens UNTIL you start enabling Javascript. And in fact, you'll notice that one of the domains to be enabled is myadslink.com

In fact, this bit of code in the Blogspot HTML got my eye:
CODE
http://myadslink.com/adsense/show_ads.js


I found this topic here:
Info on myadslink.com and Malware

So I looked at the javascript. I couldn't find the website the blogspot redirects to.

I'm blocked from myadslink.com right now, but I think this snippet of javascript is the right source.

Do you have tools for parsing javascript? I'm curious if spammy has a list of spamvertized sites on myadslink, or if he's somehow hiding the info on the Blog.

Here's the code - and thanks in advance:

CODE
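// Minified AdSense-style ad loader, pasted from the blog's HTML. It builds
// window.google_ad_url from the page's window.google_* settings and then
// writes the ad (a <script> tag, a "google_ads_frame" <iframe>, or an IDI
// module) pointing at pagead2.googlesyndication.com. Nothing in it references
// myadslink.com or any acaiburn domain, so the spam redirect is not in this
// snippet. Three identifiers that forum line-wrapping had split across lines
// (parentDivId, google_prev_ad_formats_by_region, last_modified_time) are
// rejoined below; every other token is as pasted.
(function(){
// Analytics glue: da() derives sid/vid/hid from the __utma/__utmb/__utmc cookies or
// window.gaGlobal and stores them back on window.gaGlobal; r() is a random id;
// ea()+fa() hash navigator/screen/cookie/referrer/history into a number.
var g=document,j=navigator,m=window;function da(){var a=g.cookie,c=Math.round((new Date).getTime()/1000),b=a.indexOf("__utma=")>-1,d=a.indexOf("__utmb=")>-1,e=a.indexOf("__utmc=")>-1,f,i={};if(b){f=a.split("__utma=")[1].split(";")[0].split(".");i.sid=(!d||!e?c:f[4])+"";i.vid=f[1]+"."+f[2];i.from_cookie=true}else{i.sid=m&&m.gaGlobal&&m.gaGlobal.sid?m.gaGlobal.sid:c+"";i.vid=m&&m.gaGlobal&&m.gaGlobal.vid?m.gaGlobal.vid:(r()^ea())*2147483647+"."+c;i.from_cookie=false}i.hid=m&&m.gaGlobal&&m.gaGlobal.hid?
m.gaGlobal.hid:r();m.gaGlobal=i;return i}function r(){return Math.round(Math.random()*2147483647)}function ea(){var a=g.cookie?g.cookie:"",c=m.history.length,b,d,e=[j.appName,j.version,j.language?j.language:j.browserLanguage,j.platform,j.userAgent,j.javaEnabled()?1:0].join("");if(m.screen)e+=m.screen.width+"x"+m.screen.height+m.screen.colorDepth;else if(m.java){d=java.awt.Toolkit.getDefaultToolkit().getScreenSize();e+=d.screen.width+"x"+d.screen.height}e+=a;e+=g.referrer?g.referrer:"";b=e.length;
// (ea continues) fa(): 28-bit rolling string hash. u and w map each window.google_*
// setting name to the query-parameter name used in the ad request.
while(c>0)e+=c--^b++;return fa(e)}function fa(a){var c=1,b=0,d,e;if(!(a==undefined||a=="")){c=0;for(d=a.length-1;d>=0;d--){e=a.charCodeAt(d);c=(c<<6&268435455)+e+(e<<14);b=c&266338304;c=b!=0?c^b>>21:c}}return c};var u={google_ad_channel:"channel",google_ad_host:"host",google_ad_host_tier_id:"ht_id",google_ad_region:"region",google_ad_section:"region",google_ad_type:"ad_type",google_adtest:"adtest",google_alternate_ad_url:"alternate_ad_url",google_alternate_color:"alt_color",google_bid:"bid",google_city:"gcs",google_color_bg:"color_bg",google_color_border:"color_border",google_color_line:"color_line",google_color_link:"color_link",google_color_text:"color_text",google_color_url:"color_url",google_contents:"contents",
google_country:"gl",google_cust_age:"cust_age",google_cust_ch:"cust_ch",google_cust_gender:"cust_gender",google_cust_id:"cust_id",google_cust_interests:"cust_interests",google_cust_job:"cust_job",google_cust_l:"cust_l",google_cust_lh:"cust_lh",google_cust_u_url:"cust_u_url",google_disable_video_autoplay:"disable_video_autoplay",google_ed:"ed",google_encoding:"oe",google_feedback:"feedback_link",google_flash_version:"flash",google_gl:"gl",google_hints:"hints",google_kw:"kw",google_kw_type:"kw_type",
google_language:"hl",google_referrer_url:"ref",google_region:"gr",google_reuse_colors:"reuse_colors",google_safe:"adsafe",google_targeting:"targeting",google_ui_features:"ui"},w={google_ad_format:"format",google_ad_output:"output",google_ad_callback:"callback",google_ad_override:"google_ad_override",google_ad_slot:"slotname",google_analytics_uacct:"ga_wpids",google_correlator:"correlator",google_cpa_choice:"cpa_choice",google_image_size:"image_size",google_last_modified_time:"lmt",google_max_num_ads:"num_ads",
// y(): parameter-name lookup (u first, then w). C: no-op logger with c/e/o methods.
// H: first-party "__gads=" cookie helper; H.prototype.j fetches cookie info by
// document.write()-ing a <script> from partner.googleadservices.com/gampad/cookie.js,
// and H.prototype.i probes whether cookies can be set at all.
google_max_radlink_len:"max_radlink_len",google_num_radlinks:"num_radlinks",google_num_radlinks_per_unit:"num_radlinks_per_unit",google_only_ads_with_video:"only_ads_with_video",google_page_location:"loc",google_page_url:"url",google_rl_dest_url:"rl_dest_url",google_rl_filtering:"rl_filtering",google_rl_mode:"rl_mode",google_rt:"rt",google_skip:"skip"};function y(a){return u[a]||w[a]||null};function C(){}C.prototype.c=function(){};C.prototype.e=function(){};C.prototype.o=function(){};var G=null;function H(){this.b=this.m();this.g=false;if(!this.b){this.g=this.i();if(!this.g)G.e("Browser does not allow cookies")}}H.prototype.f="__gads=";H.prototype.d="GoogleAdServingTest=";H.prototype.l=function(){return this.b};H.prototype.setCookieInfo=function(a){this.a=a._cookies_[0];if(this.a!=null){this.b=this.a._value_;this.n()}};H.prototype.k=function(a){var c=(new Date).valueOf(),b=new Date;
b.setTime(c+a);return b};H.prototype.j=function(a){if(this.b!=null||!this.g){G.c("Skipping fetch cookie call");return}var c=document.domain,b="http://partner.googleadservices.com/gampad/cookie.js?callback=_GA_googleCookieHelper.setCookieInfo&client="+I(a)+"&domain="+I(c);G.c("Issuing a fetch cookie call with <a href='"+b+"'>"+b+"</a>");document.write("<script src = '"+b+"'><\/script>")};H.prototype.i=function(){document.cookie=this.d+"Good";var a=this.h(this.d),c=a=="Good";if(c){var b=this.k(-1);
document.cookie=this.d+"; expires="+b.toGMTString()}return c};H.prototype.m=function(){var a=this.h(this.f);if(a!=null)G.c("Read first party cookie: "+a);else G.e("No first party cookie found");return a};H.prototype.h=function(a){var c=document.cookie,b=c.indexOf(a),d=null;if(b!=-1){var e=b+a.length,f=c.indexOf(";",e);if(f==-1)f=c.length;d=c.substring(e,f)}return d};H.prototype.n=function(){if(this.a==null)G.e("Skipping cookie creation: no cookie info");else if(this.b==null)G.o("Skipping cookie creation: no cookie value");
// (H.prototype.n continues: writes "__gads=<value>; expires=..; path=..; domain=.<domain>")
// IDICommon: iframe tag/node builders, htmlEscape, hidden-iframe helpers and
// splitURIComponent (chunks a string without cutting a %-escape).
else{var a=new Date;a.setTime(1000*this.a._expires_);var c=this.a._domain_,b=this.f+this.b+"; expires="+a.toGMTString()+"; path="+this.a._path_+"; domain=."+c;document.cookie=b;G.c("Written cookie: "+b)}};window.IDICommon=window.IDICommon||(function(){return{getHash:function(a){var c=a.indexOf("#")+1;return c?a.substr(c):""},htmlEscape:function(a){return/[&<>\"]/.test(a)?a.replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;").replace(/\"/g,"&quot;"):a},makeIframeTag:function(a){var c="<iframe";for(var b in a)c+=" "+b+'="'+IDICommon.htmlEscape(a[b])+'"';return c+"></iframe>"},getIframe:function(a,c){try{return a.frames[c]}catch(b){return null}},makeIframeNode:function(a){var c=document.createElement("iframe");
for(var b in a)c.setAttribute(b,a[b]);return c},appendHiddenIframe:function(a,c){setTimeout(function(){document.body.appendChild(IDICommon.makeIframeNode({id:a,name:a,src:c,width:0,height:0,frameBorder:0}))},0)},writeHiddenIframe:function(a,c){document.write(IDICommon.makeIframeTag({id:a,name:a,src:c,width:0,height:0,frameBorder:0}))},splitURIComponent:function(a,c){var b=[],d=a.length,e=0;while(e<d){var f=a.substr(e,c),i=f.length;if(e+i<d)for(var l=1;l<3;++l)if(f.charAt(i-l)=="%")f=f.substr(0,i-=
// (splitURIComponent continues) IDIHost: cross-frame messaging through hidden
// iframes whose URL fragments are polled with setInterval and split on "$".
l);b.push(f);e+=i}return b},MAX_URL_LENGTH:4095,IDI_DEFAULT_POLLING_INTERVAL:1000}})();window.IDIHost=window.IDIHost||(function(){var a=window.location.href.replace(/([^:\/])\/.*$/,"$1/robots.txt"),c="",b={},d={},e={},f={},i={};function l(h,k){for(var p in k)h[p]=k[p]}function D(h,k){var p=window.frames[h];if(p){var z;while(z=IDICommon.getIframe(p,h+"_"+b[h])){try{if(z.location.href=="about:blank")break}catch(v){break}e[h]+=IDICommon.getHash(z.location.href);++b[h]}var s=e[h].split("$"),A=s.length-1;if(A>0){e[h]=s[A];for(var B=0;B<A;++B)k(decodeURIComponent(s[B]),h)}}}function o(h){return c||
h.replace(/([^:\/]\/).*$/,"$1ig/idi_relay")}function q(h){window.clearInterval(i[h]);i[h]=0}function n(h){a=h}function t(h){c=h}function N(h,k,p){q(h);i[h]=window.setInterval(function(){D(h,k)},typeof p=="object"&&p.pollingInterval||IDICommon.IDI_DEFAULT_POLLING_INTERVAL)}function O(h,k,p){var z;if(typeof p=="object")z=p.moduleRelayUrl;var v=d[h];if(isNaN(v))throw new Error("Invalid module id");else{var s=typeof z=="string"?z:o(f[h]),A=encodeURIComponent(k)+"$",B=IDICommon.MAX_URL_LENGTH-1-s.length,
E=IDICommon.splitURIComponent(A,B),P=E.length;for(var x=0;x<P;++x)IDICommon.appendHiddenIframe(h+"_"+(v+x),s+"#"+E[x]);d[h]+=P}}function J(h,k,p,z,v){var s={frameBorder:0,scrolling:"no"},A,B,E,P,x;if(typeof v=="object"){A=v.iframeAttrs;B=v.callback;E=v.userPrefs;P=v.pollingInterval;x=v.parentDivId}if(typeof A=="object")l(s,A);l(s,{id:k,name:k,src:h,width:p,height:z});b[k]=0;d[k]=0;e[k]="";f[k]=h;var Q=[];if(typeof E=="object")for(var F in E)Q.push(encodeURIComponent(F)+"="+encodeURIComponent(E[F]));
if(typeof B=="function"){Q.push("idi_hr="+encodeURIComponent(a));window.IDIHost.registerListener(k,B,v)}if(Q.length){var K=Q.join("&");if(s.src.length+1+K.length>IDICommon.MAX_URL_LENGTH){K+="$";var $=o(h),pa=IDICommon.MAX_URL_LENGTH-1-$.length,aa=IDICommon.splitURIComponent(K,pa),ba=aa.length;for(var F=0;F<ba;++F){var U=k+"_"+F,ca=$+"#"+aa[F];if(x){var V=document.getElementById(x);V.innerHTML+=IDICommon.makeIframeTag({id:U,name:U,src:ca,width:0,height:0,frameBorder:0})}else IDICommon.writeHiddenIframe(U,
// (createModule continues) Then: a Function.prototype.apply shim -- the eval here is a
// polyfill for browsers without apply, not obfuscation; its template names oScope,
// which nothing in this file defines. ia() strips a matching surrounding quote pair.
// Browser sniffing fills ja/ka/la/ma (opera / gecko / webkit / linux).
ca)}d[k]+=ba;K=""}s.src+="#"+K}if(x){var V=document.getElementById(x);V.innerHTML+=IDICommon.makeIframeTag(s)}else document.write(IDICommon.makeIframeTag(s))}return{setHostRelayUrl:n,setModuleRelayUrl:t,getModuleRelayUrl:o,registerListener:N,unregisterListener:q,postMessageToModule:O,createModule:J}})();var ga=ga||{},ha=this;if(Object.prototype.propertyIsEnumerable);if(!Function.prototype.apply)Function.prototype.apply=function(a,c){var b=[],d,e;if(!a)a=ha;if(!c)c=[];for(var f=0;f<c.length;f++)b[f]="args["+f+"]";e="oScope.__applyTemp__.peek().("+b.join(",")+");";if(!a.__applyTemp__)a.__applyTemp__=[];a.__applyTemp__.push(this);d=eval(e);a.__applyTemp__.pop();return d};;;var ia=function(a,c){var b=c.length;for(var d=0;d<b;d++){var e=b==1?c:c.charAt(d);if(a.charAt(0)==e&&a.charAt(a.length-1)==e)return a.substring(1,a.length-1)}return a};var ja,ka,la,ma;(function(){var a=false,c=false,b=false,d=false,e=false,f=false,i=false,l=false,D=false,o="";if(ha.navigator){var q=navigator.userAgent;a=typeof opera!="undefined";c=!a&&q.indexOf("MSIE")!=-1;b=!a&&q.indexOf("WebKit")!=-1;D=b&&q.indexOf("Mobile")!=-1;d=!a&&navigator.product=="Gecko"&&!b;e=d&&navigator.vendor=="Camino";var n,t;if(a)n=opera.version();else{if(d)t=/rv\:([^\);]+)(\)|;)/;else if(c)t=/MSIE\s+([^\);]+)(\)|;)/;else if(b)t=/WebKit\/(\S+)/;if(t){t.test(q);n=RegExp.$1}}o=navigator.platform;
// (platform sniff continues) na/oa: element lookup by id; qa/ra/sa: owner document,
// computed style, font family. L(): double-quote a value; I(): encodeURIComponent
// (escape fallback); M/R/S/T/W append "&param=value" to window.google_ad_url;
// ta(): screen size, timezone, history length, Java flag, plugin/mime counts.
f=o.indexOf("Mac")!=-1;i=o.indexOf("Win")!=-1;l=o.indexOf("Linux")!=-1}ja=a;ka=d;la=b;ma=l})();;;var na=function(a){return typeof a=="string"?document.getElementById(a):a},oa=na;var qa=function(a){return a.nodeType==9?a:a.ownerDocument||a.document};;;var ra=function(a,c){var b=qa(a);if(b.defaultView&&b.defaultView.getComputedStyle){var d=b.defaultView.getComputedStyle(a,"");if(d)return d[c]}return null};var sa=function(a){var c=qa(a),b="";if(c.createTextRange){var d=c.body.createTextRange();d.moveToElementText(a);b=d.queryCommandValue("FontName")}if(!b){b=ra(a,"fontFamily")||(a.currentStyle?a.currentStyle.fontFamily:null)||a.style.fontFamily;if(ja&&ma)b=b.replace(/ \[[^\]]*\]/,"")}var e=b.split(",");if(e.length>1)b=e[0];return ia(b,"\"'")};function L(a){return a!=null?'"'+a+'"':'""'}function I(a){return typeof encodeURIComponent=="function"?encodeURIComponent(a):escape(a)}function M(a,c){if(a&&c)window.google_ad_url+="&"+a+"="+c}function R(a){var c=window,b=y(a),d=c[a];M(b,d)}function S(a,c){if(c)M(a,I(c))}function T(a){var c=window,b=y(a),d=c[a];S(b,d)}function W(a,c){var b=window,d=y(a),e=b[a];if(d&&e&&typeof e=="object")e=e[c%e.length];M(d,e)}function ta(a,c){var b=a.screen,d=navigator.javaEnabled(),e=-c.getTimezoneOffset();if(b){M("u_h",
// (ta continues) ua(): when google_enable_first_party_cookie is set, create the
// H helper once and trigger its cookie fetch exactly once per page.
b.height);M("u_w",b.width);M("u_ah",b.availHeight);M("u_aw",b.availWidth);M("u_cd",b.colorDepth)}M("u_tz",e);M("u_his",history.length);M("u_java",d);if(navigator.plugins)M("u_nplug",navigator.plugins.length);if(navigator.mimeTypes)M("u_nmime",navigator.mimeTypes.length)}function ua(a){if(!a.google_enable_first_party_cookie)return;if(G==null)G=new C;if(a._GA_googleCookieHelper==null)a._GA_googleCookieHelper=new H;if(!a._google_cookie_fetched){a._google_cookie_fetched=true;a._GA_googleCookieHelper.j(X(a.google_ad_client))}}
// X()/va(): lower-case the client id and force a "ca-" / "dist-aff-" prefix.
// wa/xa: resize handler for google_resize_flash_ad_idi(<px>) messages.
// ya(): emit the ad -- a <script> for js/json_html/textlink output, a
// "google_ads_frame" <iframe> for html output, or an IDIHost module for the
// publisher ids listed in za(). The URL is truncated to 2000 chars first.
function X(a){if(a){a=a.toLowerCase();if(a.substring(0,3)!="ca-")a="ca-"+a}return a}function va(a){if(a){a=a.toLowerCase();if(a.substring(0,9)!="dist-aff-")a="dist-aff-"+a}return a}function wa(a,c){var b=document.getElementById(a);b.style.height=c+"px"}function xa(a,c,b){window.clearTimeout(b);var d=/^google_resize_flash_ad_idi\((\d+)\)/,e=a.match(d);if(e)wa(c,e[1])}function ya(a,c,b,d){b=b.substring(0,2000);b=b.replace(/%\w?$/,"");if((a.google_ad_output=="js"||a.google_ad_output=="json_html")&&(a.google_ad_request_done||
a.google_radlink_request_done))c.write('<script language="JavaScript1.1" src='+L(b)+"><\/script>");else if(a.google_ad_output=="html"){if(a.name!="google_ads_frame"){if(d!=null)c.write('<div id="'+d+'">');if(za(a.google_ad_output,a.google_ad_client)){IDIHost.setModuleRelayUrl("http://pagead2.googlesyndication.com/pagead/idi_relay.html");var e=0;if(a.google_num_0ad_slots)e+=a.google_num_0ad_slots;if(a.google_num_ad_slots)e+=a.google_num_ad_slots;if(a.google_num_sdo_slots)e+=a.google_num_sdo_slots;
var f="google_inline_div"+e,i="<div id="+L(f)+' style="position:relative;width:'+a.google_ad_width+'px"></div><div style="position:relative;width:'+a.google_ad_width+"px;height:"+a.google_ad_height+'px;z-index:-1"></div>';c.write(i);var l="google_frame"+e,D=a.setTimeout(function(){IDIHost.unregisterListener(l)},5000);IDIHost.createModule(b,l,a.google_ad_width,a.google_ad_height,{callback:function(o,q){xa(o,q,D)},pollingInterval:500,iframeAttrs:{style:"position: absolute;left:0px",marginWidth:"0",
marginHeight:"0",vspace:"0",hspace:"0",allowTransparency:"true"},parentDivId:f})}else{c.write('<iframe name="google_ads_frame" width='+L(a.google_ad_width)+" height="+L(a.google_ad_height)+" frameborder="+L(a.google_ad_frameborder)+" src="+L(b)+' marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true" scrolling="no">');c.write("</iframe>")}if(d!=null)c.write("</div>")}}else if(a.google_ad_output=="textlink")c.write('<script language="JavaScript1.1" src='+L(b)+"><\/script>")}
// Aa(): null out every google_* setting except google_correlator after a request.
// Ba/Y: "_0ads" / "_sdo" format checks. Ca(): build window.google_ad_url
// (pagead2.googlesyndication.com cpa/ads, pagead/sdo or pagead/ads) from the
// page's google_* settings; returns false when per-page slot limits are hit.
function Aa(a){for(var c in u)a[c]=null;for(var c in w){if(c=="google_correlator")continue;a[c]=null}}function Ba(a){if(a.google_ad_format)return a.google_ad_format.indexOf("_0ads")>0;return a.google_ad_output!="html"&&a.google_num_radlinks>0}function Y(a){return a&&a.indexOf("_sdo")!=-1}function Ca(a){var c=null,b=window,d=document,e=new Date,f=e.getTime(),i=b.google_ad_format;if(b.google_cpa_choice!=c){b.google_ad_url="http://pagead2.googlesyndication.com/cpa/ads?";b.google_ad_url+="client="+escape(X(b.google_ad_client));
b.google_ad_region="_google_cpa_region_";R("google_cpa_choice");if(typeof d.characterSet!="undefined")S("oe",d.characterSet);else if(typeof d.charset!="undefined")S("oe",d.charset)}else if(Y(i)){b.google_ad_url="http://pagead2.googlesyndication.com/pagead/sdo?";b.google_ad_url+="client="+escape(va(b.google_ad_client))}else{b.google_ad_url="http://pagead2.googlesyndication.com/pagead/ads?";b.google_ad_url+="client="+escape(X(b.google_ad_client))}R("google_ad_host");R("google_ad_host_tier_id");var l=
b.google_num_slots_by_client,D=b.google_num_slots_by_channel,o=b.google_prev_ad_formats_by_region,q=b.google_prev_ad_slotnames_by_region;if(b.google_ad_region==c&&b.google_ad_section!=c)b.google_ad_region=b.google_ad_section;var n=b.google_ad_region==c?"":b.google_ad_region;if(Y(i)){b.google_num_sdo_slots=b.google_num_sdo_slots?b.google_num_sdo_slots+1:1;if(b.google_num_sdo_slots>4)return false}else if(Ba(b)){b.google_num_0ad_slots=b.google_num_0ad_slots?b.google_num_0ad_slots+1:1;if(b.google_num_0ad_slots>
3)return false}else if(b.google_cpa_choice==c){b.google_num_ad_slots=b.google_num_ad_slots?b.google_num_ad_slots+1:1;if(b.google_num_slots_to_rotate){o[n]=c;q[n]=c;if(b.google_num_slot_to_show==c)b.google_num_slot_to_show=f%b.google_num_slots_to_rotate+1;if(b.google_num_slot_to_show!=b.google_num_ad_slots)return false}else if(b.google_num_ad_slots>6&&n=="")return false}M("dt",e.getTime());R("google_language");if(b.google_country)R("google_country");else R("google_gl");R("google_region");T("google_city");
T("google_hints");R("google_safe");R("google_encoding");R("google_last_modified_time");T("google_alternate_ad_url");R("google_alternate_color");R("google_skip");R("google_targeting");var t=b.google_ad_client;if(!l[t]){l[t]=1;l.length+=1}else l[t]+=1;if(o[n])if(!Y(i)){S("prev_fmts",o[n].toLowerCase());if(l.length>1)M("slot",l[t])}if(q[n])S("prev_slotnames",q[n].toLowerCase());if(i&&!b.google_ad_slot){S("format",i.toLowerCase());if(!Y(i))o[n]=o[n]?o[n]+","+i:i}if(b.google_ad_slot)q[n]=q[n]?q[n]+","+
b.google_ad_slot:b.google_ad_slot;R("google_max_num_ads");M("output",b.google_ad_output);R("google_adtest");R("google_ad_callback");R("google_ad_slot");T("google_correlator");if(b.google_ad_channel){T("google_ad_channel");var N="",O=b.google_ad_channel.split(/[+, ]/);for(var J=0;J<O.length;J++){var h=O[J];if(!D[h])D[h]=1;else N+=h+"+"}S("pv_ch",N)}if(b.google_enable_first_party_cookie)S("cookie",b._GA_googleCookieHelper.l());T("google_page_url");W("google_color_bg",f);W("google_color_text",f);W("google_color_link",
f);W("google_color_url",f);W("google_color_border",f);W("google_color_line",f);if(b.google_reuse_colors)M("reuse_colors",1);else M("reuse_colors",0);R("google_kw_type");T("google_kw");T("google_contents");R("google_num_radlinks");R("google_max_radlink_len");R("google_rl_filtering");R("google_rl_mode");R("google_rt");T("google_rl_dest_url");R("google_num_radlinks_per_unit");R("google_ad_type");R("google_image_size");R("google_ad_region");R("google_feedback");T("google_referrer_url");T("google_page_location");
M("frm",b.google_iframing);R("google_bid");R("google_cust_age");R("google_cust_gender");R("google_cust_interests");R("google_cust_id");R("google_cust_job");R("google_cust_u_url");R("google_cust_l");R("google_cust_lh");R("google_cust_ch");R("google_ed");T("google_ui_features");T("google_only_ads_with_video");T("google_disable_video_autoplay");if(a)S("ff",sa(a));if(Da(b,d)&&d.body){var k=d.body.scrollHeight,p=d.body.clientHeight;if(p&&k)S("cc",Math.round(p*100/k))}da();M("ga_vid",b.gaGlobal.vid);M("ga_sid",
// (Ca continues: analytics ids, ga_wpids, flash version, ta()) Ea(): main entry --
// cookie fetch, build the URL, write the ad, then Aa() resets the settings; a 1%
// sample also inserts a temporary <span> to read the page's font. Fa: Ea wrapper
// that returns true. Da/Ga: same-window / small-iframe detection. Ha(): fill in
// defaults for missing google_* settings with Fa installed as window.onerror only
// for the duration of the call (the previous handler is restored at the end).
b.gaGlobal.sid);M("ga_hid",b.gaGlobal.hid);M("ga_fc",b.gaGlobal.from_cookie);T("google_analytics_uacct");R("google_ad_override");R("google_flash_version");ta(b,e);return true}function Ea(){var a=window,c=document;ua(a);var b;if(Math.random()<0.01){var d="google_temp_span";if(!oa(d)){c.write("<span id="+d+"></span>");b=oa(d)}}var e=Ca(b);if(b)b&&b.parentNode?b.parentNode.removeChild(b):null;if(!e)return;ya(a,c,a.google_ad_url,null);Aa(a)}function Fa(){Ea();return true}function Da(a,c){return a.top.location==
c.location}function Ga(a,c){var b=c.documentElement;if(Da(a,c))return false;if(a.google_ad_width&&a.google_ad_height){var d=1,e=1;if(a.innerHeight){d=a.innerWidth;e=a.innerHeight}else if(b&&b.clientHeight){d=b.clientWidth;e=b.clientHeight}else if(c.body){d=c.body.clientWidth;e=c.body.clientHeight}if(e>2*a.google_ad_height||d>2*a.google_ad_width)return false}return true}function Ha(a){var c=window,b=null,d=c.onerror;c.onerror=a;if(c.google_ad_frameborder==b)c.google_ad_frameborder=0;if(c.google_ad_output==
b)c.google_ad_output="html";if(Y(c.google_ad_format)){var e=c.google_ad_format.match(/^(\d+)x(\d+)_.*/);if(e){c.google_ad_width=parseInt(e[1],10);c.google_ad_height=parseInt(e[2],10);c.google_ad_output="html"}}if(c.google_ad_format==b&&c.google_ad_output=="html")c.google_ad_format=c.google_ad_width+"x"+c.google_ad_height;Ia(c,document);if(c.google_num_slots_by_channel==b)c.google_num_slots_by_channel=[];if(c.google_num_slots_by_client==b)c.google_num_slots_by_client=[];if(c.google_prev_ad_formats_by_region==
b)c.google_prev_ad_formats_by_region=[];if(c.google_prev_ad_slotnames_by_region==b)c.google_prev_ad_slotnames_by_region=[];if(c.google_correlator==b)c.google_correlator=(new Date).getTime();if(c.google_adslot_loaded==b)c.google_adslot_loaded={};if(c.google_adContentsBySlot==b)c.google_adContentsBySlot={};if(c.google_flash_version==b)c.google_flash_version=Ja();c.onerror=d}function Ka(a){if(a in Z)return Z[a];return Z[a]=navigator.userAgent.toLowerCase().indexOf(a)!=-1}var Z={};function za(a,c){if(a!=
// (za continues) za(): hard-coded publisher ids that take the IDI module path.
// La(): parse the query string of document.URL into a lower-cased-key map.
// Ma(): a google_ad_override parameter on the page URL also forces google_adtest="on".
// Ja(): Flash version via navigator.plugins or ActiveX probing; returns "0" if none.
// Na/Oa/Pa/Qa/Ra/Sa: derive page_url, page_location, referrer_url and the
// "iframing" flag ("0".."4") that Ca() sends as frm.
"html")return false;var b={};b["ca-pub-7027491298716603"]=true;b["ca-pub-8344185808443527"]=true;b["ca-google"]=true;return b[X(c)]!=null}function La(a){var c={},b=a.split("?"),d=b[b.length-1].split("&");for(var e=0;e<d.length;e++){var f=d[e].split("=");if(f[0])try{c[f[0].toLowerCase()]=f.length>1?(window.decodeURIComponent?decodeURIComponent(f[1].replace(/\+/g," ")):unescape(f[1])):""}catch(i){}}return c}function Ma(){var a=window,c=La(document.URL);if(c.google_ad_override){a.google_ad_override=
c.google_ad_override;a.google_adtest="on"}}function Ja(){if(navigator.plugins&&navigator.mimeTypes.length){var a=navigator.plugins["Shockwave Flash"];if(a&&a.description)return a.description.replace(/([a-zA-Z]|\s)+/,"").replace(/(\s)+r/,".")}else if(navigator.userAgent&&navigator.userAgent.indexOf("Windows CE")>=0){var c=3,b=1;while(b)try{b=new ActiveXObject("ShockwaveFlash.ShockwaveFlash."+(c+1));c++}catch(d){b=null}return c.toString()}else if(Ka("msie")&&!window.opera){var b=null;try{b=new ActiveXObject("ShockwaveFlash.ShockwaveFlash.7")}catch(d){var c=
0;try{b=new ActiveXObject("ShockwaveFlash.ShockwaveFlash.6");c=6;b.AllowScriptAccess="always"}catch(d){if(c==6)return c.toString()}try{b=new ActiveXObject("ShockwaveFlash.ShockwaveFlash")}catch(d){}}if(b!=null){var c=b.GetVariable("$version").split(" ")[1];return c.replace(/,/g,".")}}return"0"}function Na(a,c){for(var b in c)a["google_"+b]=c[b]}function Oa(a,c){if(!c)return a.location;return a.referrer}function Pa(a,c){if(!c&&a.google_referrer_url==null)return"0";else if(c&&a.google_referrer_url==
null)return"1";else if(!c&&a.google_referrer_url!=null)return"2";else if(c&&a.google_referrer_url!=null)return"3";return"4"}function Qa(a,c,b,d){a.page_url=Oa(b,d);a.page_location=null}function Ra(a,c,b,d){a.page_url=c.google_page_url;a.page_location=Oa(b,d)||"EMPTY"}function Sa(a,c){var b={},d=Ga(a,c);b.iframing=Pa(a,d);if(!(!a.google_page_url))Ra(b,a,c,d);else Qa(b,a,c,d);b.last_modified_time=c.location==b.page_url?Date.parse(c.lastModified)/1000:null;b.referrer_url=d?a.google_referrer_url:(a.google_page_url&&
// (Sa continues) Ta(): page info used when document.domain is in Ua
// (ad.yieldmanager.com); Ia(): pick Ta or Sa and copy the result onto window as
// google_* settings. Bootstrap: Ma(); Ha(Fa); Ea(); run as soon as the script loads.
a.google_referrer_url?a.google_referrer_url:c.referrer);return b}function Ta(a){var c={},b=a.URL.substring(a.URL.lastIndexOf("http"));c.iframing=null;c.page_url=b;c.page_location=a.location;c.last_modified_time=null;c.referrer_url=b;return c}function Ia(a,c){var b;b=a.google_page_url==null&&Ua[c.domain]?Ta(c):Sa(a,c);Na(a,b)}var Ua={};Ua["ad.yieldmanager.com"]=true;Ma();Ha(Fa);Ea();
})()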
jfrankparnell
An update:
If you remove the ID from the spamvertized URL, the Javascript will not load myacaiburn6.com.

For the spam I received:
ID=73fhkr3q
URL=myacaiburn6.com

A quick reverse IP shows:
Domaintools reverse IP
that spammy created 24 sites - of the form myacaiburn#.com (from 1 to 23, along with myacaiburn.com)

Somehow the ID is encoded back to a website name. I noticed a random number generator in the code, so it's possible that the ID is converted to "acaiburn"; the prefix "my" could be appended, and the random # generator could be used to generate 1-24 at random

Note: I formatted the javascript to make it readable - shall I re-post this?
Kimberly
Hi jfrankparnell,

myadslink.com/adsense/show_ads.js is indeed the page referring to the ad. The snippet you posted is related to Google, not to show_ads.js

CODE
HTTP/1.1 200 OK
Date: Thu, 19 Mar 2009 13:15:09 GMT
Server: Apache
~~~~~~~~~~~~~~: ~~~~
Connection: close
Content-Type: text/html; charset=so-8859-1
Content-Length: 1146

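/**
 * Reads one parameter out of the current page's query string.
 *
 * Strips the leading "?" from `location.search`, splits on "&" and returns the
 * raw (still percent-encoded) text after the first "=" of the LAST pair whose
 * name matches `parameter`; a later duplicate overwrites an earlier one.
 *
 * @param {string} parameter - exact, case-sensitive parameter name to look up
 * @returns {string|false} the raw value, or false when the parameter is absent
 *   or its value is the empty string (an empty value is falsy and is reported
 *   as "not present", which the caller relies on to fall back to the bare URL)
 */
function queryString(parameter) {
  var loc = location.search.substring(1, location.search.length);
  var param_value = false;

  var params = loc.split("&");
  // `i` and `param_name` were assigned without `var` in the original and so
  // leaked into the global object (and throw in strict mode); declare them.
  for (var i = 0; i < params.length; i++) {
    // A pair with no "=" yields an empty name and its whole text as the value.
    var param_name = params[i].substring(0, params[i].indexOf('='));
    if (param_name === parameter) {
      param_value = params[i].substring(params[i].indexOf('=') + 1);
    }
  }
  // No decoding is applied: whatever follows "=" is returned verbatim.
  if (param_value) {
    return param_value;
  }
  else {
    return false;
  }
}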

// Top-level redirect logic of the captured show_ads.js; it runs as soon as the
// script is evaluated. It builds the destination URL, then document.write()s an
// empty POST form targeted at the top-level window and submits it, which is what
// navigates the visitor away from the blog to myacaiburn6.com.
//alert('http://myacaiburn6.com/');
//alert('JS CALLED');

    // Fixed destination; the two affiliate ids below are only appended as a query string.
    var url = 'http://myacaiburn6.com/';
    var aid = queryString("a_aid");
    var bid = queryString("a_bid");
    
    // Both ids must be present, otherwise the bare URL is used. queryString()
    // returns false when a parameter is missing or empty; the loose `== false`
    // comparison also treats a value of "0" as missing.
    if (aid == false) {
        var loc = url;
    }else if (bid == false) {
        var loc = url;
    }else{
        // NOTE(review): aid/bid come straight from the page's query string and are
        // inserted into the form's action attribute without escaping or validation.
        var loc = url + '?a_aid=' + aid + '&a_bid=' + bid;
    }
    
//alert(loc);    

//document.write("<br> READ MORE... <br><form name=subm id=subm action='"+loc+"' target=_top method=POST>");
// The form has no fields; it exists only so that submit() navigates the top frame
// (target=_top breaks out of any iframe the blog placed the script in).
document.write("<br><br><form name=subm id=subm action='"+loc+"' target=_top method=POST>");
document.write("</form>");

// `subid` is assigned without var and so becomes a global. submit() fires the
// POST immediately, with no user interaction.
subid=document.getElementById('subm');
subid.submit();

window.status="Done";

myacaiburn6.com is the "My Pure Acai spam"

myacaiburn6.com IP:

24.193.69.243
71.140.203.75
75.4.218.155
82.143.216.178
83.217.2.171
85.54.241.186
99.33.113.205
99.228.191.157
137.49.17.86
190.46.85.81

Registrar: XIN NET TECHNOLOGY CORPORATION
Name Server: NS1.AMDNAMESERVER.COM
Name Server: NS2.AMDNAMESERVER.COM
Name Server: NS3.HARDNAMESERVER.COM
Name Server: NS4.AMDNAMESERVER.COM
Name Server: NS5.HARDNAMESERVER.COM
Name Server: NS6.HARDNAMESERVER.COM
Updated Date: 17-mar-2009
Creation Date: 05-mar-2009

QUOTE
Do you have tools for parsing javascript?
I use wireshark or FiddlerCap to capture the network traffic, Malzilla to decode / deobfuscate JavaScript.
jfrankparnell
QUOTE (Kimberly @ Mar 19 2009, 05:27 PM) *
Hi jfrankparnell,

myadslink.com/adsense/show_ads.js is indeed the page referring to the ad. The snippet you posted is related to Google, not to show_ads.js


I use wireshark or FiddlerCap to capture the network traffic, Malzilla to decode / deobfuscate JavaScript.


Thanks a lot, Kimberly - I have the feeling we haven't seen the last of these, so those tool recommendations will be handy.