[SpamCop-List] Re: Encrypted Spammed sites
Philip Sewell
nobody at spamcop.net
Wed Feb 26 23:58:35 EST 2003
WizyWyg wrote:
> http://www.hirje.com/mp/
> Any way of "decrypting" to find the real source?
This is "Dr. Fatburn". See http://spews.org/html/S1100.html.
http://www.hirje.com/mp/ decodes to a page advertising various quack
pills. Take your pick:
> <a href="gh/data/index.htm">
> <img border="0" src="lookandfeel.jpg" width="344" height="32"></a>
> <a href="phero/data/index.htm">
> <img border="0" src="attractwm.jpg" width="344" height="32"></a>
> <a href="ss3/index.htm">
> <img border="0" src="enhancelove.jpg" width="344" height="32"></a>
I looked at the images. They say "Look and Feel Younger", "Attract
Women or Men", and "Enhance your Love Life".
This page also has a "removal" popunder window. The popunder uses URL
http://optinmail-pro.com/dbremove.htm. That's through the anonymizing
proxy redirect.joker.com, by the way.
I followed the first link.
http://www.hirje.com/mp/gh/data/index.htm launches a new window. It
writes HTML for a frameset into the new window. The only visible frame
is loaded from dborder.htm.
http://www.hirje.com/mp/gh/data/dborder.htm is another frameset. The
visible frame is loaded from order.html.
http://www.hirje.com/mp/gh/data/order.html is still another frameset,
loading order2.html.
http://www.hirje.com/mp/gh/data/order2.html uses
> <META HTTP-EQUIV="REFRESH" CONTENT="2;URL=http://202.108.221.16/Power/sos/dbshopk.htm?ShopperID=GH-20030131">
to get to the next page. This META tag is placed after a lot of style
sheet nonsense to make it less visible. While waiting for the new page
to load, you are treated to a display of various things that JavaScript
knows about your web browser and operating system. Other text tries to
convince you that you are entering a secure ordering system -- not true,
of course.
http://202.108.221.16/Power/sos/dbshopk.htm?ShopperID=GH-20030131, like
a previous page, launches a new window and writes a frameset into the
new window. The frame loads order.html.
http://202.108.221.16/Power/sos/order.html is a frameset. It loads
orderform.html.
http://202.108.221.16/Power/sos/orderform.htm uses another META tag to
load http://207.44.186.52/orders/vcard/orderk.html. Once again, the tag
is obscured by extraneous style sheet junk.
http://207.44.186.52/orders/vcard/orderk.html is the initial order form,
at last. It's also the first page that's not encrypted. The form posts
data to vs.cgi?ord.
http://207.44.186.52/orders/vcard/vs.cgi handles all the ordering. It
says it is secure. It has fake VeriSign graphics.
http://207.44.186.52/orders/vcard/vs.cgi?ord confirms your order.
http://207.44.186.52/orders/vcard/vs.cgi?doorder takes your credit card
data.
This is the end of the trail. Spamless (over on NANAE) would start
feeding the form fake credit cards. I won't do that, however.
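The chain above was followed by hand, one hop at a time. As an added example that is not part of the original post, here is a small Python extractor that pulls the next hop out of a saved page: frame and iframe src attributes, and a META refresh target even when it sits behind style-sheet filler. The two sample pages embedded in it are constructed to mimic dborder.htm and order2.html as described above (the frame names and the CSS rules are made up, not captured content), and the URLs are the ones quoted in the post. It works on local text only, so saved copies can be examined without fetching anything.

```python
"""Offline extractor for the next hop(s) in a frameset / META-refresh chain."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# CONTENT of a refresh META tag, e.g. "2;URL=http://..." (case-insensitive,
# tolerant of spaces and of quotes around the URL).
_REFRESH_RE = re.compile(r"^\s*\d*\s*;\s*url\s*=\s*['\"]?([^'\"]+)", re.IGNORECASE)


class HopExtractor(HTMLParser):
    """Collect frame/iframe src attributes and META refresh targets as absolute URLs."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.hops = []  # list of (kind, absolute_url), in document order

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        tag = tag.lower()
        if tag in ("frame", "iframe") and a.get("src"):
            self.hops.append((tag, urljoin(self.base_url, a["src"])))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = _REFRESH_RE.match(a.get("content", ""))
            if m:
                self.hops.append(("meta-refresh",
                                  urljoin(self.base_url, m.group(1).strip())))


def next_hops(html, base_url):
    """Return every frame/iframe/META-refresh destination found in `html`."""
    p = HopExtractor(base_url)
    p.feed(html)
    p.close()
    return p.hops


# Constructed sample mimicking order2.html as described above (not captured content):
# the refresh tag is buried after a block of filler CSS.
SAMPLE_ORDER2 = """<html><head>
<style type="text/css">
.a1 { color: #ffffff } .a2 { font-size: 1px } .a3 { visibility: hidden }
.a4 { position: absolute; left: -1000px } .a5 { line-height: 0 }
</style>
<META HTTP-EQUIV="REFRESH" CONTENT="2;URL=http://202.108.221.16/Power/sos/dbshopk.htm?ShopperID=GH-20030131">
</head><body><script>document.write(navigator.userAgent)</script></body></html>"""

# Constructed sample mimicking dborder.htm: a frameset whose only visible frame is order.html.
SAMPLE_DBORDER = """<html><frameset rows="100%,*" border=0>
<frame src="order.html" name="main">
<frame src="blank.html" name="hidden">
</frameset></html>"""


if __name__ == "__main__":
    for base, page in [("http://www.hirje.com/mp/gh/data/order2.html", SAMPLE_ORDER2),
                       ("http://www.hirje.com/mp/gh/data/dborder.htm", SAMPLE_DBORDER)]:
        for kind, url in next_hops(page, base):
            print(f"{base} -> [{kind}] {url}")
```

Relative src values are resolved against the URL the page was saved from, so the output of one call can be fed straight back in as the base for the next hop. Anything inside a script block (window.open, a frameset written with document.write) is not covered here; that is exactly the case the document.write interception later in the post handles.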
So, how are these pages encrypted?
Fortunately, for the purpose of writing an explanation, every page was
done exactly the same way. Let's choose the very first page. Inserting
a few newlines, it looks something like:
<html>
<head>
<script>
eval(unescape('%66%75%6E%63%74%69 ... '));
eval(e('66756E6374696F6E2064286F73 ... '));
/*EncryptHTML*/
</script>
<script Language='JavaScript'>
di('3p68746w6v3q20203w686561643p ... ');
</script>
</head>
</html>
The first eval( unescape( x ) ) URL-decodes string x, adding the result
to the JavaScript. Doing that, and reformatting a little, results in:
function m(s)
{
  // Rebuild a URL-escaped string from bare hex: each 'XX' becomes '%XX',
  // and a 'uXXXX' run becomes '%uXXXX' (a JavaScript unicode escape).
  var c,n,z,i;
  z='';
  i=0;
  while(i<s.length)
  {
    c=s.charAt(i);
    if('u'==c)
    {
      // 'u' plus four hex digits -> '%uXXXX', consume 5 characters
      c='%'+c;
      c+=s.charAt(i+1);
      c+=s.charAt(i+2);
      c+=s.charAt(i+3);
      c+=s.charAt(i+4);
      n=5;
    }
    else
    {
      // two hex digits -> '%XX', consume 2 characters
      c='%'+c;
      c+=s.charAt(i+1);
      n=2;
    }
    z+=c;
    i=i+n;
  }
  return z;
}
function e(s)
{
  // unescape() turns the '%XX' sequences back into characters
  return unescape(m(s));
}
What does it do? e( x ) reconstructs a string from x, its hexadecimal
representation. So eval( e( x ) ) does that, and adds it to the
JavaScript. As it happens, my text editor does this easily:
function d(os)
{
  var key="335544";
  var ds;
  ds='';
  var kp,sp,s,kc,sc;
  kp=0;
  sp=0;
  while(sp<os.length)
  {
    sc= os.charCodeAt(sp);    // next character of the encoded string
    kc=key.charCodeAt(kp);    // current key character (the key repeats every 6)
    // XOR the two, but keep the original character whenever the result would
    // be a single quote (39), a backslash (92), a control character or
    // non-ASCII; this keeps the encoded text a legal quoted JavaScript string.
    if(((sc^kc)==39)||((sc^kc)==92)||((sc^kc)<32)||((sc^kc)>126))
    {
      s=String.fromCharCode(sc);
    }
    else
    {
      s=String.fromCharCode((sc^kc));
    }
    ds+=s;
    kp++;
    sp++;
    if(kp>=key.length)kp=0;
  }
  return ds;
}
function di(s)
{
  s=d(s);                          // undo the XOR layer -> hex string
  document.write(unescape(m(s)));  // undo the hex layer and emit the HTML
}
This one is a more serious attempt at encryption. I could figure out
exactly what it does, but it doesn't really matter. di( x ) does
something to its input string, then writes the result into the HTML,
using document.write. I can intercept document.write. Here is some
boilerplate HTML:
<form name=myform>
<textarea name="mytext" rows="24" cols="80"></textarea>
</form>
<script language="Javascript">
function __mywrite( x )
{
document.myform.mytext.value += x;
}
document.write = __mywrite;
</script>
<!-- Insert JavaScript here, including tags. -->
That's all it takes. The first page starts out:
>
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
> <meta http-equiv="Content-Language" content="en-us">
> <title>Home</title>
> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
> <meta name="ProgId" content="FrontPage.Editor.Document">
> <meta name="Microsoft Theme" content="artsy 011, default">
> <meta name="Microsoft Border" content="none, default">
> <SCRIPT LANGUAGE="JavaScript">
> <!-- Begin
> var windowW=790 // wide
> var windowH=520 // high OLD 398
> var windowX = 30 // from left
> var windowY = 135 // from top OLD 135
> var urlPop = "http://optinmail-pro.com/dbremove.htm"
> var title = "Remove"
etc. As I said, all eight encrypted pages are done the same way.
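As an added example that is not part of the original post: a Python port of the two decoding layers shown above, m()/e() (bare hex back to text) and d()/di() (repeating-key XOR under the key 335544, then the same hex layer), with document.write replaced by a return value so the decoded HTML can be inspected offline instead of being rendered. The only inputs are the string prefixes visible in the listing of the first page; the full strings are elided in the post, so only those prefixes are decoded. The JavaScript-style unescape, the find_calls helper and the sample script are my own additions, not code from the page.

```python
"""Port of the m()/e() and d()/di() decoders used by the obfuscated pages."""
import re


def js_unescape(s):
    """Python equivalent of JavaScript's legacy unescape(): %uXXXX and %XX escapes."""
    def repl(match):
        return chr(int(match.group(1) or match.group(2), 16))
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})", repl, s)


def m(s):
    """Port of m(): 'XX' pairs become '%XX', a 'uXXXX' run becomes '%uXXXX'."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "u":
            out.append("%" + s[i:i + 5])  # 'u' plus four hex digits
            i += 5
        else:
            out.append("%" + s[i:i + 2])  # two hex digits
            i += 2
    return "".join(out)


def e(s):
    """Port of e(): plain hex string -> text."""
    return js_unescape(m(s))


def d(os_, key="335544"):
    """Port of d(): XOR each character with the repeating key, except where the
    result would be a single quote, a backslash, a control or a non-ASCII
    character; those positions are copied through unchanged."""
    out = []
    for sp, ch in enumerate(os_):
        x = ord(ch) ^ ord(key[sp % len(key)])
        out.append(ch if (x in (39, 92) or x < 32 or x > 126) else chr(x))
    return "".join(out)


def di(s, key="335544"):
    """Port of di() with document.write removed: returns the decoded HTML."""
    return js_unescape(m(d(s, key)))


def find_calls(script, fname):
    """Return the single-quoted string argument of every fname('...') call (my helper)."""
    pattern = r"(?<![A-Za-z0-9_])" + re.escape(fname) + r"\(\s*'([^']*)'\s*\)"
    return re.findall(pattern, script)


def decode_script(script):
    """Decode every e('...') and di('...') argument found in a script body."""
    results = []
    for arg in find_calls(script, "e"):
        results.append(("e", e(arg)))
    for arg in find_calls(script, "di"):
        results.append(("di", di(arg)))
    return results


# Constructed sample script built from the two prefixes visible in the post;
# the real strings continue far beyond these 26 and 28 characters.
SAMPLE_SCRIPT = """
eval(e('66756E6374696F6E2064286F73'));
di('3p68746w6v3q20203w686561643p');
"""


if __name__ == "__main__":
    for layer, text in decode_script(SAMPLE_SCRIPT):
        print(f"{layer}(): {text!r}")
```

The e() prefix decodes to the start of the d() function itself ("function d(os"), and the di() prefix decodes to "<html>  <head>", which is where the FrontPage page quoted above begins. The skip rule in d() also explains the odd letters (p, w, v, q) mixed into what is otherwise a hex string: wherever XORing a hex digit with the key would have produced a quote, backslash or control character, the digit was left alone, and the letters are the hex digits that were XORed. Because the key is only six characters long and the plaintext is hex, both layers are undone with nothing more than this port and a saved copy of the page.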