Monday, April 24, 2006

What's behind link spam

Chances are that if you ever created a weblog or a guestbook, you've come to know that "nice" phenomenon known as link spam. I'll show you who the people behind this typically are, and they are not nice people.

Here's an example:



Lots of crappy links. Ever wondered what clicking on one does? (Note: DON'T.) Well, it brings you to a page like this:



Nothing but a bunch of nonsense and pasted text. So why would anyone bring anybody to a page like that? Unfortunately, there's more than meets the eye. Notice the red circle at the top left. In its center you can see a small square. That's an iframe, one of the two idiotic techniques that people behind malware use when trying not to be seen.



The iframe itself, of course, uses the other idiotic technique: JavaScript obfuscation. Considering how easy it is to deobfuscate these things, I wonder why they bother in the first place. Oh, maybe because antivirus link checkers are completely fooled by something this simple. Heh.
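As an added example (not code from the original post), here is a small Python scanner that checks a fetched page for the two hiding techniques just described: iframes that are tiny or styled invisible, and script bodies that lean on unescape()/eval() or long runs of %XX escapes. The sample HTML is constructed for the example, and example.invalid is a placeholder host.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not the 2006 spam page): filler text, a 1x1 invisible
# iframe, and a script whose real body hides behind unescape()/eval().
SAMPLE_HTML = """<html><body><p>cheap stuff cheap stuff lorem ipsum pasted text</p>
<iframe src="http://example.invalid/ad/x.php" width="1" height="1" style="visibility: hidden"></iframe>
<script>eval(unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%22x%22%29"));</script>
</body></html>"""

class _Collector(HTMLParser):
    # Gathers every iframe's attributes and the raw text of every <script>.
    def __init__(self):
        super().__init__()
        self.iframes, self.scripts, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        self._in_script = self._in_script or tag == "script"
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def hidden_iframes(iframes):
    # src of every iframe that is at most 2px wide/high or styled invisible
    out = []
    for a in iframes:
        style = (a.get("style") or "").replace(" ", "").lower()
        tiny = any(re.match(r"\s*[0-2](px)?\s*$", a.get(k) or "") for k in ("width", "height"))
        if tiny or "display:none" in style or "visibility:hidden" in style:
            out.append(a.get("src") or "")
    return out

_PRIMITIVES = re.compile(r"\b(eval|unescape|String\.fromCharCode|document\.write)\s*\(")
def obfuscation_hits(script_text):
    # Obfuscation primitives called, plus any run of 8+ consecutive %XX escapes
    hits = {m.group(1) for m in _PRIMITIVES.finditer(script_text)}
    if re.search(r"(?:%[0-9A-Fa-f]{2}){8,}", script_text):
        hits.add("percent-escaped-run")
    return sorted(hits)

def scan(html):
    # One verdict per page: which iframes are hidden, which obfuscation markers appear
    p = _Collector()
    p.feed(html)
    p.close()
    return {"hidden_iframes": hidden_iframes(p.iframes),
            "obfuscation": obfuscation_hits("\n".join(p.scripts))}
```

Legitimate pages also use document.write and 1x1 tracking pixels, so treat hits as triage signals for a human to review rather than verdicts.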

So what's in the iframe? Well, this one for instance has:



That, via a mechanism that took me the amazing, incredible time of 2 minutes to decrypt, is something like this:



Note that I snipped the image, as the code extended way beyond it: click to see the image with the whole code... and don't try that code at home... ;)

And what's that? Nothing but a series of exploits that attempt to break the visitor's machine as thoroughly as possible. This is what the whole scam tries to do:

- determine whether you have Norton or McAfee antivirus through the use of an ActiveX object; if so, they avoid loading some exploits that they know Norton and McAfee recognize. Yes, IE, Norton and McAfee are such amazing products that they let the malware people directly manage which exploits or malware are safer to load. Wow.

- it might determine (server-side) whether you are using Internet Explorer (if not, some of these iframes won't load anything); I wouldn't visit any of these links with the Swiss cheese known as IE if I were you (then again, I wouldn't visit ANY site with that Swiss cheese anyway). But if you want to explore the actual "full exploits" page, you can always download these through wget with the --user-agent option; you don't know what wget is or how to set --user-agent? Don't bother in the first place.

- load, of course, a series of exploits and malware, such as this trojan (195.225.176.34/ad/0118/get.php?file=exe):



and this (195.225.176.34/ad/0118/files/spl/Microsoft_Windows_Advanced_Upgrade_Wizard_Logo2______________________________________________________________________.emf):



and this (195.225.176.34/ad/0118/files/spl/ani.anr):



and this (195.225.176.34/ad/0118/files/spl/java/java.jar):



and this (195.225.176.34/ad/0118/get.php?file=hta):



and this (195.225.176.34/ad/0118/files/spl/onload/fillmem.php):



Weird, they didn't use the CreateTextRange exploit, maybe they're slipping, huh?

And of course, who are these people? You guessed it, Coolwebsearch.

So, for the love of God, fix your guestbooks and blogs. Please. Don't let these criminals make money by infecting more people.

1 Comment:

Blogger TNT said...

Never mind checking. These people are soooo "clever", they changed the iframe script already.

Oh, and if you use wget to download the iframe, with no custom user agent, there is a "FUCK OFF!!!!" before the script. Uh uh.

2:31 AM  
