Friday, December 02, 2005

Anatomy of a Geocities redirection spam

There's been a recent rash of spams that work by using Geocities web pages that contain encoded Javascript that jumps off to another web page. Here's an example of an actual spam that uses this technique (I've stripped the headers and some irrelevant details):
Subject: Highest Quality Branded Watches qy7

World Top10 Branded Watches at 90% off
the original price. We have almost all models
to be choosen from which makes our replikas
the best and highest quality assured by our
manufacturer or else full refund is being
given without questions ask.

Check us out toooday..

http://de.geocities.com/Timothea33494Fair60425/
The web site to which the spam entices you is a page on the German Geocities that looks like this (again some irrelevant details were removed):
<body>
<p align="center"><font size="7">Please Wait as Site Loads</font></p>
<p>A high-end rolex very often costs too much money for the average person, that
is why they want a GENUINE Swiss-Made replica, which costs only 1/100 to 1/300
of the actual watch.. A high-end rolex for example shows wealth, power and status.
Yet, very often people who are trying to get ahead need to give the appearance
that they have achieved wealth, power and status. That is when a replica watch
is an inexpensive and effective solution. It gives the impression that you are
wearing the genuine Rolex while you are attending the posh cocktail party or
signifigant business meeting. </p>
<p>Many different people purchase replica Rolex watches, it is not always about
business or getting ahead. Sometimes it is about simply wanting to give somebody
you love a truly nice gift - a gift over and above what they had hoped for,
yet still affordable. Some already own a Rolex but prefer to keep it in a safe
tucked away and want an imitation for when they go out. For others, they like
the look of a genuine brand and want the replica without spending thousands
of dollars that a real Rolex may cost. Although it sounds like an oxymoron there
are genuine Rolex replicas. In other words, there is a lot of variance in the
quality of replica Rolex watches ranging from the Swiss high quality replicas,
to the lesser Chinese replicas. If you are in the market for a real Rolex, or
are interested in a quality replica Rolex, you will need to take a close look
at a few things first.</p>
<p>This website offers invaluable information for the interested or just plain
curious about replica watches. Even if you are not in the market for a replica
or real Rolex watch, you will find a wealth of information on popular watch
manufacturers such as Omega and Tag Heuer. For what ever watch-related reason
you are here, this website is for you.</p>
</body>
<SCRIPT LANGUAGE="JavaScript">
<!--
eval(unescape("\x76\x61\x72\x25\x32\x30\x74\x25\x33\x44\x77\x69\x6E\x64\x6F\x77\x2E\x74\x6F
\x70\x25\x33\x42\x25\x30\x44\x25\x30\x41\x66\x75\x6E\x63\x74\x69\x6F\x6E\x25\x32\x30\x72\x69
\x61\x25\x32\x38\x61\x25\x32\x39\x25\x32\x30\x25\x37\x42\x25\x30\x44\x25\x30\x41\x25\x30\x39
\x72\x65\x74\x75\x72\x6E\x25\x32\x30\x4D\x61\x74\x68\x2E\x66\x6C\x6F\x6F\x72\x25\x32\x38\x4D
\x61\x74\x68\x2E\x72\x61\x6E\x64\x6F\x6D\x25\x32\x38\x25\x32\x39\x25\x32\x30\x2A\x25\x32\x30
\x61\x2E\x6C\x65\x6E\x67\x74\x68\x25\x32\x39\x25\x33\x42\x25\x32\x30\x25\x32\x30\x25\x32\x30
\x25\x32\x30\x25\x30\x44\x25\x30\x41\x25\x37\x44\x25\x30\x44\x25\x30\x41\x66\x75\x6E\x63\x74
\x69\x6F\x6E\x25\x32\x30\x78\x6C\x25\x32\x38\x75\x25\x32\x39\x25\x37\x42\x25\x30\x44\x25\x30
\x41\x25\x30\x39\x74\x2E\x6C\x6F\x63\x61\x74\x69\x6F\x6E\x2E\x68\x72\x65\x66\x25\x33\x44\x75
\x25\x33\x42\x25\x30\x44\x25\x30\x41\x25\x37\x44\x25\x30\x44\x25\x30\x41\x66\x75\x6E\x63\x74
\x69\x6F\x6E\x25\x32\x30\x68\x6F\x6D\x65\x70\x61\x67\x65\x25\x32\x38\x25\x32\x39\x25\x37\x42
\x25\x30\x44\x25\x30\x41\x25\x30\x39\x78\x6C\x25\x32\x38\x70\x72\x65\x66\x69\x78\x25\x32\x30
\x2B\x25\x32\x30\x64\x6F\x6D\x61\x69\x6E\x5F\x74\x6F\x25\x32\x30\x2B\x25\x32\x30\x66\x6F\x6C
\x64\x65\x72\x25\x32\x39\x25\x33\x42\x25\x30\x44\x25\x30\x41\x25\x37\x44\x25\x30\x44\x25\x30
\x41\x66\x75\x6E\x63\x74\x69\x6F\x6E\x25\x32\x30\x67\x6F\x75\x6E\x73\x75\x62\x25\x32\x38\x25
\x32\x39\x25\x37\x42\x25\x30\x44\x25\x30\x41\x25\x30\x39\x78\x6C\x25\x32\x38\x70\x72\x65\x66
\x69\x78\x25\x32\x30\x2B\x25\x32\x30\x64\x6F\x6D\x61\x69\x6E\x5F\x74\x6F\x25\x32\x30\x2B\x25
\x32\x30\x25\x32\x32\x2F\x72\x25\x32\x32\x2B\x25\x32\x30\x25\x32\x32\x73\x75\x70\x70\x6F\x72
\x74\x2F\x25\x32\x32\x25\x32\x39\x25\x33\x42\x25\x30\x44\x25\x30\x41\x25\x37\x44\x25\x30\x44
\x25\x30\x41\x76\x61\x72\x25\x32\x30\x70\x72\x65\x66\x69\x78\x25\x32\x30\x25\x33\x44\x25\x32
\x30\x25\x32\x37\x68\x74\x74\x70\x25\x33\x41\x2F\x2F\x72\x77\x73\x2E\x25\x32\x37\x25\x33\x42
\x25\x30\x44\x25\x30\x41\x76\x61\x72\x25\x32\x30\x74\x64\x73\x25\x32\x30\x25\x33\x44\x25\x32
\x30\x6E\x65\x77\x25\x32\x30\x41\x72\x72\x61\x79\x25\x32\x38\x25\x32\x39\x25\x33\x42\x25\x30
\x44\x25\x30\x41\x74\x64\x73\x25\x35\x42\x74\x64\x73\x2E\x6C\x65\x6E\x67\x74\x68\x25\x35\x44
\x25\x33\x44\x25\x32\x37\x25\x32\x37\x25\x33\x42\x25\x30\x44\x25\x30\x41\x76\x61\x72\x25\x32
\x30\x64\x5F\x69\x25\x32\x30\x25\x33\x44\x25\x32\x30\x72\x69\x61\x25\x32\x38\x74\x64\x73\x25
\x32\x39\x25\x33\x42\x25\x30\x44\x25\x30\x41\x76\x61\x72\x25\x32\x30\x64\x6F\x6D\x61\x69\x6E
\x5F\x74\x6F\x25\x32\x30\x25\x33\x44\x25\x32\x30\x74\x64\x73\x25\x35\x42\x64\x5F\x69\x25\x35
\x44\x25\x33\x42\x25\x30\x44\x25\x30\x41\x76\x61\x72\x25\x32\x30\x66\x64\x73\x25\x32\x30\x25
\x33\x44\x25\x32\x30\x6E\x65\x77\x25\x32\x30\x41\x72\x72\x61\x79\x25\x32\x38\x25\x32\x39\x25
\x33\x42\x25\x30\x44\x25\x30\x41\x66\x64\x73\x25\x35\x42\x66\x64\x73\x2E\x6C\x65\x6E\x67\x74
\x68\x25\x35\x44\x25\x33\x44\x25\x32\x32\x65\x78\x61\x63\x74\x6E\x65\x73\x73\x74\x6F\x73\x75
\x63\x63\x65\x73\x73\x2E\x63\x6F\x6D\x25\x32\x32\x25\x33\x42\x25\x30\x44\x25\x30\x41\x66\x64
\x73\x25\x35\x42\x66\x64\x73\x2E\x6C\x65\x6E\x67\x74\x68\x25\x35\x44\x25\x33\x44\x25\x32\x32
\x61\x74\x74\x65\x6E\x74\x69\x6F\x6E\x61\x6E\x64\x66\x6F\x63\x75\x73\x2E\x63\x6F\x6D\x25\x32
\x32\x25\x33\x42\x25\x30\x44\x25\x30\x41\x66\x64\x73\x25\x35\x42\x66\x64\x73\x2E\x6C\x65\x6E
\x67\x74\x68\x25\x35\x44\x25\x33\x44\x25\x32\x32\x63\x6F\x6C\x6C\x65\x63\x74\x6F\x72\x74\x72
\x75\x65\x62\x65\x6E\x65\x66\x69\x74\x73\x2E\x63\x6F\x6D\x25\x32\x32\x25\x33\x42\x25\x30\x44
\x25\x30\x41\x66\x64\x73\x25\x35\x42\x66\x64\x73\x2E\x6C\x65\x6E\x67\x74\x68\x25\x35\x44\x25
\x33\x44\x25\x32\x32\x63\x6F\x6D\x62\x69\x6E\x61\x74\x69\x6F\x6E\x73\x66\x6F\x72\x64\x65\x61
\x6C\x2E\x63\x6F\x6D\x25\x32\x32\x25\x33\x42\x25\x30\x44\x25\x30\x41\x76\x61\x72\x25\x32\x30
\x66\x5F\x69\x25\x32\x30\x25\x33\x44\x25\x32\x30\x25\x32\x30\x72\x69\x61\x25\x32\x38\x66\x64
\x73\x25\x32\x39\x25\x33\x42\x25\x30\x44\x25\x30\x41\x76\x61\x72\x25\x32\x30\x66\x6F\x6C\x64
\x65\x72\x25\x32\x30\x25\x33\x44\x25\x32\x30\x66\x64\x73\x25\x35\x42\x66\x5F\x69\x25\x35\x44
\x25\x33\x42\x25\x30\x44\x25\x30\x41\x74\x2E\x64\x6F\x63\x75\x6D\x65\x6E\x74\x2E\x74\x69\x74
\x6C\x65\x25\x32\x30\x25\x33\x44\x25\x32\x30\x25\x32\x32\x52\x65\x70\x6C\x69\x63\x61\x25\x32
\x30\x57\x61\x74\x63\x68\x25\x32\x30\x53\x74\x6F\x72\x65\x2E\x2E\x2E\x2E\x2E\x25\x32\x32\x25
\x33\x42\x25\x30\x44\x25\x30\x41\x25\x30\x44\x25\x30\x41\x68\x6F\x6D\x65\x70\x61\x67\x65\x25
\x32\x38\x25\x32\x39\x25\x33\x42\x25\x30\x44\x25\x30\x41\x64\x6F\x63\x75\x6D\x65\x6E\x74\x2E
\x62\x6F\x64\x79\x2E\x6F\x6E\x6C\x6F\x61\x64\x25\x33\x44\x68\x6F\x6D\x65\x70\x61\x67\x65\x25
\x33\x42"));
//-->
</SCRIPT>
</body>
All the interesting stuff is in the block of JavaScript at the end, which unescapes the encoded string and then passes the result to eval to run it. The actual program that gets run is the following (I cleaned up the code so that it's readable):
var t=window.top;
function ria(a) {
    return Math.floor(Math.random() * a.length);
}
function xl(u) {
    t.location.href=u;
}
function homepage() {
    xl(prefix + domain_to + folder);
}
function gounsub() {
    xl(prefix + domain_to + "/r"+ "support/");
}
var prefix = 'http://rws.';
var tds = new Array();
tds[tds.length]='';
var d_i = ria(tds);
var domain_to = tds[d_i];
var fds = new Array();
fds[fds.length]="exactnesstosuccess.com";
fds[fds.length]="attentionandfocus.com";
fds[fds.length]="collectortruebenefits.com";
fds[fds.length]="combinationsfordeal.com";
var f_i = ria(fds);
var folder = fds[f_i];
t.document.title = "Replica Watch Store.....";
homepage();
document.body.onload=homepage;
The script redirects to one of four web sites (all of which get the prefix http://rws.), which are stored in the array fds; the site is chosen at random by the ria function. Oddly, this code contains a number of seemingly useless parts: tds is initialized with just one empty entry and then a random entry is chosen from it, which achieves nothing, and the gounsub function is never referenced.
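Because the only thing hiding the destination is the two-layer encoding (every character rendered as \xNN, wrapped around an escape()-style percent-encoded script), the page can be analysed without ever running the script. The following is an added example, not code from the original post: it unwraps the eval(unescape("...")) blob layer by layer and lists every URL the decoded script could redirect to. The sample page it works on is constructed here (with .invalid host names), encoded the same way the spam page is.

```javascript
// Layer 1: turn the "\xNN" escape sequences back into characters.
function unhexEscapes(s) {
  return s.replace(/\\x([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Layer 2: what the legacy unescape() does: %uXXXX and %XX percent-decoding.
function percentDecode(s) {
  return s
    .replace(/%u([0-9A-Fa-f]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/%([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Pull the string literal out of eval(unescape("...")). The blob may be
// wrapped across lines when quoted, so whitespace inside it is dropped.
function extractBlob(html) {
  const m = html.match(/eval\(unescape\("([\s\S]*?)"\)\)/);
  if (!m) throw new Error("no eval(unescape(...)) wrapper found");
  return m[1].replace(/\s+/g, "");
}

// Full static unwrapping: no eval, no browser, just string decoding.
function decodeSpamScript(html) {
  return percentDecode(unhexEscapes(extractBlob(html)));
}

// Recover the prefix and every fds[] entry: the only hosts ria() can pick,
// so this is the complete set of possible redirect destinations.
function redirectTargets(script) {
  const pm = script.match(/var\s+prefix\s*=\s*'([^']*)'/);
  const prefix = pm ? pm[1] : "";
  const hosts = [...script.matchAll(/fds\[fds\.length\]\s*=\s*"([^"]+)"/g)].map(m => m[1]);
  return hosts.map(h => prefix + h);
}

// Constructed sample: a shortened script encoded the way the spam page
// encodes it (escape()-style percent-encoding, then \xNN for every byte).
function encodeLikeSpam(src) {
  const hex = c => c.charCodeAt(0).toString(16).toUpperCase().padStart(2, "0");
  const pct = src.replace(/[^A-Za-z0-9@*_+\-./]/g, c => "%" + hex(c)); // ASCII input assumed
  return [...pct].map(c => "\\x" + hex(c)).join("");
}
const SAMPLE_SCRIPT = "var prefix = 'http://rws.';\r\nvar fds = new Array();\r\n" +
  'fds[fds.length]="example-a.invalid";\r\nfds[fds.length]="example-b.invalid";\r\nhomepage();';
const SAMPLE_PAGE = '<SCRIPT LANGUAGE="JavaScript">\n<!--\neval(unescape("' +
  encodeLikeSpam(SAMPLE_SCRIPT) + '"));\n//-->\n</SCRIPT>';

console.log(decodeSpamScript(SAMPLE_PAGE));
console.log(redirectTargets(decodeSpamScript(SAMPLE_PAGE)));
```

Running the same functions over the blob quoted above yields the cleaned-up script and the four rws. hosts listed in fds.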