Archive for July, 2012


Billion Homepage

Originally found by avast! antivirus, a regular user reported the problem on the avast! forums here.

Yesterday, urlQuery reported two evals. The first one is the important one, so let's start there. CleanMX has the evidence in hex.

Billion Exploit In Hex

Which deobfuscates to something like this:
Billion Exploit Base 1 Decoded

That deobfuscates to this:

Billion Exploit Base 2 Decoded

That can be simplified like this:
Billion Exploit Base 3 Decoded

Now that we have a good, clean view of the malware at hand, we see that it checks the document referrer, i.e. how the visitor arrived at this site. If the visitor came from a major search engine, it sets a cookie and redirects the user. Scanning the URL at VirusTotal returns nothing, but URLVoid reports problems with it. This also tells us that sites on the IP 66.199.231.59 should be considered suspicious.
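The decoding steps above can be done statically, without ever running the payload. The following is an added example, not code from the original post or from the infected site: it peels hex-escaped `eval("...")` wrappers layer by layer and then flags the referrer-gated cookie-and-redirect behaviour described above. The inner script is a constructed stand-in for the real decoded payload (the regex of search engines, the cookie name and the redirect URL are assumptions); only the IP address is taken from the post.

```javascript
// Added example (not from the original post): statically peel hex-escaped
// eval() layers and flag the referrer-gated redirect the post describes.

// Constructed sample modelled on the post's final decoded layer. The search
// engine list, cookie name and redirect target are assumptions; the IP is the
// one quoted in the post.
const INNER = 'var r=document.referrer;if(/google|bing|yahoo/i.test(r)){' +
  'document.cookie="v=1; path=/";window.location="http://66.199.231.59/";}';

// Hex-escape every character, the way the sample on CleanMX was encoded.
function hexEscape(s) {
  return Array.from(s, ch => '\\x' + ch.charCodeAt(0).toString(16).padStart(2, '0')).join('');
}

// Two nested layers: eval("<hex of eval(\"<hex of INNER>\")>").
const LAYER1 = 'eval("' + hexEscape(INNER) + '")';
const SAMPLE = 'eval("' + hexEscape(LAYER1) + '")';

// Decode \xHH escapes without executing anything.
function unhex(s) {
  return s.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Peel eval("...") wrappers until none remain; returns every layer seen,
// outermost first. maxDepth guards against pathological input.
function peelEvalLayers(src, maxDepth = 10) {
  const layers = [src];
  let cur = src;
  for (let i = 0; i < maxDepth; i++) {
    const m = cur.match(/^\s*eval\(\s*"((?:[^"\\]|\\.)*)"\s*\)\s*;?\s*$/);
    if (!m) break;
    cur = unhex(m[1]);
    layers.push(cur);
  }
  return layers;
}

// Describe what the innermost layer does, using the traits from the post.
function classify(script) {
  return {
    checksReferrer: /document\.referrer/.test(script),
    searchEngineGate: /google|bing|yahoo/i.test(script),
    setsCookie: /document\.cookie\s*=/.test(script),
    redirects: /(window\.)?location(\.href)?\s*=/.test(script) || /location\.replace\(/.test(script),
    ips: [...script.matchAll(/\b(?:\d{1,3}\.){3}\d{1,3}\b/g)].map(m => m[0]),
  };
}

// Full analysis: layers plus a verdict on the innermost one.
function analyze(src) {
  const layers = peelEvalLayers(src);
  const behaviour = classify(layers[layers.length - 1]);
  const verdict = behaviour.checksReferrer && behaviour.redirects
    ? 'referrer-gated redirect'
    : 'no redirect pattern found';
  return { layers, behaviour, verdict };
}

console.log(JSON.stringify(analyze(SAMPLE), null, 2));
```

Because the decoder only reads the string literal inside each `eval(...)` and never evaluates it, it is safe to run on a captured sample; a layer that is built with string concatenation or `unescape()` rather than a plain hex-escaped literal would need a further peeling rule.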

The site is now under maintenance to remove the malicious content. They should also update their Apache software: the latest release is 2.4.2, while they run 1.3.37.

Keep your software up to date,
~!Donovan

SendSpace’s Pop-Up Algorithm

SendSpace Homepage

SendSpace is a great uploading site. It features a maximum file size of 300 MB, auto-destruction of a file after it has been inactive for 30 days, and gives the user a deletion link if needed. The downsides of this site are its excessive ads and pop-ups. The site also requires JavaScript in order to download files. Each time you download from this site, you are served a pop-up window.

SendSpace Pop-Up

Have you ever wondered why your average pop-up blocker (in this case Firefox's built-in blocker) doesn't prevent SendSpace's pop-up ads? I wondered, so I went looking for the answer, directly in the source itself.

SendSpace HTML

Well now, it seems there is an anchor tag with the id download_button. We can use this to our advantage later on. It also contains the following: onclick="runad()". Looks like SendSpace isn't trying to hide its JavaScript.

SendSpace JavaScript

If we look more closely, we see that the script tries to call _gaq.push(["trackPageview"]) on "/file/downloadbutton". Why would they do that? The syntax is correct as given here: Google Documentation.

SendSpace JavaScript Try

So what’s really going on? Does the file exist? Nope.

SendSpace File Not Valid

So they try _gaq.push() on something that does not exist, which would throw an error. So then, how do they handle the error?

SendSpace JavaScript Catch

It defines the date as a variable, then does an if statement on a cookie. There is likely another variable defined above, since it ends up returning true even though my attempt to reproduce the case gives false. Tricky. Notice that newin.blur() and window.focus() are called after the window.open(). See the jsFiddle here.

So in summary, SendSpace's pop-up algorithm looks like this:
try (bad) catch (window) where window.innerContents = (newin = window.open() && newin.blur() || (window.open()).blur() && window.focus)
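The pattern above, a window opened inside a catch block and immediately pushed behind the opener with blur()/focus(), is easy to spot when auditing a page's scripts. The following is an added example, not SendSpace's code or anything from the original post: it locates every catch clause in a script with a small brace matcher and reports which ones open a window and blur it. The sample script is a constructed reconstruction of what the post describes runad() doing; the ad URL and the cookie name are placeholders.

```javascript
// Added example (not SendSpace's code): find catch blocks that open a window
// and push it behind the opener, the pop-under pattern the post describes.

// Constructed sample modelled on the post's description of runad(). The ad URL
// and cookie name are placeholders, not values from the site.
const SAMPLE_JS = `
function runad() {
  try {
    _gaq.push(["trackPageview", "/file/downloadbutton"]);
  } catch (err) {
    var d = new Date();
    if (document.cookie.indexOf("adshown=") == -1) {
      var newin = window.open("http://ads.example.invalid/popunder");
      newin.blur();
      window.focus();
    }
  }
}
`;

// Return the text inside the block whose opening '{' is at index `open`,
// or null if the braces never balance.
function braceBlock(src, open) {
  let depth = 0;
  for (let i = open; i < src.length; i++) {
    if (src[i] === '{') depth++;
    else if (src[i] === '}' && --depth === 0) return src.slice(open + 1, i);
  }
  return null;
}

// Locate every catch clause and record what its body does.
function auditCatchBlocks(src) {
  const findings = [];
  const re = /\bcatch\s*(\([^)]*\))?\s*\{/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    // m[0] ends with the opening brace of the catch body.
    const body = braceBlock(src, m.index + m[0].length - 1);
    if (body === null) break;
    findings.push({
      offset: m.index,
      opensWindow: /\bwindow\.open\s*\(/.test(body),
      blursNewWindow: /\.blur\s*\(\s*\)/.test(body) && /\bwindow\.focus\s*\(\s*\)/.test(body),
      cookieGated: /document\.cookie/.test(body),
    });
  }
  return findings;
}

// A catch block that opens a window and then blurs it while refocusing the
// opener is the pop-under behaviour described in the post.
function popUnderCatches(src) {
  return auditCatchBlocks(src).filter(f => f.opensWindow && f.blursNewWindow);
}

console.log(JSON.stringify(popUnderCatches(SAMPLE_JS), null, 2));
```

The audit is purely lexical, so minified or string-built code (`window["open"]`) would slip past it; it is meant as a quick triage pass over a page's inline scripts, with the flagged offsets pointing you to the code worth reading by hand, as was done above.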

Stay safe,
~!Donovan