Obfuscated Javascript Spam

Recently I’ve been receiving phishing-spam in the form of official-looking Amazon.com invoices. Curiosity got the better of me and I clicked on the phishing link. The page that came up was blank. A quick source view revealed a bunch of obfuscated javascript.

I wanted to see how it worked.

Here is a sample line of the code:

mGdujq[‘euvLaulm'[VvIf](/[muzLc]/g, EWgUi)] \
(ltY(mGdujq[[‘uhnKehsKcKaKpleo'[VvIf](/[oKhlE]/g, EWgUi)]](IuO)));

Now what’s going on here?

Well, plain as day in the source I see a couple very important lines that will help decode this. The lines are:

var EWgUi = ”;
var mGdujq = this;
var VvIf = ” + ‘replace’;

Armed with this information the line decodes easily before our eyes to

this[‘euvLaulm'[replace](/[muzLc]/g,”) \
(ltY(this[[‘uhnKehsKcKaKpleo'[replace](/[oKhlE]/g,”)]](IuO)));

What’s left to decode is the use of shorthand regular expressions. For example let’s look at this piece of code

‘euvLaulm'[replace](/[muzLc]/g,”)

‘euvLaulm’ is just a regular old string. You can call the string’s replace function in many different ways such as:

var str = ‘euvLaulm’; str.replace();
‘euvLaulm’.replace();
‘euvLaulm'[replace]();

The regex /[muzLc]/g simply matches any character within the square brackets. The full line of code calls for every match to be replaced with ” (an empty string) or in other words, to delete those characters from the string.

euvLaulm

The result is the string ‘eval’.

So the fully interpreted line of javascript reads as follows:

this[eval](ltY(this[[unescape]](IuO)));

Or in code more readable to my own eyes:

this.eval( ltY( this.unnescape( IuO )));

Strewn throughout the javascript are lots of variable declarations that create strings of seemingly random letters and numbers. Upon close inspection you might notice that there’s a pattern to the strings; they consist of alternating hex and non-hex characters. (A hex character or value is 0-9 and a-f).

Near the end of the code all these strings are concatenated and a series of replace operations are performed to replace all the non-hex characters with ‘%<hex character>’. The result is a string of URL escape sequences (a percent symbol followed by 2 hex characters). This string is stored in the variable IuO.

The URL escaped data is then unescaped to create an array of bytes (aka, a string, except the bytes aren’t all printable characters, so I can’t call it a string). This data is passed to the ltY function which performs a ( <byte> XOR 13 ) operation on each byte of data. The result is a string of HTML that creates a hidden iframe to some porn referral page and a META refresh that redirects the user to a male supplements web site after 4 seconds.

That was fun. A little sleuthing and puzzle solving. But what is there to take away from all this?

First was myself learning new ways to use and abuse javascript syntax such as ‘string'[function].

Also curious was the large amount of superfluous statements in the code. Variables would be created without initialization. They they’d be initialized to an empty string. Then they’d be set to their real value. Three statements to perform an operation that could be done in one. I imagine this, along with the use of random upper and lowercase letters used as variables AND data make the code more difficult to parse by hand (or by eye). But a few minutes and a bit of perseverance will overcome that. However that shows these types of scams are designed with the user who tries to perform a cursory inspection of the underlying code in mind.

The multiple decoding steps to arrive at the final “attack” HTML indicates to me the code is designed to circumvent string-comparison spam filters. That there was more than one decoding step and that there’s a bunch of extra, useless javascript (if/else blocks with one assignment to an unused variable) makes me wonder if this code was also created to circumvent spam filters that are javascript-aware. It’s working so far. My institution’s normally solid spam filtering software has let this one slip by twice in the last week.

And it’s nice to see what kinds of tricks spammers have up their sleeves.

SharePoint Designer

I recently installed Office 2010 and, along with it, SharePoint Designer 2010.

SharePoint Designer was a child of Microsoft’s WYSIWYG HTML editor FrontPage. Many people cut their teeth in HTML with FrontPage and were promptly told (rightly so) to ditch it for something better. But SharePoint Designer 2007, which is free for any Windows user to download, might actually not completely suck! What a bargain then, a nice WYSIWYG HTML editor that was free for anyone who operates on a Windows OS.

But SharePoint Designer was not the only child of FrontPage to come out of Redmond. There is another WYSIWYG HTML editor called Expression Web. However one must purchase Expression Web; it is not free. I wonder why. SharePoint Designer 2010 answers this question.

SharePoint is a product from Microsoft that tries to solve a lot of business problems. It is perhaps best to think of it as a business intranet on a single server. It handles collaboration, web publishing, portals, wikis, blogs, etc. It’s not a product, it’s a platform. And SharePoint Designer is intended to be used to develop content on SharePoint servers. But SharePoint Designer 2007 lets you create and edit standalone web pages. In essence you could replace FrontPage with SharePont Designer 2007. And don’t forget that it’s free! So that’s what a lot of people did.

Enter SharePoint Designer 2010 which comes with it a very large, very problematic restriction. It only lets you develop content for SharePoint servers. No longer can you manage just any old HTML content; if it’s not on a SharePoint server you can’t touch it with SharePoint Designer 2010.

So all those folks who have looked to SharePoint Designer as their FrontPage replacement are in for a rude awakening.

What’s the Microsoft solution? Expression Web 2010, on sale now at the cut-rate price of US$149.00.

So what free alternatives are available? Well, SharePoint Designer 2007 is still available for download. Maybe stick with that for now. Or you could experiment with Apatana or KompoZer. Or stick to a plain text editor (my preferred choice).

But this post isn’t about evaluating alternative WYSWYG HTML editors. This post is a simple warning to those of you who thought you had found your FrontPage replacement in SharePoint Designer. You didn’t.

Apple’s Latest

First a follow-up to my previous post abot MPEG-LA. The current MPEG-LA license was renewed through 2015. That means any change in pricing wouldn’t occur until then. So we’ve got at least another 5 years where we don’t have to worry about web video. What happens then? Who knows. There’s a nice breakdown of the MPEG-LA licensing in this article over at ZDNet along with some numbers on just how many patents and from how many countries that are involved with MPEG-LA. It’s mind boggling.

Safari 5

Safari 5 was released today.  Among its new features is one called Safari Reader which will recognize a web page that contains an article (or blog post), pull out the content of just the article and format it in a way that’s easier to read. Essentially it’s a chrome and ad remover. (“Chrome” in the sense of pretty, but useless bits of a page layout, not the browser.) This feature has interesting implications, especially if it’s popular enough to be copied by the other major browsers (which I think it will). The obvious issues are, a) stripping presentation control away from the content publisher and b) stripping revenue-generating ads away from the page.

But are they really issues?

The page needs to load, inside its intended chrome, before the reader option kicks in. Page views will still be generated. However if the ad is animated or relies on user-interaction the ad will, essentially, be useless. It will also probably work around those particularly lame ads that pop up over the content you’re trying to read. This will probably piss advertisers off.

As for the stripping away of chrome, I have mixed opinions. It makes very busy web pages much easier to read by removing distractions that are outside the content of the article. It might even teach some web developers that perhaps some simple layouts without a lot of distraction are actually preferred by users.

One problem I do have with the reader feature is that it doesn’t do enough to distinguish links from regular text. The content is displayed as black text on a white background with links colored in a dark blue. There are no underlines and no mouseover action to provide feedback that your mouse is over a link. Low-contrast users will especially find it difficult to identify links among the text.

Another problem I have is that it removes chrome within the article itself. Perhaps you’ve done something to highlight certain terms or use color to visually represent some relationship in the textual content. All that is stripped away. Reader-fied pages may actually lose some of its meaning. On the other hand it’s web development best practice to avoid using colors alone to represent such relationships in textual content as vision-impaired users would not be able to use such information.

Still, switching to reader mode requires an act by the end-user. Meaning if you don’t want to use it you don’t have to.

Safari has also created APIs to allow developers to create extensions to Safari. Perhaps ad blocker and noscript (or equivalent extension) will soon find a home on Safari.

iPhone 4

You’re probably aware by now that Apple has announced its new iPhone this week. Prices will be equivalent to the iPhone 3GS when it was released. The hardware is all new including a special glass for the front and back which is scratch, fingerprint, and impact resistant. There are two cameras (front and rear facing) which means video chat or video phone calls. The case is smaller. There’s a new processor. There’s about a second microphone for the purpose of noise cancellation. The camera will record HD video (720p) and you’ll be able to edit video right on the iPhone. But the biggest feature is probably the new screen. The screen boasts 326dpi and it’s around 300dpi that our eyes become unable to distinguish individual pixels. This means text will look smoother, photos will look crisper, and more information can be packed into a single screen. It was also noted that all existing iPhone apps, because they use Apple’s APIs, will be scaled up automatically to work with the new, higher-resolution display.

But most of Steve Jobs’ keynote address at WWDC was focused (as it should) at developers. Lots of numbers about the kind of revenue generated by the App Store and the money developers make off the App Store. The introduction of a new feature called iAds which allows developers to identify a space within their app where ads can be placed. Apple will handle putting the actual add into the application and developers get a cut of the revenue. On the one hand, this is very cool for developers who want to offer free or trial apps without having to give their work away. On the other hand it’s annoying because Apple controls what % of revenue the developer gets and there’s no competition so Apple can set any price or percent it wants.

Which is my biggest problem with Apple: they are too controlling. AT&T does not have the best network and if I purchased an iPhone I would prefer to have it on another network. But that won’t happen with the iPhone (unless you jailbreak it, which has its own pros and cons).

I also wish there was a micro SD card slot on the iPhone. The $100 difference between the 16 and 32gb just doesn’t make sense. If there was a micro SD card slot I could buy the 16gb, buy a 16gb micro SD card for $30 and put the $70 I’ve saved towards something else. Beer, for example.

And, c’mon Apple, make the battery replaceable. It’s quite possible that in a year or two we’ll have better battery technology and I could swap out an old iPhone battery for a newer, longer-lasting one. That’s certainly something users of the new HTC EVO 4G are hoping for.

At least, it appears, tethering will come to the iPhone 4 (without the need to jailbreak it). But AT&T wants to charge you an extra $10 a month for this luxury. That’s pretty lame, especially on top of the 2gb/month limit that’s been imposed on all AT&T customers. If you have a cap in place and people pay if they go over that cap, why have a tethering fee? My guess is that AT&T’s network is still too fragile and they’re trying to dissuade average users from tethering to keep their networks as free from congestion as possible. Which brings me right back to the argument that the iPhone 4 should be allowed on other networks.

At the moment I don’t feel the new iPhone is worth the hassles and limitations that come with it. I really like the new screen and dual cameras and the HD video recording at a high bitrate and being able to edit and upload the video from the phone itself. All of that is very cool. And no other phone has that right now. But there will probably be a lot of them that do a year from now. Do I wait? Probably.