I have been getting a bunch of spam through my contact form over the last couple of days, so I thought I would check out what they are trying to do.  The domain's contact information is protected by privacyprotect.org, so we can't know who they are, though I filled out a form showing them their customer is a spammer, we'll see if they actually do give me the contact information or not.

The code they use to get people to download stuff is pretty neat, though it scared me when the download box popped up on its own, without asking for my confirmation first.  It is claiming to be a video codec installer, though the virus scanner marks it as a "trojan downloader.zlob", whatever that is.  I quickly hit cancel on the download box, so it didn't actually download (or run, which I originally thought it was going to do).

Since I can't resist seeing how the automatic downloading worked, I went to Linux to use wget to download the file.  The results of the research are here: menu.txt.  I have commented their javascript, and removed the references to their site, so it is only looking at files from my site.  I guess it makes sense that spammers can hire coders like anyone else.

Posted by Jon Daley on December 13, 2007, 9:53 am | Read 3483 times
Category Programming: [first] [previous] [next] [newest]

Very clever. It seems that if your browser's strategy for blocking bad content is to filter the HTML its sent, it should also refilter after any document.write. I doubt that IE7 is any better than Firefox at this (and neither would do this normally, right?). Do you have some kind of blocking software installed? It's more likely that IE7 doesn't handle saving files correctly and that in this case, it's a feature :). Could you explain more clearly the behavior of both when accessing the starting page?

Posted by Mike on December 14, 2007, 1:30 am

My only objection to this whole thing is the automatic download of the file without asking. The rest of it is to presumably get by various sorts of filters, I am not sure what the purpose of all that is - I use a proxy based filter, so it filters based on URL, animations, image size, javascript content, etc. but it doesn't get everything - it seems to be about the right amount for me usually. I do forget how many popups and ads most people see on a daily basis.

I think IE7 is doing the right thing in this case. It brings up one of those pseudo-popups at the top of the screen alerting me to some specific behavior. Firefox 1.5 also handled it correctly, so this bug/feature is specific to Firefox 2.0.

I am not sure what you are asking me to describe. I didn't use IE to view the original page, since I generally don't trust it to not install stuff (and there are IE targeted activeX stuff on that site too, so I don't want IE to magically install an activeX component.

But, from firefox, (and presumably this part is on IE as well - the spammer seems to try a whole bunch of different mechanisms, hoping at least one will work) the page comes up and says, "to view this cool video, you need to download the codec by clicking here". Then there is a fake popup that is stylized like an XP dialog box that says basically the same thing, with "download", "cancel", and "never show this again", where all three buttons mean download (including any keystrokes pressed while that popup is in focus). Lastly, there are a couple different javascript timeouts that occur to automatically redirect you to the download.

Since the file is served by the server as an "application/msdownload", it doesn't go through the normal check that a .exe would get.

(by the way, did you see that I changed the file type that the test.txt gets served as? Normally, you'd expect that to be plain text, and so a safe link to click on, but I told apache to deliver test.txt as html, which then executes the javascript.

Posted by Jon Daley on December 14, 2007, 1:40 am

Oh, great. First my son-in-law learns to make bump keys, now he's in training to be a spammer.... ;)

Posted by SursumCorda on December 14, 2007, 7:36 am

When I saw the title of your post I immediately thought, "Spam: canned meat". I must admit that would have been more interesting to me :)

Posted by Theresa on December 14, 2007, 12:24 pm

Okay - for the less technically inclined, here's real fun with Spam Carving.

Posted by Jon Daley on December 14, 2007, 12:31 pm

I'm just asking what the definition of "saving automatically" is. You mean Firefox tries to save and asks you where you want it? You mean it asks you if want to save? Or does it save with absolutely no intervention from you?

Posted by Mike on December 15, 2007, 3:33 am

Saves without any intervention. On Linux, it asks, which isn't quite so bad.

And making it not even ask is probably not fixable, without breaking the sites like sourceforge that use javascript to download files from different mirrors (and leave the advertising page for you to see).

Posted by Jon Daley on December 15, 2007, 11:25 am

GO to prefs->Downloads and say "Ask me where to save every file" as opposed to "Download every file to "

Posted by Mike on December 18, 2007, 1:21 am

Ah yes, you're right. The funny thing is that it usually asks me first if I want to run or download it, and then if I picked download, where do I want to download it.

The application/msdownload file type skips the asking about whether to run it or not. I guess as long as there isn't an application/msrun file type, we'll do okay.

Posted by jondaley on December 18, 2007, 7:03 pm
Add Comment
Add comment
E-mail me when comments occur on this article