Home New Focus for Blog Spam: Spreading Spyware

New Focus for Blog Spam: Spreading Spyware

Historically, blog spam has been used to raise search engine rankings. However, with the recent introduction of the "nofollow" directive this avenue of profit has been essentially killed off. So now comment spammers are moving over to a new area of profit: spyware (phishing and other similar stuff will probably follow). While there have been reports of spyware in Google's Blogger service, triggered by the "next blog" feature; I haven't yet seen reports of trackback or comment spam doing the same. Well until now.

The original spam comment to my blog came from some IP address in the Ukraine, most likely to be a hijacked machine. It pointed to a site hosted on a free provider under the URL "http://www.freewebs.com/baby-names/" (DO NOT GO THERE UNLESS YOU ARE SECURE). After getting the page source with wget, I was suprised to see that's its mainly empty. It consisted of a Javascript include in the beginning, a set of font size "2" HR tags in the middle which are basically invisible to normal users, and a stats tracker in the end. The page is still up at the time of writing but I reported it to the ISP so its probably going to be taken down soon.

Now what value does an empty page serve? After looking at the Javascript include located in the beginning of the file, it seems a lot. The javascript file comes from a site called "ysbweb.com" which is owned by "Interactive Search Technologies" or IST. They market a search toolbar which seems to be spyware. NOW, keep in mind that this Javascript file DOES NOT come from the "free" page that was originally refered to via the trackback. Rather it is a file provided by the spyware vendor themselves, and therefore all of the bad stuff that it does is directly caused by them not by some hacker.

Before looking at the actual JavaScript file, I also saw an interesting warning from wget: "Cookie coming from www.ysbweb.com attempted to set domain to xxxtoolbar.com". Upon looking at the headers, it seems that while the script is being retreived, the website tries to set a cookie to "xxxtoolbar.com" site. What the purpose of that I do not know, but the "xxxtoolbar.com" site contains another IST toolbar which installs automatically. However, I didn't see how the site I was looking at, "www.ysbweb.com", redirected to the other one, "www.xxxtoolbar.com".

Anyway, back to the actual javascript file, it seems to be full of goodies. The first step in the file is a check for Windows XP Service Pack 2. If in fact the browser is running under SP2, the script retreives a rather nice Flash movie telling the user how to bypass the SP2 safeguards and install the control. Now considering that all of this is originating from an empty site, which is rather a convincing argument for the user to install something to make it work. There is also a function which gives the user a prompt "You must click YES to have access" if the install fails, similar to the Flash movie.

What follows is something very interesting. The main download function in this file, checks for Internet Explorer SP2 and not, AND for Netscape/Firefox. For IE, an ActiveX control is loaded which presumingly downloads and installs the toolbar (I am running Linux so I can't test it). The file download is called "ysb_regular.cab" and contains a single DLL file called "ysbactivex.dll" which is probably the toolbar itself.

When Netscape or Firefox is used, a signed Java applet is provided which presumingly uses the recent published hole to infect IE. However as Larry Seltzer says in his blog:

Is there an exploit here? I don't see it. After more than adequate warning, Java allowed the user to run arbritrary code. Arbitrary code can do, well, arbitrary things.

What was interesting to me is that they use the Firefox/Netscape Install API among other things to try to install it. However, at least on my install of Firefox I had to add the site to the list of allowed site before the install could even take place. So even safeguards are in place for this.

Moving along to the actual Java installer, I uncompressed it and decompiled it with JAD. The actual installer creates a temporary file, downloads something into it and then executes it. The applet is signed by Thawte and I assume that saying "Yes" to the Java warning will give it full permissions to do its dirty work.

This post is licensed under CC BY 4.0 by the author.