Thane wrote (in news.admin.net-abuse.email -which I can't cross-post to)
> So after several weeks of daily spammy redirect site morphs to a
> payload containing variants of Weelsof and Dofoil, spammy has upped
> the ante.
>
> The latest link on an American airlines spoof is
>
> hxxp://
vcalaw.com/images/wp_pageid.html?id=_
Warning - that site attempts a browser exploit of some sort - explore
with caution.
> This leads to the following script
> hxxp://
yob.newwaysys.com/ensure/origin-want_require.php");
>
> This is where I need the experts! I've tried wget and curl to
> determine the location of the redirect, but get 403 consistently.
> It could be my IP is blocked or another twist I haven't seen.
> Does anyone have any ideas?
On my win-98 system with Firefox 2.0, the first link ends up causing my
system to load the Java engine and process some java code, which in turn
tries to invoke acrord32.exe and render some sort of pdf file.
As I type this, Java and Acrord32 are each in a suspended mode,
displaying these error messages:
------
Application Error
General Exception (!)
java.lang.NullPointerException
(ok) (Details)
-------
And this:
-------
Acrobat plug-in
! This operation is not allowed
(ok)
-------
Looking at the Details for the Java error:
-------
java.lang.NullPointerException
at sun.net.www.ParseUtil.encodePath(Unknown Source)
at sun.misc.URLClassPath$Loader.getResource(Unknown Source)
at sun.misc.URLClassPath.getResource(Unknown Source)
at sun.applet.AppletClassLoader.getResourceAsResource(Unknown Source)
at sun.applet.AppletPanel$7.run(Unknown Source)
at sun.applet.AppletPanel$7.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.applet.AppletPanel.createSerialApplet(Unknown Source)
at sun.applet.AppletPanel.createApplet(Unknown Source)
at sun.plugin.AppletViewer.createApplet(Unknown Source)
at sun.applet.AppletPanel.runLoader(Unknown Source)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
-------
Before I dismiss these error messages, I do a search for all
recently-created files.
I find:
Acr6392.TMP
Acr6390.TMP
Acr639C.TMP
Both in Windows/temp. The second and third files are zero bytes, but I
can't move or copy them (some process has control of them). The first
file is 426 bytes and contains this:
-----------
%PDF-1.5
%����
1 0 obj<</Pages 2 0 R/Type/Catalog>>
endobj
2 0 obj<</Count 0/Kids[]/Type/Pages>>
endobj
3 0
obj<</ModDate(D:20130502193858-04'00')/CreationDate(D:20130502193858-04'00')>>
endobj
xref
0 4
0000000000 65535 f
0000000016 00000 n
0000000060 00000 n
0000000105 00000 n
trailer
<</Size 4/Root 1 0 R/Info 3 0
R/ID[<3f6eedc550804941a9bcaebd0ac8c61b><3f6eedc550804941a9bcaebd0ac8c61b>]>>
startxref
195
%%EOF
-----------
I find this file in windows/application
data/sun/java/deployment/cache/6.0/host
31ba0019-40d9db35.hst
It is a text file that contains this: 184.82.108.82
I have this file in my firefox cache directory:
10D13CC8d01
Its 105 kb in size and begins with this:
<body fwqr=a41><b style="display:none;">
And then followed by a long sequence of hex digits separated by periods,
like this:
59,96,111,111,107,100,115,31,118,104,99,115,103,60,33,48,33,31,103, ...
And then ends with this:
==================
</div><script>
nul="0"+"x";
function zz(){s+=(ss.fromCharCode(-37+z(nul+a[i])));}
try{document.body-=12;}catch(q){a=document[gg]("div");}
a=a[0].innerHTML;
a=a.split(".");
s="";
az=1;try{caewbtew=~2;}catch(qw){az=0;}
vq();
u=z;uu=s;
if(az)u(uu);
</script></body>
===================
I dismiss the java error, and then the adobe error. Immediately another
Acrord error pops up (same as the first). I dismiss it. Firefox then
comes back to life and displays this page:
http://www.google.com/search?q=404%20error
I still can't access the two zero-length ACR temp files. Acrord32.exe
is still running. I kill it, and this releases the files. One of them
is not zero-length any more. The file Acr6390.TMP is 179 bytes and
contains this:
=================
1 0 obj<</Pages 2 0 R/Type/Catalog>>
endobj
2 0 obj<</Count 0/Kids[]/Type/Pages>>
endobj
3 0
obj<</ModDate(D:20130502193858-04'00')/CreationDate(D:20130502193858-04'00')>>
endobj
=================
And at this point we seem to be done, with no lasting effects.
This lame attempt at a browser/java/pdf exploit just bounced off my
win-98 system.