
SANS ISC InfoSec Handlers Diary Blog



s_ta_ts.js, anyone?

Published: 2005-09-21
Last Updated: 2005-09-21 15:32:35 UTC
by Daniel Wesemann (Version: 1)
If your users are accessing the European versions of the more popular search engines, chances are you have come across a file named "s_ta_ts.js" recently. The file contains about 2000 bytes of triple-encoded JavaScript, recognized by virus vendors variously as "JS_WONKA.A" or "Java/Dldr.Movie.A".

If you're curious, you can get your copy off hxxp://othersearch_dot_info/s_ta_ts.js or hxxp://bizfree_dot_org/s_ta_ts.js, but don't complain if you get burnt playing with fire. For the sensibly less curious, the decoded version is shown below, as an image so as not to scare your antivirus, which may or may not have coverage for this sort of thing.



The file doesn't do much (yet): it invokes Shockwave Flash in an attempt to get a pop-up past the pop-up blocker that most browsers nowadays have. But that's only one half of the story.
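For analysts who would rather not run a sample like this in a browser, here is an added example (not code from the diary or from the s_ta_ts.js file itself) that statically peels nested eval(unescape("...")) layers and flags the Flash pop-up behaviour described above. The encoding scheme and the sample payload are assumptions constructed for the demonstration; the real file's layers may differ.

```javascript
// Added example, not from the ISC diary: unwrap multi-layer encoded JavaScript
// without executing it, then report indicators a defender would look for.
// ASSUMPTION: each layer has the shape eval(unescape("%XX%XX...")); other
// wrappers (e.g. document.write, String.fromCharCode arrays) need more rules.
// Note: "%" is excluded from the plain-character class so the regex is unambiguous.
const LAYER_RE = /^\s*eval\s*\(\s*unescape\s*\(\s*(["'])((?:%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}|[^"'\\%])*)\1\s*\)\s*\)\s*;?\s*$/;

// Percent-decode the way unescape() does (%uXXXX and %XX), without the deprecated global.
function percentDecode(s) {
  return s
    .replace(/%u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Peel layers until the text no longer matches the wrapper; cap the depth so a
// self-referential or hostile sample cannot keep us looping.
function peelLayers(script, maxLayers = 10) {
  let current = script;
  let layers = 0;
  while (layers < maxLayers) {
    const m = LAYER_RE.exec(current);
    if (!m) break;
    current = percentDecode(m[2]);
    layers++;
  }
  return { layers, payload: current };
}

// Indicators tied to what the diary describes: Flash used to slip a pop-up past the blocker.
function flagIndicators(payload) {
  return {
    usesFlash: /ShockwaveFlash|application\/x-shockwave-flash|\.swf\b/i.test(payload),
    opensWindow: /window\.open\s*\(/i.test(payload),
    writesScript: /document\.write\s*\(\s*["']\s*<script/i.test(payload),
  };
}

// Constructed sample: a harmless payload wrapped three times, mirroring "triple-encoded".
function percentEncodeAll(s) {
  return Array.from(s, ch => '%' + ch.charCodeAt(0).toString(16).padStart(2, '0')).join('');
}
function wrapLayers(payload, n) {
  let s = payload;
  for (let i = 0; i < n; i++) s = `eval(unescape("${percentEncodeAll(s)}"))`;
  return s;
}
const SAMPLE_PAYLOAD = 'document.write("<embed src=\'popup.swf\' type=\'application/x-shockwave-flash\'>")';
const SAMPLE = wrapLayers(SAMPLE_PAYLOAD, 3);  // constructed, not the real s_ta_ts.js
```

Running peelLayers(SAMPLE) reports three layers and returns the inner script for inspection; flagIndicators then marks usesFlash true, which is the behaviour to alert on in a web proxy or sandbox log.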

The origin of these goodies seems to be pages that have been successfully spammed into various search engines over the past month or so. Users searching, as an example, for completely benign things like "writing business letters" can get a search result that ranks two or three of these fake/spammed pages on top. Clicking on any of the search results then leads the user to the never-never land of pop-ups and, yes, his/her personal copy of s_ta_ts.js.

In the meantime, we've identified thousands of web pages that only exist with the dual purpose of improving each other's search engine rating (by heavy cross-linking) and, of course, of tricking unsuspecting users into clicking themselves to never-never land.

Following up on the DNS domains involved in all these scams, it turns out that all the (physical world) addresses used for registering are completely and obviously bogus and made up. It seems that as long as the credit card used to pay for the domain doesn't bounce, it isn't overly important to most registrars whether the address is anywhere near legit.



