
Spammers Abuse Free Hosting Sites with JavaScript Redirects

Created: 10 Dec 2010 • Updated: 13 Dec 2010

Posted on behalf of Nicholas Johnston, Senior Software Engineer, Symantec Hosted Services

Spammers abusing free hosting sites to host spam-related content is nothing new, but this abuse has evolved into something far more sophisticated and multi-layered.

Instead of just including a link to a free hosting site, and hosting spam-related content there, spammers are increasingly using URL shortening services. These services allow spammers to create an almost unlimited number of links, allowing each individual spam message sent to contain a new link. Increasingly, these links do not point directly to a spam-related site. Instead, they point to a free hosting site, often with extra randomized "junk" parameters added to the end of the URL like this:

 http://fipxmdmzp.REDACTED.com/?iyzdm=yngqsa
 http://qgjmcgpez.REDACTED.com/?cwzxw=trbqe
 http://qczmtcxykng.REDACTED.com/?dxf=dasgs
 http://gspezqpb.REDACTED.com/?wcabki=zteomo

The above sites do not contain any spam-related content. They simply contain a JavaScript-based redirect to the spammer's actual web site.

However, rather than using a plain JavaScript redirect, they go to considerable lengths to hide or conceal the URL redirect by using obfuscation techniques.

MessageLabs Intelligence has seen JavaScript like this being used:

var pcr= "var dilettante='http://';var m3='redacted.';var z1='com'; var lod=m3+z1;location";var fmd =".replace(dilettante+lod);"; eval(pcr+fmd);

Previously, JavaScript obfuscation has worked by splitting the URL into several parts, joining the parts back together and then applying various character substitutions to recover the correct URL. For example, every "z" might be replaced with "k".

This gang (associated with the Cutwail botnet) uses slightly different JavaScript. This JavaScript is assigned to the "pcr" variable:

var dilettante='http://';var m3='redacted.';var z1='com'; var lod=m3+z1;location

This code is relatively simple. The "dilettante" variable name is randomized. It is set to "http://", i.e. the start of the URL. The "m3" variable is set to "redacted." (as in "redacted.com"). The "z1" variable is set to "com", and a new variable, "lod", is set to the values of "m3" and "z1" joined together, i.e. "redacted.com".

Another variable, "fmd", is then created and set to ".replace(dilettante+lod);". The two strings, "pcr" and "fmd", are concatenated and the result is passed to the JavaScript eval (evaluate) function, which compiles and runs JavaScript code at runtime. In other words, this code gets run:

 var dilettante='http://';
 var m3='redacted.';
 var z1='com';
 var lod=m3+z1;
 location.replace("http://redacted.com")

The process seems complex but is executed almost instantly by a web browser, and the user is then redirected to a spam site (with Christmas branding).

The overall process works as follows: the spam message carries a shortened URL; the shortening service redirects to a free hosting site with randomized junk parameters; that page contains no spam content, only the obfuscated JavaScript, which redirects the browser to the spammer's actual site.

Redirecting users in this way shows that spammers are going to considerable lengths to hide the addresses of their actual spam sites, and are actively trying to make detection by anti-spam companies more difficult.