Is this code malicious?



#1
CelestialTeardrop
  • Member
  • 262 posts
Can someone please tell me if the source code for two pop-ups I got is malicious and whether it installs anything on one's computer without the user's knowledge (I use firefox 2.0.0.3)?

This pop-up got through firefox, but only flashed a blank, white box on the screen briefly before closing. I found it in my browsing history and clicked on the link to get its page source (was this a risky move?).
Source for: http://media.fastcli...c...d=4507&c=42

~~~~~~~~~~~~~~~~~~~~~~~

<html>
<BODY>

<script language="JavaScript">
<!--

function SymError()
{
return true;
}

window.onerror = SymError;

var SymRealWinOpen = window.open;

function SymWinOpen(url, name, attributes)
{
return (new Object());
}

window.open = SymWinOpen;

//-->
</script>

<script>
self.close();
</script>
</body>
</html>

<script language="JavaScript">
<!--
var SymRealOnLoad;
var SymRealOnUnload;

function SymOnUnload()
{
window.open = SymWinOpen;
if(SymRealOnUnload != null)
SymRealOnUnload();
}

function SymOnLoad()
{
if(SymRealOnLoad != null)
SymRealOnLoad();
window.open = SymRealWinOpen;
SymRealOnUnload = window.onunload;
window.onunload = SymOnUnload;
}

SymRealOnLoad = window.onload;
window.onload = SymOnLoad;

//-->
</script>

~~~~~~~~~~~~~~~~~~~~~~~~~~



The second appeared as a redirection page. It was white except for a dark blue band at the top saying something along the lines of please visit our sponsors; you will be redirected in ... seconds.
Source for http://media.fastcli...d...p;tp=6&url=

~~~~~~~~~~~~~~~~~~~~~~~~~~

<html>
<head>
<title>Get Cursors!</title>
<style>
.button2{font-family: Verdana; font-size: 10px; padding-right: 1; padding-left: 1; color: EEEEFF; vertical-align: middle; border: 1px solid FFFFFF; text-decoration: none; background-color: 000033;}
</style>

<script language="JavaScript">
<!--

function SymError()
{
return true;
}

window.onerror = SymError;

var SymRealWinOpen = window.open;

function SymWinOpen(url, name, attributes)
{
return (new Object());
}

window.open = SymWinOpen;

//-->
</script>

<script language="javascript">
// Copyright © 2004 Fastclick.com, Inc
var stop=1;
var time=10;
var iCK=0;
function rD(){
if(stop) location.href="";
}
function cD(){
if(time>0){
setTimeout('cD();',1000);
}
if(document.getElementById){
modify(time);
}
time=time-1;
}

function modify(timX){
var element=document.getElementById("txT");
if(stop==1){
if(time==0){
timX='Redirecting .........';
}else{
timX=timX+" seconds.";
}
}else{
timX=".... stopped ....";
}
if(element){
var newNode=document.createTextNode(timX);
element.replaceChild(newNode, element.firstChild);
}
}
</script>
</head>
<body bgcolor="ffffff" link="0033CC" vlink="0033CC" leftmargin=0 rightmargin=0 topmargin=0 bottommargin=0 marginheight=0 marginwidth=0>
<table cellpadding=3 cellspacing=1 border=0 bgcolor="000033" width="100%">
<tr>
<td>

&nbsp;<font style="font-family: Verdana; font-size: 11px;color: #dddddd;">Please take a moment to visit our sponsor. &nbsp;&nbsp;
<script language="javascript">
if(document.cookie.indexOf('fsH=1') < 0){
document.write('You will be redirected to <a href=""><font color="eeeeee"></font></a> in <a id="txT">a few seconds.</a></font>');
}
</script>
</td>
<td align="right">
<a href=""><span class="button2">Skip</span></a>&nbsp;
</td>
</tr>
</table>
<table cellpadding=0 cellspacing=0 border=0 width="100%" height="90%">
<tr>
<td align="center" valign="middle">

<script src="http://cdn.fastclick...></script></td>

</tr>
</table>

<script language="javascript">
// Copyright © 2004 Fastclick.com, Inc
for (i=0; i<40; i++){
setTimeout('loaded('+i+');',i*250);
}
function loaded(i){
if((document.pI.complete || i==39) && iCK==0){
if(document.cookie.indexOf('fsH=1') < 0){
setTimeout('rD();',10*1000);
cD();
var date_ob=new Date();
date_ob.setTime(date_ob.getTime()+70*1000);
document.cookie='rfsH=1; path=/; expires='+ date_ob.toGMTString();
}
iCK=1;
}
}
</script>
</body>
</html>

<script language="JavaScript">
<!--
var SymRealOnLoad;
var SymRealOnUnload;

function SymOnUnload()
{
window.open = SymWinOpen;
if(SymRealOnUnload != null)
SymRealOnUnload();
}

function SymOnLoad()
{
if(SymRealOnLoad != null)
SymRealOnLoad();
window.open = SymRealWinOpen;
SymRealOnUnload = window.onunload;
window.onunload = SymOnUnload;
}

SymRealOnLoad = window.onload;
window.onload = SymOnLoad;

//-->
</script>

~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks in advance!
  • 0


#2
Michael
  • Retired Staff
  • 1,869 posts
I see nothing malicious in it.

self.close(); this would be making the windows close as soon as they open.
  • 0

#3
CelestialTeardrop
  • Topic Starter
  • Member
  • 262 posts
Fantastic, thanks so much for your reply Michael (and quick too)!

I was most worried about the second code, since (being new to web coding) I wasn't sure if
<script src="http://cdn.fastclick...></script></td>
would install something or do other damage (even though I didn't click on anything).
  • 0

#4
Michael
  • Retired Staff
  • 1,869 posts
No, the script tag is just for including scripts into the document. 99% of them are non-malicious. And the other 1% are normally targeted at IE. Normally they might modify part of the page if you do something, or collect more info from a web server. Like the quick reply on this page.

You're not going to pick up most of the viruses out there, since they target IE. IE is a very easy target you see :whistling:
  • 0

#5
CelestialTeardrop
  • Topic Starter
  • Member
  • 262 posts
Ahh, good to know. ::sigh of relief:: I try to avoid IE for just about everything besides windows updates, but I don't want to get too relaxed with ff, just in case. :whistling:

Thanks again!
  • 0

#6
Michael
  • Retired Staff
  • 1,869 posts
I run windows updates in Firefox :whistling: http://ietab.mozdev.org/
  • 0

#7
CelestialTeardrop
  • Topic Starter
  • Member
  • 262 posts
Sweet, thanks for sharing that! :whistling:
  • 0

#8
Michael
  • Retired Staff
  • 1,869 posts
Oh, and for the odd site that will just not let you in if you're not using IE: http://chrispederick...agent-switcher/
I have visited a number of sites that say you need IE 6 or better. Well I am on Firefox 2, that is better right :blink:

Like I know my bank does not allow it, because other browsers are not secure enough :whistling:

Now back to writing my own extensions :help:
  • 0

#9
CelestialTeardrop
  • Topic Starter
  • Member
  • 262 posts

Well I am on Firefox 2, that is better right :whistling:


Hahaha, exactly!

This is a bit off-topic, but it's about firefox-ness... I noticed that the option to search images, videos, etc on www.google.com has been moved to the top left of the page instead of being right under the google logo in the center, and that the google firefox start page no longer has the options to search images, etc. at all. Is it just my security settings preventing the extra search options in http://www.google.com/firefox or did they just change their page?
  • 0

#10
Michael
  • Retired Staff
  • 1,869 posts
I noticed the same thing, it is Google changing it.

I don't know, but maybe there will be an option in https://addons.mozil...refox/addon/743 to change it back soon.
  • 0


#11
CelestialTeardrop
  • Topic Starter
  • Member
  • 262 posts
Ok, I found the script that was linked to in the second code (first post) at the address http: //cdn.fastclick.net/fastclick.net/v4flash.js.

If you enter that url, you'll be given an option to save the script.
I did not open/run the script but I did however open it with wordpad, and here's what I got:

click_url=escape(click_url);
var swf_url=swf_path+'?clickTag='+click_url;
var loaded=false;
var plugin=(navigator.mimeTypes && navigator.mimeTypes["application/x-shockwave-flash"]) ? navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin : 0;
if(plugin){
plugin=parseInt(plugin.description.substring(plugin.description.indexOf(".")-1)) >= 5;
}
else if (navigator.userAgent && navigator.userAgent.indexOf("MSIE")>=0 && (navigator.userAgent.indexOf("Windows 95")>=0 || navigator.userAgent.indexOf("Windows 98")>=0 || navigator.userAgent.indexOf("Windows NT")>=0)) {
document.write('<SCR' + 'IPT LANGUAGE=VBScript\> \n');
document.write('on error resume next \n');
document.write('plugin=( IsObject(CreateObject("ShockwaveFlash.ShockwaveFlash.5")))\n');
document.write('</SCRIPT\> \n');
}
if(plugin){
document.write('<OBJECT classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"');
document.write('  codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=5,0,0,0" ');
document.write(' ID=movie WIDTH='+width+' HEIGHT='+height+'>');
document.write(' <PARAM NAME=movie VALUE="'+swf_url+'"> <PARAM NAME=play VALUE=true> <PARAM NAME=loop VALUE=true> <PARAM NAME=quality VALUE=high> <PARAM NAME=bgcolor VALUE='+bcolor+'>  ');
document.write(' <EMBED name=movie src="'+swf_url+'" play=true loop=true quality=high bgcolor='+bcolor+'  ');
document.write(' swLiveConnect=TRUE WIDTH='+width+' HEIGHT='+height+'');
document.write(' TYPE="application/x-shockwave-flash" PLUGINSPAGE="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash">');
document.write(' </EMBED>');
document.write(' </OBJECT>');
}else{
document.write('<a target=_blank href="'+click_url2+'"><IMG SRC="'+img_path+'" WIDTH='+width+' HEIGHT='+height+'  BORDER=0></a>');
}

Does any of that look suspicious? And is there any way to actually check what is inside the script without running it?

Thanks.
  • 0

#12
Michael
  • Retired Staff
  • 1,869 posts
:whistling:

Just looks kind of stupid. Well you can just read it, so you don't have to run it. You don't seem concerned about all the code of mine you posted :blink:
  • 0
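
Reading a script instead of running it, as discussed in posts #11 and #12, can be partly automated. The following is an added example, not part of the thread and not Fastclick's code: a Node.js function (`triageScript`, a hypothetical name) that treats the file purely as text and lists the tags it writes into the page, the hard-coded URLs, the variables that supply link targets, and any ActiveX objects it requests. The sample input is constructed from six lines quoted in post #11.

```javascript
// Added example: read a downloaded script as text and summarise what it would
// write into the page. Nothing in `source` is ever evaluated.
// Constructed sample: six lines copied from the v4flash.js text in post #11.
const sample = String.raw`
document.write('<SCR' + 'IPT LANGUAGE=VBScript\> \n');
document.write('plugin=( IsObject(CreateObject("ShockwaveFlash.ShockwaveFlash.5")))\n');
document.write('<OBJECT classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"');
document.write('  codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=5,0,0,0" ');
document.write(' <EMBED name=movie src="'+swf_url+'" play=true loop=true quality=high bgcolor='+bcolor+'  ');
document.write('<a target=_blank href="'+click_url2+'"><IMG SRC="'+img_path+'" WIDTH='+width+' HEIGHT='+height+'  BORDER=0></a>');
`;

const unique = (items) => [...new Set(items)];

function triageScript(source) {
  // Fold 'a' + 'b' literal concatenation so split tag names ('<SCR' + 'IPT') show up.
  const folded = source.replace(/(['"])\s*\+\s*\1/g, "");
  // Collect the argument text of every document.write(...) call, one call per line.
  const written = [...folded.matchAll(/document\.write(?:ln)?\((.*)\)/g)]
    .map((m) => m[1]).join("\n");
  return {
    // Opening tags the script injects into the page.
    tags: unique([...written.matchAll(/<([A-Za-z][A-Za-z0-9]*)/g)]
      .map((m) => m[1].toUpperCase())),
    // Hard-coded URLs anywhere in the file.
    urls: unique(folded.match(/https?:\/\/[^\s"'<>]+/g) || []),
    // Variables spliced into src/href/value: the real destination is set by the
    // including page, so this file alone does not say where the content comes from.
    dynamicTargets: unique([...written.matchAll(/(?:src|href|value)="'\s*\+\s*(\w+)/gi)]
      .map((m) => m[1])),
    // COM/ActiveX ProgIDs passed to CreateObject (Internet Explorer only).
    activeX: unique([...folded.matchAll(/CreateObject\("([^"]+)"\)/g)]
      .map((m) => m[1])),
  };
}

console.log(triageScript(sample));
```

The `dynamicTargets` list is the part worth following up: `swf_url`, `click_url2` and `img_path` are defined by the page that includes the script, so that page's source has to be read as well to see what is actually loaded.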

#13
CelestialTeardrop
  • Topic Starter
  • Member
  • 262 posts
Haha, I was thinking either it's quite complex, or quite stupid, but if your expert opinion says it's stupid I'm inclined to agree. :whistling:

Sorry for not checking with you first (in answering to New Zealand's post), but since anyone with firefox could see your code and since I did say it was from your site, I thought you wouldn't be too offended. I can delete my post if you want.
  • 0

#14
Michael
  • Retired Staff
  • 1,869 posts
No, the more people that use it the better :blink:

It hardly looks complex to me :whistling:
  • 0

#15
CelestialTeardrop
  • Topic Starter
  • Member
  • 262 posts
Oh, ok, good :blink: (about your code)

As for the other script...I must admit I'm pretty much a total freshman in regards to javascript, and anything from fastclick.com or casalemedia.com makes me suspicious. Who knows in what innocent package they pack their poison :whistling:

Thanks for putting up with my novice questions!
  • 0





