Referrer Bot

Note: This entry has been restored from old archives.

This is a quick addition to my previous post, Bot or Not?. Curiosity got the better of me, so through roundabout means I got samples of some of the pages. The first thing to note is that the ‘hyml’ pages are 404s, so probably a typo.

The next thing to note is that there is some dodgy-looking script in some of the pages. My first thought was: oh, this is just another botnet propagation setup. There are two layers of encoding in the snippet: first the data is URI-decoded, then 1 is subtracted from each byte to get the real code, which is then eval()ed. Decoding it shows that the content is short and simple, not a bot installer:

var r=escape(document.referrer), t="", q;
document.write("<script src=\"http://www.Z-ZZZZZ-Z.com/counter.php?id=ambien&r="+r+"\"></script>");

URL obscured, but it points to what looks like a front: a page that is nothing but an image with no links and the text “See How The Traffic Is Driven To Your Site”. So this looks like just a route to collecting referral dollars from a dodgy traffic-selling site. Note how the target script neatly gets both URLs: the spammy page arrives as the HTTP Referer of the script request, and the page that was spammed (the spam page’s own document.referrer) arrives in the r parameter.
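For anyone wanting to unpack one of these without handing the payload to eval(), here is a decoder for the two-layer scheme described above (URI-encoding over a +1 shift of every character code). This is an added example, not code from the spam pages; the encoded sample is constructed here by pushing the decoded snippet back through the same two layers, and decodeURIComponent() is assumed to stand in for whatever URI-decoding call the original used (the legacy unescape() behaves the same for %XX escapes). The extractScriptSources() helper is likewise mine, to pull the tracking endpoint out of the decoded document.write() call.

```javascript
// Added example: decode the two-layer obfuscation without eval().
// Layer 1: URI-encoding.  Layer 2: every character code shifted by +1.

// The decoded snippet from the page, used to construct a sample payload.
const DECODED_SNIPPET =
  'var r=escape(document.referrer), t="", q;\n' +
  'document.write("<script src=\\"http://www.Z-ZZZZZ-Z.com/counter.php?id=ambien&r="+r+"\\"></script>");';

// Shift every UTF-16 code unit by `delta` (the page's scheme uses +1 / -1).
function shiftChars(s, delta) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    out += String.fromCharCode(s.charCodeAt(i) + delta);
  }
  return out;
}

// Encoder, used only to build the constructed sample: +1 shift, then URI-encode.
function encodeLayers(plain) {
  return encodeURIComponent(shiftChars(plain, +1));
}

// Decoder: the inverse of what the spam page fed to eval(), minus the eval().
// decodeURIComponent() is an assumption standing in for the original's
// URI-decoding call; unescape() would give the same result for %XX escapes.
function decodeLayers(encoded) {
  return shiftChars(decodeURIComponent(encoded), -1);
}

// Pull script src URLs out of the decoded document.write() call so the
// tracking endpoint can be read off without executing anything.
// Handles both plain src="..." and the JS-escaped src=\"..." form.
function extractScriptSources(js) {
  const urls = [];
  const re = /src=\\?"([^"\\]+)/g;
  let m;
  while ((m = re.exec(js)) !== null) urls.push(m[1]);
  return urls;
}

// Constructed sample payload (not the real bytes from the spam page).
const ENCODED_SAMPLE = encodeLayers(DECODED_SNIPPET);

if (typeof require !== 'undefined' && require.main === module) {
  console.log('encoded: ' + ENCODED_SAMPLE.slice(0, 60) + '...');
  console.log('decoded:\n' + decodeLayers(ENCODED_SAMPLE));
  console.log('script sources: ' + JSON.stringify(extractScriptSources(decodeLayers(ENCODED_SAMPLE))));
}
```

The point of keeping the decoder separate from eval() is that the second layer is the only thing hiding the tracker URL; once the shift is undone you can read the endpoint and the id parameter straight out of the string, and decide what it is before anything runs.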

So what about counter.php? More redirection! The script it returns looks like this (reformatted for readability). Note that window.onFocus = f() calls f() immediately rather than assigning it as a handler (and the property would need to be onfocus in any case), so the redirect fires as soon as the script runs, not when the window gains focus:

<!-- document.write(
    '<script language="JavaScript">
        function f() {
            document.location.href = "http://www.XXXXXXXXX.com/ambien.html";
        } window.onFocus =  f(); </'+'script>'); // -->
<script>
    document.write(
        '<script language="JavaScript">
            function f() {
                document.location.href = "http://www.XXXXXXXXX.com/ambien.html";
            } window.onFocus =  f(); </'+'script>');
</script>

We’ve reached the end of the road. The real URL in this code goes to an “Online Pharmacy” at a domain registered since February this year. The page contains little JavaScript and no exploits: a function for adding to bookmarks, some “menu” code, and an import of “urchin.js” from Google Analytics.

So yeah, everyday, regular spam.