Friday, June 29, 2012

Tumblr Redirects

Recently I’ve been seeing spam messages like the one shown below:

Your inbox is full of surprises from a special someone. You should go check it out now. To receive this special gift, View Here

Sent from Yahoo! Mail on Android


The “View Here” link leads to pages such as the following (one of them went through the t.co URL-shortening service before reaching Tumblr):
kmghoshk.tumblr.com
wcmxztol.tumblr.com

These pages contain the obfuscated JavaScript shown below:
// Sample 1 (captured redirect script, kept verbatim). The obfuscation is plain string
// concatenation: each URL fragment sits in its own variable and throwaway two/three-argument
// helpers join them, so no single literal contains the destination.
// Joining the fragments in order yields hxxp://ecardlovewish.com/?6QBckb (defanged),
// which the final statement assigns to document.location, sending the browser there.
var dnc='http'; var ghmr='://e'; function ertryu(wnz,hfy){return wnz+hfy} var ndnkkl=ertryu(dnc,ghmr);var qvst='card'; var fcv='love'; function ikgofp(gtq,ojh){return gtq+ojh} var pdgfvt=ikgofp(qvst,fcv);var ymm='wis'; var zko='h.co'; function hgypvh(ocu,cln){return ocu+cln} var ehillv=hgypvh(ymm,zko);var jah='m/?'; var wlo='6QBc'; var ehjh='kb'; function iatyan(rcw,dgi,ygk){return rcw+dgi+ygk} var hjgfam=iatyan(jah,wlo,ehjh); var kwzkgy=ndnkkl+pdgfvt+ehillv+hjgfam; document.location = kwzkgy

// Sample 2 (captured redirect script, kept verbatim). Same concatenation scheme as sample 1
// with freshly generated variable and helper names; only the fragment boundaries differ.
// Joining the fragments in order yields hxxp://ecardloverswish.com/?Cqdvee (defanged) — a
// different host than sample 1 — which is then assigned to document.location.
var uvw='http'; var unn='://e'; function xoimr(qmn,cey){return qmn+cey} var opbsj=xoimr(uvw,unn);var jvgt='card'; var smo='lov'; function dbog(tzp,nqh){return tzp+nqh} var rvoa=dbog(jvgt,smo);var foi='ersw'; var rth='ish'; function qzhlg(uwu,mrg){return uwu+mrg} var wtzdi=qzhlg(foi,rth);var hqzh='.com'; var vrly='/?C'; function shfq(fgk,yom){return fgk+yom} var vzby=shfq(hqzh,vrly);var dih='qdve'; var ibt='e'; function rdetyd(xep,itr){return xep+itr} var ybvpit=rdetyd(dih,ibt); var vaybau=opbsj+rvoa+wtzdi+vzby+ybvpit; document.location = vaybau

These decode to links pointing to:
hxxp://ecardlovewish.com/?6QBckb

These in turn redirect to silly dating sites (iHookup, ScoreNextDoor, etc.).

Update 1:
The bad guys have added another variant of the script:
// Sample 3 (captured redirect script, kept verbatim). Note the scheme is now split as
// 'htt' + 'p://', so the literal "://" no longer directly follows "='http'" — which is why a
// signature anchored on "='http" alone would miss this one.
// Joining the fragments in order yields hxxp://ecard3-lover.com/?5MzoGyEy (defanged),
// assigned to document.location as in the earlier samples.
var bwl='htt'; var jwu='p://'; function relz(dgk,cpy){return dgk+cpy} var bgbr=relz(bwl,jwu);var daih='ecar'; var zpd='d3-'; function eettgr(xyl,too){return xyl+too} var sdiocl=eettgr(daih,zpd);var xand='love'; var max='r.co'; function sccfhz(krs,mre){return krs+mre} var abbghb=sccfhz(xand,max);var khd='m/?5'; var esd='Mzo'; var zcl='GyEy'; function frmy(jxx,sbe,onn){return jxx+sbe+onn} var qpyj=frmy(khd,esd,zcl); var otoa=bgbr+sdiocl+abbghb+qpyj; document.location = otoa

The Snort signature below should now match both of these:
# Detects the obfuscated redirect samples above. It inspects HTTP response bodies
# (flow:from_server + file_data) for a string literal beginning "='htt" followed by "://"
# within 15 bytes. Anchoring on "='htt" rather than "='http" is what lets it catch the
# 'htt' + 'p://' split introduced in Update 1 as well as the original 'http' + '://e' form.
# NOTE(review): the 15-byte window has to span the randomly generated variable name that
# sits between the two fragments (e.g. "ghmr", "unn", "jwu" in the samples); a longer
# generated name would push "://" outside the window — confirm against live traffic.
# The pattern is generic enough to hit benign scripts that assemble URLs from fragments,
# so expect some false positives and validate before relying on the drop policy.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Tumblr spam redirect"; flow:from_server; file_data; content:"='htt"; content:"://"; within: 15; metadata:policy security-ips drop, service http; classtype:bad-unknown; sid:10000014; reference:url,malwareandmore.blogspot.com/2012/06/tumblr-redirects.html; rev:2;)