Knujon - The Geocities Redirection

The Geocities Redirection

Spammers use redirection and cipher scripts to load Geocities with junk

If you received junk email with links like these:

http://www.geocities.com/bovusanu
http://www.geocities.com/pukerixa
http://www.geocities.com/sitoraxa
http://www.geocities.com/xapypogi
http://geocities.com/dqdiynxtm18
http://geocities.com/dgpmvwpo5fu
http://www.geocities.com/lekydudo

then you are probably familiar with the redirection spam that is plaguing Geocities. The free Geocities pages actaully contain scripting that conceals the destiniation of the browser redirect. The spammers hide the real site name to prevent Geocities from conducting a simple scan to look for spammer pages. Below is one of the scripts:


var pbjbogbydt="lmwakwsxjkdtaunmliizobou";
var meygestqeb=0;
var eqaslfinby,lzcrbbuv,gzvneoguth="501e1413020707584a...
lzcrbbuv='';
var yyvqjazwb;
for( eqaslfinby=0;eqaslfinby< gzvneoguth.length;eqaslfinby+=2){
yyvqjazwb=unescape( '%'+gzvneoguth.substr( eqaslfinby,2));
lzcrbbuv+= String.fromCharCode( yyvqjazwb.charCodeAt(0) ^ pbjbogbydt.charCodeAt(meygestqeb++) );
if ( meygestqeb >= pbjbogbydt.length ) meygestqeb = 0;
}
document.write(lzcrbbuv);

Yikes! What is all this garbage? First, let's reduce the confusion by replacing the wierd variable names with simple ones:


var s1="lmwakwsxjkdtaunmliizobou";
var i1=0;
var i2,s2,s3="501e1413020707584a07051a...
var myS
s2='';
var s4;
for( i2=0;i2 < s3.length;i2+=2){
s4=unescape( '%'+s3.substr( i2,2));
s2+= String.fromCharCode( s4.charCodeAt(0) ^ s1.charCodeAt(i1++) );
if ( i1 >= s1.length ) i1 = 0; 
}
document.write(s2);

What is going on in this script?

s1="lmwakwsxjkdtaunmliizobou"; is the key for this cipher.

s3="501e1413020707584a07051a06000f 0a09544b300e140e260f1f1e111f554d0f 0305001b165b1a021c4705150c031b1c03 035909191215584a4b44544155534d4b01 1d0e1f58405a1f0211150312011a0b0717 5a021a034a575546090c1006051853"; is the encoded string. These are hex values.

unescape( '%'+s3.substr( i2,2)) turns each pair of hex values into the ASCII equivalent. s4.charCodeAt(0) ^ s1.charCodeAt(i1++) Uses the bitwise exclusive OR to to generate a new number for the ASCII value of the coded string and the ASCII value of the key

s2+= String.fromCharCode Converts the XORed value back into a character.

For example the first pair/hex number in the coded string is 50. This becomes %50 and is unescaped to P. P and the first letter of the key string, l are converted into ascii numbers: 80 and 108, respectively. If we XOR ^ 80 and 108 the result is 60. Converting this back to an character value produces <.

The fully converted string is:
<script language="JavaScript">window.top.location.href='http://softherbals.com';</script>
which launches the browser redirect.

Other Recent Examples

http://www.geocities.com/Eldridgeuas29177
var i,y,x="3c7363726970743e0d0a77696e646f772e746f702e6c6f636174696f6e2e687265663d22687474703a2f2f616e68657262616c2e636f6d223b0d0a3c2f7363726970743e";y='';for(i=0;iis anherbal.com, redirects to herbal-land.com

http://www.geocities.com/ecyxadpuu
var xwxgufq="jkrueqbpbsiyjrmhjiiig";var xkknmz=0;var finozzvi,dqpwoki,hfsblih="561811070c011650425349594a520109040e1c08000f56503f04070323010100091e50531f03070d0610441f1d054b1d0d1303070016045c051a0f0f4949474a4b525545515f50425349594a524d484d011d1d1750445d060a17161807010b180601430b05044e525b451811070c01164e" ; dqpwoki='' ; var trxfqml ; for( finozzvi=0 ; finozzvi< hfsblih.length ; finozzvi+=2){trxfqml=unescape( '%'+hfsblih.substr( finozzvi,2)); dqpwoki+= String.fromCharCode( trxfqml.charCodeAt(0) ^ xwxgufq.charCodeAt(xkknmz++) ); if ( xkknmz >= xwxgufq.length ) xkknmz = 0; }
is softherbals.com, redirects to herbal-land.com

http://www.geocities.com/kdzidnbdc
var i,y,x="3c7363726970743e0d0a3c212d2d0d0a646f63756d656e742e777269746528756e65736361706528222533437363726970742532306c616e67756167652533442532324a61766153637269707425323225334525304425304177696e646f772e746f702e6c6f636174696f6e2e68726566253344253237687474702533412f2f736f667468657262616c732e636f6d2532372533422530442530412533432f7363726970742533452229293b0d0a2f2f2d2d3e0d0a3c2f7363726970743e" ; y='';for( i=0 ; i< x.length; i+=2){y+=unescape('%'+x.substr(i,2)) ; }
is softherbals.com, redirects to herbal-land.com

http://www.geocities.com/lysybuko
var jhgmgbypo="amdzvmjndwdgkbfdwywxsjabzg";var lsiwu=0;var zqlvoefo,eudxbx,idtpfr="5d1e07081f1d1e4e445744474b42464457151616141f00051f5a4327050c173e091c0d07104555150f0a131600560705114c1608020c101319034406161202474b42464457595745534a41451213151d5e55591a051c081307121b50565d4e5714171e4d5a5e5514021f0d0a0253" ; eudxbx='' ; var utrmbn; for( zqlvoefo=0 ; zqlvoefo< idtpfr.length ; zqlvoefo+=2){utrmbn=unescape( '%'+idtpfr.substr( zqlvoefo,2)); eudxbx+= String.fromCharCode( utrmbn.charCodeAt(0) ^ jhgmgbypo.charCodeAt(lsiwu++) ) ; if ( lsiwu >= jhgmgbypo.length ) lsiwu = 0; }
is softherbals.com, redirects to herbal-land.com

http://www.geocities.com/pwyzyoek
var i,y,x="3c7363726970743e0d0a3c212d2d0d0a646f63756d656e742e777269746528756e65736361706528222533437363726970742532306c616e67756167652533442532324a61766153637269707425323225334525304425304177696e646f772e746f702e6c6f636174696f6e2e68726566253344253237687474702533412f2f736f667468657262616c732e636f6d2532372533422530442530412533432f7363726970742533452229293b0d0a2f2f2d2d3e0d0a3c2f7363726970743e"; y=''; for( i=0; i< x.length; i+=2){y+=unescape('%'+x.substr(i,2)) ; }
is softherbals.com, redirects to herbal-land.com

Sample full conversion:

50	l	80	108	60	<
1e	w	30	97	115	s
14	a	20	119	99	c
13	k	19	120	114	r
02	w	2	107	105	i
07	s	7	116	112	p
07	x	7	117	116	t
58	j	88	109	32	SPACE
4a	k	74	105	32	SPACE
07	d	7	122	108	l
05	t	5	98	97	a
1a	a	26	117	110	n
06	u	6	119	103	g
00	n	0	107	117	u
0f	m	15	115	97	a
0a	l	10	106	103	g
09	i	9	100	101	e
54	i	84	97	61	=
4b	z	75	110	34	"
30	o	48	108	74	J
0e	b	14	105	97	a
14	o	20	111	118	v
0e	u	14	111	97	a
26	l	38	108	83	S
0f	w	15	97	99	c
1f	a	31	119	114	r
1e	k	30	120	105	i
11	w	17	107	112	p
1f	s	31	116	116	t
55	x	85	117	34	"
4d	j	77	109	62	>
0f	k	15	105	119	w
03	d	3	122	105	i
05	t	5	98	110	n
00	a	0	117	100	d
1b	u	27	119	111	o
16	n	22	107	119	w
5b	m	91	115	46	.
1a	l	26	106	116	t
02	i	2	100	111	o
1c	i	28	97	112	p
47	z	71	110	46	.
05	o	5	108	108	l
15	b	21	105	111	o
0c	o	12	111	99	c
03	u	3	111	97	a
1b	l	27	108	116	t
1c	w	28	97	105	i
03	a	3	119	111	o
03	k	3	120	110	n
59	w	89	107	46	.
09	s	9	116	104	h
19	x	25	117	114	r
12	j	18	109	101	e
15	k	21	105	102	f
58	d	88	122	32	SPACE
4a	t	74	98	32	SPACE
4b	a	75	117	32	SPACE
44	u	68	119	32	SPACE
54	n	84	107	32	SPACE
41	m	65	115	32	SPACE
55	l	85	106	32	SPACE
53	i	83	100	61	=
4d	i	77	97	32	SPACE
4b	z	75	110	39	'
01	o	1	108	104	h
1d	b	29	105	116	t
0e	o	14	111	116	t
1f	u	31	111	112	p
58	l	88	108	58	:
40	w	64	97	47	/
5a	a	90	119	47	/
1f	k	31	120	115	s
02	w	2	107	111	o
11	s	17	116	102	f
15	x	21	117	116	t
03	j	3	109	104	h
12	k	18	105	101	e
01	d	1	122	114	r
1a	t	26	98	98	b
0b	a	11	117	97	a
07	u	7	119	108	l
17	n	23	107	115	s
5a	m	90	115	46	.
02	l	2	106	99	c
1a	i	26	100	111	o
03	i	3	97	109	m
4a	z	74	110	39	'
57	o	87	108	59	;
55	b	85	105	60	<
46	o	70	111	47	/
09	u	9	111	115	s
0c	l	12	108	99	c
10	w	16	97	114	r
06	a	6	119	105	i
05	k	5	120	112	p
18	w	24	107	116	t
53	s	83	116	62	>