return of the linkjack code

Apr 16, 2010 11:23

Quiet as a mouse, there's a new version of the DrivingRevenue code being served on LJ. This change is, of course, not reflected in the latest LJ News post or the latest LJ code release post. And any attempt to bring this up on those posts is probably going to get completely buried under the deluge of "OMG I CAN BUY TEN THOUSAND ICON SLOTS ♥♥♥♥"

This code is much more complex. It's also not obfuscated, which is nice. It also seems to be doing a lot more processing on the remote end - there's no more juicy list of strings to pull out and see just what sites it's linkjacking.

It's even got a credit for an MIT-licensed URL parser it's using. So hooray for not, you know, tripping every single alert in my head that this is probably malicious code within the first ten seconds of looking at it. It's still of dubious ethics but at least it's not acting like it's got tons to hide, you know?

A quick dig into the code shows that it does this:
1. Wake up and get a list of every single link on the page.
2. Send this list to http://outboundlink.me/anxo/dr_ta_1/dr_rwl_v2.php
3. Get back a list of which URLs need to be fuzzled with.
4. Attach code to every single link; upon pressing 'return' or clicking the mouse on the link, check if it's in the list in step 3, and change it.

It also seems to be repeatedly asking outboundlink.me for this data at random intervals. Oh, no, I see: when you roll over a link it'll query outboundlink.me as to what should be done with it. Sneaky sneaky sneaky.

It is not presently stripping Amazon affiliate IDs, nor is it inserting new ones. It is however Doing Things: an unaffiliated link to China Miéville's upcoming book gets turned into a monstrosity like file:///Users/egypt/Desktop/Friends.html?dr_log=-1&linkout=http%3A//www.amazon.com/Kraken-China-Mieville/dp/034549749X/ upon cut-and-paste (where 'file:///Users/egypt/Desktop/Friends.html' is the URL of whatever page you're viewing).

DrivingRevenue also seems to have learned from the mistakes we found; the crittersbythebay.com problem is no more. I guess they have somewhat more robust code for deciding which links should be munged running on their own server than they were able to kludge up in their original Javascript.

Looks like you can stop most of these shenanigans by blocking outboundlink.me. And http://l-stat.livejournal.com/js/pagestats/DR_v4u.js - hell, maybe just disallow all Javascript from LJ if they're gonna keep pulling crap like this without saying a damn thing. Actually if you wanna block this I'd suggest blocking outboundlink.* - they've switched from .net to .me, and will probably switch to some other top-level domain as they keep getting noticed. I'm just blocking anything from http://l-stat.livejournal.com/js/pagestats/ myself.
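The blocking rule above and the rewritten-link format shown earlier, as an added example (not code from this post, LiveJournal or DrivingRevenue). The function names `shouldBlock` and `unwrapLink` are hypothetical, and the host match assumes a single-label TLD such as .net or .me:

```javascript
'use strict';

// Blocking rule from the post: "outboundlink" under any TLD, plus the
// pagestats script directory on l-stat.livejournal.com.
function shouldBlock(requestUrl) {
  let u;
  try {
    u = new URL(requestUrl);
  } catch {
    return false; // not an absolute URL, nothing to match
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return false;

  const labels = u.hostname.split('.');
  // Assumption: the TLD is one label (.net, .me). A suffix like .co.uk
  // would need a public-suffix list to match correctly.
  if (labels.length >= 2 && labels[labels.length - 2] === 'outboundlink') {
    return true;
  }
  return u.hostname === 'l-stat.livejournal.com' &&
         u.pathname.startsWith('/js/pagestats/');
}

// Recover the original destination from a rewritten link of the form
// <page URL>?dr_log=...&linkout=<encoded destination>.
function unwrapLink(href) {
  let u;
  try {
    u = new URL(href);
  } catch {
    return href;
  }
  const inner = u.searchParams.get('linkout'); // already percent-decoded
  if (inner === null || !u.searchParams.has('dr_log')) return href;
  try {
    // Only accept a web destination; anything else is left untouched.
    const target = new URL(inner);
    if (target.protocol === 'http:' || target.protocol === 'https:') return inner;
  } catch {
    // linkout was not a usable absolute URL
  }
  return href;
}
```

`shouldBlock` is the decision a content blocker or userscript would make per outgoing request; `unwrapLink` cleans a link that was already rewritten before you copied it.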

I really need to sit down and figure out the roadblocks to moving my posting habits to Dreamwidth. Let's see: lost some icon associations upon import, need to find out what'll happen if I try a re-import, XJournal needs a little expanding to deal with multiple services. That's about it.

(thanks to foxfirefey for the heads-up on the return of this stuff.)

drivingrevenue.net
