Tuesday, January 13, 2015

Blogspot www.adcash.com Hijack/Redirect www.freecounterstat.com sucks!

Thought I'd make a post since I was unable to find key words to point me to a quick fix to the problem and had to fix it myself the hard way. A few weeks ago my wife mentioned that visitors to her blogspot/blogger blog had contacted her mentioning that they were getting served random popups to a variety of crap sites. Some sites wanted to install viewer software, others just wanted to sell you crap, make you watch videos. Make you clickity click everywhere.. etc..

It would only do it once per visit per day, which meant when it happened and she told me about it, I asked her to repeat the steps to recreate the behavior and it would not do it again. How annoying is that? I'm used to Personal Computers and servers behaving in my presence because they are deathly afraid of me (as they should be) and flaking out when I leave the room but eventually I actually saw it happen with my own eyes.

Whatever it was wrote a local cookie, same name as the blog itself and deleting/blocking access to these would make the redirect fire each and every time Which made it easier to troubleshoot.

The sites were a multitude random crappy click generators. It was all starting with the site www.adcash.com. It would go here to find the random re-direct of the day:


So many of which it became impossible to research the problem from the back-end, like, "Hey I get re-directed once a day to this site (and this one the next day, and this one, and this one..) so you can't look up any info that way, it's a buckshot of annoying websites and the info is safe in the forest of keyword website crap. Any hits that did come up also only pointed to PC malware cleanups which was not the issue in this case. All the PC's at home are pretty well-protected with MS Security Essentials, Spybot Search and Destroy, etc.. This was a problem with the Blog itself. Had it been hacked? How was that possible? Can clicking on a bad popup while logged into your Google account (which we always are) write malicious code? Unlikely. That's a lot of clicks and not easily scrip-table.

I looked through the Blog template (3000 lines) and found an odd entry in an unimportant place in the layout. It was a 200 character nonsense string with a "Base64" function in front of it. This is handy for turning cleartext into gobbledygook when trying to hide stuff from people. You have some nasty commands you want to hide, you convert the string to base64 and tell the template to decode it on the fly. I popped it into a BASE64 decoder and saw cleartext and that it was calling some binary code. Out it came.

Didn't fix it. Not sure what is was. Next.. Time to get out Wire Shark and start looking at packets or process monitor and look for the needle in the haystack.. But wait!

Turns out the site I found the BASE64 decoder on was chocked full of info. It was http://aw-snap.info/articles/redirects.php. Not only did it go over the BASE64 thing but a host of other nasty tricks. They had a Blogger Tool you could plug your blogspot blog into and it would check it (tried it but no luck).

In fact there was not a lot of issues on the Blogspot/Blogger front apart from some kuno​ichi gadget issues. I figured removing javascript blocks one at a time was a good shortcut to try, so in a fit of brute force and ignorance I backed up the Blog template again, documented the layout and started removing HTML Javascript widgets. Damned if it wasn't the second one causing all the fuss. It was a visit counter from www.freecounterstat.com (counter2.statcounterfree.com to be exact) and this was the thing writing the cookies and calling the ajax random malware page popup generator.

This is a free 3rd party visitor counter java script that my wife found somewhere that looked pretty and she put it on her blog where it counted away for years until a few weeks ago. 

Brute force and ignorance. It was only after I found out it was the culprit and researching www.freecounterstat.com that I stumbled across that website keyword in this article that described the same issue we were having. Crazy thing about that story is that the author contacted the makers of the script and they replied back with "

I turn off popup on your account
GREAT! Thanks Chris.. Were they hacked or is this something they randomly turn on for sets of clients to generate click revenue for their free tool? I vote for the latter. 

Don't use scripts from www.freecounterstat.com. Malware sucks. 

Along the way I learned about Scriptsafe, a google chrome extension that stops scripts from running on web pages you can set to trust or distrusted. Worth checking out... 

No comments: