"Benutzerumfragen"... bin ich Maleware-Opfer?
Deus Figendi (noReg)
- sonstiges
Guten Morgen, seit einer Weile erhalte ich auf verschiedenen Websites beim ersten Aufruf die Aufforderung von "agof.de", an einer Umfrage von Benutzern teilzunehmen. Zunächst hatte ich mir wenig dabei gedacht, kommt es doch immer wieder vor, dass einzelne Anbieter sich auf vielen Seiten verbreiten. Inzwischen finde ich aber, dass sich die Seiten, auf denen das auftritt, zuweilen zu stark unterscheiden... heise, ebay, lokale Radiosender, überregionale Zeitungen... alles Mögliche. So dass es mir inzwischen irgendwie nicht mehr koscher vorkommt.
Die Frage, die ich habe, ist simpel: Hat jemand da Kenntnis? Ist das wirklich nur 'nen Service oder 'ne Werbekampagne oder bin ich Opfer von Malware o.ä.?
Ich habe mal Irons (Chromium) "Entwicklertools" angeworfen; der Code, der mir bei heise.de beispielhaft angezeigt wird, ist dieser (Einrückungen von mir... was 'ne Arbeit ^^):
<!--
  Rendered DOM of the survey invitation layer as captured on heise.de.
  Structure: an absolutely positioned wrapper (z-index 1100000) holding a
  420x450 box whose artwork is a background image; the visible "buttons" are
  transparent GIFs placed over that image.
    * 13x13 image at the top right: onclick="iam_CP4(0);"
    * 151x38 image: wrapped in the link to .../iamde/start?... and also
      calls iam_close() on click
    * two small images: a mailto: link and a link to www.agof.de
  NOTE(review): every image and link is plain http://, and the survey link
  carries several identifiers (pi, ps, wmid, p0, p1) plus the page label
  heise//CP//sec_news in its query string.
  NOTE(review): the two http links open a new window (target="_new" /
  "_blank") and carry no rel attribute.
-->
<div id="szm_divlayer" style="position: absolute; left: 100px; top: 10px; border-top-style: none; border-right-style: none; border-bottom-style: none; border-left-style: none; border-width: initial; border-color: initial; z-index: 1100000; background-image: none; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: initial; visibility: visible; background-position: initial initial; background-repeat: initial initial; ">
  <div id="szm_layer" style="z-index:1100000;position:absolute;top:0px;left:0px;width:420px; height:450px; background-image:url(http://iamde.irquest.com/iamde/wmresources/layer.gif);background-repeat:no-repeat">
    <img src="http://iamde.irquest.com/iamde/wmresources/transparent.gif" alt="" onclick="iam_CP4(0);" width="13" height="13" style="position:absolute;left:378px;top:30px;cursor:pointer;" border="0">
    <a href="http://iamde.irquest.com/iamde/start?pi=18255379047&ps=1301925570368&szmvar=heise//CP//sec_news&wmid=3833171381705530442&ver=iam_de_xss_2.2.11&wm=0&p1=54769665&p0=50198970" target="_new">
      <img src="http://iamde.irquest.com/iamde/wmresources/transparent.gif" alt="" onclick="iam_close();" width="151" height="38" border="0" style="padding:0px;margin:0;position:absolute;left:134px;top:306px;display:block;background-image:url(http://iamde.irquest.com/iamde/wmresources/transparent.gif);width:151px;height:38px;">
    </a>
    <a href="mailto:fragebogen@agof.de">
      <img src="http://iamde.irquest.com/iamde/wmresources/transparent.gif" alt="" width="101" height="10" border="0" style="position:absolute;left:101px;top:399px;">
    </a>
    <a href="http://www.agof.de/index_ndim153.php" target="_blank">
      <img src="http://iamde.irquest.com/iamde/wmresources/transparent.gif" alt="" width="47" height="10" border="0" style="position:absolute;left:330px;top:399px;">
    </a>
    <img src="http://iamde.irquest.com/iamde/logos/heise.jpg" alt="" style="position:absolute;left:238px;top:100px;">
  </div>
</div>
Und auf den ersten Blick habe ich den Eindruck es wird von diesem JS eingebunden:
// ---------------------------------------------------------------------------
// Configuration for the survey invitation layer.
//
// Everything below is a script-level `var`, so on a web page each name is a
// global shared with the embedding site. The iam_fadeout_*, iam_position_* and
// iam_zindex values may already have been set by the page before this script
// runs; they are accepted only if they have the expected type (and range) and
// are otherwise replaced by the defaults.
// ---------------------------------------------------------------------------

// Identifiers fixed in this copy of the script.
var ValidWMID = "3833171381705530442";
var iam_Vers = "iam_de_xss_2.2.11";

// Pixel rectangles, four numbers each; iam_CP1 compares the layer position
// against indexes 0/2 (x) and 1/3 (y).
var IAMRange = [100, 10, 100, 10];
var VisRange = [0, 0, 600, 600];

// Running state, filled in by the functions further down the page.
var iam_countX = 0;
var iam_countY = 0;
var iam_vis = "0";
var iam_wm = "0";

// Declared without a value: an earlier assignment by the page survives.
var putoggle;

// Handles of the eight repeating timers.
var iam_rm_1, iam_rm_2, iam_rm_3, iam_rm_4, iam_rm_5, iam_rm_6, iam_rm_7, iam_rm_8;

// Per-element-group switches: anything that is not a boolean becomes true.
var iam_fadeout_flash;
if (typeof iam_fadeout_flash != "boolean") {
  iam_fadeout_flash = true;
}

var iam_fadeout_iframe;
if (typeof iam_fadeout_iframe != "boolean") {
  iam_fadeout_iframe = true;
}

var iam_fadeout_form;
if (typeof iam_fadeout_form != "boolean") {
  iam_fadeout_form = true;
}

// "1" as soon as at least one of the three switches is off, else "0".
var iam_fadeout = (iam_fadeout_flash && iam_fadeout_iframe && iam_fadeout_form) ? "0" : "1";

// Layer offset in pixels: a non-number, or a number outside 0..600, falls
// back to the default.
var iam_position_top;
if (typeof iam_position_top != "number" || iam_position_top < 0 || iam_position_top > 600) {
  iam_position_top = 10;
}

var iam_position_left;
if (typeof iam_position_left != "number" || iam_position_left < 0 || iam_position_left > 600) {
  iam_position_left = 100;
}

// Stacking order: the page may raise it but never go below 1100000, which
// keeps the layer above ordinary page content.
var iam_zindex;
if (typeof iam_zindex != "number" || iam_zindex < 1100000) {
  iam_zindex = 1100000;
}
// Summary for readers triaging this snippet: within this listing the script
// (1) writes a hidden invitation layer into the page, (2) shows it after 3 s,
// (3) hides plug-in, iframe and form elements while it is shown, and
// (4) reports layer position and clicks to third-party hosts through image
// requests. Nothing in this listing reads document.cookie, form values or
// keystrokes; the data sent are the query-string parameters visible below.
//
// NOTE(review): as pasted, the single-quoted literal passed to document.write
// spans several lines and begins with "[code lang=html]", and the listing ends
// with "[/code]". That looks like forum markup plus the poster's own line
// breaks; in this form it is not valid JavaScript, so compare against the
// script as served before relying on details.
// NOTE(review): szmvars is not defined anywhere in this listing. It is
// concatenated unescaped into an href here and into the beacon URLs below.
// NOTE(review): all resources, links and beacons use plain http://.
document.write('[code lang=html]<div id="szm_divlayer" style="visibility:hidden;position:absolute;left:'+iam_position_left+'px;top:'+iam_position_top+'px;border:none;z-index:'+iam_zindex+';background:none;">
<div id="szm_layer" style="z-index:'+iam_zindex+';position:absolute;top:0px;left:0px;width:420px; height:450px; background-image:url(http://iamde.irquest.com/iamde/wmresources/layer.gif);background-repeat:no-repeat">
<img src="http://iamde.irquest.com/iamde/wmresources/transparent.gif" alt="" onclick="iam_CP4(0);" width="13" height="13" style="position:absolute;left:378px;top:30px;cursor:pointer;" border="0" />
<a href="http://iamde.irquest.com/iamde/start?pi=18255379047&ps=1301925570368&szmvar='+szmvars+'&wmid='+ValidWMID+'&ver='+iam_Vers+'&wm='+iam_wm+'&p1=54769665&p0=50198970" target="_new">
<img src="http://iamde.irquest.com/iamde/wmresources/transparent.gif" alt="" onclick="iam_close();" width="151" height="38" border="0" style="padding:0px;margin:0;position:absolute;left:134px;top:306px;display:block;background-image:url(http://iamde.irquest.com/iamde/wmresources/transparent.gif);width:151px;height:38px;" />
</a>
<a href="mailto:fragebogen@agof.de">
<img src="http://iamde.irquest.com/iamde/wmresources/transparent.gif" alt="" width="101" height="10" border="0" style="position:absolute;left:101px;top:399px;" />
</a>
<a href="http://www.agof.de/index_ndim153.php" target="_blank">
<img src="http://iamde.irquest.com/iamde/wmresources/transparent.gif" alt="" width="47" height="10" border="0" style="position:absolute;left:330px;top:399px;" />
</a>
<img src="http://iamde.irquest.com/iamde/logos/heise.jpg" alt="" style="position:absolute;left:238px;top:100px;" />
</div>
</div>
');

// Moves the element with the given id to the very start of <body> unless it
// already is a direct child of <body>. The original node is removed and a
// deep clone of it is inserted in its place.
function iam_move_layer(iam_id){
  var iam_el = document.getElementById(iam_id);
  if(!iam_el){return;}
  if (iam_el.parentNode.tagName != "BODY") {
    var iam_body = document.getElementsByTagName('BODY');
    iam_el.parentNode.removeChild(iam_el);
    iam_body[0].insertBefore(iam_el.cloneNode(true),iam_body[0].firstChild);
  }
}

// Shows the invitation. Scheduled by the dispatch at the end of the listing;
// the evt parameter is never used.
function iam_Analyser(evt) {
  // NOTE(review): a "4.7" substring in appVersion presumably identifies an old
  // browser that gets the pop-up window instead of the layer; confirm.
  var PlattformExisting = navigator.appVersion.indexOf("4.7");
  if (PlattformExisting!=-1) {
    iam_DeliverPopUp();
  } else {
    // z is the current time in ms multiplied by Math.random(), rounded up;
    // presumably only there to make each request URL unique.
    var ir_time = new Date();
    var ir_randmulti = Math.random();
    var ir_random = Math.ceil(ir_time.getTime()*ir_randmulti);
    // Image request to a second third-party host. delta=315360000000 is ten
    // 365-day years expressed in milliseconds.
    // NOTE(review): what the server does with delta is not visible here; the
    // variable name suggests it suppresses further invitations. Verify.
    var ir_lock = new Image();
    ir_lock.src = "http://qs.ivwbox.de/do/nextcheck.gif?delta=315360000000&z="+ir_random;
    document.getElementById("szm_divlayer").style.visibility = "visible";
    iam_move_layer("szm_divlayer");
    // Measure the layer position, then report it with ex=0.
    iam_CP1();
    iam_CP3(0);
    // Once per second, hide every element of the listed tag names for as long
    // as the layer is open (see iam_disable_errors).
    // NOTE(review): the timers take code as a string, which the browser
    // evaluates on every tick. The strings are constants here, but this form
    // stops working under a Content-Security-Policy without 'unsafe-eval'.
    if(iam_fadeout_flash) {
      iam_rm_1 = setInterval("iam_disable_errors('OBJECT')",1000);
      iam_rm_2 = setInterval("iam_disable_errors('EMBED')",1000);
    }
    if(iam_fadeout_iframe) {iam_rm_3 = setInterval("iam_disable_errors('IFRAME')",1000);}
    if(iam_fadeout_form) {
      iam_rm_4 = setInterval("iam_disable_errors('SELECT')",1000);
      iam_rm_5 = setInterval("iam_disable_errors('OPTION')",1000);
      iam_rm_6 = setInterval("iam_disable_errors('INPUT')",1000);
      iam_rm_7 = setInterval("iam_disable_errors('TEXTAREA')",1000);
      iam_rm_8 = setInterval("iam_disable_errors('BUTTON')",1000);
    }
  }
}

// Adds up offsetLeft/offsetTop along the offsetParent chain of the layer into
// the globals iam_countX/iam_countY (the globals are added to, not reset) and
// classifies the result in iam_vis: 1 = inside IAMRange, 2 = inside VisRange,
// 3 = outside both.
function iam_CP1() {
  var iam_el = document.getElementById('szm_divlayer');
  if(iam_el){
    do {
      iam_countX += iam_el.offsetLeft;
      iam_countY += iam_el.offsetTop;
      iam_el = iam_el.offsetParent;
    } while(iam_el);
  }
  if (iam_countX >= IAMRange[0] && iam_countX <= IAMRange[2] && iam_countY >= IAMRange[1] && iam_countY <= IAMRange[3] ) {
    iam_vis = 1;
  } else {
    if (iam_countX >= VisRange[0] && iam_countX <= VisRange[2] && iam_countY >= VisRange[1] && iam_countY <= VisRange[3] ) { iam_vis = 2;}
    else {iam_vis = 3; }
  }
}

// Image request reporting the measured position, the visibility class, the
// fade flag, the script identifiers and the caller's ex code. No value is
// URL-encoded before concatenation.
function iam_CP3(iam_ex) {
  var irimg = new Image();
  irimg.src =
"http://iamde.irquest.com/iamde/wp?p0=18255379047&p2=1301925570368&szmvar="+szmvars+"&posx="+iam_countX+"&posy="+iam_countY+"&vis="+iam_vis+"&fade="+iam_fadeout+"&wmid="+ValidWMID+"&ver="+iam_Vers+"&ex="+iam_ex;
}

// Image request reporting a click (cl code), then closes the layer 200 ms
// later. The timer again takes its code as a string.
function iam_CP4(iam_cl) {
  var cpimg = new Image();
  cpimg.src = "http://iamde.irquest.com/iamde/wp?p0=18255379047&p2=1301925570368&szmvar="+szmvars+"&wmid="+ValidWMID+"&ver="+iam_Vers+"&cl="+iam_cl;
  window.setTimeout('iam_close()', 200);
}

// Alternative delivery: opens the invitation in a 378x408 window named
// "iaminvite" at the configured offset. The URL is fixed in this copy of the
// script. The window is focused only if window.open returned something.
function iam_DeliverPopUp() {
  var popupinvite = window.open("http://iamde.irquest.com/iamde/getfallback?p0=50198970&p1=54769665&p2=18255379047&siteid=heise&ps=1301925570368&wmid=3833171381705530442&szm=heise//CP//sec_news&l=multi","iaminvite","width=378,height=408,left="+iam_position_left+",top="+iam_position_top+",toolbar=no,scrollbars=no,menubar=no,location=no");
  if (popupinvite != null) {popupinvite.focus();}
}

// Hides the layer, stops the repeating timers and makes the affected element
// groups visible again.
function iam_close() {
  document.getElementById("szm_divlayer").style.visibility = "hidden";
  if(iam_fadeout_flash) {
    window.clearInterval(iam_rm_1);
    window.clearInterval(iam_rm_2);
    iam_activate_invisible("OBJECT");
    iam_activate_invisible("EMBED");
  }
  if(iam_fadeout_iframe) {
    window.clearInterval(iam_rm_3);
    iam_activate_invisible("IFRAME");
  }
  if(iam_fadeout_form) {
    window.clearInterval(iam_rm_4);
    window.clearInterval(iam_rm_5);
    window.clearInterval(iam_rm_6);
    window.clearInterval(iam_rm_7);
    window.clearInterval(iam_rm_8);
    iam_activate_invisible("SELECT");
    iam_activate_invisible("OPTION");
    iam_activate_invisible("INPUT");
    iam_activate_invisible("TEXTAREA");
    iam_activate_invisible("BUTTON");
  }
}

// Sets visibility:hidden on every element with the given tag name that is not
// hidden already.
function iam_disable_errors(iam_trg) {
  var iam_sel = document.getElementsByTagName(iam_trg);
  for (var i=0;i<iam_sel.length;i++) {
    if (iam_sel[i].style.visibility != "hidden") {
      iam_sel[i].style.visibility = "hidden";
    }
  }
}

// Sets visibility:visible on every element with the given tag name.
// NOTE(review): the previous state is not remembered, so elements the page
// itself had hidden become visible too.
function iam_activate_invisible(iam_trg) {
  var iam_sel = document.getElementsByTagName(iam_trg);
  for (var i=0;i<iam_sel.length;i++) {
    iam_sel[i].style.visibility = "visible";
  }
}

// Dispatch: with putoggle set, open the pop-up immediately; otherwise show the
// layer after 3 seconds (string-argument timer, see the note in iam_Analyser).
if (putoggle == true) {
  iam_DeliverPopUp();
} else {
  window.setTimeout("iam_Analyser()",3000);
}[/code]
Und das ganze schaut dann so aus:
Ich hab den Code (noch) nicht analysiert, sondern hoffe erstmal, dass jemand was darüber weiß :)