How It Works
1. What is PopLaunch?
If you have seen the following quote you have seen PopLaunch.
<Begin Quote>
(c) 1999, 2000 PopLaunch all rights reserved. The FIRST encrypted Launch
Hosting by M@sTer@GeNTs. Attempting to infringe upon the copyrights of
PopLaunch or attempting to harm the natural course of business of PopLaunch
users will be subject to SEVERE civil and/or criminal penalties
(including but not limited to attempting to hack and/or broadcast the
location of client sites).
ALL clients not honoring remove requests will be terminated (Call
1-800-804-4352 alternatively or for assistance with the PopLaunch browser).
<End Quote>
PopLaunch is a spamming system whose mail usually goes out in one of two ways: through relay rape of a server (abuse of an open mail relay) or through a spam-friendly provider. The system was designed to hide both the source of the e-mail and the location of the client's website. Clicking on the link in the message sends your browser on a trip through three web pages. The service uses JavaScript, redirects, encoded scripts and URLs, and daughter windows with no address bar, all to hide the location of these sites. The final web page is that of the PopLaunch client.
2. How does PopLaunch work?
The Simple Explanation
The spam is sent in HTML format containing JavaScript. Most of what appear to be URLs in the source code are fake. The word f0rm (with a zero) is used instead of the proper form, which makes every form action in the message invalid.
There is only one valid and active link in the spam. Clicking on this link will begin the process.
The chain of web pages begins with a stop at www.angelfire.com, followed by a second stop at a redirecting site, and finally the site the spam advertised. Over the course of these stops, the following things occur.
The right mouse button is disabled, to stop you from seeing the source code of any of the pages.
Your main browser window is resized smaller, and either an ad for Stealthlaunch/PopLaunch appears in it or it is left blank.
A daughter window opens and maximizes to cover the entire screen. This window has no toolbar or address bar; instead it gets a new toolbar loaded by PopLaunch that provides limited functionality. The final site loads in this window.
What PopLaunch does is reverse the process that you may have seen when an advertising pop-up window occurs on your screen. This ad will usually be in a daughter window with the main site in your browser window. PopLaunch puts the ad in the main window and the site in the daughter window.
The Complex Answer
For those who really want to know how this is accomplished, here are the details.
The information below refers to a spam decoded by Spamless and posted to news.admin.net-abuse.email on 2/11/00. Reposted here with his permission. The Angelfire page is no longer active, but the ones controlled by ETC could be.
There have been some changes.
First, the name servers
=======================
(getting to the first page)
The obfuscated URL is in the second level domain jjjjjjjj.com.
The name server sends you to another host.
USUALLY it is angelfire.com (doing a traceroute would
then show angelfire.com and you could complain to them).
It may be that the angelfire.com page is now down and
they have changed the CNAME (see below) to their
own machine.
SO CURRENTLY the name servers give an alias which is on their
own system.
Apparently they have been having problems.
Now they have put their first page up on their OWN system.
Apparently, of the four servers they have up at the IP addresses
64.132.8.4x where x=1,2,3,4 ONLY 64.132.8.43 is actually up.
So, they have to run EVERYTHING from that and from 64.132.8.45.
That obfuscated URL is handled by the name servers for the
jjjjjjjj.com second level domain. If you just do a nameserver
lookup for the name servers ("dig jjjjjjjj.com ns") you won't
find any (that will go to the "authoritative" source, the
name servers themselves, and they are configured to lie and
say that "localhost" is the name server). Instead, to find
what name servers actually are used, check at the 'net's
root servers.
They have four name servers that are used (only the third
is currently alive - that is enough, though)
The name servers used are (check at the root servers for the 'net)
; <<>> DiG 8.2 <<>> @a.root-servers.net jjjjjjjj.com ns
jjjjjjjj.com. NS QC1.QZAA.COM. A 64.132.8.41
jjjjjjjj.com. NS QC2.QZAA.COM. A 64.132.8.42
jjjjjjjj.com. NS QC3.QZAA.COM. A 64.132.8.43
jjjjjjjj.com. NS QC4.QZAA.COM. A 64.132.8.44
Attempting to resolve the obfuscated URL gets me:
NO RESPONSE FROM QC1.QZAA.COM.
NO RESPONSE FROM QC2.QZAA.COM.
CNAME fx1.angel.jjjjjjjj.com from QC3.QZAA.COM.(*)
NO RESPONSE FROM QC4.QZAA.COM.
(*) a CNAME (canonical name) entry is an alias and claims that this
obfuscated URL is just a different name for their other server
fx1.angel.jjjjjjjj.com (usually this is for angelfire.com
where they usually put up the starting page - when that goes
down they can keep the spam run going by putting up the page
with the same directory structure, in this case "/wow/wow/"
on their own server and resetting the entry in their name server).
Finding the IP address for the canonical name (where one goes
to get the first page) gives (no responses except from
QC3.QZAA.COM, again).
fx1.angel.jjjjjjjj.com. A 64.132.8.43
and so one can reach the first page in the chain at:
<http://fx1.angel.jjjjjjjj.com/wow/wow/>
or even:
<http://64.132.8.43/wow/wow/>
(NOTE that this is just the QC3.QZAA.COM machine itself).
The First Page:
===============
The first page (usually on angelfire.com, but currently on their own machine
for this run) is designed to hide locations and send you on to the next step
which (currently) is to another web server which sends a REDIRECT (http
header) to the final site.
This page is doubly encrypted JavaScript.
As the page originally loads one sees:
HTTP/1.1 404 Not Found
[SCRIPT LANGUAGE="Javascript"]
http1="i";mpage1="";mpage0="";http2="mchar";
http8="v";http9="lied";http1="lie/";http0="a";
http1="http://3516597318";
http2="http://3516597317";
http3="http://3516597318";
coded="encrypted";
http4="http://3516597319";
http5="http://3516597320";
http6="http://3516597321";
http7="http://3516597322";
http8="http://3516597323";
http9="http://3516597324";
http10="http://3516597325";
http11="http://3510841944/pet";
classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000";
Which is interesting. It gives a PAGE NOT FOUND HTTP header.
Then it sends the page! (DON'T TRUST THAT HEADER of course)
There is more ... below this header (values) section there
is a section of encrypted JavaScript with decryptor that
decrypts and writes more stuff to the page.
What it writes is another encrypted section with decryptor
which writes a final set of stuff to the page.
This sets up a frameset and, depending on your browser goes to one of two
URLs (the URLs are created in the JavaScript code from the second level
decryption - it used to be that the values, above, that are loaded first,
were used in this - now only "mpage0" is used and that is a null
string).
For IE one has:
codebase="&codeBase=";
nav="&nav=msie&";
flashplugincheck = "/index.cgi?coded=high&classid=";
and the URL is created as:
IE URL: flashplugincheck + classid + codebase + http11 + nav + mpage0
For Navigator one has:
codebase="&codeBase=";
nav="&nav=net&";
flashplugincheck = "/index.cgi?coded=high&classid=";
and the URL is created as:
NAV URL: flashplugincheck + classid + codebase + http11 + nav + mpage0
The code here is much cleaner than it was a week ago! Not *very* good, for
all those variables set in the first load of the page are ignored (mpage0 is
a null string) but at least it is a lot cleaner than it was.
This results in the following URLS:
Internet Explorer URL:
"/index.cgi?coded=high&classid=clsid:D27CDB6E-AE6D-11cf-96B8-444553540000
&codeBase=http://3510841944/pet&nav=msie&"
Navigator URL:
"/index.cgi?coded=high&classid=clsid:D27CDB6E-AE6D-11cf-96B8-444553540000
&codeBase=http://3510841944/pet&nav=net&"
(these are relative URLs: it used to be that they were absolute URLs to
a different server - but now everything is on just two machines at
two IP addresses)
So, the URLs are:
IE:
<http://fx1.angel.jjjjjjjj.com/index.cgi?coded=high>
&classid=clsid:D27CDB6E-AE6D-11cf-96B8-444553540000
&codeBase=http://3510841944/pet&nav=msie&
NETSCAPE:
<http://fx1.angel.jjjjjjjj.com/index.cgi?coded=high>
&classid=clsid:D27CDB6E-AE6D-11cf-96B8-444553540000
&codeBase=http://3510841944/pet&nav=net&
The REDIRECTING WEB SERVER:
===========================
Those URLs do NOT correspond to any pages. Instead, using them goes to the
web server at 64.132.8.43 which responds to those URLs with an
http-redirect header ("302" header).
For IE:
HTTP/1.1 302 Found <-- it FOUND something to do - a location to give you
for redirection.
Location: <http://2093487520357028604592428963475628463945697865934653>
6972205209450298750385080580283509820285096252035729
7509356029875757572934878848570248572098757028082507
0820345877293847565758@
000034534534534534534520349857093000000000100
.092864912732983475698237456923865469187246000000000 *
0000000000000000000000000000000000000000000000000000 *
00000000000000000000000204 *
.000010.000055:23521
/corbis.mx/@3510841963/http:/203.67.39.102/3510841924
/frames.cgi?&program=3510841924&rep=gg&campaign=pvv&ref=
&sub=etc&page=index.html&sessionID=5afGzg3o1gllY
(*) those three lines marked with asterisks make up one LONG number.
For NAVIGATOR:
HTTP/1.1 302 Found
Location: <http://2034572907089785456809840298457969655087398777639458>
6308209293485785575723345028945702845028745082748084
5700870344747647628234758237564298233498884664788298
3498582958982598726663@
000035108419459999999990000000000100.
0000204.000010.000055:23521
/corbis.mx/@3510841963/http:/203.67.39.102/3510841924
/index.cgi?&program=3510841924&rep=gg&campaign=pvv&ref=
&sub=etc&page=&sessionID=pvEn2s2snMYEg
NOTE that there is one LONG junk userid number followed by "@" and then
0xxxx.0yyyy.0zzzz.0ttt:23521
This is a numeric IP address as a dotted octal quad (the bytes making
up the address are in octal).
The first number is 0......00000000100 (starting with 0 is OCTAL).
When parsed by your machine, it should convert this to a number and check
that it is between 0 and 255 (it is much too large, of course) BUT
your machine will probably drop high bits and this is just a few
very high bits plus the octal number 0100_octal=64_decimal. That is
what is seen (it does not see the high bits) and treats it as the
number 64_decimal which IS between 0 and 255.
The next number in the IP address (in both cases) is 0.....204.
Again, this is the octal number 0204_octal=132_decimal plus a few very
high bits (this should be parsed, after having the high bits overflow
away, as the number 132_decimal - a number which IS between 0 and 255).
The next number is 000010=010_octal=8.
The next is 000055=055_octal=45_decimal.
So ... this is at 64.132.8.45 on port 23521.
So, the URLs are:
IE:
<http://64.132.8.45:23521/corbis.mx/@3510841963/http:/203.67.39.102/3510841924>
/frames.cgi?&program=3510841924&rep=gg&campaign=pvv&ref=
&sub=etc&page=index.html&sessionID=5afGzg3o1gllY
NAV:
<http://64.132.8.45:23521/corbis.mx/@3510841963/http:/203.67.39.102/3510841924>
/index.cgi?&program=3510841924&rep=gg&campaign=pvv&ref=
&sub=etc&page=&sessionID=pvEn2s2snMYEg
The LOADING PAGE
================
These are not the URLs for the pages that you see in your browser.
In fact, for Navigator, we have to go through a few more pages before we
even get to the loading page! (it appears to be a bit more difficult
in Netscape to kill the right mouse click and control key presses).
For Navigator, the URL above leads to:
More JavaScript (to block keys, mouse) AND the next page.
The javascript code is obtained from
<http://64.132.8.45:23521/corbis.mx/@3510841963/http:/203.67.39.102/3510841923/images/indexpic.gif>
(the Navigator URL page uses a [SCRIPT] tag with SRC=that_url to load
javascript). It is NOT a gif, but javascript.
It is doubly encrypted. It loads, writes the first decrypted version to your
browser and then that decrypts and writes more to the browser. The final
code blocks mouse clicks and keypresses.
This code USED to be run (in prior versions of PopLaunch) for IE and
Navigator, so the first section just determines which browser one is using.
However, this page does not appear to be loaded if one uses IE.
Besides this JavaScript code, this URL uses JavaScript to replace the
current page with the page from the URL at (it uses a relative URL):
<http://64.132.8.45:23521/corbis.mx/@3510841963/http:/203.67.39.102/3510841924>
/indexx.cgi?&program=3510841924&rep=gg&sub=etc&campaign=pvv&ref=
This is a frameset which loads a main page from:
<http://64.132.8.45:23521/corbis.mx/@3510841963/http:/203.67.39.102/3510841924>
/frames.cgi?&program=3510841924&rep=gg&sub=etc&campaign=pvv&ref=&page=index.html
(I have cleaned up the actual URLs in the pages - they have long, junk,
userids and have dotted octal quads with some junk high bits, etc.)
So ... the Navigator URL (from the redirecting web server) loads more
JavaScript (to block you from seeing code) and loads a new page which is a
frameset which contains the page at the last URL listed above.
That final page is pretty much exactly what you get from the URL (from the
redirecting web server) sent to IE in one step.
The page (either from the redirecting web server in IE or after loading the
extra javascript first in Netscape) is not YET what actually appears in your
browser. It does two things.
First, it defines some JavaScript functions to open windows for other
"affiliate" sex sites with an onUnload JavaScript function that runs them
(so when you try to leave this site you get popup windows) (JavaScript has
the onUnload command which many sites use to open a new window when you
unload the current window, that is, leave a page - that is how all those
pop-up windows open when you try to leave a site). Those functions are used
when you try to leave. But that is for later (when you try to leave).
Second, it sets up a frameset and loads the actual page (yes, FINALLY) that
appears in your browser in the frame.
The page you see
================
The location of the final page that loads in your browser (FINALLY) is:
(for IE)
"<http://1625344163513298476982346198276349187364918746@>
00000000000100.00000000000204.0000000000010
.0000000000055:23521
/corbis.mx/@3510841963/http:/203.67.39.102/3510841924
/frames.cgi?&program=3510841924&rep=gg&sub=etc&campaign=pvv
&ref=empty&user=905874&category=&page=indexfr.html"
(for Netscape):
"<http://1625344163513298476982346198276349187364918746@>
00000000000100.00000000000204.0000000000010
.0000000000055:23521
/corbis.mx/@3510841963/http:/203.67.39.102/3510841924
/frames.cgi?&program=3510841924&rep=gg&sub=etc&campaign=pvv
&ref=empty&user=657700&category=&page=indexfr.html"
(NOTE that only the "&user=#" number value varies and is not important)
Again, we have a junk userid followed by an "@" and an octal dotted quad for
the IP address, and the location for the final page that loads is:
<http://64.132.8.45:23521/corbis.mx/@3510841963/http:/203.67.39.102/3510841924>
/frames.cgi?&program=3510841924&rep=gg&sub=etc&campaign=pvv
&ref=empty&user=905874&category=&page=indexfr.html
                ^^^^^^
This changes to 657700 in Netscape.
The order form page
===================
On this page you find a link to the signup page. That link is:
<http://1625344163513298476982346198276349187364918746@>
00000000000100.00000000000204.0000000000010
.0000000000055:23521
/corbis.mx/@3510841963/http:/203.67.39.102/3510841924
/frames.cgi?&program=3510841924&rep=gg&sub=etc&campaign=pvv
&ref=empty&user=905874&category=empty&page=joinpvv1.html
                ^^^^^^
again, this is different if you use Netscape.
and if you don't like the junk, the signup page can be reached at:
(IE)
<http://64.132.8.45:23521>
/corbis.mx/@3510841963/http:/203.67.39.102/3510841924
/frames.cgi?&program=3510841924&rep=gg&sub=etc&campaign=pvv
&ref=empty&user=905874&category=empty&page=joinpvv1.html
                ^^^^^^
this changes in Navigator to 657700
This signup page has an order form (give them your credit card!
and the data is sent unencrypted - this is NOT a SSL page!).
This is a "give me your credit card info" form with action:
[action=http://216.112.208.20/hcteen/sid=0/bid=0
/info=i79tsgpi637iqzkpwhawcgdrcbza8jm2/trial.php
method=post encType=multipart/form-data]
[INPUT type=hidden
value=http://216.112.208.20/hcteen/sid=0/bid=0
/info=i79tsgpi637iqzkpwhawcgdrcbza8jm2/trial.php
name=page_this]
[INPUT type=hidden
value=http://216.112.208.20/hcteen/sid=0/bid=0
/info=i79tsgpi637iqzkpwhawcgdrcbza8jm2/receipt.php
name=page_done]
(NOTE: You have to use the full URLs given above. If you shorten them you might
wind up at Yahoo.com! If you have JavaScript turned off you may wind
up at MSN.COM instead!)
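The host obfuscation dissected in the "REDIRECTING WEB SERVER" section above (a long junk userid before "@", octets written as over-long octal numbers, and the bare 32-bit "dword" addresses such as http://3516597318 that appear in the first page's variables) can be undone mechanically, which is what an abuse desk or a mail filter needs in order to name the real host. The Python below is an added example written for this page; it is not code from the original post or from PopLaunch. It assumes the truncating behaviour the post describes (a field beginning with "0" is octal, and a parser accumulating an over-long field into a machine word keeps only its low byte), which browsers of the period did not all share. The IE redirect target is the one quoted above, with its wrapped lines joined; the other inputs are the dword URLs from the first page.

```python
"""Decode the obfuscated host forms seen in the PopLaunch redirect chain.

Added example, not from the original post. It models the parsing the post
describes: a dotted-quad field beginning with '0' is octal, an over-long
field overflows so that only its low byte survives, and a bare number such
as http://3516597318 is a 32-bit "dword" address. Browsers of the period
did not all behave this way; treat the model as an assumption.
"""

MASK32 = 0xFFFFFFFF


def octet_value(field: str) -> int:
    """Value a truncating parser would see for one dotted-quad field."""
    if not field.isdigit():
        raise ValueError(f"non-numeric field: {field!r}")
    if len(field) > 1 and field.startswith("0"):
        # Octal: accumulate into a 32-bit word and keep the low byte. Only
        # the last three octal digits reach the low byte (8**3 = 512), so
        # the junk digits further up, 8s and 9s included, are discarded.
        value = 0
        for ch in field:
            value = (value * 8 + int(ch)) & MASK32
        return value & 0xFF
    value = int(field)          # plain decimal field, e.g. 203
    if value > 255:
        raise ValueError(f"decimal octet out of range: {field}")
    return value


def dword_to_ip(number: int) -> str:
    """Render a 32-bit integer host (http://3516597318) as dotted decimal."""
    number &= MASK32
    return ".".join(str((number >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def decode_host(host: str) -> str:
    """Turn an obfuscated host into the dotted-decimal address it names."""
    if host.isdigit():
        return dword_to_ip(int(host))
    fields = host.split(".")
    if len(fields) == 4 and all(f.isdigit() for f in fields):
        return ".".join(str(octet_value(f)) for f in fields)
    return host.lower()         # an ordinary hostname, left unchanged


def deobfuscate_url(url: str) -> tuple:
    """Return (scheme, host, port, path) with the junk userinfo removed."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("expected an absolute URL")
    authority, slash, path = rest.partition("/")
    # Everything before the LAST '@' of the authority is userinfo; the
    # spam fills it with a long junk number. The '@' inside the path
    # (/corbis.mx/@3510841963/...) is never part of the authority.
    _userinfo, _, hostport = authority.rpartition("@")
    host, colon, port_text = hostport.rpartition(":")
    if not colon:
        host, port_text = port_text, ""
    port = int(port_text) if port_text else 80
    return scheme, decode_host(host), port, slash + path


# The IE redirect target quoted in the post, with its wrapped lines joined.
IE_LOCATION = (
    "http://2093487520357028604592428963475628463945697865934653"
    "6972205209450298750385080580283509820285096252035729"
    "7509356029875757572934878848570248572098757028082507"
    "0820345877293847565758@"
    "000034534534534534534520349857093000000000100"
    ".092864912732983475698237456923865469187246000000000"
    "0000000000000000000000000000000000000000000000000000"
    "00000000000000000000000204"
    ".000010.000055:23521"
    "/corbis.mx/@3510841963/http:/203.67.39.102/3510841924"
    "/frames.cgi?&program=3510841924&rep=gg&campaign=pvv&ref="
    "&sub=etc&page=index.html&sessionID=5afGzg3o1gllY"
)


if __name__ == "__main__":
    scheme, host, port, path = deobfuscate_url(IE_LOCATION)
    print(f"{scheme}://{host}:{port}{path}")        # host 64.132.8.45, port 23521
    for raw in ("http://3516597318", "http://3510841944/pet"):
        print(raw, "->", deobfuscate_url(raw)[1])
```

Run as-is, the script names 64.132.8.45:23521 for the redirect target, which matches the post's hand decoding, and expands the dword hosts from the first page into ordinary dotted-decimal addresses. An ordinary hostname passes through unchanged, so the same function can be run over every link pulled from a message; the address it returns is the one to cross-check with a traceroute and put in a complaint.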