W.O.P.R Link checker - a secure way of looking at a suspicious link.


Note to myself: option to remove <img> and <a href> tags.

   Decodes URI

The Linkchecker

The idea originated from the anti blog spam project mentioned here <link>. The utility is made to investigate suspicious links received from spammers or spam bots. Whether or not a link is suspicious you have to decide for yourself: it is not a tool that qualifies a link as suspicious, but rather a filter that lets you look at a page without being redirected to some malicious site. It is also a way to avoid unintended downloads of malware through script injection.

The Mechanics

There are various techniques and methods used to redirect victims to malicious sites.

Script injection:

This is done by injecting a <script> tag, typically right after the <body> tag, so that it is executed immediately. Here is an example from the real world (slightly censored): <body><script src="http://scanner.malXXXrms.com/5.1/startup.php?advid=3400"></script> More examples can be seen under Malware pictures or Malware playbacks. When you retrieve a page through this linkchecker, it inspects the retrieved HTML for various tags. The <script> tags, and the other tags listed below, are extracted together with their content and removed from the HTML, but are shown in a separate popup window. Notice: in the popup window it looks like <script>, but in the underlying HTML it is actually &lt;script&gt; (entity-encoded), so the browser renders it as text instead of executing it. Keep in mind that removing the tags removes the script itself; inline event handler attributes (such as onload=) on the tags that remain are a separate matter and are not covered here.

Iframe injection

As with script injection, the <iframe> tag is injected right after the <body> tag, but sometimes it is appended to the end of the file - all types of files, including .htm, .php or .asp files. Iframe injection is also used by STORM to launch a DDoS attack against a victim: by injecting the <iframe> into every single page on thousands of servers, every page view by an end user creates a request to the victim. It is made 1x1 px, so it is not seen by the end user.

Object injection.

Same as <iframe>. We have no example, but just in case, it is cleaned away along with the other tags.

Embed injection.

Same as <object>, no example yet.

302/301 Moved injection.

Now, this is the ugly part. Instead of injecting the various pages, the server itself is under their control. That means that they have access to the .htaccess file and inject rewrite rules into it. So instead of the user seeing anything, the server just responds with a Moved header, redirecting the victim to a malware site.

About The linkchecker

The mechanics.

Normal communication goes like this:

[Illustration: normal HTTP communication between PCs and WWW servers]

When using the linkchecker, the communication goes through the WOPR. The WOPR receives the URI you have submitted and then connects to the WWW server at that URI on your behalf. So the communication now looks like this:

[Illustration: HTTP communication between PCs, W.O.P.R and WWW servers]

Your request - the green arrow - goes to the WOPR. The WOPR then retrieves the page from the remote WWW server, but only the HTML; it does not follow any links. After removing the tags listed above, the WOPR sends the result back to the main window. The retrieved and stripped page is returned with a <script> tag of the WOPR's own inserted after the <body> tag, which opens a popup window for each type of extracted tag. The headers from the remote WWW server are also returned in a separate popup window.
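The server-side part of the mechanics just described, together with the 301/302 Moved case from the section above, as an added example in Python; it is not the W.O.P.R code. It assumes, as the text implies, that the checker does not follow a Moved response but instead reports the status and headers (the header popup) and hands the body on for tag stripping. The raw responses are constructed here so the example runs offline, parsed with the standard library's http.client over a byte buffer; the function names, the report layout and the .invalid host names are assumptions for the example. The "offsite" flag is an added heuristic: it marks a Location header that points at a different host than the one requested.

```python
import io
import http.client
from urllib.parse import urlsplit

# Statuses reported as "Moved" instead of being followed.
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


class _BytesSocket:
    """Just enough of a socket for http.client to parse a captured raw response."""

    def __init__(self, raw):
        self._buf = io.BytesIO(raw)

    def makefile(self, *args, **kwargs):
        return self._buf


def parse_raw_response(raw):
    """Parse status line, headers and body out of raw HTTP response bytes."""
    resp = http.client.HTTPResponse(_BytesSocket(raw))
    resp.begin()
    body = resp.read()
    return resp.status, resp.reason, resp.getheaders(), body


def inspect_response(requested_url, raw):
    """Build the report handed back to the main window: the remote headers for the
    header popup, the (unfollowed) redirect if any, and the HTML for tag stripping."""
    status, reason, headers, body = parse_raw_response(raw)
    report = {
        "status": status,
        "reason": reason,
        "headers": headers,
        "redirect": None,
        "html": body.decode("utf-8", "replace"),
    }
    if status in REDIRECT_STATUSES:
        location = next((v for k, v in headers if k.lower() == "location"), None)
        target_host = urlsplit(location).hostname if location else None
        report["redirect"] = {
            "location": location,
            # A relative Location has no host and stays on the requested site.
            "offsite": target_host is not None
            and target_host != urlsplit(requested_url).hostname,
        }
    return report


# Constructed responses: a .htaccess-style rewrite answering with 302, and a plain page.
SAMPLE_REDIRECT = (
    b"HTTP/1.1 302 Found\r\n"
    b"Server: Apache\r\n"
    b"Location: http://malware.example.invalid/land.php\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
_BODY = b"<html><body>hi</body></html>"
SAMPLE_PAGE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: " + str(len(_BODY)).encode() + b"\r\n"
    b"\r\n" + _BODY
)
SAMPLE_LOCAL_REDIRECT = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: /index.php\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    url = "http://site.example.invalid/page.php"
    for raw in (SAMPLE_REDIRECT, SAMPLE_PAGE, SAMPLE_LOCAL_REDIRECT):
        r = inspect_response(url, raw)
        print(r["status"], r["reason"], r["redirect"])
        for name, value in r["headers"]:
            print(f"  {name}: {value}")
```

Because the redirect is never followed, the body of a Moved response (usually empty) is all that reaches the stripper, and the Location header is what the user gets to see in the header popup before deciding whether to go any further.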