All would be almost 'fine' but WTF is that? Not that I wouldn't guess but I'm just curious how owned you can get :-)
As a matter of fact, you can get owned pretty bad and what I've seen I would expect to be just a starter... the main course is coming soon!
WARNING: All the information provided in this post is available on the Internet. Links presented on screen shots should be considered malicious - do not visit them unless you really know what you are doing. You have been warned.
Just as your mother told you...
The best way IMHO to check stuff like that is the old school way...
Isn't that just sweet? You go to a website and the traffic goes via a proxy somewhere in China. Well - that's not all in fact. Let's grab a clean VM, make a snapshot just in case, connect - let's see what a sexy girl has to offer, right?
Don't do that at work or you may get strange looks from people around (at best) ;-)
Page loads and looks like a blog - that's what the URL would suggest, but if you look in the source... I said THE SOURCE, not the boobs on the page!
London, H9... hold on - London doesn't have an H9 postcode (although on the page it looks like it was part of the address). GeoIP information is used in several places and looks quite... convincing... as long as you focus on the boobies... oh, and forget about the fact that the bottom of the page says 'She is single boys!!!! She lives in my hometown of London' - right, somebody doesn't even have a spell check :-]
Let's look at the gems on the top shelf... I don't have a lot of time to look at it properly, so just quick bullet points:
Getting the referrer string doesn't look that bad... right? Anyway, why do they want to know where I'm coming from? Is that like SEO and affiliate tracking for malware? Interesting!
- Call to an encode function with the referrer URL given as the parameter - why is someone trying to steal my referrer info?
Not much of it... As I said, I don't have time to play with it properly and see if, for example, I actually get something back from this 'empty' html file. It would be trivial to serve a further payload only when the victim supplies a properly encoded referrer string that is of interest to the attacker.
How effective would it be if the bad guys used this just to check via which channel the victim came to them (they can also find out which channels are the most successful - it's just like marketing campaigns)? The next logical step would be to provide a customized exploit - if the victim came from Twitter do bad stuff to a Twitter user, Facebook - get them owned on Facebook, etc.
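If you would rather catch this in proxy logs than by reading page source, here is an added example (not code from the original post) that flags requests whose query parameter decodes to a URL the same client earlier presented as its Referer - i.e. the landing page is shipping the referrer off to the server. The log format, hostnames and the parameter name `r` are constructed assumptions.

```python
import base64
from urllib.parse import parse_qs, urlsplit

# Constructed proxy-log sample (not from the original post): "client url referer".
# Line 2 mimics the request for the 'empty' html carrying the base64-encoded referrer from line 1.
LEAKED = "http://twitter-example.invalid/status/123"
SAMPLE_LOG = "\n".join([
    f"10.0.0.5 http://blog-example.invalid/index.html {LEAKED}",
    "10.0.0.5 http://blog-example.invalid/empty.html?r="
    + base64.urlsafe_b64encode(LEAKED.encode()).decode() + " http://blog-example.invalid/index.html",
    "10.0.0.7 http://blog-example.invalid/empty.html?r=http%3A%2F%2Ffacebook-example.invalid%2Fp http://blog-example.invalid/index.html",
])

def candidate_decodings(value):
    # Plausible plaintexts of a query value: as given (parse_qs already URL-decoded it), then base64.
    yield value
    padded = value + "=" * (-len(value) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            yield decoder(padded).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            pass

def looks_like_url(text):
    parts = urlsplit(text)
    return parts.scheme in ("http", "https") and bool(parts.netloc)

def parse_log(text):
    return [dict(zip(("client", "url", "referer"), line.split(" ", 2)))
            for line in text.splitlines() if line.strip()]

def find_referrer_exfil(records):
    # 'confirmed': parameter decodes to a URL this client earlier sent as Referer.
    # 'suspect': it merely decodes to a URL on a host other than the one being requested.
    seen, findings = {}, []
    for rec in records:
        known = seen.setdefault(rec["client"], set())
        parts = urlsplit(rec["url"])
        for name, values in parse_qs(parts.query).items():
            for raw in values:
                for plain in candidate_decodings(raw):
                    if not looks_like_url(plain):
                        continue
                    level = "confirmed" if plain in known else "suspect"
                    if level == "suspect" and urlsplit(plain).netloc == parts.netloc:
                        continue  # same-host URL parameter, e.g. an ordinary redirect target
                    findings.append((level, rec["client"], name, plain))
                    break
        known.add(rec["referer"])
    return findings
```

Run `find_referrer_exfil(parse_log(SAMPLE_LOG))` to see one 'confirmed' and one 'suspect' finding; on real logs, feed it requests grouped per client in time order.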
Surely the guys are learning and their intentions are not good. Keep an eye out and don't get yourself fooled!