So the other day one of my friends sent me a link that looks like this.
I downloaded the source and saved in an html file. Then opened it with notepad++.
It looks something like this after some code beautification. Now the most important part is within the script tag. I haven’t tested what the other links are doing. After some clever replace actions code looks more understandable.
It is very clear that the doEvil function is taking an encoded string and decoding it to basically and url which is then taken by the httpreq.open which is then appended to the html. It was very easy to get the url. Just print the output of doEvil funtion with the encoded string as parameter.
There we go. Now lets input the link in tor again.
We get another link. This looks like a linkception but we are patient. Lets input that again.
Is this just jquery v1.9 or something else I dont know. I have not analysed it. Probably uses the other links in some ways. I will just submit this link to google.
If you want to take a look for yourselves.
Initial Source Code – http://pastebin.com/493mBGck
Jquery Source Code (Obsfucated)- http://pastebin.com/vEYS6X6g
If you clicked on the link its best to just resetup windows. These tools below may help but no 100% guarantee. Try all three in order.