1515698 - Loading this page (on Windows at least) hangs Firefox and Windows (could eventually kill

Status: NEW

(Toolkit :: Places, defect, P3)

Description

[Mike Kaply [:mkaply]]

Attachment: 20181220_110946.jpg

Loading this page:

https://allyceurcertextra.info/en/?search=%B9%E3%9FZ%CA%83%EE%B5z%A9%A8%5C%C7%80Bf%A2M3%01%7C%20%F2%AE%18&list=null

Hangs Firefox by creating a ton of history items (these are just a few - there were hundreds)

https://allyceurcertextra.info/en/?search=%B9%E3%9FZ%CA%83%EE%B5z%A9%A8%5C%C7%80Bf%A2M3%01%7C%20%F2%AE%18&list=null#0123456789101112
https://allyceurcertextra.info/en/?search=%B9%E3%9FZ%CA%83%EE%B5z%A9%A8%5C%C7%80Bf%A2M3%01%7C%20%F2%AE%18&list=null#01234567891011
https://allyceurcertextra.info/en/?search=%B9%E3%9FZ%CA%83%EE%B5z%A9%A8%5C%C7%80Bf%A2M3%01%7C%20%F2%AE%18&list=null#012345678910
https://allyceurcertextra.info/en/?search=%B9%E3%9FZ%CA%83%EE%B5z%A9%A8%5C%C7%80Bf%A2M3%01%7C%20%F2%AE%18&list=null#0123456789
https://allyceurcertextra.info/en/?search=%B9%E3%9FZ%CA%83%EE%B5z%A9%A8%5C%C7%80Bf%A2M3%01%7C%20%F2%AE%18&list=null#012345678
https://allyceurcertextra.info/en/?search=%B9%E3%9FZ%CA%83%EE%B5z%A9%A8%5C%C7%80Bf%A2M3%01%7C%20%F2%AE%18&list=null#01234567
https://allyceurcertextra.info/en/?search=%B9%E3%9FZ%CA%83%EE%B5z%A9%A8%5C%C7%80Bf%A2M3%01%7C%20%F2%AE%18&list=null#0123456
https://allyceurcertextra.info/en/?search=%B9%E3%9FZ%CA%83%EE%B5z%A9%A8%5C%C7%80Bf%A2M3%01%7C%20%F2%AE%18&list=null#012345
https://allyceurcertextra.info/en/?search=%B9%E3%9FZ%CA%83%EE%B5z%A9%A8%5C%C7%80Bf%A2M3%01%7C%20%F2%AE%18&list=null#01234
https://allyceurcertextra.info/en/?search=%B9%E3%9FZ%CA%83%EE%B5z%A9%A8%5C%C7%80Bf%A2M3%01%7C%20%F2%AE%18&list=null#0123
https://allyceurcertextra.info/en/?search=%B9%E3%9FZ%CA%83%EE%B5z%A9%A8%5C%C7%80Bf%A2M3%01%7C%20%F2%AE%18&list=null#012
https://allyceurcertextra.info/en/?search=%B9%E3%9FZ%CA%83%EE%B5z%A9%A8%5C%C7%80Bf%A2M3%01%7C%20%F2%AE%18&list=null#01
https://allyceurcertextra.info/en/?search=%B9%E3%9FZ%CA%83%EE%B5z%A9%A8%5C%C7%80Bf%A2M3%01%7C%20%F2%AE%18&list=null#0
https://allyceurcertextra.info/en/?search=%B9%E3%9FZ%CA%83%EE%B5z%A9%A8%5C%C7%80Bf%A2M3%01%7C%20%F2%AE%18&list=null

It was redirected from

https://news.grabien.com/story-18-most-mortifying-media-moments-2018-1

as an ad.

It displays a Fake Firefox security error (attached)

Comment 1

[Mike Kaply [:mkaply]]

Attachment: Source of page

Page is 404ing sometimes.

Here's the source of the page (was able to bring it up in Chrome)

Comment 2

[Mike Kaply [:mkaply]]

Comment on attachment 9032746 [details]
Source of page

Switching to text/plain because it kills Firefox when you view as a web page, even as an attachment.

Comment 3

[Mike Kaply [:mkaply]]

This is doing the infamous giant mouse pointer thing to make you think your mouse doesn't work.

Comment 4

[Daniel Veditz [:dveditz]]

Attachment: Partially unpacked script

Partially unpacked the script to see what's going on. Maybe part of a more generic framework because there's things like the _l() function that don't seem to be called from anywhere. Also a handful of places something like:

function _j(_q) {
    if (_q > 83) _q = _q - 1;
    return _q;
};
_j(64);

Where there's a function that basically returns a numeric result, called only once with a number and not in an expression context. Meaningless chaff for further obfuscation, or something deeper I don't understand?

<div id="zeiyybi">

According to Google translate "zeiyybi" might be Uzbek for "zealous".

The fake helpline number (which is contained in a PNG image for further firewall-scanning resistance) is 1-888-311-5117 and goes to a "support" call-center which was answered by an Indian-accented man.