MarkusAO

SmartFren Iframe Ads Injection Fixes

May 25th, 2015
An Indonesian ISP called SmartFren is now injecting ads into all web pages loaded without SSL -- to their paying customers! This case file is updated whenever there is more news. Last updated: 2015/05/29.

==== UPDATE: Here is a simple, beautiful fix! ====

Install a browser plugin that allows you to modify request headers; e.g. https://addons.mozilla.org/en-us/firefox/addon/modify-headers/ for Firefox. Then add a rule to "Modify" the "Accept" header to "*/*" in place of the default Accept header. After that, all your HTTP requests and responses are left untouched. Credit to Steven at StackOverflow for the elegant solution!

Discussion here: http://stackoverflow.com/questions/30505416/eliminate-isp-injects-pages-with-iframe-script-for-ads

==================================================

SmartFren's poorly implemented iframing script also breaks functionality on many pages, such as:

Page titles get blanked. Anchors don't work. Many AJAX features don't work (SmartFren also tries to iframe content that's asynchronously loaded). Some AJAX and SocNet JavaScript plugins break out by themselves and result in a blank page; etc.

The included GreaseMonkey (http://en.wikipedia.org/wiki/Greasemonkey) script attempts to fix some of the damage, including busting out of the iframe and cleaning the DOM. It also has some unintended side effects that can break pages with legit iframes.

I am also experimenting with a local proxy server for filtering this, using Privoxy (http://www.privoxy.org/). You can find an injection-filtering configuration included. While it prevents the injected script from executing altogether, making it a safer option than the GreaseMonkey clean-up, it likewise causes some problems with legitimate iframes.

Ideally I could configure Privoxy to immediately resend the request when the alteration is detected, instead of filtering out the injected JS and replacing it with a JS redirection to the original URL. (The ISP injection gets switched off when the same request is resent without delay.) I have yet to figure out how to accomplish that.

Only requests on port :80 are affected. In addition, SmartFren blocks port 53 to prevent the use of external DNS services.

You should block the IP address 10.20.173.44 in your firewall to ensure that no further ad-injection code is loaded. At the least, that saves a bit of unnecessary extra bandwidth. Any further suggestions, please let me know. This is very annoying. If all else fails, use the TOR Browser. It's immune to this nuisance. Otherwise, set up a VPN. Bad Smartfren, bad...


============ PRIVOXY FILTERING ============

1. Install Privoxy and configure your browsers to use it as a local proxy server.

2. In user.action, insert the following:

{+filter{smartfren}}
/

3. In user.filter, insert the following:

FILTER: smartfren Redirect to source URL before injection is activated.
s@(.*)function bsxz(.*)@top.location.replace(self.location.href);</script>@igmsx

This results in the blanking out of the entire injected page, and a JavaScript redirection back to the requested URL.


============ GREASEMONKEY SCRIPT ============

// ==UserScript==
// @name SmartFrenCrapBuster
// @namespace http://*
// @include *
// @version 1
// @grant none
// ==/UserScript==

// Redefine the 'u' variable (a global set by the injected page, so no 'var' here).
// SmartFren script only logs the URL without the #anchor etc.

u = self.location.href;


// Cancel out those ugly functions ya. (Unfortunately we can't intercept the process here, because this script only runs after the function gets executed. Need a local proxy filter instead.)

if (typeof bsxz == 'function') {
    bsxz = function() { return false; };
}

if (typeof go == 'function') {
    go = function() { top.location.replace(u); };
}


// If in frame-holder, undo the DOM modifications.
// getElementById() returns null when there is no 'rf' frame, so test the element itself.

var holder = document.getElementById('rf');
if (holder && holder.contentDocument) {
    unDoDom(holder.contentDocument);
}


// If in frame, break from frames and redirect to the actual page.

if (parent.document.getElementById('rf')) {
    doReMi(u);
    unDoDom(document);
}


// Function: Redirect to the page referenced in the URL.

function doReMi(u) {

    // location.protocol includes the trailing colon.
    if (location.protocol == 'https:') {
        return false; // Not that they can tweak https anyways.
    }

    if (u.search(/twitter|facebook|google/i) > -1) {
        // Things that should be in iframes without SmartFren, like SocNet plugins, shouldn't break out of frames. This doesn't quite work yet.
        return false;
    }
    top.location.replace(u);
}


// Function: Reverse the DOM changes the SmartFren script does.

function unDoDom(docSrc) {

    var y = docSrc;

    // Remove the target="_top" that the injection forces onto every link.
    var an = y.getElementsByTagName("a");
    var i = an.length;

    while (i--) {
        if (an[i].target == "_top") {
            an[i].removeAttribute('target');
        }
    }

    // Same for the <base target="_top"> element the injection appends to <head>.
    an = y.getElementsByTagName("base");
    i = an.length;

    while (i--) {
        if (an[i].target == "_top") {
            an[i].removeAttribute('target');
        }
    }
}


============ INJECTION SAMPLES ============

#### SAMPLE OF THE MAIN INJECTION (Formatted for readability) ####

<html>
<head>

<script>

function bsxz(fr){
    try{
        var y=fr.contentDocument;
        try{
            var h=y.getElementsByTagName('head')[0];
            var bt=y.createElement("base");
            bt.target="_top";
            h.appendChild(bt);
            var an=y.getElementsByTagName("a");
            for (var i in an) {
                an[i].target="_top";
            }
        }
        catch(ee){
        }
    }
    catch(e){
    }
}

function go(w,u){
    var x=w.frames['rf'];
    if (x==null){
        x=w.document.getElementById('rf');
        if (x!=null)x.src=u;
    }
    else
        x.location=u;
}

var xu="http://10.20.173.44:8080/AdsInsert/";

var d=document;
var w=window;
var res;
var ip='10.123.123.123'; // My IP Address
var vid='2';
var md='6288123123123'; // My Modem Number

var u='http://www.scriptoq.com/'; // Requested URL

if (w.location.hostname.indexOf("m.")>=0)
    d.writeln('<meta id="xvw" name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">');

</script>

</head>

<body style="margin:0;padding:0;overflow:hidden;width:100%;">

<script>
if (w.location == w.parent.location){
    d.writeln('<iframe src="about:blank" allowtransparency=true frameborder=0 name="rf" id="rf" scrolling=auto style="width:100%;height:100%;" onload="bsxz(this);"></iframe>');
    go(w,u);
    d.writeln('<sc'+'ript src="'+xu+'AdsServer?url='+w.location.hostname+'&mdn='+md+'&lac=1&ci=1">'+'</scri'+'pt>');
}
else{
    go(w.top,u)
};
</script>

<iframe src="about:blank" allowtransparency="true" name="rf" id="rf" scrolling="auto" style="width:100%;height:100%;" onload="bsxz(this);" frameborder="0"></iframe>

<script src="http://10.20.173.44:8080/AdsInsert/AdsServer?url=www.scriptoq.com&amp;mdn=6288123123123&amp;lac=1&amp;ci=1"></script>

</body>
</html>
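
The markers visible in the sample above (the bsxz function, the iframe with id "rf", and the /AdsInsert/AdsServer script URL) are enough to fingerprint an injected response and recover the URL that was actually requested. This is an added example, not part of the original paste: inspectResponse and its field names are this example's own, and both sample bodies are constructed.

```javascript
// Fingerprints of the injected wrapper, taken from the sample on this page.
const MARKERS = {
  wrapperFunction: /function\s+bsxz\s*\(/,
  frameHolder: /<iframe[^>]*\bid=["']?rf["']?[\s>]/i,
  adsEndpoint: /\/AdsInsert\/AdsServer\?/,
};

// Inspect an HTTP response body; names here are this example's own.
function inspectResponse(body) {
  const hits = Object.keys(MARKERS).filter((k) => MARKERS[k].test(body));
  // Read a string literal assigned as: var <name>='<value>';
  const jsVar = (name) => {
    const re = new RegExp("var\\s+" + name + "\\s*=\\s*['\"]([^'\"]*)['\"]");
    const m = re.exec(body);
    return m ? m[1] : null;
  };
  // Require two independent markers so that a page which merely mentions
  // one of them, or uses a legitimate iframe, is not flagged.
  const injected = hits.length >= 2;
  return {
    injected,
    markers: hits,
    originalUrl: injected ? jsVar("u") : null, // URL the user asked for
    adsServer: injected ? jsVar("xu") : null, // base URL of the ad server
    leaked: injected ? { clientIp: jsVar("ip"), modemNumber: jsVar("md") } : null,
  };
}

// Constructed sample, condensed from the injection sample above.
const INJECTED_SAMPLE = [
  "<html><head><script>",
  "function bsxz(fr){try{var y=fr.contentDocument;}catch(e){}}",
  'var xu="http://10.20.173.44:8080/AdsInsert/";',
  "var ip='10.123.123.123';",
  "var md='6288123123123';",
  "var u='http://www.scriptoq.com/';",
  "</script></head><body>",
  '<iframe src="about:blank" name="rf" id="rf" onload="bsxz(this);"></iframe>',
  '<script src="http://10.20.173.44:8080/AdsInsert/AdsServer?url=www.scriptoq.com&amp;mdn=6288123123123&amp;lac=1&amp;ci=1"></script>',
  "</body></html>",
].join("\n");

// Constructed clean page with a legitimate iframe: must not be flagged.
const CLEAN_SAMPLE =
  '<html><body><iframe id="player" src="http://video.example/embed/1"></iframe></body></html>';

console.log(inspectResponse(INJECTED_SAMPLE));
console.log(inspectResponse(CLEAN_SAMPLE).injected);
```

The leaked field shows what the wrapper exposes to any script on the page: the subscriber's internal IP address and modem number travel in clear text with every injected response.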


#### SAMPLE OF THE /AdsServer? SCRIPT LINKED FROM ABOVE ####

//mdn=6288123123123
//user-agent=Mozilla/5.0 (Windows Private) Gecko/00000000 Firefox/X.XX
//lac=1
//ci=1

if ((window.location == window.parent.location) && (window.innerHeight>175)) {
    var toolbar_id=12341234
    var application_dir="http://10.20.173.44:8080/AdsInsert/"
    var data_dir="http://10.20.173.44:8080/data/banner/"
    var toolbar_image_dir = "http://10.20.173.44:8080/data/toolbar/"
    var search_key_word = /seveneleven|alphamart|circle k|indomart|hypermart|carefour|supermarket/i

    var image_width,image_height,image_file,flying_image_file_width_a,flying_image_file_height_a,flying_image_file_a,flying_image_file_width_b,flying_image_file_height_b,flying_image_file_b,flying_image_file_width_c,flying_image_file_height_c,flying_image_file_c,flying_ads_type,flying_ads_timeout=5000,flying_ads_start=2000,flying_clicklink;

    var banner_ads_start,banner_ads_timeout,banner_image_file_width,banner_image_file_height,image_file_banner,banner_clicklink,banner_image_file_width_a,banner_image_file_height_a,banner_image_file_a,banner_image_file_width_b,banner_image_file_height_b,banner_image_file_b,banner_image_file_width_c,banner_image_file_height_c,banner_image_file_c,banner_ads_type;

    flying_ads_type=-1
    exp_ads_type=-1;
    exp_ads_start=0;
    exp_ads_timeout=0;
    exp_toolbar_type=0;
    //UaAgent='-11100~1234~1234~'
    //Urlid='-1'
    var UrlValue='www.scriptoq.com'
    var LocationValue='1:1'
    var MSISDNValue='6288123123123'
    var lng=''
    var lat=''
    var label=''
    document.write('<link rel="stylesheet" href="http://10.20.173.44:8080/AdsInsert/BannerAds.css">')
};