Re: [Full-Disclosure] Phishing scam - Obfuscated url help please
From: Nick FitzGerald (nick_at_virus-l.demon.co.uk)
To: firstname.lastname@example.org Date: Sat, 24 Jan 2004 12:29:52 +1300
Gadi Evron <email@example.com> replied to Matthias Benkmann <msbREMOVE-
> > An easy way to de-obfuscate this is to give your browser this URL. Works
> > pseudo-protocol, too.
> We have seen this done and exploited *mostly* on IRC spam (directed at
> the mIRC client).
> Let's decode a URL that may end up making IE destroying the PC or
> emailing our passwords.. or downloading a dropper or,,, :o)
You beat me to it...
Indeed, very good advice which applies equally to the other suggestion
of pasting it into Google (hopefully Google does all the necessary
escaping, but at the rate XSS bugs are still being found all round the
place do you really want to take that gamble?). Always assume the
worst which in a case like this may be that the URL was obfuscated not
just to trick some clueless newbie or "typical user" but to outwit
"power users" or even half-clued admins.
The first rule with _all_ suspect software, be it an unknown
executable, an HTML-embedded script or a possible one-liner (such as
this) is _NEVER_ "run" it on anything but an isolated "goat" ("mule",
"donkey", "test net", etc) machine, (at least not unless you have done
a thorough static analysis of it and are sure it is "safe" to do
FWIW, what I did with the posted URL was paste it into a simple
standalone .JS I use for such things (it decodes the new string into a
string variable and writes that to a file). After doing a careful
eyeballing of the pasted string and any necessary manual tidying (in
this case, removing the "=" chars) I then ran the .JS then viewed the
output file with a "safe" file viewer.
-- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html