Re: [Full-Disclosure] Phishing scam - Obfuscated url help please

From: Nick FitzGerald (
Date: 01/24/04

  • Next message: Matt Burnett: "Re: [Full-Disclosure] DOS all platforms"
    Date: Sat, 24 Jan 2004 12:29:52 +1300

    Gadi Evron <> replied to Matthias Benkmann <msbREMOVE->:

    > > An easy way to de-obfuscate this is to give your browser this URL. Works
    > > at least with Mozilla, but I think other browsers support the javascript:
    > > pseudo-protocol, too.
    > >
    > > javascript:alert(decodeURI('<obfuscated-URL-here>'))
    > We have seen this done and exploited *mostly* on IRC spam (directed at
    > the mIRC client).
    > Let's decode a URL that may end up making IE destroying the PC or
    > emailing our passwords.. or downloading a dropper or,,, :o)

    You beat me to it...

    Indeed, very good advice which applies equally to the other suggestion
    of pasting it into Google (hopefully Google does all the necessary
    escaping, but at the rate XSS bugs are still being found all round the
    place do you really want to take that gamble?). Always assume the
    worst which in a case like this may be that the URL was obfuscated not
    just to trick some clueless newbie or "typical user" but to outwit
    "power users" or even half-clued admins.

    The first rule with _all_ suspect software, be it an unknown
    executable, an HTML-embedded script or a possible one-liner (such as
    this) is _NEVER_ "run" it on anything but an isolated "goat" ("mule",
    "donkey", "test net", etc) machine, (at least not unless you have done
    a thorough static analysis of it and are sure it is "safe" to do

    FWIW, what I did with the posted URL was paste it into a simple
    standalone .JS I use for such things (it decodes the new string into a
    string variable and writes that to a file). After doing a careful
    eyeballing of the pasted string and any necessary manual tidying (in
    this case, removing the "=" chars) I then ran the .JS then viewed the
    output file with a "safe" file viewer.

    Nick FitzGerald
    Computer Virus Consulting Ltd.
    Ph/FAX: +64 3 3529854
    Full-Disclosure - We believe in it.

  • Next message: Matt Burnett: "Re: [Full-Disclosure] DOS all platforms"

    Relevant Pages

    • Re: TLV Objekte aus Datei lesen
      ... Weil STRING als OCTET STRING und IA5STRING vorkommen, das aber piepegal ist, schere ich die alle über einen Kamm und komme mit meinem STRING aus. ... Es gibt hier keinen Len-Parameter beim Decode. ... In meinen Daten haben die meisten der Arrays eine ein- oder zweibyteige Angabe der Anzahl der Records am Anfang. ... technischen Daten der Karte sofern sie in der Datei stehn). ...
    • Re: Sending floats over a client-server in Smalltalk
      ... The trick is knowing what to decode them ... Then encode the number in the remaining bytes. ... ByteString>>floatAt: byteIndex ... I could then take a string ...
    • Re: UnicodeDecodeError: utf-8 codec cant decode byte 0xb6 in position 0: invalid start byte
      ... Don't fix the problem till you understand it. ... Figure out who is dealing with a byte string here, and where that byte string came from. ... Adding a decode, especially one that's going to do the same decode as your original error message, is very premature. ... I'll bet the real problem is you're using some greek characters in the name of the environment variable, rather than "REMOTE_HOST" So everything you show us is laboriously retyped, hiding the real problems underneath. ...
    • Re: Selecting a record froma table where a column might be null
      ... In perl dbi, ... So you use the decode function in your ... string null in decode you can ... Win a $20,000 Career Makeover at Yahoo! ...
    • Re: New EW
      ... After I crawl off your Mommy, yeah. ... It's safe to decode everything I say with "Actually I don't have any ...