
URL Obfuscation


StevenUnderwood


http://www.spamcop.net/sc?id=z815925820zfc...909996c0f4b0d8z

The URL in this spam cannot be tracked by the parser; it gets cleaned up to:

http:// ulxwmqn.org.<.lfjxeesiomug.inantaopv.info#fwlbewsffxi.com

SamSpade cannot get to that URL but my browser (IE) sure does, going to an HGH site (which transforms the URL as: http:// ulxwmqn.org.%3C.lfjxeesiomug.inantaopv.info/#fwlbewsffxi.com)

Processing that way does get a report generated to: abuse[at]cnc-noc.net

Even leaving the original and deobfuscating the # to /# gets the same report

http:// ulxwmqn.org.<.lfjxeesiomug.inantaopv.info/#fwlbewsffxi.com

Question: Do other browsers accept this as a valid URL or is this another IE "trick"?

P.S. I will try to move this to another obfuscation thread as soon as I get all the data input.

P.P.S. Did not find an obfuscation thread close to this method going back to feb-2004. If another moderator finds one, feel free to move this there.


... http:// ulxwmqn.org.<.lfjxeesiomug.inantaopv.info#fwlbewsffxi.com

Question:  Do other browsers accept this as a valid URL or is this another IE "trick"? ...


Mozilla 1.7.7 and Firefox 1.0.7 have no difficulty, changing .info#fwlbewsffxi.com to

.info/#fwlbewsffxi.com in each case.

Netscape® Communicator 4.79 however is defeated :)


Edit: it seems to have taken me too long to write this as Farelf's post was recorded before I finished this one. But I will leave it here anyway.

You seem to have found a strange one here.

The problem appears to be the additional line break in the middle of the code and/or the fact that the parser is disregarding the redirect information

href="http:/\ulxwmqn.org%2E<.lfjxeesiomug%2Ei

nantaopv.info#fwlbewsffxi.com">

The quote is from the message source of IE pasted into Notepad

Yet if you delete the line break and reparse the entire message the parser seems to have the same problem: http://www.spamcop.net/sc?id=z815960680z47...85be7b1ea6c21dz

On further looking, the problem with "Cannot resolve http://ulxwmqn.org" is the simple fact that that address cannot be resolved, period, even by IE. The address that IE is resolving is the redirect address "lfjxeesiomug.inantaopv.info".



The problem appears to be the additional line break in the middle of the code and/or the fact that the parser is disregarding the redirect information. The quote is from the message source of IE pasted into Notepad.

Yet if you delete the line break and reparse the entire message the parser seems to have the same problem:


So then the line break would not be the problem ;)

The problem is that the parser seems to see the # as part of the hostname yet the browsers seem to add a / making the # part of a directory structure or other code passed to the site. I was expecting this to be an IE only thing but as Farelf has mentioned, at least 2 other browsers do the same thing.

Kicking this to the deputies for their reaction.


It would appear that the "#" is the problem. I deleted the string "#fwlbewsffxi.com" and ran the parse and the address resolved http://www.spamcop.net/sc?id=z816100803z45...68491ce68111ebz

Also replacing the "#" with "/" generated the same results http://www.spamcop.net/sc?id=z816102248z2c...e21eba227e37ebz

So I would agree with your logic Steven, the "#" or the missing "/" in front of the "#" is definitely a problem for the parser.

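Added example, not SpamCop's parser code (which is not on this page) and not posted by anyone in the thread: a Python function that delimits a URL the way the browsers above did, following the WHATWG URL rules for http-style schemes, beside the naive "everything after :// up to the first /" split that the parser evidently used. The function names, the naive_host model of the parser and the www.example.com URL are my assumptions; the spam href and its cleaned-up forms are the ones quoted in this thread.

```python
from urllib.parse import unquote

# WHATWG URL "special" schemes: the authority ends at any of / \ ? #
SPECIAL_SCHEMES = {"http", "https", "ftp", "ws", "wss"}
AUTHORITY_TERMINATORS = "/\\?#"
# Printable members of the WHATWG "forbidden host code point" set; a current
# browser refuses to navigate to a host containing any of them.
FORBIDDEN_HOST_CHARS = set(" #/:<>?@[\\]^|%")


def naive_host(url):
    """What a parser that reads 'everything after :// up to the first /' sees.
    This models the behaviour observed in the thread: '#' is swallowed into
    the host name unless a '/' happens to precede it (assumed model)."""
    return url.split("://", 1)[1].split("/", 1)[0]


def split_like_browser(url):
    """Split url into (scheme, host, port, path, query, fragment) using the
    delimiting rules browsers apply to http-style URLs.  Returns None for
    non-special schemes (assumption: only those matter for spamvertised links).
    Userinfo (user:pass@) is discarded and bracketed IPv6 hosts are not modelled."""
    # Browsers strip ASCII tab, CR and LF anywhere in the input before parsing,
    # which is why a line break spliced into the middle of an href changes nothing.
    url = "".join(c for c in url.strip() if c not in "\t\r\n")
    scheme, sep, rest = url.partition(":")
    scheme = scheme.lower()
    if not sep or scheme not in SPECIAL_SCHEMES:
        return None
    # "special authority ignore slashes": http:/\host, http:\\host and
    # http:///host all reach the same host as http://host
    rest = rest.lstrip("/\\")
    end = min((rest.index(c) for c in AUTHORITY_TERMINATORS if c in rest),
              default=len(rest))
    hostport, tail = rest[:end].rsplit("@", 1)[-1], rest[end:]
    host, port = hostport, None
    if ":" in hostport:
        maybe_host, _, maybe_port = hostport.rpartition(":")
        if maybe_port.isdigit():
            host, port = maybe_host, int(maybe_port)
    # The host is percent-decoded before it is used, so "org%2E<" is "org.<"
    host = unquote(host).lower()
    # '#' starts the fragment whether or not a '/' precedes it; '?' starts the query
    before_fragment, _, fragment = tail.partition("#")
    path, _, query = before_fragment.partition("?")
    path = path.replace("\\", "/") or "/"
    return scheme, host, port, path, query, fragment


def forbidden_host_chars(host):
    """Characters in host that the WHATWG host parser rejects outright."""
    return sorted(set(host) & FORBIDDEN_HOST_CHARS)


if __name__ == "__main__":
    # The href from the thread exactly as it appeared in the message source,
    # line break included, and the cleaned-up form the parser was given.
    spam_href = "http:/\\ulxwmqn.org%2E<.lfjxeesiomug%2Ei\nnantaopv.info#fwlbewsffxi.com"
    cleaned = "http://ulxwmqn.org.<.lfjxeesiomug.inantaopv.info#fwlbewsffxi.com"
    print("naive host:   ", naive_host(cleaned))
    scheme, host, port, path, query, fragment = split_like_browser(spam_href)
    print("browser host: ", host)
    print("fragment:     ", fragment)
    print("rejected by a current browser because of:", forbidden_host_chars(host))
```

Run stand-alone it shows the naive host still carrying the "#fwlbewsffxi.com" tail, the browser host with the tail moved into the fragment (and the %2E escapes and the line break gone), and the "<" that makes a current browser refuse the host altogether; the 2005 browsers in this thread were more lenient, which is why they reached the site at all.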

The website lfjxeesiomug.inantaopv.info seems to be struggling at the time of this posting. Refused connection, DNSReport saying

[ERROR: I was unable to get an answer from the parent servers [ns5.cafegood.com], when I tried to find the NS records for lfjxeesiomug.inantaopv.info.]
Among the mourners who mourn,

I'll not a mourner be.

- but it makes experimentation/verification difficult. No consideration, these people!

[EDIT] What a pity, not dead, just flopping about - Searching for lfjxeesiomug.inantaopv.info A record at ns5.cafegood.com. [221.11.134.39]: Reports lfjxeesiomug.inantaopv.info. [took 526 ms]

WHOIS results for 211.233.16.88

Contacts - (abuse) security[at]kidc.net


[2 years later...]

Came across another, entirely elaborate, one today - not from an account I report but the spamvertized "URL" is

<http://www.dogpile.com/clickserver/_iceUrlFlag=1?rawURL=http%3A%2F%2Fwww.holesteam.com%2F&0=&1=0&4=204.9.89.53&5=85.17.143.180&9=3b3d47ee217645b39178c1c78361c801&10=1&11=info.dogpl&13=search&14=239137&15=main-title&17=2&18=1&19=0&20=0&21=2&22=VxiGXJ9DA6c%3D&23=0&40=hQK52We75q3brdPgZBSLGw%3D%3D&_IceUrl=true }>

...which appears unclickable in this browser (IE7) but certainly is clickable in Outlook and in Hotmail Live messages. Where it is trying to go or what it is meant to do when it gets there I have no idea - but according to the parser ("added either end of URL to preserve displayed text, line break added for width"):

...Percent unescape: Percent unescape: "http://www.dogpile.com/clickserver/_iceUrlFlag=1?rawURL=http://www.holesteam.com/&0=&1=0&4=204.9.89.53&5=85.17.143.180&9=3b3d47ee217645b39178c1c78361c801&10=1

&11=info.dogpl&13=search&14=239137&15=main-title&17=2&18=1&19=0&20=0&21=2&22=VxiGXJ9DA6c=&23=0&40=hQK52We75q3brdPgZBSLGw==&_IceUrl=true"

Host www.dogpile.com (checking ip) = 204.9.89.53

host 204.9.89.53 = webcrawler.com (cached)

Host www.dogpile.com (checking ip) = 204.9.89.53

host 204.9.89.53 = webcrawler.com (cached)...

I somehow doubt the parser has "got it" (but I'm not about to follow the link on this machine to check), anyone able to analyze?

<snip>

but according to the parser ("added either end of URL to preserve displayed text, line break added for width"):

...Percent unescape: Percent unescape: "http://www.dogpile.com/clickserver/_iceUrlFlag=1?rawURL=http://www.holesteam.com/&0=&1=0&4=204.9.89.53&5=85.17.143.180&9=3b3d47ee217645b39178c1c78361c801&10=1
&11=info.dogpl&13=search&14=239137&15=main-title&17=2&18=1&19=0&20=0&21=2&22=VxiGXJ9DA6c=&23=0&40=hQK52We75q3brdPgZBSLGw==&_IceUrl=true"
Host www.dogpile.com (checking ip) = 204.9.89.53
host 204.9.89.53 = webcrawler.com (cached)
Host www.dogpile.com (checking ip) = 204.9.89.53
host 204.9.89.53 = webcrawler.com (cached)...

I somehow doubt the parser has "got it" (but I'm not about to follow the link on this machine to check), anyone able to analyze?

...Hmm, inconsistent with what I get when I enter "www.dogpile.com" into the online parser:
SpamCop v 647 Copyright © 1998-2006, IronPort Systems, Inc. All rights reserved.

Parsing input: www.dogpile.com

Routing details for 72.53.194.53

[refresh/show] Cached whois for 72.53.194.53 : ne[at]infospace.com

Using last resort contacts ne[at]infospace.com

Statistics:

72.53.194.53 not listed in bl.spamcop.net

More Information..

72.53.194.53 not listed in dnsbl.njabl.org

72.53.194.53 not listed in dnsbl.njabl.org

72.53.194.53 not listed in cbl.abuseat.org

72.53.194.53 not listed in dnsbl.sorbs.net

Reporting addresses:

ne[at]infospace.com


...Hmm, inconsistent with what I get when I enter "www.dogpile.com" into the online parser:
Thanks Steve, yes that is strange, investigating further, it has two A records?? Anyway, I've seen the parser resolve it to both in turn but mostly to the 204.9.89.53 address. [on edit -seems to depend; I just had the Devil's own job getting that resolution, as follows]
Parsing input: www.dogpile.com

Routing details for 204.9.89.53

[refresh/show] Cached whois for 204.9.89.53 : noc_insp[at]infospace.com

Using abuse net on noc_insp[at]infospace.com

abuse net infospace.com = postmaster[at]infospace.com, abuse[at]savvis.net, abuse[at]internap.com

Using best contacts postmaster[at]infospace.com abuse[at]savvis.net abuse[at]internap.com

Statistics:

204.9.89.53 not listed in bl.spamcop.net

More Information..

204.9.89.53 not listed in dnsbl.njabl.org

204.9.89.53 not listed in dnsbl.njabl.org

204.9.89.53 not listed in cbl.abuseat.org

204.9.89.53 not listed in dnsbl.sorbs.net

Reporting addresses:

postmaster[at]infospace.com

abuse[at]savvis.net

abuse[at]internap.com

Following are the DNS records (my emphasis) for www.dogpile.com - I can't get rid of the leading whitespace by the way. [On edit - trimming leading and trailing whitespace around tags and text does the trick. {sigh} I think I knew that once. Ah well, forever young.]

name                      class  type   data                                            time to live
www.dogpile.com           IN     CNAME  icebridge.infospace.com                         30s (00:00:30)
icebridge.infospace.com   IN     A      72.53.194.53                                    30s (00:00:30)
dogpile.com               IN     SOA    server: ns.infospace.com                        300s (00:05:00)
                                        email: hostmaster.infospace.com
                                        serial: 2006071032
                                        refresh: 900
                                        retry: 300
                                        expire: 2419200
                                        minimum ttl: 3600
dogpile.com               IN     NS     ns2.infospace.com                               300s (00:05:00)
dogpile.com               IN     NS     ns3.infospace.com                               300s (00:05:00)
dogpile.com               IN     NS     ns.infospace.com                                300s (00:05:00)
dogpile.com               IN     A      204.9.89.53                                     30s (00:00:30)
dogpile.com               IN     MX     preference: 10, exchange: mail2.infospace.com   300s (00:05:00)
dogpile.com               IN     MX     preference: 20, exchange: mail1.infospace.com   300s (00:05:00)
                          IN     TXT    mail2.infospace.com.                            300s (00:05:00)
dogpile.com               IN     TXT    mail1.infospace.com.                            300s (00:05:00)
53.89.9.204.in-addr.arpa  IN     PTR    icebridge-b.infospace.com                       68625s (19:03:45)
53.89.9.204.in-addr.arpa  IN     PTR    icebridge.infospace.com                         68625s (19:03:45)
53.89.9.204.in-addr.arpa  IN     PTR    webcrawler.com                                  68625s (19:03:45)

All of which is a red herring to the extent that the link actually tries to go to 219.251.217.133 in Hanaro netspace, NOT to dogpile (tempting though it might be to imagine all sorts of unsavoriness attaching to something with such a name) and which seems to be "hard to get", perhaps mercifully - or perhaps the page doesn't even need to display to do its (supposed) mischief. Anyway, even pinging 219.251.217.133 results in 75% packet loss so it is probably not a great risk?

The sending source for the message containing this (218.209.41.84, also Korean) was and is listed on the SCbl last I looked but the reported spam may have had a completely different payload to this one. If there is any evidence that this type of obfuscation is becoming used in volume (and that it is effective or that it becomes effective) then I guess the Deputies should be alerted to ponder whether it is worth a parser solution. Well, they need to know the parser apparently picks the wrong target but even for that I think we need some evidence of a problem (which is to say, more than just my one sighting).


...All of which is a red herring to the extent that the link actually tries to go to 219.251.217.133 in Hanaro netspace, NOT to dogpile (tempting though it might be to imagine all sorts of unsavoriness of something with such a name) and which seems to be "hard to get", perhaps mercifully - or perhaps the page doesn't even need to display to do its (supposed) mischief. Anyway, even pinging 219.251.217.133 results in 75% packet loss so it is probably not a great risk?...
AND sometimes that resolves to (apparently) the intended webpage www.holesteam.com, proudly proclaiming itself as 'Canadian Pharmacy' (so we know to trust it) and offering a veritable cornucopia of pharmacological delights to improve health, comfort and 'recreational' opportunities beyond imagining ('female enhancement'? - I know of no females who require enhancement).
Parsing input: www.holesteam.com

Host www.holesteam.com (checking ip) = 219.251.217.133

host 219.251.217.133 (getting name) no name

Host www.holesteam.com (checking ip) = 219.251.217.133

host 219.251.217.133 (getting name) no name

Routing details for 219.251.217.133

[refresh/show] Cached whois for 219.251.217.133 : abuse[at]hanaro.com ip-adm[at]hanaro.com

Using abuse net on abuse[at]hanaro.com

abuse net hanaro.com = abuse[at]hanaro.com, cert[at]certcc.or.kr, spamcop[at]kisa.or.kr

Using best contacts abuse[at]hanaro.com cert[at]certcc.or.kr spamcop[at]kisa.or.kr

cert[at]certcc.or.kr redirects to spamrelay[at]certcc.or.kr

Statistics:

219.251.217.133 not listed in bl.spamcop.net

More Information..

219.251.217.133 not listed in dnsbl.njabl.org

219.251.217.133 not listed in dnsbl.njabl.org

219.251.217.133 not listed in cbl.abuseat.org

219.251.217.133 listed in dnsbl.sorbs.net ( 127.0.0.10 )

So, I'm staying with the opinion that the Deputies might need to consider this form of obfuscation should it [come into]/[actually be of] more widespread use. No exploits, not even ad-aware cookies detected by the way, apparently a proper little parasite. But goodness knows what all that code in the link following 'holesteam' is there for.
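Added example, not part of the thread and not the parser's code: unwrapping a redirector link offline to find the host that ought to be reported, which is the point made above that the parser stopped at dogpile instead of holesteam. It takes the dogpile clickserver link as posted (the wrapping angle brackets and the trailing brace dropped), pulls the rawURL destination out of the query string, and keeps going until nothing further is embedded. The redirector.example link is constructed to show a doubly percent-encoded destination, and the function names are my own.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# The spamvertised link from the thread, as posted (angle brackets and trailing
# brace removed).  Nothing is fetched from it.
THREAD_LINK = (
    "http://www.dogpile.com/clickserver/_iceUrlFlag=1?rawURL=http%3A%2F%2Fwww.holesteam.com%2F"
    "&0=&1=0&4=204.9.89.53&5=85.17.143.180&9=3b3d47ee217645b39178c1c78361c801&10=1"
    "&11=info.dogpl&13=search&14=239137&15=main-title&17=2&18=1&19=0&20=0&21=2"
    "&22=VxiGXJ9DA6c%3D&23=0&40=hQK52We75q3brdPgZBSLGw%3D%3D&_IceUrl=true"
)

# Constructed link (not from the thread): the destination is encoded twice.
DOUBLE_ENCODED = "http://redirector.example/go?u=http%253A%252F%252Fevil.example%252Fx&utm=1"


def fully_unquote(s):
    """Percent-decode until the string stops changing, so that a doubly
    encoded value (%253A -> %3A -> :) is still recognised."""
    while True:
        decoded = unquote(s)
        if decoded == s:
            return s
        s = decoded


def embedded_urls(url):
    """Return every http(s) URL carried inside url: in query values, path
    segments or the fragment.  Redirectors keep the real destination there."""
    parts = urlsplit(url)
    candidates = [value for _, value in parse_qsl(parts.query, keep_blank_values=True)]
    candidates += parts.path.split("/")
    candidates.append(parts.fragment)
    found = []
    for candidate in candidates:
        decoded = fully_unquote(candidate)
        if decoded.lower().startswith(("http://", "https://")):
            found.append(decoded)
    return found


def unwrap_redirect_chain(url, max_hops=5):
    """Follow embedded URLs without touching the network.  Returns the chain
    from the link as written to the innermost destination; max_hops guards
    against a link that embeds itself."""
    chain = [url]
    while len(chain) <= max_hops:
        nested = embedded_urls(chain[-1])
        if not nested:
            break
        chain.append(nested[0])  # the first embedded URL is the one a redirector uses
    return chain


def hosts_to_report(url):
    """Hosts along the chain: the redirector first, the real destination last."""
    return [urlsplit(hop).hostname for hop in unwrap_redirect_chain(url)]


if __name__ == "__main__":
    for link in (THREAD_LINK, DOUBLE_ENCODED):
        print(" -> ".join(unwrap_redirect_chain(link)))
        print("hosts:", hosts_to_report(link))
```

The redirector host is worth keeping in the output rather than discarding: the "last resort" contact the parser found for dogpile is still the right place to tell a search engine that its clickserver is being used to launder spam links, but the abuse report for the payload belongs to the last host in the chain.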
