URL Obfuscation

[StevenUnderwood]

http://www.spamcop.net/sc?id=z815925820zfc...909996c0f4b0d8z

The tracking of the URL in this spam can not be determined by the parser being cleaned up to:

http:// ulxwmqn.org.<.lfjxeesiomug.inantaopv.info#fwlbewsffxi.com

SamSpade can not get to that URL but my browser (IE) sure does, going to an HGH site (which transforms the URL as: http:// ulxwmqn.org.%3C.lfjxeesiomug.inantaopv.info/#fwlbewsffxi.com

Processing that way does get a report generated to: abuse[at]cnc-noc.net

Even leaving the original and deobfuscatng the # to /# gets the same report

http:// ulxwmqn.org.<.lfjxeesiomug.inantaopv.info/#fwlbewsffxi.com

Question: Do other browsers accept this as a valid URL or is this another IE "trick"?

P.S. I will try to move this to another obfuscation thread as soon as I get all the data input.

P.P.S. Did not find an obfuscation thread close to this method going back to feb-2004. If another moderator finds one, feel free to move this there.

[Farelf]

... http:// ulxwmqn.org.<.lfjxeesiomug.inantaopv.info#fwlbewsffxi.com

Question:  Do other browsers accept this as a valid URL or is this another IE "trick"? ...

34263[/snapback]

Mozilla 1.7.7 and Firefox 1.0.7 have no difficulty, changing .info#fwlbewsffxi.com to

.info/#fwlbewsffxi.com in each case.

Netscape® Communicator 4.79 however is defeated

[dbiel]

Edit: it seems to have taken me too long to write this as Farelf's post was recorded before I finished this one. But I will leave it here anyway.

You seem to have found a strange one here.

The problem appears to the the additional line break in the middle of the code and/or the fact that the parser is disregarding the redirect information

href="http:/\ulxwmqn.org%2E<.lfjxeesiomug%2Ei

nantaopv.info#fwlbewsffxi.com">

The quote is from the message source of IE pasted into Notepad

Yet if you delete the line break and reparse the entire message the parser seems to have the same problem: http://www.spamcop.net/sc?id=z815960680z47...85be7b1ea6c21dz

On further looking, the problem with Cannot resolve http://ulxwmqn.org is the simple fact that, that address can not be resolved period, even by IE The address that IE is resolving is the redirect address "lfjxeesiomug.inantaopv.info"

href="http:/\ulxwmqn.org%2E<.lfjxeesiomug%2Ei
nantaopv.info#fwlbewsffxi.com">

http://ulxwmqn.org.<.lfjxeesiomug.inantaopv.info/#fwlbewsffxi.com

[StevenUnderwood]

The problem appears to the the additional line break in the middle of the code and/or the fact that the parser is disregarding the redirect information The quote is from the message source of IE pasted into Notepad

Yet if you delete the line break and reparse the entire message the parser seems to have the same problem:

34268[/snapback]

So then the line break would not be the problem

The problem is that the parser seems to see the # as part of the hostname yet the browsers seem to add a / making the # part of a directory structure or other code passed to the site. I was expecting this to be an IE only thing but as Farelf has mentioned, at least 2 other browsers do the same thing.

Kicking this to the deputies for their reaction.

[dbiel]

It would appear that the "#" is the problem. I deleted the string "#fwlbewsffxi.com" and ran the parse and the address resolved http://www.spamcop.net/sc?id=z816100803z45...68491ce68111ebz

Also replacing the "#" with "/" generated the same results http://www.spamcop.net/sc?id=z816102248z2c...e21eba227e37ebz

So I would agree with your logic Steven, the "#" or the missing "/" in front of the "#" is definately a problem for the parser.

[Farelf]

The website lfjxeesiomug.inantaopv.info seems to be struggling at the time of this posting. Refused connection, DNSReport saying

[ERROR: I was unable to get an answer from the parent servers [ns5.cafegood.com], when I tried to find the NS records for lfjxeesiomug.inantaopv.info.]

Among the mourners who mourn,

I'll not a mourner be.

- but it makes experimentation/verification difficult. No consideration, these people!

[EDIT] What a pity, not dead, just flopping about - Searching for lfjxeesiomug.inantaopv.info A record at ns5.cafegood.com. [221.11.134.39]: Reports lfjxeesiomug.inantaopv.info. [took 526 ms]

WHOIS results for 211.233.16.88

Contacts - (abuse) security[at]kidc.net

[StevenUnderwood]

The website lfjxeesiomug.inantaopv.info seems to be struggling at the time of this posting.  Refused connection

34291[/snapback]

Maybe it is due to all the people going there trying to get their HGH (not).

[StevenUnderwood]

Got a reply from Ellen that she is adding it to the parser mods list.

[Farelf]

Came across another, entirely elaborate, one today - not from an account I report but the spamvertized "URL" is

<http://www.dogpile.com/clickserver/_iceUrlFlag=1?rawURL=http%3A%2F%2Fwww.holesteam.com%2F&0=&1=0&4=204.9.89.53&5=85.17.143.180&9=3b3d47ee217645b39178c1c78361c801&10=1&11=info.dogpl&13=search&14=239137&15=main-title&17=2&18=1&19=0&20=0&21=2&22=VxiGXJ9DA6c%3D&23=0&40=hQK52We75q3brdPgZBSLGw%3D%3D&_IceUrl=true }>

...which appears unclickable in this browser (IE7) but certainly is clickable in Outlook and in Hotmail Live messages. Where it is trying to go or what is meant to do when it gets there I have no idea - but according to the parser ("added either end of URL to preserve displayed text, line break added for width)

...Percent unescape: Percent unescape: "http://www.dogpile.com/clickserver/_iceUrlFlag=1?rawURL=http://www.holesteam.com/&0=&1=0&4=204.9.89.53&5=85.17.143.180&9=3b3d47ee217645b39178c1c78361c801&10=1

&11=info.dogpl&13=search&14=239137&15=main-title&17=2&18=1&19=0&20=0&21=2&22=VxiGXJ9DA6c=&23=0&40=hQK52We75q3brdPgZBSLGw==&_IceUrl=true"

Host www.dogpile.com (checking ip) = 204.9.89.53

host 204.9.89.53 = webcrawler.com (cached)

Host www.dogpile.com (checking ip) = 204.9.89.53

host 204.9.89.53 = webcrawler.com (cached)...

I somehow doubt the parser has "got it" (but I'm not about to follow the link on this machine to check), anyone able to analyze?

[turetzsr]

<snip>

but according to the parser ("added either end of URL to preserve displayed text, line break added for width)

...Percent unescape: Percent unescape: "http://www.dogpile.com/clickserver/_iceUrlFlag=1?rawURL=http://www.holesteam.com/&0=&1=0&4=204.9.89.53&5=85.17.143.180&9=3b3d47ee217645b39178c1c78361c801&10=1
&11=info.dogpl&13=search&14=239137&15=main-title&17=2&18=1&19=0&20=0&21=2&22=VxiGXJ9DA6c=&23=0&40=hQK52We75q3brdPgZBSLGw==&_IceUrl=true"
Host www.dogpile.com (checking ip) = 204.9.89.53
host 204.9.89.53 = webcrawler.com (cached)
Host www.dogpile.com (checking ip) = 204.9.89.53
host 204.9.89.53 = webcrawler.com (cached)...

I somehow doubt the parser has "got it" (but I'm not about to follow the link on this machine to check), anyone able to analyze?

...Hmm, inconsistent with what I get when I enter "www.dogpile.com" into the online parser:

SpamCop v 647 Copyright © 1998-2006, IronPort Systems, Inc. All rights reserved.

Parsing input: www.dogpile.com

Routing details for 72.53.194.53

[refresh/show] Cached whois for 72.53.194.53 : ne[at]infospace.com

Using last resort contacts ne[at]infospace.com

Statistics:

72.53.194.53 not listed in bl.spamcop.net

More Information..

72.53.194.53 not listed in dnsbl.njabl.org

72.53.194.53 not listed in dnsbl.njabl.org

72.53.194.53 not listed in cbl.abuseat.org

72.53.194.53 not listed in dnsbl.sorbs.net

Reporting addresses:

ne[at]infospace.com

[Farelf]

...Hmm, inconsistent with what I get when I enter "www.dogpile.com" into the online parser:

Thanks Steve, yes that is strange, investigating further, it has two A records?? Anyway, I've seen the parser resolve it to both in turn but mostly to the 204.9.89.53 address. [on edit -seems to depend; I just had the Devil's own job getting that resolution, as follows]

Parsing input: www.dogpile.com

Routing details for 204.9.89.53

[refresh/show] Cached whois for 204.9.89.53 : noc_insp[at]infospace.com

Using abuse net on noc_insp[at]infospace.com

abuse net infospace.com = postmaster[at]infospace.com, abuse[at]savvis.net, abuse[at]internap.com

Using best contacts postmaster[at]infospace.com abuse[at]savvis.net abuse[at]internap.com

Statistics:

204.9.89.53 not listed in bl.spamcop.net

More Information..

204.9.89.53 not listed in dnsbl.njabl.org

204.9.89.53 not listed in dnsbl.njabl.org

204.9.89.53 not listed in cbl.abuseat.org

204.9.89.53 not listed in dnsbl.sorbs.net

Reporting addresses:

postmaster[at]infospace.com

abuse[at]savvis.net

abuse[at]internap.com

Following are the DNS records (my emphasis) for www.dogpile.com - I can't get rid of the leading whitespace by the way. [On edit - trimming leading and trailing whitespace around tags and text does the trick. {sigh} I think I knew that once. Ah well, forever young.]

[tcol]dogpile.com

name	class	type	data	time to live
www.dogpile.com	IN	CNAME	icebridge.infospace.com	30s (00:00:30)
icebridge.infospace.com	IN	A	72.53.194.53	30s (00:00:30)
dogpile.com	IN	SOA	server: ns.infospace.com	300s (00:05:00)
[/tcol]			email: hostmaster.infospace.com
			serial: 2006071032
			refresh: 900
			retry: 300
			expire: 2419200
			minimum ttl: 3600
dogpile.com	IN	NS	ns2.infospace.com	300s (00:05:00)
dogpile.com	IN	NS	ns3.infospace.com	300s (00:05:00)
dogpile.com	IN	NS	ns.infospace.com	300s (00:05:00)
dogpile.com	IN	A	204.9.89.53	30s (00:00:30)
dogpile.com	IN	MX	preference: 10	300s (00:05:00)
			exchange: mail2.infospace.com
dogpile.com	IN	MX	preference: 20	300s (00:05:00)
			exchange: mail1.infospace.com
IN	TXT	mail2.infospace.com.	300s (00:05:00)
dogpile.com	IN	TXT	mail1.infospace.com.	300s (00:05:00)
53.89.9.204.in-addr.arpa	IN	PTR	icebridge-b.infospace.com	68625s (19:03:45)
53.89.9.204.in-addr.arpa	IN	PTR	icebridge.infospace.com	68625s (19:03:45)
53.89.9.204.in-addr.arpa	IN	PTR	webcrawler.com	68625s (19:03:45)

All of which is a red herring to the extent that the link actually tries to go to 219.251.217.133 in Hanaro netspace, NOT to dogpile (tempting though it might be to imagine all sorts of unsavoriness attaching to something with such a name) and which seems to be "hard to get", perhaps mercifully - or perhaps the page doesn't even need to display to do its (supposed) mischief. Anyway, even pinging 219.251.217.133 results in 75% packet loss so it is probably not a great risk?

The sending source for the message containing this (218.209.41.84, also Korean) was and is listed on the SCbl last I looked but the reported spam may have had a completely different payloads to this one. If there is any evidence that this type of obfuscation is becoming used in volume (and that it is effective or that it becomes effective) then guess the Deputies should be alerted to ponder whether it is worth a parser solution. Well, they need to know the parser apparently picks the wrong target but even for that I think we need some evidence of a problem (which is to say, more than just my one sighting).

[Farelf]

...All of which is a red herring to the extent that the link actually tries to go to 219.251.217.133 in Hanaro netspace, NOT to dogpile (tempting though it might be to imagine all sorts of unsavoriness of something with such a name) and which seems to be "hard to get", perhaps mercifully - or perhaps the page doesn't even need to display to do its (supposed) mischief. Anyway, even pinging 219.251.217.133 results in 75% packet loss so it is probably not a great risk?...

AND sometimes that resolves to (apparently) the intended webpage www.holesteam.com, proudly proclaiming itself as 'Canadian Pharmacy' (so we know to trust it) and offering a veritable cornucopia of pharmacological delights to improve health, comfort and 'recreational' opportunities beyond imagining ('female enhancement'? - I know of no females who require enhancement).

Parsing input: www.holesteam.com

Host www.holesteam.com (checking ip) = 219.251.217.133

host 219.251.217.133 (getting name) no name

Host www.holesteam.com (checking ip) = 219.251.217.133

host 219.251.217.133 (getting name) no name

Routing details for 219.251.217.133

[refresh/show] Cached whois for 219.251.217.133 : abuse[at]hanaro.com ip-adm[at]hanaro.com

Using abuse net on abuse[at]hanaro.com

abuse net hanaro.com = abuse[at]hanaro.com, cert[at]certcc.or.kr, spamcop[at]kisa.or.kr

Using best contacts abuse[at]hanaro.com cert[at]certcc.or.kr spamcop[at]kisa.or.kr

cert[at]certcc.or.kr redirects to spamrelay[at]certcc.or.kr

Statistics:

219.251.217.133 not listed in bl.spamcop.net

More Information..

219.251.217.133 not listed in dnsbl.njabl.org

219.251.217.133 not listed in dnsbl.njabl.org

219.251.217.133 not listed in cbl.abuseat.org

219.251.217.133 listed in dnsbl.sorbs.net ( 127.0.0.10 )

So, I'm staying with the opinion that the Deputies might need to consider this form of obfuscation should it [come into]/[actually be of] more widespread use. No exploits, not even ad-aware cookies detected by the way, apparently a proper little parasite. But goodness knows what all that code in the link following 'holesteam' is there for.