Message-ID: <40126540.11697.7C5586DE@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Phishing scam - Obfuscated url help please

Gadi Evron <ge@...uxbox.org> replied to Matthias Benkmann <msbREMOVE-
THIS@...terdrache.de>:

> > An easy way to de-obfuscate this is to give your browser this URL. Works
> > at least with Mozilla, but I think other browsers support the javascript:
> > pseudo-protocol, too. 
> > 
> > javascript:alert(decodeURI('<obfuscated-URL-here>'))
> 
> We have seen this done and exploited *mostly* on IRC spam (directed at 
> the mIRC client).
> 
> Let's decode a URL that may end up making IE destroy the PC or 
> emailing our passwords.. or downloading a dropper or,,, :o)

You beat me to it...

Indeed, very good advice, which applies equally to the other suggestion 
of pasting it into Google (hopefully Google does all the necessary 
escaping, but at the rate XSS bugs are still being found all round the 
place, do you really want to take that gamble?).  Always assume the 
worst, which in a case like this may be that the URL was obfuscated not 
just to trick some clueless newbie or "typical user" but to outwit 
"power users" or even half-clued admins.

The first rule with _all_ suspect software, be it an unknown 
executable, an HTML-embedded script or a possible one-liner (such as 
this), is _NEVER_ "run" it on anything but an isolated "goat" ("mule", 
"donkey", "test net", etc) machine (at least not unless you have done 
a thorough static analysis of it and are sure it is "safe" to do 
otherwise).

FWIW, what I did with the posted URL was paste it into a simple 
standalone .JS I use for such things (it decodes the new string into a 
string variable and writes that to a file).  After doing a careful 
eyeballing of the pasted string and any necessary manual tidying (in 
this case, removing the "=" chars), I then ran the .JS and viewed the 
output file with a "safe" file viewer.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
