phishing question

[chris.blazek at gmail.com (Chris Blazek)]

Thanks! The user sent me a snapshot of symantec finding the koobface
infection. I found a mcafee article that mentions the worm on what David
found: http://vil.nai.com/vil/content/v_148955.htm

I was trying to use malzilla to decode that script block but really didn't
have much luck because of my experience with the app.

Thanks for the help, great community!

Chris



On Wed, Dec 2, 2009 at 12:03 PM, David Auclair <d.auclair at utoronto.ca>wrote:

> The obfuscation wasn't too bad in this case... Just a couple tricks
> repeated over and over.
>
> I manually 'unwrapped' the layers of obfuscation, and ended up with some
> pretty simple code.
>
> For example:
> c4239='do';
> db749="coaujoimrggh".replace(/[oajirgh]+/g,"");
> eaf76='ent.r';
> f638e36f4="esgkfkusueduvrbo".replace(/[sgkudvbo]+/g,"");
> gda746b57='rer';
> a206c=eval(c4239+db749+eaf76+f638e36f4+gda746b57);
>
> Is basically a set of strings containing extra characters, that are
> stripped out by the replace commands, then merged.  This can be simplified
> to:
> c4239='do';
> db749="cum";
> eaf76='ent.r';
> f638e36f4="efer";
> gda746b57='rer';
> a206c=eval("document.referer");
>
> -Dave
>
> > -----Original Message-----
> > From: pauldotcom-bounces at mail.pauldotcom.com [mailto:
> pauldotcom-bounces at mail.pauldotcom.com] On Behalf
> > Of David Shpritz
> > Sent: Wednesday, December 02, 2009 12:44 PM
> > To: PaulDotCom Security Weekly Mailing List
> > Subject: Re: [Pauldotcom] phishing question
> >
> > Hey David,
> > Would you mind telling us what method you used to deobfuscate the
> scripts?  Usually I have done these
> > by hand or used Malzilla, but I'm always looking for new methods.
>  Thanks!
> > David Shpritz
> >
> > -----Original Message-----
> > From: pauldotcom-bounces at pdc-mail.pauldotcom.com [mailto:
> pauldotcom-bounces at pdc-mail.pauldotcom.com]
> > On Behalf Of David Auclair
> > Sent: Wednesday, December 02, 2009 9:45 AM
> > To: PaulDotCom Security Weekly Mailing List
> > Subject: Re: [Pauldotcom] phishing question
> >
> > It looks like the javascript on the page you mentioned leads to this
> page:
> > hxxp://www . businessinabox . com . au/357/?go
> >
> > Which is full of more obfuscated javascript, which leads to sites such
> as:
> > hxxp:// 62.204.113.141 /d=www.facebook.com/0x3E8/f=fb2/view/console=yes/
> >
> > Which seems to have 'you need to update your flash player' image, linking
> to setup.exe
> > According to virustotal, the setup.exe contains koobface:
> http://www.virustotal.com/analisis/5e9ce9c41a8f46d5dfc4ce366f6f47cb347bcbaa93cd1fcb132a72f61bab14e1-
> > 1259705119
> >
> > -Dave
> >
> > > -----Original Message-----
> > > From: pauldotcom-bounces at mail.pauldotcom.com [mailto:
> pauldotcom-bounces at mail.pauldotcom.com] On
> > Behalf
> > > Of Chris Blazek
> > > Sent: Wednesday, December 02, 2009 12:04 AM
> > > To: PaulDotCom Security Weekly Mailing List
> > > Subject: Re: [Pauldotcom] phishing question
> > >
> > > PJ,
> > >    Yeah, I had the user change all passwords from the email account to
> > > fb. I had tried googling for that 1st part of the address, hoping
> > > someone had posted something about it. That came up empty.
> > > I tried to get malzilla to decode it, but I really have little
> > > experience decoding JavaScript like that.
> > > I'll try looking for deobfuscaters to see if something else can decode
> > > it.
> > > Sorry for the typos in the original email. :)
> > >
> > > Thanks for the help!
> > >
> > > Chris
> > >
> > >
> > >
> > > On Dec 1, 2009, at 8:47 PM, PJ McGarvey <pj_mcgarvey at hotmail.com>
> wrote:
> > > > Well, if you mean what does the obfuscated code do, there are a few
> > > > sites I've used that can "de-obfuscate" code however sometimes all
> > > > that can tell you is that "yeah, it's probably malicious".  I would
> > > > google for "javascript deobfuscate".
> > > >
> > > > You could submit the blogspot site to an online sandbox for
> > > > analysis, like I just did:
> http://anubis.iseclab.org/?action=result&task_id=1c4a179271c4d4ee4f5b9820e431f7281&format=html
> > > > and possibly find other URLs found in the de-obfuscated code to see
> > > > what they do.... like this one
> > > > http://1nonsensical.cn/?pid=312s02&sid=4db12f
> > > >
> > > > ... I've yet to find a .cn domain name I could trust.  LOL.
> > > >
> > > > Follow down the rabbit hole...
> > > >
> > > > That way you can find out if the PC was infected, and how to clean
> > > > it up.
> > > >
> > > > Otherwise it would seem like some sort of facebook worm that spreads
> > > > using the FB address book.  Was the user logged into Facebook at the
> > > > time?  Might be a good idea to change their password, sounds like it
> > > > either used the active facebook session to send itself out, or maybe
> > > > a cookie with the user's saved credentials.
> > > >
> > > > PJ
> > > >
> > > > From: chris.blazek at gmail.com
> > > > Date: Tue, 1 Dec 2009 14:54:36 -0600
> > > > To: pauldotcom at mail.pauldotcom.com
> > > > Subject: [Pauldotcom] phishing question
> > > >
> > > > A coworker clicked on a link in an email and was directed to
> > > > facebook then redirected to the following site:
> > > > despatiesmercemerce . blogspot . com
> > > > All of there fb contacts then received the same email. I pulled up
> > > > the site in malzilla and noticed a script block in the header that
> > > > looks like it's obfuscated.
> > > >
> > > > I was wondering if someone in the group could figure out what the
> > > > site was trying to do.
> > > >
> > > > Thanks,
> > > > Chris
> > > >
> > > >
> > > > _______________________________________________
> > > > Pauldotcom mailing list
> > > > Pauldotcom at mail.pauldotcom.com
> > > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > > Main Web Site: http://pauldotcom.com
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > Pauldotcom at mail.pauldotcom.com
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com



-- 
http://www.kingbin.net/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20091202/4b8dc4ba/attachment.htm