Full Disclosure mailing list archives
Re: Phishing scam - Obfuscated url help please
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sat, 24 Jan 2004 12:29:52 +1300
Gadi Evron <ge () linuxbox org> replied to Matthias Benkmann <msbREMOVE- THIS () winterdrache de>:
> > An easy way to de-obfuscate this is to give your browser this URL. Works at least with Mozilla, but I think other browsers support the javascript: pseudo-protocol, too.
> >
> > javascript:alert(decodeURI('<obfuscated-URL-here>'))
>
> We have seen this done and exploited *mostly* on IRC spam (directed at the mIRC client).
>
> Let's decode a URL that may end up making IE destroy the PC or emailing our passwords.. or downloading a dropper or,,, :o)
You beat me to it...

Indeed, very good advice which applies equally to the other suggestion of pasting it into Google (hopefully Google does all the necessary escaping, but at the rate XSS bugs are still being found all round the place do you really want to take that gamble?).

Always assume the worst which in a case like this may be that the URL was obfuscated not just to trick some clueless newbie or "typical user" but to outwit "power users" or even half-clued admins.

The first rule with _all_ suspect software, be it an unknown executable, an HTML-embedded script or a possible one-liner (such as this) is _NEVER_ "run" it on anything but an isolated "goat" ("mule", "donkey", "test net", etc) machine, (at least not unless you have done a thorough static analysis of it and are sure it is "safe" to do otherwise).

FWIW, what I did with the posted URL was paste it into a simple standalone .JS I use for such things (it decodes the new string into a string variable and writes that to a file). After doing a careful eyeballing of the pasted string and any necessary manual tidying (in this case, removing the "=" chars) I then ran the .JS then viewed the output file with a "safe" file viewer.

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
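A standalone decoder in the spirit of the workflow described in the message above, as an added example that is not the poster's script or part of the original thread: it decodes percent-escapes as plain data, never hands the string to a browser, and makes control bytes visible before anything is displayed. Node.js, the function names, the constructed `SAMPLE` string and the treatment of "=" as a quoted-printable soft line break are all assumptions of this example.

```javascript
'use strict';
// Added example (Node.js): the suspect string is handled purely as bytes;
// nothing is fetched, rendered or evaluated.

// Strip mail residue: quoted-printable soft breaks ("=" ending a wrapped line)
// and leftover line breaks. Assumption: any other tidying is done by hand.
function tidy(raw) {
  return raw.replace(/=\r?\n/g, '').replace(/[\r\n]+/g, '').trim();
}

// Decode one layer of %XX escapes. Malformed escapes are copied through
// unchanged instead of throwing, as decodeURI() would.
function percentDecode(src) {
  const out = [];
  for (let i = 0; i < src.length; i++) {
    const hex = src.toString('latin1', i + 1, i + 3);
    if (src[i] === 0x25 && /^[0-9a-fA-F]{2}$/.test(hex)) {
      out.push(parseInt(hex, 16));
      i += 2;
    } else {
      out.push(src[i]);
    }
  }
  return Buffer.from(out);
}

// Printable ASCII stays; every other byte (and backslash) becomes \xNN so
// control characters cannot act on the terminal or viewer showing the result.
function toVisible(buf) {
  return Array.from(buf, (b) =>
    b >= 0x20 && b < 0x7f && b !== 0x5c
      ? String.fromCharCode(b)
      : '\\x' + b.toString(16).padStart(2, '0')).join('');
}

// Peel nested encoding layers until the bytes stop changing (bounded).
function deobfuscate(raw, maxLayers = 5) {
  let buf = Buffer.from(tidy(raw), 'utf8');
  let layers = 0;
  for (; layers < maxLayers; layers++) {
    const next = percentDecode(buf);
    if (next.equals(buf)) break;
    buf = next;
  }
  return { layers, text: toVisible(buf) };
}

// Constructed sample (reserved example.test name), wrapped as mail might wrap it.
const SAMPLE = 'http://%6C%6F%67=\n%69%6E.example.test/%2561cct%09/%zz';
console.log(JSON.stringify(deobfuscate(SAMPLE)));
```

Redirecting the output to a file (`node decode.js > out.txt`) and opening it in a plain-text viewer matches the write-to-file step in the message.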