Full Disclosure mailing list archives

Re: Phishing scam - Obfuscated url help please

From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sat, 24 Jan 2004 12:29:52 +1300

Gadi Evron <ge () linuxbox org> replied to Matthias Benkmann <msbREMOVE-
THIS () winterdrache de>:

An easy way to de-obfuscate this is to give your browser this URL. Works
at least with Mozilla, but I think other browsers support the javascript:
pseudo-protocol, too. 

javascript:alert(decodeURI('<obfuscated-URL-here>'))


We have seen this done and exploited *mostly* on IRC spam (directed at 
the mIRC client).

Let's decode a URL that may end up making IE destroying the PC or 
emailing our passwords.. or downloading a dropper or,,, :o)


You beat me to it...

Indeed, very good advice which applies equally to the other suggestion 
of pasting it into Google (hopefully Google does all the necessary 
escaping, but at the rate XSS bugs are still being found all round the 
place do you really want to take that gamble?).  Always assume the 
worst which in a case like this may be that the URL was obfuscated not 
just to trick some clueless newbie or "typical user" but to outwit 
"power users" or even half-clued admins.

The first rule with _all_ suspect software, be it an unknown 
executable, an HTML-embedded script or a possible one-liner (such as 
this) is _NEVER_ "run" it on anything but an isolated "goat" ("mule", 
"donkey", "test net", etc) machine, (at least not unless you have done 
a thorough static analysis of it and are sure it is "safe" to do 
otherwise).

FWIW, what I did with the posted URL was paste it into a simple 
standalone .JS I use for such things (it decodes the new string into a 
string variable and writes that to a file).  After doing a careful 
eyeballing of the pasted string and any necessary manual tidying (in 
this case, removing the "=" chars) I then ran the .JS then viewed the 
output file with a "safe" file viewer.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Phishing scam - Obfuscated url help please Zach Forsyth (Jan 22)
- Re: Phishing scam - Obfuscated url help please Nick FitzGerald (Jan 22)
  - Re: Phishing scam - Obfuscated url help please Valdis . Kletnieks (Jan 22)
    - Re: Phishing scam - Obfuscated url help please Nick FitzGerald (Jan 23)
- Re: Phishing scam - Obfuscated url help please Matthias Benkmann (Jan 23)
  - Re: Phishing scam - Obfuscated url help please Gadi Evron (Jan 23)
    - Re: Phishing scam - Obfuscated url help please Nick FitzGerald (Jan 23)
- Re: Phishing scam - yet another Paypal phishing scam! Tobias Weisserth (Jan 24)
  - Re: Phishing scam - yet another Paypal phishing scam! Valdis . Kletnieks (Jan 24)
  - RE: Phishing scam - yet another Paypal phishingscam! Bill Royds (Jan 24)
    - RE: Phishing scam - yet another Paypal phishingscam! Tobias Weisserth (Jan 25)
- <Possible follow-ups>
- RE: Phishing scam - Obfuscated url help please Leif Sawyer (Jan 22)