PaulDotCom mailing list archives
phishing question
From: dshpritz at edgewebhosting.net (David Shpritz)
Date: Wed, 2 Dec 2009 12:44:00 -0500
Hey David,

Would you mind telling us what method you used to deobfuscate the scripts? Usually I have done these by hand or used Malzilla, but I'm always looking for new methods.

Thanks!

David Shpritz

-----Original Message-----
From: pauldotcom-bounces at pdc-mail.pauldotcom.com [mailto:pauldotcom-bounces at pdc-mail.pauldotcom.com] On Behalf Of David Auclair
Sent: Wednesday, December 02, 2009 9:45 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] phishing question

It looks like the javascript on the page you mentioned leads to this page:

hxxp://www . businessinabox . com . au/357/?go

Which is full of more obfuscated javascript, which leads to sites such as:

hxxp:// 62.204.113.141 /d=www.facebook.com/0x3E8/f=fb2/view/console=yes/

Which seems to have a 'you need to update your flash player' image, linking to setup.exe

According to virustotal, the setup.exe contains koobface:
http://www.virustotal.com/analisis/5e9ce9c41a8f46d5dfc4ce366f6f47cb347bcbaa93cd1fcb132a72f61bab14e1-1259705119

-Dave

-----Original Message-----
From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Chris Blazek
Sent: Wednesday, December 02, 2009 12:04 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] phishing question

PJ,

Yeah, I had the user change all passwords from the email account to fb. I had tried googling for that 1st part of the address, hoping someone had posted something about it. That came up empty. I tried to get malzilla to decode it, but I really have little experience decoding JavaScript like that. I'll try looking for deobfuscators to see if something else can decode it.

Sorry for the typos in the original email. :)

Thanks for the help!

Chris

On Dec 1, 2009, at 8:47 PM, PJ McGarvey <pj_mcgarvey at hotmail.com> wrote:

Well, if you mean what does the obfuscated code do, there are a few sites I've used that can "de-obfuscate" code, however sometimes all that can tell you is that "yeah, it's probably malicious". I would google for "javascript deobfuscate".

You could submit the blogspot site to an online sandbox for analysis, like I just did:
http://anubis.iseclab.org/?action=result&task_id=1c4a179271c4d4ee4f5b9820e431f7281&format=html

and possibly find other URLs found in the de-obfuscated code to see what they do.... like this one
http://1nonsensical.cn/?pid=312s02&sid=4db12f
... I've yet to find a .cn domain name I could trust. LOL.

Follow down the rabbit hole... That way you can find out if the PC was infected, and how to clean it up.

Otherwise it would seem like some sort of facebook worm that spreads using the FB address book. Was the user logged into Facebook at the time? Might be a good idea to change their password, sounds like it either used the active facebook session to send itself out, or maybe a cookie with the user's saved credentials.

PJ

From: chris.blazek at gmail.com
Date: Tue, 1 Dec 2009 14:54:36 -0600
To: pauldotcom at mail.pauldotcom.com
Subject: [Pauldotcom] phishing question

A coworker clicked on a link in an email and was directed to facebook then redirected to the following site:

despatiesmercemerce . blogspot . com

All of their fb contacts then received the same email. I pulled up the site in malzilla and noticed a script block in the header that looks like it's obfuscated. I was wondering if someone in the group could figure out what the site was trying to do.

Thanks,
Chris

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
Current thread:
- phishing question Chris Blazek (Dec 01)
- phishing question PJ McGarvey (Dec 01)
- phishing question Chris Blazek (Dec 01)
- phishing question David Auclair (Dec 02)
- phishing question David Shpritz (Dec 02)
- phishing question David Auclair (Dec 02)
- phishing question Chris Blazek (Dec 02)
- phishing question Chris Blazek (Dec 02)
- phishing question David Auclair (Dec 03)
- phishing question Chris Blazek (Dec 01)
- phishing question PJ McGarvey (Dec 01)
- phishing question Chris Blazek (Dec 03)
- phishing question Matt Erasmus (Dec 03)
- phishing question Jim Halfpenny (Dec 04)