Subject: Obfuscated URL's in spam
From: Kee Hinckley (nazgulSOMEWHERE.COM)
Date: Tue Jul 18 2000 - 16:19:38 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I was dissecting a piece of spam I'd received (I'm setting up a
service to identify the source of spam email, somewhat like SpamCop,
but with some other features) when I discovered something I hadn't
seen before.

I've often gotten spam that uses the technique of a URL that uses
base256 encoding. The goal I assume is to make it harder for anyone
reading the email to track down the site and report the problem to
the ISP. You can always click on the link of course, but a) that
isn't safe, and b) the whole point is to automate spam tracking.

This one, though, has some rudimentary code in it for completely
obfuscating the URLs. It looks like the goal is to use JavaScript
URL links which generate the real URL on the fly by decoding an
encoded URL. The spam itself appears to have been generated using
some macro substitution code that would have taken the real URLs
and encoded them into a piece of JavaScript. In this case the entire
system seems to have failed; you can still see the macro code, but
it's only a matter of time before someone gets it working. The
encoding is trivial, basically a ROT33 using a base string of likely
URL characters. But the difficulty of the encoding isn't really the
point. The issue is that this is going to make automatically
identifying URLs and shutting down the web site quite a bit more
difficult.

Return-Path: <kyqfkibgmebcqmsxcjaoI.com>
Received: from decpc01.bachoco.net (148.233.27.242) by hinckley.com with ESMTP
  (Eudora Internet Mail Server 2.2.2); Tue, 18 Jul 2000 16:13:51 -0400
Received: from ttdpt.aoI.com (UXMAL [192.222.200.25]) by
decpc01.bachoco.net with SMTP (Microsoft Exchange Internet Mail
Service Version 5.5.2650.21)
         id 35FQRB86; Mon, 17 Jul 2000 19:25:28 -0600
From: kyqfkibgmebcqmsxcjaoI.com
Message-Id: <963854572.kyqfkibgmebcqmsxcjkyqfkibgmebcqmsxcj.aoI.com
mxn.com hotmaiI.com>
To: djdgjykqyafjlykbdxaoI.com
Reply-To: wad434ao1.com
X-Mailer: Mozilla 4.51 [en] (Win98; I)
X-Accept-Language: en
Content-Type: text/html; Charset=us-ascii
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: I got this today. Let me know what you think.
bcavc
Date: Tue, 18 Jul 2000 16:13:47 -0400

<x-html><!x-stuff-for-pete base="" src="" id="0" charset=""><!DOCTYPE
HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"><html>
<basehref="216.71.84.44/enter.cgi">http://www.rr085.COME.CC/il2/216.71.84.44/enter.cgi"
method="get"><FORM ACTION="terrichic" target="_blank"><SCRIPT
LANGUAGE="JavaScript"><!--
ky="";function d(msg){ky=ky+codeIt(key,msg);}var key =
"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz<>]#\"";function
codeIt (mC, eS) {var wTG, mcH = mC.length / 2, nS = "", dv;for (var
x = 0; x < eS.length; x++)
{wTG = mC.indexOf(eS.charAt(x));if (wTG > mcH) {dv = wTG - mcH;nS =
nS + mC.charAt(33 - dv);}else {if (key.indexOf(eS.charAt(x)) < 0) {nS
= nS + eS.charAt(x)}else {dv = mcH - wTG;nS = nS + mC.charAt(33 +
dv);}}}return nS;}
//--></SCRIPT><SCRIPT
LANGUAGE="JavaScript"><!--Decode();document.write(basehref);//--></SCRIPT>
<F0RM ACTION="http://203.207.44.83:80/enter.cgi" method="post"
target="_blank"><OR F0RM ACTION="http://203.207.44.34:8080/enter.cgi"
method="post" target="_blank"><OR F0RM
ACTION="http://203.217.44.33:8080/enter.cgi" method="post"
target="_blank">
<OR F0RM ACTION="http://203.227.42.83:8080/enter.cgi" method="post"
target="_blank"><OR F0RM ACTION="http://203.127.44.39:8080/enter.cgi"
method="post" target="_blank"><OR F0RM
ACTION="http://203.157.144.26:8080/enter.cgi" method="post"
target="_blank">
<OR F0RM ACTION="http://203.147.44.83:8080/enter.cgi" method="post"
target="_blank"><!--Begin HTML--><body
BACKGROUND="http://238425861752898/img/bkgnd.gif">
<TABLE width=500 border=0 align="center"><tr><TD
colspan=2><p><center><font size=+4 color="#000088"><i><b>3Diamonds
Casino<br></b></i></font><b><BR></b><b><font size=+3
color="#D3A68">=DD$$ Sign-up Bonus $$<br>Get $20.00 in FREE chips
<i>NOW!</i>
</font></p></b></center></td></tr><tr><TD
background="http://164469685665926/barney/images/background.gif"
valign=top><font face="Arial">The $20 in FREE Chips are just the
beginning...<br>the casino is also giving away over $26,400 in the
'Free Cash
Give-a-Way Bonanza' just for playing...<br><br>So hold on to your
hat...you're about to experience</font> <font face="Arial">the most
visually captivating virtual casino on the Internet to date.=DDIt's
like turning your PC into a REAL=DD
Las Vegas Casino.<BR><BR><BR><BR>Your a few clicks away from $20.00
in FREE CASH. <BR><BR><center><a
href="basehref">http://www.rr085.com|enter.cgi.maao.com:80/bc2/baconbits/?basehref('203.45.34.45/enter.cgi')"
onMouseOver="window.status='Click Here For Free Cash'; return
true;">Click Here For Free Cash</a><BR><BR>The games
include:<BR>Blackjack / Roulette / Slots / Video Poker / Caribbean
Poker / Craps / Baccarat / Let-it Ride / Pai-Gow / Red Dog /
Keno and a full service Sportsbook.</center></font><p><font
face="Arial">All of the games will have you earning <i>more</i>free
cash, with the 'Best Comp Program on the
Planet'!!!</font></p><p><font face="Arial">So come in to the casino,
relax,
enjoy, and Win Big.</font></p><p><font face="Arial"><center><a
href="basehref">http://www.rr085.com|enter.cgi.maao.com:80/bc2/baconbits/?basehref('203.45.34.45/enter.cgi')"
onMouseOver="window.status='Click Here For Free Cash'; return true;">
Click Here For Free Cash</a></font></center></p></td><TD valign=top
align=center><font face="Arial"><IMG
SRC="http://238425850582020/pq/lsmclsks/images/roulette.jpg"
width="120" height="113"><BR><BR><IMG
SRC="http://238425850582020/pq/lsmclsks/images/blackjack.jpg"
width="120" height="112"><BR><BR><IMG
SRC="http://238425850582020/pq/lsmclsks/images/battle_royale.jpg"
width="120" height="112"><BR><BR><IMG
SRC="http://238425850582020/pq/lsmclsks/images/red_dog.jpg"
width="120" height="113"><BR><BR></font></td></tr></table>
<p align="center"><font face="Arial" size="1"
color="#000088"><i>copyright 3DC Ltd. 1997-2000</i></font></p><!--End
HTML--><br><br><br><br><br><br><br><br>
<br><br><br><br><center><a
href="basehref">http://www.rr085.com|enter.cgi.maao.com:80/bc2/baconbits/?basehref('http://203.71.84.44:8080/enter.cgi')"
onMouseOver="window.status='Click Here To Be Removed'; return true;">
Click Here And then Click on the Lower Left Status Bar On the page
that loads To Be Removed</a><br>
<font color="red" size="2">c 1999,2000 PopLaunch all rights reserved.
The FIRST encrypted Launch Hosting by MsTerGeNTs. Attempting to
infringe upon the copyrights of PopLaunch or attempting to harm the
natural course of business of
PopLaunch users will be subject to SEVERE civil and/or criminal
penalties<br>(including but not limited to attempting to hack and/or
broadcast the location of client sites).<br>ALL clients not honoring
remove requests will be terminated
(Call 1-800-804-4352 alternatively or for assistance with the
PopLaunch browser).</font>
</center>
</body>
</html>

</x-html>
- --

Kee Hinckley - Somewhere.Com, LLC - Cyberspace Architects

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>

iQA/AwUBOXTJ/iZsPfdw+r2CEQKaEwCfUkDhEr310u4Xhmth7De55nQO/rwAoN/T
BOzd6+9XJDg8vUw6aUX1rEOY
=R/O4
-----END PGP SIGNATURE-----
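Added example, not part of Kee Hinckley's message or of the spam it quotes: a JavaScript port of the quoted codeIt() routine, written from the analyst's side. With the 67-character key, the half-length pivot (33.5) and charAt()'s truncation of fractional indices mean both branches pick key[66 - i] for a character found at index i, a mirror of the alphabet that is its own inverse, so one pass over a string literal recovers the URL a working version of this macro would have hidden. The mirror() helper, the URL regex, the recoverUrls() scanner and the sample script (which encodes the reserved name example.com) are constructed for this example and go beyond the message, which shows only the encoder.

```javascript
// Added example (not from the original message or the spam): a clean port of the
// codeIt() routine quoted above, plus a small scanner an abuse analyst could run
// over a script block to recover the URLs it hides.

// The 67-character alphabet, copied verbatim from the spam's "key" variable.
const KEY = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz<>]#"';

// Faithful port of codeIt(mC, eS). The pivot mcH is 33.5 for this key, and the
// fractional indices it produces are truncated by charAt(), so both branches
// end up selecting mC[66 - i] for a character found at index i.
function codeIt(mC, eS) {
  const mcH = mC.length / 2;
  let nS = '';
  for (let x = 0; x < eS.length; x++) {
    const ch = eS.charAt(x);
    const wTG = mC.indexOf(ch);
    if (wTG > mcH) {
      nS += mC.charAt(33 - (wTG - mcH));      // e.g. 'h' (43) -> charAt(23.5) -> 'N'
    } else if (KEY.indexOf(ch) < 0) {
      nS += ch;                                // '.', '/', ':' etc. pass through
    } else {
      nS += mC.charAt(33 + (mcH - wTG));       // e.g. 'N' (23) -> charAt(43.5) -> 'h'
    }
  }
  return nS;
}

// The same substitution written as what it is: a mirror of the alphabet
// (index i -> n-1-i). Applying it twice returns the input.
function mirror(s, alphabet = KEY) {
  const n = alphabet.length;
  let out = '';
  for (const ch of s) {
    const i = alphabet.indexOf(ch);
    out += i < 0 ? ch : alphabet.charAt(n - 1 - i);
  }
  return out;
}

// Matches http(s) URLs and bare dotted-quad hosts, with optional port and path.
const URL_RE = /(?:https?:\/\/[\w.-]+|(?:\d{1,3}\.){3}\d{1,3})(?::\d+)?(?:\/[\w./-]*)?/g;

// Scan a script's quoted string literals; report any that are URL-like either
// as written or after one pass of the substitution.
function recoverUrls(scriptText, alphabet = KEY) {
  const literalRe = /"([^"\\]*(?:\\.[^"\\]*)*)"|'([^'\\]*(?:\\.[^'\\]*)*)'/g;
  const found = new Set();
  let m;
  while ((m = literalRe.exec(scriptText)) !== null) {
    const lit = m[1] !== undefined ? m[1] : m[2];
    for (const candidate of [lit, mirror(lit, alphabet)]) {
      for (const url of candidate.match(URL_RE) || []) found.add(url);
    }
  }
  return [...found];
}

// Constructed sample (not from the spam): what a working version of the spam's
// macro substitution would emit for the reserved name example.com.
const SAMPLE_SCRIPT =
  'ky="";function d(msg){ky=ky+codeIt(key,msg);}' +
  'd("NBBF://Q7UIFJQ.SGI/QHBQD.SOM");document.write(ky);';

console.log(recoverUrls(SAMPLE_SCRIPT));  // [ 'http://example.com/enter.cgi' ]
```

Run it with node. recoverUrls() reports literals that are already URLs as well as those that become URLs after the substitution, so it works on a failed macro like the one in the message as well as on a working one. Because `"` is part of the key, an encoded literal can itself contain a quote; the scanner copes with backslash-escaped quotes inside a literal but, like the spam's own script, would be thrown off by an unescaped one.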