Thursday, June 14, 2007

URL Deobfuscation

A few days ago, I was having a little fun with a coworker. I sent him several obfuscated URLs through Outlook Web Access (OWA) from Internet Explorer (IE) 7.

The 3 URLs I sent were:

http://1096965168/


http://0x41.0x62.0x5c.0x30/

http://0101.0142.0134.0060/

(Warning, links NSFW!!)

Which all resolve to: http://65.98.92.48/ (http://goatse.cz)

Strangely enough, as I sent the email, the links were transformed to the "real" IP address, 65.98.92.48, before being sent. Originally I wrote it off as either a feature of OWA or Exchange, but I then resent using OWA via Firefox and also through Entourage. The last two tests delivered the email with the URLs in their obfuscated form. So, it appears that it's the IE7 browser that is DE-obfuscating those URLs before they are sent!

Additionally, while composing this post, I've noticed that neither Firefox on OSX, nor Safari on OSX was able to resolve the obfuscated URLs and display the site. Using Thunderbird on Windows XP, I was also surprised to see that not only did Thunderbird label the email as a potential scam, it presented me with a pop-up warning when I attempted to click the links.










As someone who "cut my teeth" working the Security/Abuse desk at UUNET, I remember URL obfuscation as a major tool in the spammer/phisher arsenal. A lot of these bad guys would hide their sites by doing something like http://www.bankofamerica.com@0x41.0x62.0x5c.0x30/.
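For mail filtering or log review, the same de-obfuscation can be done in code. The following is an added example, not part of the original post: it normalizes the decimal, hex and octal host forms shown above to dotted-decimal and surfaces any text placed before the "@". It goes slightly beyond the three URLs in the post by also accepting the two- and three-part forms that inet_aton-style parsers allow; the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# One address component as inet_aton reads it: 0x.. hex, leading 0 octal, else decimal.
_PART = re.compile(r"0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*")

def _parse_part(text):
    if not _PART.fullmatch(text):
        raise ValueError(text)
    base = 16 if text.startswith("0x") else 8 if text.startswith("0") else 10
    return int(text, base)

def canonical_ipv4(host):
    """Return the dotted-decimal address if host is any inet_aton-style
    IPv4 literal (1 to 4 parts, mixed bases), otherwise None."""
    parts = host.lower().split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    *head, last = nums
    # Leading parts are single bytes; the last part fills the remaining bytes.
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value += n << (8 * (3 - i))
    return ".".join(str((value >> s) & 255) for s in (24, 16, 8, 0))

def inspect_url(url):
    """Summarize where a URL really points and whether that is being hidden."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    ip = canonical_ipv4(host)
    return {
        "host": host,
        "ip": ip,
        "obfuscated_ip": ip is not None and ip != host,
        "userinfo": parts.username,  # text before '@' is credentials, not the destination
    }

if __name__ == "__main__":
    # Sample input: the URLs quoted in the post.
    for u in ("http://1096965168/", "http://0x41.0x62.0x5c.0x30/",
              "http://0101.0142.0134.0060/",
              "http://www.bankofamerica.com@0x41.0x62.0x5c.0x30/"):
        print(u, inspect_url(u))
```

A URL that reports both a non-empty userinfo and an obfuscated IP, like the last sample, is a strong candidate for a phishing rule.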
