Spam and Viruses: Unholy Matrimony, Part 2 - Page 2
How to Find Malicious Code
Studying a spam or virus message in plain text is a fascinating exercise in misplaced ingenuity. (If only that energy were devoted to good and useful activities!) Be sure to read suspect HTML messages in plain text only: a mail client that renders the HTML will fetch remote images and may run scripts, which is exactly what the sender is counting on. A rich source of spam messages to study is the Usenet group news.admin.net-abuse.sightings.
A person can spend a lot of time looking for Web Bugs, as they are sneaky little buggers: typically a 1x1 image, invisible when rendered, loaded from the sender's server with something that identifies the recipient in its URL. Here's one example from The Privacy Foundation:
<img width='1' height='1' src="http://www.m0.net/m/logopen02.asp?vid=3&catid=370153037&email=SMITHS%40tiac.net" alt=" ">
<IMG SRC="http://email.bn.com/cgi-bin/flosensing?x=ABYoAEhouX">
The moment a mail client fetches the first image, m0.net learns that the address in the query string (email=SMITHS%40tiac.net, that is, SMITHS@tiac.net) is live, and when the message was opened; the second image, with its opaque x= token, does the same for bn.com. Making matters worse, if you happen to enter personally identifiable information on any of the co-conspirator sites, all of them will be able to link your activities to your name. There is some debate about whether Web bugs are evil, but anything that is so sneaky is highly suspect to me. I've yet to see any disclosure on sites that use these, and of course spammers aren't going to say anything.
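Here is a small checker for the pattern above, written as an added example for this page (it is not code from the article or from The Privacy Foundation). It parses the raw HTML with Python's standard-library HTMLParser and flags any remote <img> that is 1x1 or whose URL carries an e-mail address or an opaque token in its query string. SAMPLE_HTML is a constructed message built from the two tracking images quoted above plus an ordinary logo image that should not be flagged.

```python
"""Flag tracking pixels (Web bugs) in the raw HTML of a message.

Added example for this article, not code from the article or from
The Privacy Foundation. The checks are the ones the article describes:
a remote <img> that is 1x1, and/or whose URL carries per-recipient data
(an e-mail address or an opaque token) in its query string.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the two tracking images quoted in the article,
# plus an ordinary logo image that should not be flagged.
SAMPLE_HTML = (
    "<p>Dear customer,</p>"
    "<img width='1' height='1' src=\"http://www.m0.net/m/logopen02.asp?"
    "vid=3&catid=370153037&email=SMITHS%40tiac.net\" alt=\" \">"
    '<IMG SRC="http://email.bn.com/cgi-bin/flosensing?x=ABYoAEhouX">'
    '<img src="http://example.invalid/logo.gif" width="200" height="50" alt="logo">'
)


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img>; HTMLParser lowercases
    tag and attribute names and strips the quotes around values."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))


def find_web_bugs(html_text):
    """Return [{"src": ..., "host": ..., "reasons": [...]}] for suspicious images."""
    parser = ImgCollector()
    parser.feed(html_text)
    parser.close()
    findings = []
    for attrs in parser.images:
        src = attrs.get("src") or ""
        parts = urlsplit(src)
        if parts.scheme not in ("http", "https"):
            continue  # relative or inline images cannot phone home
        reasons = []
        if attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1"):
            reasons.append("1x1 image, invisible when rendered")
        # parse_qs already percent-decodes values, so %40 shows up as "@"
        query = parse_qs(parts.query, keep_blank_values=True)
        leaked = [k for k, vs in query.items() if any("@" in v for v in vs)]
        if leaked:
            reasons.append("email address in query parameter(s): " + ", ".join(leaked))
        elif parts.query:
            reasons.append("remote image with an opaque per-recipient token in its URL")
        if reasons:
            findings.append({"src": src, "host": parts.hostname, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_web_bugs(SAMPLE_HTML):
        print(finding["host"], "->", "; ".join(finding["reasons"]))
```

Run against SAMPLE_HTML it reports the m0.net image (1x1 and an e-mail address in the email parameter) and the bn.com image (opaque token), and stays quiet about the logo. A remote image with no query string is not flagged here, although a sufficiently determined sender can still encode the recipient in the path; treat any remote image in unsolicited mail with suspicion.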
Decoding Malicious HTML
Much of what you see is an attempt to evade spam filters by breaking up key words with HTML tags and comments: the raw source never contains the word, but the browser drops the comments and shows it whole. Newer spam filters strip the markup before scoring the text, so they are not fooled.
<div align="center"><!--9p1t5lyvnvhp--><font size="+2"><strong>G<!--d14my1181r-->ene<!--xgjs4fd0yt4n18-->ric Vi<!--h5uxcu5oqa9-->ag<!--2cxnzp1vdkj3c-->ra </strong></font></div>
See the original here. It's a Viagra spam, in case you were wondering: strip out the comments and tags and the line reads "Generic Viagra".
This example uses HTML entities to hide words; a filter scanning the raw source sees &#...; codes where the reader sees letters (see The HTML Coded Character Set for the complete list of HTML entity codes):
Watch Dogs slurp
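Both tricks above, comment-splitting and entity-encoding, fall to the same countermeasure: recover the text the browser would actually display and scan that. The following is an added example for this page (not code from the article); it uses Python's HTMLParser, which discards comments and tags and decodes character references. SAMPLE_COMMENT_SPLIT is the comment-split snippet quoted above; SAMPLE_ENTITIES is a constructed stand-in for the entity example, since the article's own entity-coded text did not survive. The KEYWORDS list is a placeholder for whatever a real filter scores on.

```python
"""Recover the text a spam message actually displays, so keyword
filters see "Generic Viagra" rather than the obfuscated source.

Added example for this article, not code from the article. Dropping
comments and tags handles the comment-splitting trick; decoding
character references handles the HTML-entity trick.
"""
import re
from html.parser import HTMLParser

# The comment-split snippet quoted in the article.
SAMPLE_COMMENT_SPLIT = (
    '<div align="center"><!--9p1t5lyvnvhp--><font size="+2"><strong>'
    "G<!--d14my1181r-->ene<!--xgjs4fd0yt4n18-->ric Vi<!--h5uxcu5oqa9-->ag"
    "<!--2cxnzp1vdkj3c-->ra </strong></font></div>"
)

# Constructed sample of the entity trick (the article's own example did not
# survive); &#105; is "i", &#x46; is "F", and so on.
SAMPLE_ENTITIES = "<p>V&#105;&#97;gr&#97; &#x46;&#x52;&#x45;&#x45;!</p>"

# Placeholder keyword list; a real filter would score on far more than this.
KEYWORDS = ("viagra", "free")


class TextExtractor(HTMLParser):
    """Keep only text nodes. Comments and tags never reach handle_data,
    and convert_charrefs=True decodes &#...; and named entities."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)


def visible_text(html_text):
    """Text a browser would render, with whitespace collapsed."""
    parser = TextExtractor()
    parser.feed(html_text)
    parser.close()
    return re.sub(r"\s+", " ", "".join(parser.chunks)).strip()


def matched_keywords(html_text):
    """Keywords present in the rendered text, in KEYWORDS order."""
    text = visible_text(html_text).lower()
    return [word for word in KEYWORDS if word in text]


def naive_match(html_text):
    """What a filter that scans the raw source sees: the hidden words are missing."""
    raw = html_text.lower()
    return [word for word in KEYWORDS if word in raw]


if __name__ == "__main__":
    for sample in (SAMPLE_COMMENT_SPLIT, SAMPLE_ENTITIES):
        print(repr(visible_text(sample)), naive_match(sample), matched_keywords(sample))
```

For both samples naive_match returns nothing while matched_keywords finds the words, which is the whole point: score the rendered text, never the raw markup. Real filters also have to cope with the same word split across tags that do carry meaning (tables, spans) and with zero-width or look-alike characters, which this text-only pass does not normalize.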
And the following is Unicode; if all you see is boxes or question marks, the character set it uses is not installed on your system:
I see a lot of these from China. Yeah, why not flood the world with this stuff — you never know who will be able to read it and wind up as a happy customer. Sure.
Scripting, Spoofing, and Phishing
Here is a PayPal phish. The person who posted this gave a lot of useful information. Most of the code was first copied directly from a real PayPal page, and then hidden fields, Web bugs, and redirects were added. This particular exercise in sheer chutzpah contains a nice, handy-dandy form full of drop-down boxes that asks for all kinds of neat stuff: your PayPal account information, bank account, credit card number, etc. The safest way to view this in full HTML glory is to copy the code to a text editor, save it as an .html file, and then view it in an offline Web browser. Do not be connected to the Internet, or the Web bugs and redirects inside it will fire!
Spoofing doesn't even need fancy scripting; look at this little honey from another PayPal phish:
<a href=3D"http://www.exme.us/~x">https://www.paypal.com/cgi-bin/webscr?c=
md=3Dverification>
Notice how the URL is spoofed: the label looks like a PayPal URL, but the real link is http://www.exme.us/~x. (The =3D sequences are quoted-printable encoding for "=", and the "=" at the end of the first line is a soft line break, so the decoded label reads https://www.paypal.com/cgi-bin/webscr?cmd=verification.) The text shown for a link is whatever the sender types between the <a> and </a> tags; only the href decides where you go, so read it in the source or the status bar before clicking. That's right, you cannot even trust clicking links. Thanks, spammers!
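The check described above can be automated: decode the quoted-printable body, then compare the host of every href with the host of any URL that appears in the link's visible text. This is an added example for this page, not code from the article or from the person who posted the phish. RAW_QP is a constructed fragment modelled on the example above, with the closing </a> supplied so that it parses; the decoding uses Python's standard quopri module.

```python
"""Decode a quoted-printable HTML fragment and flag anchors whose visible
text is a URL on a different host than the real href.

Added example for this article, not code from the article. RAW_QP is a
constructed fragment modelled on the article's PayPal example, with the
closing </a> supplied so it parses.
"""
import quopri
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed raw fragment: "=3D" is an encoded "=", and the "=" at the
# end of the first line is a quoted-printable soft line break.
RAW_QP = (
    b'<a href=3D"http://www.exme.us/~x">https://www.paypal.com/cgi-bin/webscr?c=\n'
    b"md=3Dverification</a>"
)

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def decode_qp_html(raw):
    """Undo quoted-printable: =XX becomes the byte XX, soft breaks vanish."""
    return quopri.decodestring(raw).decode("latin-1")


class AnchorCollector(HTMLParser):
    """Pair each <a href> with the text displayed inside it."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._label = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._label = []

    def handle_data(self, data):
        if self._href is not None:
            self._label.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._label).strip()))
            self._href = None


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def spoofed_links(html_text):
    """Return [{"shown": url_in_label, "real": href}] for every host mismatch."""
    parser = AnchorCollector()
    parser.feed(html_text)
    parser.close()
    hits = []
    for href, label in parser.links:
        for shown in URL_RE.findall(label):
            if _host(shown) != _host(href):
                hits.append({"shown": shown, "real": href})
    return hits


if __name__ == "__main__":
    decoded = decode_qp_html(RAW_QP)
    print(decoded)
    for hit in spoofed_links(decoded):
        print("label says", hit["shown"], "but goes to", hit["real"])
```

On the sample this reports a label of https://www.paypal.com/cgi-bin/webscr?cmd=verification pointing at http://www.exme.us/~x. The comparison is on the full hostname, so a label of www.paypal.com against an href of paypal.com would also be flagged; loosen it to the registrable domain if that produces too much noise, but keep in mind that the phisher's whole game is a host that merely resembles the real one.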