Spam and Viruses: Unholy Matrimony, Part 2 - Page 2

By Carla Schroder | Posted Aug 13, 2003

How to Find Malicious Code

Studying a spam or virus message in plain text is a fascinating exercise in misplaced ingenuity. (If only that energy were devoted to good and useful activities!) Be sure to read suspect HTML messages in plain text only! A rich source of spam messages to study is the Usenet group news.admin.net-abuse.sightings.

Web Bugs
A person can spend a lot of time looking for Web Bugs, as they are sneaky little buggers. Here's one example from The Privacy Foundation:

<img width='1' height='1' src="http://www.m0.net/m/logopen02.asp?vid=3&catid=370153037&email=SMITHS%40tiac.net" alt=" "><IMG SRC="http://email.bn.com/cgi-bin/flosensing?x=ABYoAEhouX">

Web bugs will typically plant a transparent 1-pixel by 1-pixel .gif attached to a URL. Web bugs confirm your email address to the sender, use cookies and third-party servers to track and record your movements, and build a profile of your surfing activities.

Making matters worse, if you happen to enter personally identifiable information on any of the co-conspirator sites, all of them will be able to link your activities to your name. There is some debate about whether Web bugs are evil, but anything that is so sneaky is highly suspect to me. I've yet to see any disclosure on sites that use these, and of course spammers aren't going to say anything.

Decoding Malicious HTML
Much of what you see is an attempt to evade spam filters by breaking up key words with HTML tags and comments. Newer spam filters are not fooled.

<div align="center"><!--9p1t5lyvnvhp--><font size="+2"><strong>G<!--d14my1181r-->ene<!--xgjs4fd0yt4n18-->ric Vi<!--h5uxcu5oqa9-->ag<!--2cxnzp1vdkj3c-->ra </strong></font></div>

See the original here. It's a Viagra spam, in case you were wondering.

This example uses HTML entities to hide words (see The HTML Coded Character Set for the complete list of HTML entity codes):

&#87;&#97;tc&#104; &#68;ogs &#115;&#108;u&#114;p&#3

And the following is Unicode, indicating the character set is not installed on your system:

C4=A3=B1=B8=BF=CD =C0=CC=BB=F3=C7=FC=C0=BB

I see a lot of these from China. Yeah, why not flood the world with this stuff — you never know who will be able to read it and wind up as a happy customer. Sure.

Scripting, Spoofing, and Phishing
Ah, now we have a nice, robust cross-platform scripting language that can wreak havoc impartially. JavaScript can do all kinds of stunts, like make fake URLs and perform web spoofing, which are prime tactics for phishing, or identity theft. For some reason eBay is a prime target for this kind of fraud. I receive eBay phishes every week. I've also seen them for PayPal and Best Buy, and many other big online merchants. Examine the message for lines that mention scripting in any way, such as <script language="JavaScript">. I will wager money any message containing scripting does not have your best interest at heart.

Here is a PayPal phish. The person who posted this gave a lot of useful information. Most of the code was first copied directly from a real PayPal page, and then hidden fields, Web bugs, and redirects were added. This particular exercise in sheer chutzpah contains a nice, handy-dandy form full of drop-down boxes that asks for all kinds of neat stuff: your PayPal account information, bank account, credit card number, etc. The safest way to view this in full HTML glory is to copy the code to a text editor, save it as an .html file, and then view it in an offline Web browser. Do not be connected to the Internet!

Spoofing doesn't even need fancy scripting; look at this little honey from another PayPal phish:

<a href=3D"http://www.exme.us/~x">https://www.paypal.com/cgi-bin/webscr?c= md=3Dverification>

Notice how the URL is spoofed — the label looks like a PayPal URL, but the real link is http://www.exme.us/~x. That's right, you cannot even trust clicking links. Thanks, spammers!
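As an added example (not code from the article or any spam filter it mentions), here is a small Python triage script that applies the checks described above to a raw HTML message body: it strips the comment and entity obfuscation so the real keywords show, flags 1x1 images with a tracking query string as Web bugs, flags any script element, and reports links whose visible label is a URL on a different host than the real href, as in the PayPal example. The message body is constructed for the demonstration and the .example hosts are placeholders.

```python
import re
import html
from urllib.parse import urlparse

# Constructed sample (not from the article): one HTML body combining the tricks described above,
# with placeholder .example hosts standing in for the real tracker and phishing sites.
SAMPLE = """<div align="center"><!--9p1t5--><strong>G<!--d14m-->ene<!--xgj-->ric Vi<!--h5u-->ag<!--2cx-->ra</strong></div>
<p>&#87;&#97;tc&#104; &#68;ogs</p>
<img width='1' height='1' src="http://tracker.example/open.asp?vid=3&email=victim%40example.net" alt=" ">
<script language="JavaScript">window.status='https://www.paypal.com/';</script>
<a href="http://phish.example/~x">https://www.paypal.com/cgi-bin/webscr?cmd=verification</a>"""

COMMENT_RE = re.compile(r"<!--.*?-->", re.S)
SCRIPT_RE = re.compile(r"<script\b.*?</script>", re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
IMG_RE = re.compile(r"<img\b[^>]*>", re.I)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*["']?([^"'\s>]+)""")
ANCHOR_RE = re.compile(r"""<a\b[^>]*?href\s*=\s*["']?([^"'\s>]+)[^>]*>(.*?)</a>""", re.I | re.S)

def deobfuscate(body):
    """Recover the text a filter should score: drop comments and script blocks, strip tags, decode entities."""
    text = SCRIPT_RE.sub(" ", COMMENT_RE.sub("", body))
    return " ".join(html.unescape(TAG_RE.sub(" ", text)).split())

def find_web_bugs(body):
    """Return src URLs of 1x1 images whose URL carries a query string (the beacon pattern)."""
    bugs = []
    for tag in IMG_RE.findall(body):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        if attrs.get("width") == "1" and attrs.get("height") == "1" and "?" in attrs.get("src", ""):
            bugs.append(attrs["src"])
    return bugs

def find_spoofed_links(body):
    """Return (href, label) pairs where the visible label is a URL on a different host than the target."""
    spoofed = []
    for href, label in ANCHOR_RE.findall(body):
        label = TAG_RE.sub("", label).strip()
        if label.lower().startswith(("http://", "https://")) and urlparse(label).hostname != urlparse(href).hostname:
            spoofed.append((href, label))
    return spoofed

def has_script(body):
    """Any scripting at all in a mail message is a red flag."""
    return re.search(r"<script\b", body, re.I) is not None
```

Running the four functions over a decoded message body gives the keywords a filter should actually score plus the beacon, script and spoofed-link indicators to surface to the reader.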

Resources

The Privacy Foundation Phishing Alert
EFF Web Bug FAQ
Securing Outlook, Part One: Initial Configuration
Securing Outlook, Part Two: Many Choices to Make
