On Thu, 28 Aug 2008, Steven Adair wrote:

> hxxp seems to be advantageous for a few reasons:
> 1. you can still cut and paste the url
> 2. the protocol handlers won't load it up if you accidentally click on it
> 3. you can add a protocol handler for hxxp for whatever you want
> 4. easier to recognize domains and patterns (rather than rotted urls)
> 5. already widely accepted in spam fighting groups
> 6. trivial to do and undo with no exception cases
>
> I figured I'd put down my thoughts to try to help a standard to move
> forward.
I say, chuck the entire URL and send an encoded string:

    echo dot.com|python -c "import sys; print sys.stdin.read().encode('base64')"

This avoids having other malware creators re-hijacking something that's already a nuisance. It also avoids having someone search for their own malware and dishing out retribution against one (DDoS). Imagine you're a syndicate running one of these and you wanted to find out who's reporting you: it's quite easy to Google up your URLs, and while encoding doesn't outright protect you, it minimizes the potential for retribution, as well as minimizes the ability to keep on spreading sites, e.g., it's much easier for me to

    links -dump www.grouplist.com/urlwithMalwaresites.html|\
    sed 's:hxx:htt:g' | DO_SOMETHING_ELSE

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA #579 (FW+VPN v4.1) SGFE #574 (FW+VPN v4.1)
CEH/CNDA, CHFI, OSCP

"Experience hath shewn, that even under the best forms (of government) those entrusted with power have, in time, and by slow operations, perverted it into tyranny." Thomas Jefferson

wget -qO - www.infiltrated.net/sig|perl
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB

_______________________________________________
botnets@, the public's dumping ground for maliciousness
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
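The two conventions debated in this thread, the hxxp scheme swap from the quoted list and the base64-encoded indicator from the reply, side by side as an added Python example that is not part of either message. The function names are my own, the URLs are constructed placeholders, and the bulk refang mirrors the reply's sed pipeline but is restricted to the scheme prefix so unrelated text containing "hxx" is left alone.

```python
"""Added example (not from the list thread): defang/refang helpers for the
hxxp convention, plus the base64 alternative proposed in the reply.
All URLs here are constructed placeholders, not real indicators."""
import base64
import re

# hxxp convention: only the scheme changes, so the URL stays readable and
# copy-pasteable, but no protocol handler will open it on a stray click.
_SCHEME_LIVE = re.compile(r'^htt(ps?://)')
_SCHEME_SAFE = re.compile(r'^hxx(ps?://)')
# For bulk refanging of a whole list dump (the reply's sed 's:hxx:htt:g'),
# limited to scheme prefixes so other text containing "hxx" is untouched.
_SAFE_IN_TEXT = re.compile(r'\bhxx(ps?://)')


def defang(url: str) -> str:
    """http(s)://... -> hxxp(s)://...; other schemes are returned unchanged."""
    return _SCHEME_LIVE.sub(r'hxx\1', url, count=1)


def refang(url: str) -> str:
    """Inverse of defang(): a lossless round trip with no special cases."""
    return _SCHEME_SAFE.sub(r'htt\1', url, count=1)


def refang_text(text: str) -> str:
    """Refang every hxxp(s):// occurrence in a block of text (a list dump)."""
    return _SAFE_IN_TEXT.sub(r'htt\1', text)


def encode_indicator(url: str) -> str:
    """The reply's alternative: ship the indicator base64-encoded so a plain
    web search for the domain string does not turn up the report."""
    return base64.b64encode(url.encode('utf-8')).decode('ascii')


def decode_indicator(token: str) -> str:
    """Recover the original indicator from its base64 form."""
    return base64.b64decode(token).decode('utf-8')


def round_trips(urls) -> bool:
    """Check the 'trivial to do and undo' property for both schemes
    over a batch of URLs."""
    return all(refang(defang(u)) == u and
               decode_indicator(encode_indicator(u)) == u
               for u in urls)


if __name__ == '__main__':
    sample = ['http://example.test/path?q=1',
              'https://example.test/',
              'ftp://example.test/pub']
    for u in sample:
        print(defang(u), encode_indicator(u))
    print('round trips:', round_trips(sample))
```

The trade-off the thread is arguing about is visible in the two forms: the hxxp version keeps the domain human-readable for pattern spotting (point 4 of the quoted list), while the base64 version hides the domain from a naive text search at the cost of readability.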