On Thu, 28 Aug 2008, Steven Adair wrote:

> hxxp seems to be advantageous for a few reasons:
>   1. you can still cut and paste the url
>   2. the protocol handlers won't load it up if you accidentally click on it
>   3. you can add a protocol handler for hxxp for whatever you want
>   4. easier to recognize domains and patterns (rather than rotted urls)
>   5. already widely accepted in spam fighting groups
>   6. trivial to do and undo with no exception cases
> 
> I figured I'd put down my thoughts to try to help a standard to move  
> forward.

I say, chuck the entire URL and send an encoded string:

echo dot.com|python -c "import sys; print sys.stdin.read().encode('base64')"

This avoids having other malware creators re-hijacking
something that's already a nuisance. It also avoids
having someone search for their own malware and dishing
out retribution against one (DDoS).

Imagine you're a syndicate running one of these and you
wanted to find out who's reporting you, it's quite easy
to Google up your URLs, and while encoding it doesn't
outright protect you, it minimizes the potential for
retribution, as well as minimizes the ability to keep
on spreading sites, e.g., it's much easier for me to
links -dump www.grouplist.com/urlwithMalwaresites.html|\
sed 's:hxx:htt:g' | DO_SOMETHING_ELSE


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA #579 (FW+VPN v4.1) SGFE #574 (FW+VPN v4.1)
CEH/CNDA, CHFI, OSCP

"Experience hath shewn, that even under the best
forms (of government) those entrusted with power
have, in time, and by slow operations, perverted
it into tyranny." Thomas Jefferson

wget -qO - www.infiltrated.net/sig|perl

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB

_______________________________________________
botnets@, the public's dumping ground for maliciousness
All list and server information are public and available to law enforcement 
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
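The thread weighs three ways of passing a malicious URL around without it becoming a live link: the hxxp convention from the quoted list, the base64 one-liner in the reply, and the "rotted" (ROT13) URLs point 4 argues against. As an added example that belongs to neither poster, the Python 3 helpers below implement each scheme with its inverse and check the two properties in dispute: that every scheme is trivially reversible (point 6) and whether the domain stays readable in the encoded form (point 4). The sample URL is constructed.

```python
import base64
import codecs
import re

# Constructed sample URL; not an indicator from the thread.
SAMPLE_URL = "http://malware.example/path/loader.exe"

_SCHEME_RE = re.compile(r"\bhttp(s?)://", re.IGNORECASE)
_HXXP_RE = re.compile(r"\bhxxp(s?)://", re.IGNORECASE)

def hxxp_encode(url: str) -> str:
    """Rewrite http:// and https:// as hxxp:// and hxxps:// (the hxxp convention)."""
    return _SCHEME_RE.sub(lambda m: "hxxp%s://" % m.group(1), url)

def hxxp_decode(text: str) -> str:
    """Undo hxxp_encode for every URL in a block of text. Unlike sed 's:hxx:htt:g'
    this only touches the scheme, so unrelated 'hxx' substrings are left alone."""
    return _HXXP_RE.sub(lambda m: "http%s://" % m.group(1), text)

def base64_encode(url: str) -> str:
    """Encode the whole URL, as the python one-liner in the reply does."""
    return base64.b64encode(url.encode("utf-8")).decode("ascii")

def base64_decode(blob: str) -> str:
    return base64.b64decode(blob).decode("utf-8")

def rot13_encode(url: str) -> str:
    """A 'rotted' URL as in point 4 of the quoted list; ROT13 is its own inverse."""
    return codecs.encode(url, "rot_13")

rot13_decode = rot13_encode

SCHEMES = {  # scheme name -> (encode, decode)
    "hxxp": (hxxp_encode, hxxp_decode),
    "base64": (base64_encode, base64_decode),
    "rot13": (rot13_encode, rot13_decode),
}

def round_trips(url: str) -> dict:
    """Point 6 of the quoted list: which schemes decode back to the exact original."""
    return {name: dec(enc(url)) == url for name, (enc, dec) in SCHEMES.items()}

def domain_visible(url: str, domain: str) -> dict:
    """Point 4: in which encoded forms the domain is still readable and greppable."""
    return {name: domain.lower() in enc(url).lower() for name, (enc, _) in SCHEMES.items()}

if __name__ == "__main__":
    for name, (enc, _) in SCHEMES.items():
        print("%-6s %s" % (name, enc(SAMPLE_URL)))
    print(round_trips(SAMPLE_URL), domain_visible(SAMPLE_URL, "malware.example"))
```

All three round-trip, but only the hxxp form keeps the domain greppable, which is the trade-off the two posts are arguing about.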
