Hey David,
Would you mind telling us what method you used to deobfuscate the scripts?  
Usually I have done these by hand or used Malzilla, but I'm always looking for 
new methods.  Thanks!

David Shpritz

-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of David Auclair
Sent: Wednesday, December 02, 2009 9:45 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] phishing question

It looks like the javascript on the page you mentioned leads to this page:
hxxp://www . businessinabox . com . au/357/?go

Which is full of more obfuscated javascript, which leads to sites such as:
hxxp:// 62.204.113.141 /d=www.facebook.com/0x3E8/f=fb2/view/console=yes/

Which seems to have a 'you need to update your flash player' image, linking to 
setup.exe

According to virustotal, the setup.exe contains koobface:
http://www.virustotal.com/analisis/5e9ce9c41a8f46d5dfc4ce366f6f47cb347bcbaa93cd1fcb132a72f61bab14e1-1259705119

-Dave

> -----Original Message-----
> From: [email protected] 
> [mailto:[email protected]] On Behalf
> Of Chris Blazek
> Sent: Wednesday, December 02, 2009 12:04 AM
> To: PaulDotCom Security Weekly Mailing List
> Subject: Re: [Pauldotcom] phishing question
> 
> PJ,
>    Yeah, I had the user change all passwords from the email account to
> fb. I had tried googling for that 1st part of the address, hoping
> someone had posted something about it. That came up empty.
> I tried to get malzilla to decode it, but I really have little
> experience decoding JavaScript like that.
> I'll try looking for deobfuscators to see if something else can decode
> it.
> Sorry for the typos in the original email. :)
> 
> Thanks for the help!
> 
> Chris
> 
> 
> 
> On Dec 1, 2009, at 8:47 PM, PJ McGarvey <[email protected]> wrote:
> 
> > Well, if you mean what does the obfuscated code do, there are a few
> > sites I've used that can "de-obfuscate" code however sometimes all
> > that can tell you is that "yeah, it's probably malicious".  I would
> > google for "javascript deobfuscate".
> >
> > You could submit the blogspot site to an online sandbox for
> > analysis, like I just did:
> >
> > http://anubis.iseclab.org/?action=result&task_id=1c4a179271c4d4ee4f5b9820e431f7281&format=html
> >
> > and possibly find other URLs found in the de-obfuscated code to see
> > what they do.... like this one
> > http://1nonsensical.cn/?pid=312s02&sid=4db12f
> >
> > ... I've yet to find a .cn domain name I could trust.  LOL.
> >
> > Follow down the rabbit hole...
> >
> > That way you can find out if the PC was infected, and how to clean
> > it up.
> >
> > Otherwise it would seem like some sort of facebook worm that spreads
> > using the FB address book.  Was the user logged into Facebook at the
> > time?  Might be a good idea to change their password, sounds like it
> > either used the active facebook session to send itself out, or maybe
> > a cookie with the user's saved credentials.
> >
> > PJ
> >
> > From: [email protected]
> > Date: Tue, 1 Dec 2009 14:54:36 -0600
> > To: [email protected]
> > Subject: [Pauldotcom] phishing question
> >
> > A coworker clicked on a link in an email and was directed to
> > facebook then redirected to the following site:
> > despatiesmercemerce . blogspot . com
> > All of their fb contacts then received the same email. I pulled up
> > the site in malzilla and noticed a script block in the header that
> > looks like it's obfuscated.
> >
> > I was wondering if someone in the group could figure out what the
> > site was trying to do.
> >
> > Thanks,
> > Chris
> >
> >
> > _______________________________________________
> > Pauldotcom mailing list
> > [email protected]
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com