Babelfish obfuscation
From spam today:

<a href="http://66.196.80.202/babelfish/translate_url_content?.intl=us&lp=es_en&trurl=http://johnnie2006.mcafaloj%2E%63%6E" style="text-decoration: none; color: #0099ff;">click here</a>

Double obfuscation-- first the indirect through 66.196.80.202 (yahoo) and then %2E%63%6E for .cn

Joseph Brennan
Columbia University Information Technology
Re: Babelfish obfuscation
On Mon, 2009-10-05 at 11:06 -0400, Joseph Brennan wrote:

> Double obfuscation-- first the indirect through 66.196.80.202 (yahoo) and
> then %2E%63%6E for .cn

Without checking -- I believe, all you need is a redirector_pattern for the IP redirector, to extract the target URI. The list of URIs should also contain a cleaned version of the extracted target URI, with the escapes converted.

-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Babelfish obfuscation
On Mon, 5 Oct 2009, Joseph Brennan wrote:

> From spam today:
>
> <a href="http://66.196.80.202/babelfish/translate_url_content?.intl=us&lp=es_en&trurl=http://johnnie2006.mcafaloj%2E%63%6E" style="text-decoration: none; color: #0099ff;">click here</a>
>
> Double obfuscation-- first the indirect through 66.196.80.202 (yahoo) and
> then %2E%63%6E for .cn

Warren: I guess that's an argument against anchoring CN_EIGHT at the beginning of the URI...

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  You cannot bring about prosperity by discouraging thrift. You cannot
  help small men by tearing down big men. You cannot strengthen the weak
  by weakening the strong. You cannot lift the wage-earner by pulling
  down the wage-payer. You cannot help the poor man by destroying the
  rich. You cannot keep out of trouble by spending more than your income.
  You cannot further the brotherhood of man by inciting class hatred.
  You cannot establish security on borrowed money. You cannot build
  character and courage by taking away men's initiative and independence.
  You cannot help men permanently by doing for them what they could and
  should do for themselves.                     -- William J. H. Boetcker
-----------------------------------------------------------------------
 Approximately 9183900 firearms legally purchased in the U.S. this year
Re: Babelfish obfuscation
On Mon, 2009-10-05 at 08:27 -0700, John Hardin wrote:

> I guess that's an argument against anchoring CN_EIGHT at the beginning of
> the URI...

No, it is not. It's an argument for a new redirector_pattern. The extracted target URIs are provided for uri rules.

Or alternatively, seriously kicking some redirector provider's butts...

-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Babelfish obfuscation
On Mon 05 Oct 2009 17:06:19 CEST, Joseph Brennan wrote:

> Double obfuscation-- first the indirect through 66.196.80.202 (yahoo) and
> then %2E%63%6E for .cn

Yahoo accepts content to be on their IP? Let's block that IP, so.

-- 
xpoint
Re: Babelfish obfuscation
On Mon 05 Oct 2009 17:16:06 CEST, Karsten Bräckelmann wrote:

> Without checking -- I believe, all you need is a redirector_pattern for
> the IP redirector, to extract the target URI. The list of URIs should
> also contain a cleaned version of the extracted target URI, with the
> escapes converted.

I have had this in mind for so long with a lot of spam on yahoo, but don't know how to make that work :/

-- 
xpoint
Re: Babelfish obfuscation
On 10/05/2009 11:27 AM, John Hardin wrote:

> Warren: I guess that's an argument against anchoring CN_EIGHT at the
> beginning of the URI...

I wasn't the one that suggested anchoring. Did the old rule decode %2E%63%6E as .cn though?

Warren
Re: Babelfish obfuscation
On Mon, 2009-10-05 at 19:56 +0200, Benny Pedersen wrote:

> On Mon 05 Oct 2009 17:16:06 CEST, Karsten Bräckelmann wrote:
>
> > Without checking -- I believe, all you need is a redirector_pattern for
> > the IP redirector, to extract the target URI. The list of URIs should
> > also contain a cleaned version of the extracted target URI, with the
> > escapes converted.
>
> I have had this in mind for so long with a lot of spam on yahoo, but don't
> know how to make that work :/

  redirector_pattern  m~http://example.net/redir?uri=(target)~

The redirector_pattern pretty much is a simple uri rule. With one notable difference: It needs exactly one capturing match. The captured match will be added to the list of URIs, just the same as if it would have appeared as a plain, ordinary URI in the message.

Entirely from memory -- down with a cold, can't be arsed to cross-check my claims today. ;)

  guenther

-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Babelfish obfuscation (fwd)
On Mon, 2009-10-05 at 11:21 -0700, John Hardin wrote:

> On Mon, 5 Oct 2009, Warren Togami wrote:
>
> > Did the old rule decode %2E%63%6E as .cn though?
>
> The URI parser does that for you:
>
> [11433] dbg: rules: ran uri rule ALL_URI ==> got hit: "http://fnord:b...@321%2e%63%6e"
> [11433] dbg: rules: ran uri rule ALL_URI ==> got hit: "http://321.cn"
> [11433] dbg: rules: ran uri rule ALL_URI ==> got hit: "http://fnord:b...@321.cn"

Didn't I say that? ;)

The list of URIs does contain cleaned and decoded versions, in addition to the raw URI.

-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Babelfish obfuscation
On Mon, 5 Oct 2009, Karsten Bräckelmann wrote:

> On Mon, 2009-10-05 at 19:56 +0200, Benny Pedersen wrote:
>
> > On Mon 05 Oct 2009 17:16:06 CEST, Karsten Bräckelmann wrote:
> >
> > > Without checking -- I believe, all you need is a redirector_pattern
> > > for the IP redirector, to extract the target URI. The list of URIs
> > > should also contain a cleaned version of the extracted target URI,
> > > with the escapes converted.
> >
> > I have had this in mind for so long with a lot of spam on yahoo, but
> > don't know how to make that work :/
>
>   redirector_pattern  m~http://example.net/redir?uri=(target)~

Tested:

  redirector_pattern  m;^https?://[^/]+/babelfish/.*\?.*url=(http:.+)$;

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The question of whether people should be allowed to harm themselves
  is simple. They *must*.                           -- Charles Murray
-----------------------------------------------------------------------
 Approximately 9194940 firearms legally purchased in the U.S. this year
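An added illustration (not SpamAssassin's code and not written by anyone in this thread) of what the redirector_pattern and the cleaned URI list discussed above do together: it applies the tested Babelfish pattern to the href from the original spam, adds the captured target plus its percent-decoded and userinfo-stripped variants to the URI list, and runs a stand-in .cn uri rule over the result. The CN_RULE regex and the exact cleaning steps are assumptions modelled only on the ALL_URI debug lines quoted earlier, not SpamAssassin's real CN_EIGHT.

```python
import re
from urllib.parse import unquote

# Tested pattern from the thread, as a Python regex (m;...; delimiters
# dropped). Assumption: matched case-insensitively like SA uri rules.
REDIRECTOR_PATTERNS = [
    re.compile(r"^https?://[^/]+/babelfish/.*\?.*url=(http:.+)$", re.I),
]

# Hypothetical stand-in for CN_EIGHT: fires on a .cn host, anchored on the
# host part rather than on the start of the whole URI.
CN_RULE = re.compile(r"^https?://(?:[^/@]*@)?[^/]*\.cn(?:[/:?]|$)", re.I)

def expand_uri(uri):
    """Variants kept for one URI: raw, percent-decoded, and each of those
    with any user:pass@ userinfo removed (as in the ALL_URI debug lines)."""
    variants = [uri]
    decoded = unquote(uri)
    if decoded != uri:
        variants.append(decoded)
    for v in list(variants):
        stripped = re.sub(r"^(https?://)[^/@]*@", r"\1", v, flags=re.I)
        if stripped not in variants:
            variants.append(stripped)
    return variants

def uri_list(uris):
    """Full URI list: every message URI, every redirector target captured
    from it (exactly one capture group per pattern), all expanded."""
    out = []
    for uri in uris:
        targets = [uri]
        for pat in REDIRECTOR_PATTERNS:
            m = pat.search(uri)
            if m:
                targets.append(m.group(1))
        for t in targets:
            for v in expand_uri(t):
                if v not in out:
                    out.append(v)
    return out

def cn_hits(uris):
    """Entries of the expanded list that the .cn uri rule would hit."""
    return [u for u in uri_list(uris) if CN_RULE.search(u)]

# Constructed sample input: the href quoted from the spam at the top.
SPAM_HREF = ("http://66.196.80.202/babelfish/translate_url_content"
             "?.intl=us&lp=es_en&trurl=http://johnnie2006.mcafaloj%2E%63%6E")

if __name__ == "__main__":
    print("\n".join(uri_list([SPAM_HREF])))
    print("CN hits:", cn_hits([SPAM_HREF]))
```

Note that the decoded redirector URL itself never hits the .cn rule; only the target captured by the redirector_pattern does, which is the point Karsten makes about providing extracted targets to uri rules.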