Tuesday, April 24, 2007

URL Obfuscation for fun and profit

We've all grown accustomed to the 'dotted quad' format of IP addresses. Localhost is 127.0.0.1, for example.

'127.0.0.1' is simply a convenient shorthand for a 32-bit number, in this case written as four 8-bit numbers. There are numerous other ways to represent that 32-bit number. The simplest is to write it as a single decimal number: '127.0.0.1' is decimal 2,130,706,433.

An easy way to make that conversion is to open up a calculator; Windows Calculator in Scientific mode works fine (go to View -> Scientific). Choose binary mode ('Bin') and enter the four octets as one 32-bit binary string: '01111111' (127), '00000000' (0), '00000000' (0), '00000001' (1). Then hit decimal ('Dec').

Your answer should be 2130706433. To verify you are correct, open a command prompt and type 'ping 2130706433'. What IP address answered?

There are other legitimate ways to represent an IP address, including dotted hex and dotted octal; many are summarized in this Wikipedia article.

This topic is normally an arcane source of trivia for die-hard IP geeks. I mention it today because spammers and phishers abuse these forms of URL obfuscation in an attempt to bypass IP address blocking schemes.

Here are some live examples harvested from today's mail spool:

Bank phishing attempt using dotted hex IP address:
  • Subject: Arizona Federal - Account Suspended.
  • Embedded URL: http://0xcb.0xe9.0xc7.0x92/(deleted)/www.azfcu.org/
eBay phishing attempt using a decimal IP address:
  • Subject: Question about payment for item: #2070651641
  • Embedded URL: http://1478700420:82/(deleted)&co/reg.php
PayPal phishing attempt using a dotted octal IP address:
  • Subject: Update your PayPal records
  • Embedded URL: http://0112.0000.0067.0012/(deleted)/index.htm
MSN phishing scam in dotted hex, with leading '0's:
  • Subject: Fwd: MoneyCentral.MSN.com 721362
  • Embedded URL: href="http://0x000000000000000D8.0x0D3.0x000000000000000009E.0x00000(deleted)">MoneyCentral.MSN.com
As the last example illustrates, these obfuscation techniques may be further confused by adding leading zeroes.

The good news is that these phishing attempts are trivially easy to block at the mail server, assuming your MTA can reject email based on regular expression matches against the message body. Postfix is one such mailer, with excellent support for Perl-Compatible Regular Expressions (PCRE).

Here are the pcre maps I use to block these URL obfuscation attacks:
  • /http:\/\/(0x0*[0-9A-F]{2}\.){3}0x0*[0-9A-F]{2}/ REJECT URL Obfuscation
  • /http:\/\/0*[0-9]{8,10}/ REJECT URL Obfuscation
  • /http:\/\/0x0*[0-9A-F]{8}/ REJECT URL Obfuscation
  • /http:\/\/(0+[0-7]{3}\.){3}0+[0-7]{3}/ REJECT URL Obfuscation
These will block dotted hexadecimal, decimal, hexadecimal, and dotted octal URLs, respectively. You may enable these using the Postfix MTA by saving them to a file (in this case, /usr/local/etc/postfix/bodyfilt.pcre), and entering the following line in main.cf:

body_checks = pcre:/usr/local/etc/postfix/bodyfilt.pcre

Postfix PCRE tables are case-insensitive by default. If your MTA's are not, use '[0-9A-Fa-f]' for a hex digit (for example).
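As an added example (not code from the original post), the following Python decodes the decimal, dotted-hex and dotted-octal host forms back to the dotted quad they actually resolve to, using the same rules as inet_aton (a '0x' prefix means hex, a leading '0' means octal, and fewer than four parts are allowed), and pairs that with the four body_checks patterns above so you can see which bodies they would reject. The hosts are the ones quoted in the post; the URL paths are constructed placeholders.

```python
import ipaddress
import re
from urllib.parse import urlparse

# The post's four Postfix body_checks patterns, compiled case-insensitively
# (Postfix pcre tables are case-insensitive by default).
OBFUSCATED_HOST_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"http://(0x0*[0-9A-F]{2}\.){3}0x0*[0-9A-F]{2}",  # dotted hex
    r"http://0*[0-9]{8,10}",                          # decimal
    r"http://0x0*[0-9A-F]{8}",                        # hex
    r"http://(0+[0-7]{3}\.){3}0+[0-7]{3}",            # dotted octal
)]


def body_is_obfuscated(body):
    """True if any of the post's patterns would REJECT this message body."""
    return any(p.search(body) for p in OBFUSCATED_HOST_PATTERNS)


def _part_value(part):
    # inet_aton rules: '0x' prefix is hex, a leading '0' is octal, else decimal.
    if not part.isalnum():
        raise ValueError(part)
    if part[:2].lower() == "0x":
        return int(part[2:] or "0", 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def normalize_host(host):
    """Dotted-quad form of an inet_aton-style numeric host, or None if not numeric."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_part_value(p) for p in parts]
    except ValueError:
        return None
    # With fewer than four parts, the last part fills the remaining low-order bytes.
    lead, last = values[:-1], values[-1]
    width = 4 - len(lead)
    if any(v > 255 for v in lead) or last >= 1 << (8 * width):
        return None
    as_int = 0
    for v in lead:
        as_int = (as_int << 8) | v
    return str(ipaddress.IPv4Address((as_int << (8 * width)) | last))


def url_real_host(url):
    """Dotted-quad address behind a URL's numeric host (None if the host is a name)."""
    host = urlparse(url).hostname
    return normalize_host(host) if host else None
```

Note that the normaliser also decodes short forms such as a two-part host, which the four patterns above do not cover; logging the normalised address alongside the REJECT gives you the real destination for blocklisting.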