Thursday, April 26, 2007

Mix and Match

An additional point worth mentioning regarding IP address obfuscation is that the techniques can be mixed and matched within the same IP address.
All or most of these formats should work in all browsers. Additionally, in dotted format, each octet can be written in a different base. For example, 207.0x8E.0203.235 is a valid (though unconventional) equivalent of the address 207.142.131.235. (Wikipedia article on IPv4)
Spammers are actively using this technique; this URL arrived today in a Pump and Dump stock spam:

http://0x00000000000d8.00000000000323.0x000000000000000000000009e.124/

The link in the email refers to MoneyCentral.MSN.com, but actually redirects to a random .BIZ site.

The format of this URL, octet by octet, is:
  1. Dotted hex with leading zeroes.
  2. Dotted octal with leading zeroes.
  3. Dotted hex with leading zeroes.
  4. Dotted decimal.
The address translates to 216.211.158.124 in dotted quad (decimal) format.

Tuesday, April 24, 2007

URL Obfuscation for fun and profit

We've all grown accustomed to the 'dotted quad' format of IP addresses. Localhost is 127.0.0.1, for example.

'127.0.0.1' is simply a convenient shorthand for a 32-bit number, in this case written as four 8-bit numbers. There are numerous other ways to represent that 32-bit number. The simplest is to write it as a single decimal number: '127.0.0.1' is decimal 2,130,706,433.

An easy way to make that conversion is to open up a calculator; Windows calculator in Scientific mode works fine (go to Options-> Scientific). Then choose binary mode ('Bin') and enter the four octets back to back as one 32-bit binary string: '01111111' (127), '00000000' (0), '00000000' (0), '00000001' (1), i.e. 01111111000000000000000000000001. Then hit decimal ('Dec').

Your answer should be 2130706433. To verify you are correct, open a command prompt and type 'ping 2130706433'. What IP address answered?

There are other legitimate ways to represent an IP address; many are summarized in this Wikipedia article. Other forms include dotted hex, dotted octal, and others.

This topic is normally an arcane source of trivia for die-hard IP geeks. I mention it today because spammers and phishers abuse these forms of URL obfuscation in an attempt to bypass IP address blocking schemes.

Here are some live examples harvested from today's mail spool:

Bank phishing attempt using a dotted hex IP address:
  • Subject: Arizona Federal - Account Suspended.
  • Embedded URL: http://0xcb.0xe9.0xc7.0x92/(deleted)/www.azfcu.org/
eBay phishing attempt using a decimal IP:
  • Subject: Question about payment for item: #2070651641
  • Embedded URL: http://1478700420:82/(deleted)&co/reg.php
PayPal phishing attempt using a dotted octal URL:
  • Subject: Update your PayPal records
  • Embedded URL: http://0112.0000.0067.0012/(deleted)/index.htm
MSN phishing scam in dotted hex, with leading '0's:
  • Subject: Fwd: MoneyCentral.MSN.com 721362
  • Embedded URL (the href of a link whose visible text is MoneyCentral.MSN.com): http://0x000000000000000D8.0x0D3.0x000000000000000009E.0x00000(deleted)
As the last example illustrates, these obfuscation techniques may be further disguised by adding leading zeroes.
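Every one of the harvested addresses above, the decimal form from the calculator exercise and the mixed-base URL in the 'Mix and Match' post reduce to an ordinary dotted quad once you apply the same parsing rule that ping and browsers use. The Python below is an added example, not code from the post: it implements the classic inet_aton() grammar (one to four dot-separated parts, each a decimal, 0-prefixed octal or 0x-prefixed hex number, with the last part filling the remaining low-order bytes) and canonicalises the host of a URL. The sample URLs are the post's own, with the paths as the post printed them; the function names are mine.

```python
"""Canonicalise obfuscated IPv4 literals (decimal, dotted hex, dotted octal,
leading zeros, mixed bases) to plain dotted-quad form.

Added example, not the post's code.  It follows the classic inet_aton()
grammar: one to four '.'-separated parts, each a decimal number, a
0-prefixed octal number or a 0x-prefixed hex number; every part but the
last is one byte and the last part fills the remaining low-order bytes."""
import re
from urllib.parse import urlsplit

_HEX = re.compile(r"0[xX][0-9a-fA-F]+")
_OCT = re.compile(r"0[0-7]+")            # a leading zero selects octal
_DEC = re.compile(r"0|[1-9][0-9]*")      # '08' is neither octal nor decimal


def _part_value(part):
    """Integer value of one dot-separated part, or None if it is not numeric."""
    if _HEX.fullmatch(part):
        return int(part[2:], 16)
    if _OCT.fullmatch(part):
        return int(part, 8)
    if _DEC.fullmatch(part):
        return int(part, 10)
    return None


def normalize_ip(literal):
    """Return 'a.b.c.d' for any inet_aton()-style literal, else None."""
    parts = literal.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_part_value(p) for p in parts]
    if None in values:
        return None
    last_bits = 8 * (5 - len(parts))       # last part holds 8, 16, 24 or 32 bits
    if any(v > 0xFF for v in values[:-1]) or values[-1] >= 1 << last_bits:
        return None
    addr = 0
    for v in values[:-1]:
        addr = (addr << 8) | v
    addr = (addr << last_bits) | values[-1]
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def url_host_ip(url):
    """Canonical IP of a URL's host, or None when the host is not an IP literal."""
    host = urlsplit(url).hostname
    return normalize_ip(host) if host else None


if __name__ == "__main__":
    # The post's harvested URLs plus the Wikipedia mixed-base example.
    for url in (
        "http://0x00000000000d8.00000000000323.0x000000000000000000000009e.124/",
        "http://0xcb.0xe9.0xc7.0x92/(deleted)/www.azfcu.org/",
        "http://1478700420:82/(deleted)&co/reg.php",
        "http://0112.0000.0067.0012/(deleted)/index.htm",
        "http://207.0x8E.0203.235/",
    ):
        print(f"{url}\n    -> {url_host_ip(url)}")
```

Because the canonical form is independent of how the address was spelled, a filter that compares url_host_ip() against a blocklist (or simply rejects any URL whose host is an IP literal at all) is not fooled by leading zeros or by switching bases between octets.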

The good news is that these phishing attempts are trivially easy to block at the mail server, assuming your MTA can reject email based on regular expression matches against the message body.
Postfix is one such mailer, with its excellent support for Perl-Compatible Regular Expressions.

Here are the pcre maps I use to block these URL obfuscation attacks:
  • /http:\/\/(0x0*[0-9A-F]{2}\.){3}0x0*[0-9A-F]{2}/ REJECT URL Obfuscation
  • /http:\/\/0*[0-9]{8,10}/ REJECT URL Obfuscation
  • /http:\/\/0x0*[0-9A-F]{8}/ REJECT URL Obfuscation
  • /http:\/\/(0+[0-7]{3}\.){3}0+[0-7]{3}/ REJECT URL Obfuscation
These will block dotted hexadecimal, decimal, hexadecimal, and dotted octal URLs, respectively. You may enable them in the Postfix MTA by saving them to a file (in this case, /usr/local/etc/postfix/bodyfilt.pcre) and adding the following line to main.cf:

body_checks = pcre:/usr/local/etc/postfix/bodyfilt.pcre

Postfix PCRE maps are case-insensitive by default. If your MTA's are not, use '[0-9A-Fa-f]' for a hex digit (for example).
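To see exactly what the four maps catch, here they are run over sample message-body lines the way body_checks does it, one line at a time. This is an added example and not part of the post: the four patterns are the post's, ported to Python's re module with IGNORECASE to mirror the Postfix default; the sample lines are constructed here from the post's harvested URLs, plus one mixed-base URL with its leading zeros stripped (my own construction) to show a spelling the four rules do not cover.

```python
"""Run the post's four Postfix body_checks PCRE rules over sample body lines.

Added example, not the post's code.  The patterns are the post's own,
compiled with re.IGNORECASE because Postfix pcre tables are case-insensitive
by default.  The sample lines are constructed from the post's URLs."""
import re

# (name of the form the rule is meant to block, pattern) in the post's order
RULES = [
    ("dotted hex",   r"http://(0x0*[0-9A-F]{2}\.){3}0x0*[0-9A-F]{2}"),
    ("decimal",      r"http://0*[0-9]{8,10}"),
    ("hex",          r"http://0x0*[0-9A-F]{8}"),
    ("dotted octal", r"http://(0+[0-7]{3}\.){3}0+[0-7]{3}"),
]
_COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]


def matching_rules(line):
    """Names of every rule that matches the line.

    body_checks stops at the first matching rule; all of them are listed here
    so that overlaps are visible."""
    return [name for name, rx in _COMPILED if rx.search(line)]


def scan(lines):
    """Map each body line to the body_checks action it would receive."""
    return {
        line: ("REJECT URL Obfuscation" if matching_rules(line) else "OK")
        for line in lines
    }


# Constructed sample body, built from the post's harvested URLs.
SAMPLE_BODY = [
    "Please verify: http://0xcb.0xe9.0xc7.0x92/(deleted)/www.azfcu.org/",
    "Item details: http://1478700420:82/(deleted)&co/reg.php",
    "Update here: http://0112.0000.0067.0012/(deleted)/index.htm",
    "http://0x000000000000000D8.0x0D3.0x000000000000000009E.0x00000(deleted)",
    "http://0x00000000000d8.00000000000323.0x000000000000000000000009e.124/",
    "http://0xd8.0323.0x9e.124/",          # mixed bases, no padding (constructed)
    "See http://www.example.com/help for details",
]

if __name__ == "__main__":
    for line in SAMPLE_BODY:
        print(f"{matching_rules(line) or '-'!s:>24}  {line}")
```

Two things stand out in the output. The padded MSN and 'Mix and Match' URLs trip the plain 'hex' rule as well, because a run of leading zeros is itself eight hex digits; that is harmless here, since Postfix acts on the first match. The unpadded mixed-base URL, on the other hand, matches none of the four rules, since each rule assumes all four octets share one base. Canonicalising the host address before comparison closes that gap; the rules above remain a cheap first line of defence.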

Tuesday, April 17, 2007

SANS CISSP @Home

I just finished up teaching SANS@Home Management 414: SANS® +S™ Training Program for the CISSP® Certification Exam with Dr. Eric Cole, which began on Monday, February 26, 2007, and ran through Thursday, April 12, 2007.

http://www.sans.org/athome/details.php?nid=1982

The next SANS CISSP @Home begins on July 16th.

http://www.sans.org/athome/details.php?nid=5066

It will be 13 sessions, Monday and Wednesday nights. The last class was a blast; I'm looking forward to this one.