Saturday 08 October 2005
Decoding the spam: A tribute to Joe
By Steven Burn
If you've been following the news lately, you may remember my mentioning Tom Liston's series 'Follow the bouncing malware' (FTBM) and the adventures of Joe. Well I decided to give Joe and Tom a rest and do a little dissecting myself.
This trip started out simple enough, with an e-mail arriving in my inbox from a chap called "darron buchar". As I do with all e-mails I receive, I opened up the properties to look at the source (those of us that use MS Outlook Express do this by right clicking the e-mail in question and selecting "Properties", then the "Details" tab, then the "Message Source" button).
The e-mail contained what was quite obviously spam, and to be honest, I should have just left it there and deleted it, but being the inquisitive sort, I didn't. I couldn't; I felt compelled to investigate further. The first thing I did was to take the URL contained within the e-mail and run it through the vURL dissection process.
I did as Tom mentioned and added a little extra to use the script against itself, then saved it to a local .htm file. Against Tom's advice, I ran it on what is normally the machine I use for surfing the internet (IE is blocked, so no outgoing connections can be made), and the script did almost exactly as Tom said. It first tried an outgoing connection, which was automatically blocked, and then proceeded to do what I intended and output the decoded script to my wonderful text file.
In closing, I would like to give a little message to the people that come up with this stuff.
If you are going to try and scam people (especially using spam), at least spend a little more time on hiding it, and if you want to sell people your rubbish, at least put a little effort into making it appear legit (the websites you've used here make it blatantly obvious that it is a scam). Scammers and spammers have a bad enough name with people such as myself as it is, without you making it worse.
UPDATE: 08-10-2005 12:30 GMT London
It would seem Mr Buchar was not content with only the one.
Same code, different name - same scam.
The Tom Liston Fanclub
For those that have not yet read the FTBM (Follow the Bouncing Malware) series, below are links to each edition.
FTBM - Part I - http://isc.sans.org/diary.php?date=2004-07-23
FTBM - Part II - http://isc.sans.org/diary.php?date=2004-08-23
FTBM - Part III - http://isc.sans.org/diary.php?date=2004-11-04
FTBM - Part IV - http://isc.sans.org/diary.php?date=2004-11-24
FTBM - Part V - http://isc.sans.org/diary.php?date=2005-05-11
FTBM - Part VI - http://isc.sans.org/diary.php?date=2005-07-13
FTBM - Part VII - http://isc.sans.org/diary.php?date=2005-07-20
FTBM - Part VIII - http://isc.sans.org/diary.php?date=2005-08-22
FTBM - Part IX - http://isc.sans.org/diary.php?date=2005-09-21
FTBM - Part X - http://isc.sans.org/diary.html?storyid=2682
Tom Liston: http://www.intelguardians.com