I.T. Mate
Menu: Home | About | Articles | Blog | Contact Us | Downloads | News | Search | Services | Support

hphosts logo
hpHosts HOSTS file
sGB Hosted Guestbooks
sURL URL redirection
vURL Webpage dissection

I.T. Mate
AB Archive
hpHosts Blog
hpHosts Online
Phishing Scams
Product Support
vURL Online

Friends ...
Helen Benoist
Wrightway Computers


Saturday 08 October 2005 - Decoding the spam: A tribute to Joe
Decoding the spam: A tribute to Joe
By Steven Burn

If you've been following the news lately, you may remember my mentioning Tom Liston's series 'Follow the bouncing malware' (FTBM) and the adventures of Joe. Well I decided to give Joe and Tom a rest and do a little dissecting myself.

Not being much of a Javascript user I found myself extremely thankful that I keep all of the FTBM series bookmarked (though irritatingly, have never gotten round to indexing them or I could have saved myself a little time when I noticed I'd need one of the routines Tom mentioned).

This trip started out simple enough, with an e-mail arriving in my inbox from a chap called "darron buchar". As I do with all e-mails I receive, I opened up the properties to look at the source (those of us that use MS Outlook Express do this by right clicking the e-mail in question and selecting "Properties", then the "Details" tab, then the "Message Source" button).

The e-mail contained what was quite obviously spam, and to be honest, I should have just left it there and deleted it, but being the inquisitive sort - didn't, I couldn't, I felt compelled to investigate further. The first thing I did was to take the URL contained within the e-mail and run it through the vURL dissection process.


This at first looked quite normal, until around half way down when I began noticing encoded Javascript. Remembering what Tom had mentioned in A Fresh Bounce, I decided to go looking back at the FTBM series to refresh my memory on decoding Javascript (I'm more of a VBScript fan myself). As luck would have it, I ended up going through all of them before finding the correct one (someone please remind me to index these things in future).

I did as Tom mentioned and added a little extra to use the script against itself, then saved it to a local htm file. Against the advice of Tom, I ran it on what is normally the machine I use for surfing the internet (IE is blocked so no outgoing connections can be made) and the script did almost exactly as Tom said. It first tried an outgoing connection, this was obviously automatically blocked, and the script then proceeded to do what I intended and outputted the decoded script to my wonderful text file.

With my newly created text file, and Greenday playing in the background, I proceeded to read through the now decoded Javascript file that, had I not been the paranoid sort, was to be run on my poor computer. Now, unless I am missing something here, this script is supposed to send me to a random website, chosen from those that it places in the array "tds" (what, no exploit?). Alas I was to be disappointed when, upon dissecting the first site in the list, I was to find nothing more than what appeared to be a store selling replica rolex's (why does Tom get all of the interesting one's?).

There is actually a funny side to this however. Not only has whomever sent this, spent lord knows how much on all of these .com's, they've tried hiding their little scam using easily reversable Javascript code and worse still, have referenced a Geocities website as the "front" of it all (a quick e-mail was fired off to Geocities with my findings so we will hopefully see this one removed within the next few days).

In closing, I would like to give a little message to the people that come up with this stuff.

If you are going to try and scam people (especially using spam), atleast spend a little more time on hiding it and if you are wanting to sell people your rubbish, atleast put a little effort into making it at the very least appear to look legit (the websites you've used here make it blatantly obvious that it is a scam). Scammers and spammers have a bad enough name with people such as myself as it is, without your having to make it worse.

UPDATE: 08-10-2005 12:30 GMT London

It would seem Mr Buchar was not content with only the one.


Same code, different name - same scam.

Screenshot: http://mysteryfcm.co.uk/images/articles/imgbuchar_source2.gif


About vURL

The Tom Liston Fanclub

For those that have not yet read the FTBM (Follow the Bouncing Malware) series, below are links to each edition.

FTBM - Part I - http://isc.sans.org/diary.php?date=2004-07-23
FTBM - Part II - http://isc.sans.org/diary.php?date=2004-08-23
FTBM - Part III - http://isc.sans.org/diary.php?date=2004-11-04
FTBM - Part IV - http://isc.sans.org/diary.php?date=2004-11-24
FTBM - Part V - http://isc.sans.org/diary.php?date=2005-05-11
FTBM - Part VI - http://isc.sans.org/diary.php?date=2005-07-13
FTBM - Part VII - http://isc.sans.org/diary.php?date=2005-07-20
FTBM - Part VIII - http://isc.sans.org/diary.php?date=2005-08-22
FTBM - Part IX - http://isc.sans.org/diary.php?date=2005-09-21
FTBM - Part X - http://isc.sans.org/diary.html?storyid=2682

Tom Liston: http://www.intelguardians.com

Part 1 | Part 2 | Part 3 | Part 4 | Part 5
<< Back to Articles Discuss this article

Archives: 2003 | 2004 | 2005/6

Sophie Lancaster Foundation

End User Licence Agreement | Help Us | Privacy Policy | Terms of Use
Copyright 1998 - 2019 I.T. Mate - All Rights Reserved