Wednesday 14 December 2005
Decoding the spam: Inside the beast
by Steven Burn
First, for those that have not yet read the previous articles, let's take a look back.
In part 1 - A tribute to Joe, we dissected the body of a Rolex scam that led us, invariably, to Mr Buchar and his "cheap watches". Part 2 - From head to eternity saw us running through the headers of an e-mail to determine the real path the e-mail took to get to our poor inbox.
Well, as the last article of the year, I thought we'd take a look at safely decoding the encoded body and attachments of an e-mail, and how you can protect yourself - without having to be a geek.
Take for example, the following partial code. This code was taken from a recent bit of rubbish I received in my inbox, claiming to come from someone called "Bob Frye" with something to do with momentum building for whatever a "smallcap" is (what exactly is a smallcap anyway?).
Now, I've not actually decoded this myself yet, so I am as much in the dark as to what it is as you are. However, this is where it gets fun. Looking at the above, you could be forgiven for dismissing it as nothing but rubbish, and to be honest, in its current form - it is.
For this glimpse, we are going to use an online base64 decoder, made available by OpinionatedGeek Ltd. If you have not come across this site before, ensure you bookmark this little gem as it has proved itself extremely handy on several occasions (saves me writing a decoder for starters). The tool we're going to use is called "Base 64 Decoder", and can be found at:
We could just go straight in and use the safe decoder's big brother, but you'll find out in a second why it's best not to.
Taking the code from the e-mail, the first thing we do is re-format it (in layman's terms, this just means removing all of the line breaks), then dump it into the box that is provided on the website. Once the code is in the box, you simply click "Submit". The site then processes your code, and takes you back to a nice little page so you can take a look at it. Alas, in this case, it turned out to be harmless text.
Because I said you'd find out in a second why it's best not to use the safe decoder's big brother first, we're going to look at another e-mail. This one was received from a charter.com customer (68-113-75-10.dhcp.leds.al.charter.com) this morning and claims to be from, err, me actually (yes, you guessed it, they tried forging the headers).
Return-Path: <info@[REMOVED]>
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21 (smtpin09l.fasthosts.co.uk [127.0.0.1])
    by smtpin77.livemail.co.uk (Postfix) with SMTP id 8C197168121
    for <services@[REMOVED]>; Mon, 12 Dec 2005 01:35:12 +0000 (GMT)
Received: from [REMOVED] (68-113-75-10.dhcp.leds.al.charter.com [188.8.131.52])
    by smtpin77.livemail.co.uk (Postfix) with ESMTP id 0D9F1168121
    for <services@[REMOVED]>; Mon, 12 Dec 2005 01:35:04 +0000 (GMT)
Subject: You have successfully updated your password
Date: Sun, 11 Dec 2005 19:37:28 -0600
The only part of the e-mail we are interested in at the moment is the first few lines. The reason for this is that the code we are looking at is the "header" part of the e-mail's attachment (the header information tells us what type of file it is). Can you tell what this is from the following?
No? Okay, let's decode it then. As before, we simply paste the above into the safe decoder, and allow it to decode the mess for us. This time, we're given the following:
Now, if you took a quick glance, you'd probably first notice the alleged filename as being "account-password.txt". Fine, .txt files can't do any harm on their own. However, if you look at the next line, you then see ".pifMZ". PIF stands for "Windows Program Information File" and just like .cmd, .exe, .com et al, these are executable (program) files. (Tip: If you are ever unsure as to what a particular extension is, you can find out at: http://filext.com)
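The same check can be done offline, without pasting the attachment into a website. The Python sketch below is an added example, not part of the original article: it removes the line breaks, decodes only the first few bytes of the body, and reports the "MZ" marker and the real extension. The file name (with whitespace padding assumed between ".txt" and ".pif") and both bodies are constructed samples, not the original attachment.

```python
import base64
import os
import re

# Extensions the article lists as executable (program) files.
EXECUTABLE_EXTS = {".pif", ".cmd", ".exe", ".com"}

def decode_prefix(b64_text, nbytes=64):
    """Remove line breaks, then decode only the first nbytes of the body."""
    compact = re.sub(r"\s+", "", b64_text)
    chunk = compact[: -(-nbytes // 3) * 4]        # 4 base64 chars carry 3 bytes
    chunk = chunk[: len(chunk) - len(chunk) % 4]  # drop an incomplete group
    return base64.b64decode(chunk)[:nbytes]

def real_extension(filename):
    """Extension Windows will act on: whatever follows the LAST dot."""
    return os.path.splitext(filename.strip())[1].lower()

def inspect_attachment(filename, b64_text):
    """Return a list of reasons to treat the attachment as a program."""
    findings = []
    if decode_prefix(b64_text)[:2] == b"MZ":
        findings.append("content starts with MZ (DOS/Windows executable)")
    ext = real_extension(filename)
    if ext in EXECUTABLE_EXTS:
        findings.append("real extension is " + ext)
    if re.search(r"\.\w{1,4}\s*\.\w{1,4}$", filename.strip()):
        findings.append("double extension hides the real file type")
    return findings

# Constructed samples (not the original attachment): "MZ" plus filler bytes,
# and a short text file, both base64-encoded with line breaks as in an e-mail.
# The padding spaces in the suspect name are an assumption for illustration.
SUSPECT_NAME = "account-password.txt" + " " * 40 + ".pif"
SUSPECT_BODY = base64.encodebytes(b"MZ" + bytes(100)).decode("ascii")
TEXT_NAME = "newsletter.txt"
TEXT_BODY = base64.encodebytes(b"Momentum is building...\n").decode("ascii")

if __name__ == "__main__":
    for name, body in ((SUSPECT_NAME, SUSPECT_BODY), (TEXT_NAME, TEXT_BODY)):
        print(repr(name), inspect_attachment(name, body) or "no findings")
```

Because only the first bytes are decoded and nothing is written to disk, the attachment is never saved or run while you look at it.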
Normally when we receive executables in e-mails, the e-mail gets deleted immediately. However, this would leave this article at a strange ending, so instead, we're going to find out what's inside it. Looking at the e-mail's source, we can see the content itself is harmless enough (plain text), so we are okay to open the e-mail (side note: if your e-mail contains coding that suggests it is going to load an image (screenshot: ../imgSpamImgSnap.gif) or HTML (screenshot: ../imgSpamHTMLSnap.gif), then we wouldn't open it as the image/file itself could be infected).
The first thing we do is save the file to our hard drive. If the antivirus that is installed on the system is up to date and running, and the file contains a worm, virus or trojan, it should pick it up as soon as you do this. However, not all of them will, so extreme caution should be taken to ensure the file is not accidentally run (i.e. NEVER click "Open").
Once the file has been saved, we then load up our favourite online virus scanner (http://virusscan.jotti.org/) and click the Browse button to locate the file. Clicking Submit then allows the scanner to analyse our file.
From the results, it's quite clear what the file actually contains, so quite obviously, this gets deleted. Now you may think you won't get infected if you don't open the e-mail, and in most cases, this is quite true. However, how many of you allow HTML e-mail? How many of you use the preview pane? How many of you open an e-mail when you see the "from" address as being from someone you know? If you answer "I do" to any of those, you stand a much greater chance of being infected.
Take, for example, the second e-mail shown in this article. The "from" line shows it as coming from "firstname.lastname@example.org". If you received this e-mail - would you open it? (bearing in mind, you'd not yet looked at its content). With specific regard to HTML e-mail, whilst it looks nice and pretty with its fancy fonts and enticing images, it hides a more sinister possibility.
If you've ever been on a website and had the site install spyware, do you re-visit the site? Of course not. So why put up with it in e-mails? An HTML e-mail allows infection via several methods, the most common being either via scripts, or images. By disabling HTML e-mail and reading it in plain text only, you are considerably decreasing the risks of your computer being infected with everything from worms to viruses to spyware.
Unfortunately, this also applies to the e-mail client's preview pane. When you highlight an e-mail in your e-mail client, and you have the preview pane active, the e-mail and its content are loaded instantly. This includes any scripts, images or HTML etc. that it may contain (of course, you could just disable attachments, but this is not viable for everyone so it would be rather silly to suggest it).
I could probably waffle on about this to the end of eternity, but instead I'll close it there. For excellent advice and tips on how you can help yourself with regards to e-mail, please see the following references.
Is your e-mail safe?