During the last week we have seen a new trick being used by Mal/Badsrc-C. The trick is not new but like all things in the malware world old tricks get re-used on a regular basis.
This trick is to encode the URL SRC in hexadecimal.
There are valid reasons why someone would encode a URL in hexadecimal. Here it is used purely for the purpose of obfuscating the code.
The problem for the malware author in this case is that it is easily de-obfuscated. A variety of tools will do the de-obfuscation because they need to know about the encoding e.g. WGET.
Simple tools can also be knocked up to do the job like this one in Internet Forensics (O'Reilly) .
die "Usage: $0 <hex encoded URL>" unless @ARGV ==1;
$ARGV =~ s/\%(..)/chr hex $1/ge;
print $ARGV . "\n";
The beauty of using Perl for the job is that the code is:
- easily modified
As for the cryptic subject well that is a little puzzle and you should submit answers to email@example.com.