Hail and farewell

Filed Under: SophosLabs

During the last week we have seen a new trick being used by Mal/Badsrc-C. The trick itself is not new, but, as with most things in the malware world, old tricks get re-used on a regular basis.

The trick is to encode the URL in the SRC attribute in hexadecimal (percent-encoding, where each byte is written as %XX).

[Image: hexidecimal.jpg]

There are valid reasons why someone would percent-encode a URL (reserved and non-ASCII characters have to be encoded). Here it is used purely to obfuscate the code.

The problem for the malware author in this case is that it is easily de-obfuscated. Any tool that fetches URLs has to understand this encoding, so a variety of tools will do the de-obfuscation for you, e.g. WGET.

Simple tools can also be knocked up to do the job, like this one from Internet Forensics (O'Reilly).


#!/usr/bin/perl -w
# Decode a percent-encoded (%XX) URL given as the only command-line argument.
use strict;
die "Usage: $0 <hex encoded URL>\n" unless @ARGV == 1;
# Replace each %XX escape (two hex digits) with the byte it stands for.
$ARGV[0] =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
print $ARGV[0] . "\n";

The beauty of using Perl for the job is that the code is:

  • cross-platform
  • easily modified
  • extensible
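The same decoding, extended to the way an analyst would actually use it: pull every SRC attribute out of a page, decode it until no escapes remain, and flag the ones where unreserved ASCII characters (letters, digits) were percent-encoded, which legitimate encoding never does. This is an added example, not code from the original post or from the O'Reilly book; the HTML snippet is constructed for illustration and the obfuscation heuristic is an assumption based on RFC 3986's unreserved set.

```python
import re
from urllib.parse import unquote

# Constructed sample page (not from the original post): one ordinary src,
# one fully hex-encoded src of the kind described above, and one legitimate
# URL with encoded non-ASCII and a double-encoded query value.
SAMPLE_HTML = """
<img src="/images/logo.png">
<script src="%68%74%74%70%3A%2F%2F%65%78%61%6D%70%6C%65%2E%63%6F%6D%2F%6C%6F%61%64%2E%6A%73"></script>
<iframe src="http://example.net/page?q=caf%C3%A9&x=%2526"></iframe>
"""

SRC_RE = re.compile(r'\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
HEX_ESCAPE_RE = re.compile(r'%[0-9A-Fa-f]{2}')

# RFC 3986 "unreserved" characters: these never need percent-encoding, so an
# escape that decodes to one of them is a sign of deliberate obfuscation.
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def decode_hex_url(url, max_rounds=3):
    """Percent-decode repeatedly until no %XX escapes remain (or max_rounds
    is reached). Returns (decoded_url, rounds_needed); rounds > 1 means the
    value was encoded more than once."""
    current, rounds = url, 0
    while rounds < max_rounds and HEX_ESCAPE_RE.search(current):
        nxt = unquote(current)
        if nxt == current:
            break
        current, rounds = nxt, rounds + 1
    return current, rounds


def looks_obfuscated(url):
    """Heuristic (assumption): flag a URL if any %XX escape decodes to an
    unreserved ASCII character, since normal encoders leave those bare."""
    for m in HEX_ESCAPE_RE.finditer(url):
        if chr(int(m.group(0)[1:], 16)) in UNRESERVED:
            return True
    return False


def extract_src_urls(html):
    """Return the raw value of every src="..." / src='...' attribute."""
    return SRC_RE.findall(html)


def analyse(html):
    """Decode every SRC URL in the page and annotate it for triage."""
    results = []
    for raw in extract_src_urls(html):
        decoded, rounds = decode_hex_url(raw)
        results.append({
            "raw": raw,
            "decoded": decoded,
            "rounds": rounds,
            "obfuscated": looks_obfuscated(raw),
        })
    return results


if __name__ == "__main__":
    for r in analyse(SAMPLE_HTML):
        flag = "OBFUSCATED" if r["obfuscated"] else "ok"
        print(f"[{flag}] rounds={r['rounds']} {r['raw']} -> {r['decoded']}")
```

Note that `decode_hex_url` keeps decoding until the value is stable, so a legitimately double-encoded parameter (the `%2526` above) also comes out fully decoded; the `rounds` count is what tells you that happened, and the obfuscation flag stays off because only reserved characters were escaped.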

As for the cryptic subject line, well, that is a little puzzle, and you should submit answers to sophosblog@sophos.com.
