During the last week we have seen a new trick being used by Mal/Badsrc-C. The trick is not new but like all things in the malware world old tricks get re-used on a regular basis.
This trick is to encode the URL SRC in hexadecimal.
There are valid reasons why someone would encode a URL in hexadecimal. Here it is used purely for the purpose of obfuscating the code.
The problem for the malware author in this case is that it is easily de-obfuscated. A variety of tools will do the de-obfuscation because they need to know about the encoding e.g. WGET.
Simple tools can also be knocked up to do the job like this one in Internet Forensics (O'Reilly) .
#!/usr/bin/perl -w
die "Usage: $0 <hex encoded URL>" unless @ARGV ==1;
$ARGV[0] =~ s/\%(..)/chr hex $1/ge;
print $ARGV[0] . "\n";
The beauty of using Perl for the job is that the code is:
- cross-platform
- easily modified
- extensible
As for the cryptic subject well that is a little puzzle and you should submit answers to sophosblog@sophos.com.
![Password security infomerical leaves Ellen DeGeneres in disbelief.. and it will you too [VIDEO]](http://sophosnews.files.wordpress.com/2013/04/ellen-thumb.jpg?w=75&h=75&crop=1)
![Can multiple moving cursors really hide your password from spyware and peepers? [VIDEO]](http://sophosnews.files.wordpress.com/2013/03/cursors-thumb.jpg?w=75&h=75&crop=1)
