Hail and farewell

During the last week we have seen a new trick being used by Mal/Badsrc-C. The trick itself is not new, but, like all things in the malware world, old tricks get re-used on a regular basis.

This trick is to encode the URL in the SRC attribute as hexadecimal (%XX) escapes.


There are valid reasons why someone would encode a URL in hexadecimal. Here it is used purely for the purpose of obfuscating the code.

The problem for the malware author in this case is that it is easily de-obfuscated. A variety of tools will do the de-obfuscation because they need to understand the encoding anyway, e.g. wget.

Simple tools can also be knocked up to do the job, like this one from Internet Forensics (O'Reilly):

#!/usr/bin/perl -w
# Decode a %XX-encoded URL given as the single command-line argument.
die "Usage: $0 <hex encoded URL>" unless @ARGV == 1;
$ARGV[0] =~ s/\%(..)/chr hex $1/ge;   # replace each %XX escape with the character it encodes
print $ARGV[0] . "\n";

The beauty of using Perl for the job is that the code is:

  • cross-platform
  • easily modified
  • extensible
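As an added example (not code from the original post or from Sophos), here is the same de-obfuscation written in Python and turned into a small triage check: it pulls the SRC attribute out of script, iframe, img and embed tags, decodes any %XX escapes exactly as the Perl one-liner does, and flags the case that legitimate encoding never produces, namely escapes inside the scheme or host name. The HTML snippet and the host names in it are constructed for the example.

```python
import re
import html

# Constructed sample markup (not from the page): one script src with its host
# and path fully hex-encoded, one ordinary src, and one iframe whose scheme
# "http://" is encoded.
SAMPLE_HTML = (
    '<script src="http://%65%78%61%6d%70%6c%65%2e%74%65%73%74/%6a%73/%61%2e%6a%73"></script>\n'
    '<script src="http://static.example.test/lib.js"></script>\n'
    '<iframe src="%68%74%74%70%3a%2f%2fexample.test/x"></iframe>'
)

# Tags whose src attribute can pull in remote content.
SRC_RE = re.compile(
    r'<(script|iframe|img|embed)\b[^>]*?\bsrc\s*=\s*["\']([^"\']+)["\']', re.I
)
# One %XX escape, the same pattern the Perl substitution matches.
HEX_RE = re.compile(r'%([0-9A-Fa-f]{2})')


def decode_hex_url(url):
    """Replace every %XX escape with the character it encodes."""
    return HEX_RE.sub(lambda m: chr(int(m.group(1), 16)), url)


def find_encoded_srcs(markup):
    """Return (tag, decoded_src, escape_count, host_encoded) for each src
    attribute that contains at least one %XX escape.

    host_encoded is True when an escape appears before the path, i.e. in the
    scheme or host portion. Routine percent-encoding is confined to the path
    and query, so an encoded scheme or host is a strong obfuscation signal.
    """
    findings = []
    for m in SRC_RE.finditer(markup):
        tag = m.group(1).lower()
        raw = html.unescape(m.group(2))
        escapes = HEX_RE.findall(raw)
        if not escapes:
            continue
        # Split at most on "scheme:", "", "host"; any '%' there is suspicious.
        head = raw.split('/', 3)[:3]
        host_encoded = any('%' in part for part in head)
        findings.append((tag, decode_hex_url(raw), len(escapes), host_encoded))
    return findings


if __name__ == "__main__":
    for tag, decoded, count, suspicious in find_encoded_srcs(SAMPLE_HTML):
        flag = "OBFUSCATED" if suspicious else "encoded-path"
        print(f"{tag:7s} {count:3d} escapes  {flag:13s} -> {decoded}")
```

The decoded URL is what a reviewer or a URL reputation lookup should be given, since the raw attribute value will not match any blocklist. The host_encoded flag is the cheap heuristic: a path segment such as `a%20b` is ordinary, while a host spelled entirely in `%XX` escapes has no benign reason to exist.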

As for the cryptic subject line, well, that is a little puzzle, and you should submit answers to sophosblog@sophos.com.