[Dshield] I would like help decoding abuse script for clues

Dave Hull dphull at trustedsignal.com
Sun Dec 16 17:43:19 GMT 2007


On 12/15/07, Team Amber Beistle <beistle_jr at hotmail.com> wrote:
> I have several destination scripts downloaded. Does anyone have experience with this kind
> of code?

Yes.

> Can forensics identify the scripts like viruses?

Interesting question. A digital forensic analyst worth her salt ought
to be able to recover malware on a system, especially if it's a
script. If it's a packed compiled binary then more specialized reverse
engineering skills are called for that the average forensic analyst
may not possess.

> Is there a repository for such code that can show a timeline of when it was first recorded and where
> it was first released?

I don't know of a single comprehensive source for this information,
but you can sometimes find it by searching various malware archives,
anti-virus company web sites or other security forums.

> ... Is there a legal strategy to go after the users of such code that reuses code from other
> companies in violation of licenses or copyrights?

Somehow I doubt the people putting out malicious software care about
the fact that they may be violating copyright.

> I believe this is part of a classic phish schema to reroute traffic by comment spam, then recruit
> a new school of victims who visit such URL destinations. The file on the server is a txt file, extant in
> the destination URLs; they are the full URL of the file with a question mark appended to the URL ...
> I believe it is accessed as an active server-side script to log the ID and info of the visitor who
> is browsing. Then they are sent phish email or other spam streams.

Hm. How are the attackers getting the victims' email addresses? Just
because I visit a web site with my browser doesn't mean the
destination web site can collect my email address. My IP, sure, but
there's no SMTP server at the IP address that I'm browsing from.

Do the sites in question have web forms that the users are filling
out, thus divulging their contact info? If so, user education and
blocking of such web sites after you learn of them is a good defense.

A bigger problem is the drive-by-downloads that are probably being
installed on the users' systems when they visit these sites.

-- 
Dave Hull
CISSP, GCIH, GREM, SSP-MPA, CHFI
Trusted Signal, LLC
http://trustedsignal.com
Tel. 785.424.0832
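As an added example (not code from this thread or from either poster), the following Python sketch shows what a server-side "visitor logger" sitting behind a tracking URL of the kind described above (a file URL with a `?` appended) can actually record from a plain page view, and why Dave's objection holds: the request carries the peer IP, the User-Agent, the Referer and whatever tag the spammer put after the `?`, but an e-mail address only shows up if the visitor submits one in a form. The two HTTP requests, host names and the `c=` campaign tag are constructed for the example.

```python
"""What a tracking-URL logger can and cannot learn from one browser hit.

Added example; not code from the original thread. The sample requests,
host names and the 'c=' campaign tag below are constructed.
"""
from urllib.parse import parse_qs, urlsplit


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, target, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target,
            "headers": headers, "body": body.decode("latin-1")}


def log_visit(raw: bytes, peer_ip: str) -> dict:
    """Return the record a server-side tracking script could write for one hit.

    Every field comes from the TCP peer address, the request line or the
    request headers. 'email' is filled only when the visitor POSTs a form
    field called 'email'; a plain GET of the tracking URL never yields it.
    """
    req = parse_request(raw)
    parts = urlsplit(req["target"])
    form_post = (req["method"] == "POST" and req["headers"]
                 .get("content-type", "")
                 .startswith("application/x-www-form-urlencoded"))
    record = {
        "ip": peer_ip,
        "path": parts.path,
        # Text after the '?' is whatever the operator appended, e.g. a tag
        # naming the comment-spam post the victim clicked through from.
        "campaign_tag": parts.query or None,
        "user_agent": req["headers"].get("user-agent"),
        # Referer reveals the page (often the spammed blog) that linked here.
        "referer": req["headers"].get("referer"),
        "email": None,
    }
    if form_post:
        record["email"] = parse_qs(req["body"]).get("email", [None])[0]
    return record


# Constructed sample traffic (not captured from any real site) -----------
GET_HIT = (
    b"GET /img/logo.txt?c=blogspam-2007-12 HTTP/1.1\r\n"
    b"Host: tracker.example\r\n"
    b"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1)\r\n"
    b"Referer: http://victim-blog.example/post/123#comments\r\n"
    b"\r\n"
)

FORM_HIT = (
    b"POST /claim-prize HTTP/1.1\r\n"
    b"Host: tracker.example\r\n"
    b"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1)\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 39\r\n"
    b"\r\n"
    b"name=Jane&email=jane%40example.org&ok=1"
)

if __name__ == "__main__":
    for raw in (GET_HIT, FORM_HIT):
        print(log_visit(raw, "198.51.100.7"))
```

Running it shows the GET record with an IP, User-Agent, Referer and campaign tag but `email: None`, while only the POSTed form produces an address. That is the practical split Dave draws: a drive-by visit gives the operator correlation data and a foothold for drive-by downloads, and the mailing list comes from forms the users fill in.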
