URL sharing security tips... (was: [no subject])

Fairlight fairlite at fairlite.com
Thu Sep 23 20:43:43 PDT 2010 

The honourable and venerable Ken Cole spoke thus:
> Yep,
> 
> I deleted both immediately!

Good idea.  :)

I kept mine around to analyse.

After I sent my message, I realised a third point that I didn't address:

* Risk assessment rises in proportion to the size of the address distribution 
  list on any already-suspicious email.

(Apparently virus writers are too damned lazy to use Bcc or send messages
individually.)

And just to illustrate the point, I threw my RawQuery product at this in
hop-trace mode, which is a perfectly safe way to test, as it only writes
the responses to file and is done on a *nix system, with no JS or other
scripting to be exploited, and no execution capabilities.  

Here are the results:

[shell1] [~] [11:35pm]: rawquery -s -S -mget -n -t -u http://bit.ly/ao8ZRH

Final resolved URL:
http://cn8vy.joinfacebooktoconnect.com/undo/und4.html
==============================================================================

*** HOP #1
*** HEADERS FOR URL:  http://bit.ly/ao8ZRH
***
Connection: close
Date: Fri, 24 Sep 2010 03:33:11 GMT
Location: http://twurl.nl/6przla
Server: nginx/0.7.67
Content-Length: 284
Content-Type: text/html; charset=utf-8
Client-Date: Fri, 24 Sep 2010 03:33:10 GMT
Client-Response-Num: 1
MIME-Version: 1.0
Set-Cookie: _bit=4c9c1bf7-00234-0509b-b2a08fa8;domain=.bit.ly;expires=Tue Mar 22 23:33:11 2011;path=/; HttpOnly
Title: Moved
------------------------------------------------------------------------------
*** HOP #2
*** HEADERS FOR URL:  http://twurl.nl/6przla
***
Cache-Control: no-cache
Connection: close
Date: Fri, 24 Sep 2010 03:32:42 GMT
Location: http://cn8vy.joinfacebooktoconnect.com/undo/und4.html
Server: Apache/2.2.3 (Debian) DAV/2 SVN/1.4.2 PHP/5.2.0-8+etch13 Phusion_Passenger/2.0.5
Content-Length: 119
Content-Type: text/html; charset=utf-8
Client-Date: Fri, 24 Sep 2010 03:33:10 GMT
Client-Response-Num: 1
Set-Cookie: _tweetburner_session=BAh7BiIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%0ASGFzaHsABjoKQHVzZWR7AA%3D%3D--e7a0a84a54dd443ece2340d671b9f5e7727ac7f0; path=/
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.0.5, Enterprise Edition
X-Runtime: 0.00342
------------------------------------------------------------------------------
*** HOP #3 (FINAL)
*** HEADERS FOR FINAL URL:  http://cn8vy.joinfacebooktoconnect.com/undo/und4.html
***
Connection: close
Date: Fri, 24 Sep 2010 03:31:51 GMT
Accept-Ranges: bytes
ETag: "83e98-5b-490db47949500"
Server: nginx/0.7.65
Content-Length: 91
Content-Type: text/html
Last-Modified: Wed, 22 Sep 2010 16:03:00 GMT
Client-Date: Fri, 24 Sep 2010 03:33:10 GMT
Client-Response-Num: 1
REFRESH: 0; url=http://babad.ru/?cid=und4

<head>

<meta HTTP-EQUIV="REFRESH" content="0; url=http://babad.ru/?cid=und4">

</head>

==============================================================================

The only reason the "final resolved URL" is not babad.ru is because it
appears to have been shut down already...connection refused.  So RawQuery
reported the last -usable- hop.  But yeah, this definitely looks like a
virus/malware/phishing attempt.

I love the way they bounce it through not one, but -two- URL shorteners,
then a non-shortener redirect relay before actually getting to the presumed
payload delivery site.  Cute.  :/

mark->

More information about the Filepro-list mailing list