URL sharing security tips... (was: [no subject])
Fairlight
fairlite at fairlite.com
Thu Sep 23 20:43:43 PDT 2010
The honourable and venerable Ken Cole spoke thus:
> Yep,
>
> I deleted both immediately!
Good idea. :)
I kept mine around to analyse.
After I sent my message, I realised a third point that I didn't address:
* Risk assessment rises in proportion to the size of the address distribution
list on any already-suspicious email.
(Apparently virus writers are too damned lazy to use Bcc or send messages
individually.)
And just to illustrate the point, I threw my RawQuery product at this in
hop-trace mode, which is a perfectly safe way to test, as it only writes
the responses to file and is done on a *nix system, with no JS or other
scripting to be exploited, and no execution capabilities.
Here are the results:
[shell1] [~] [11:35pm]: rawquery -s -S -mget -n -t -u http://bit.ly/ao8ZRH
Final resolved URL:
http://cn8vy.joinfacebooktoconnect.com/undo/und4.html
==============================================================================
*** HOP #1
*** HEADERS FOR URL: http://bit.ly/ao8ZRH
***
Connection: close
Date: Fri, 24 Sep 2010 03:33:11 GMT
Location: http://twurl.nl/6przla
Server: nginx/0.7.67
Content-Length: 284
Content-Type: text/html; charset=utf-8
Client-Date: Fri, 24 Sep 2010 03:33:10 GMT
Client-Response-Num: 1
MIME-Version: 1.0
Set-Cookie: _bit=4c9c1bf7-00234-0509b-b2a08fa8;domain=.bit.ly;expires=Tue Mar 22 23:33:11 2011;path=/; HttpOnly
Title: Moved
------------------------------------------------------------------------------
*** HOP #2
*** HEADERS FOR URL: http://twurl.nl/6przla
***
Cache-Control: no-cache
Connection: close
Date: Fri, 24 Sep 2010 03:32:42 GMT
Location: http://cn8vy.joinfacebooktoconnect.com/undo/und4.html
Server: Apache/2.2.3 (Debian) DAV/2 SVN/1.4.2 PHP/5.2.0-8+etch13 Phusion_Passenger/2.0.5
Content-Length: 119
Content-Type: text/html; charset=utf-8
Client-Date: Fri, 24 Sep 2010 03:33:10 GMT
Client-Response-Num: 1
Set-Cookie: _tweetburner_session=BAh7BiIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%0ASGFzaHsABjoKQHVzZWR7AA%3D%3D--e7a0a84a54dd443ece2340d671b9f5e7727ac7f0; path=/
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.0.5, Enterprise Edition
X-Runtime: 0.00342
------------------------------------------------------------------------------
*** HOP #3 (FINAL)
*** HEADERS FOR FINAL URL: http://cn8vy.joinfacebooktoconnect.com/undo/und4.html
***
Connection: close
Date: Fri, 24 Sep 2010 03:31:51 GMT
Accept-Ranges: bytes
ETag: "83e98-5b-490db47949500"
Server: nginx/0.7.65
Content-Length: 91
Content-Type: text/html
Last-Modified: Wed, 22 Sep 2010 16:03:00 GMT
Client-Date: Fri, 24 Sep 2010 03:33:10 GMT
Client-Response-Num: 1
REFRESH: 0; url=http://babad.ru/?cid=und4
<head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://babad.ru/?cid=und4">
</head>
==============================================================================
The only reason the "final resolved URL" is not babad.ru is because it
appears to have been shut down already...connection refused. So RawQuery
reported the last -usable- hop. But yeah, this definitely looks like a
virus/malware/phishing attempt.
I love the way they bounce it through not one, but -two- URL shorteners,
then a non-shortener redirect relay before actually getting to the presumed
payload delivery site. Cute. :/
mark->
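A minimal hop tracer in the same spirit, added here as an example (my own code, not RawQuery's and not part of the original post): it follows 3xx Location headers, Refresh headers and meta-refresh tags without rendering or executing anything, stops on a loop or a hop cap, and when a later hop refuses the connection it reports the last hop that actually answered, which is what RawQuery did above. The CHAIN table and fake_fetch are constructed stand-ins that reproduce the chain from the post so the script runs offline; http_fetch is a real fetcher that deliberately does not follow redirects on its own, so every hop is recorded.

```python
"""Safe redirect-hop tracer (added example, not RawQuery's code)."""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Response = Tuple[int, Dict[str, str], str]  # (status, headers, body)

# <meta http-equiv="refresh" content="0; url=...">, case-insensitive,
# attribute order http-equiv then content (the form seen in the post).
META_REFRESH = re.compile(
    r'<meta[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*'
    r'content\s*=\s*["\']?\s*\d+\s*;\s*url\s*=\s*([^"\'>\s]+)',
    re.IGNORECASE,
)
# Same payload when sent as an HTTP "Refresh: 0; url=..." header.
REFRESH_HEADER = re.compile(r"^\s*\d+\s*;\s*url\s*=\s*(\S+)", re.IGNORECASE)


@dataclass
class Hop:
    url: str
    status: Optional[int]            # None when the connection failed
    next_url: Optional[str]          # where this hop sends us, if anywhere
    error: Optional[str] = None


def next_location(url: str, status: int, headers: Dict[str, str], body: str) -> Optional[str]:
    """Redirect target of one response, or None. Headers keys are lowercase."""
    if 300 <= status < 400 and headers.get("location"):
        return urllib.parse.urljoin(url, headers["location"].strip())
    m = REFRESH_HEADER.match(headers.get("refresh", ""))
    if m:
        return urllib.parse.urljoin(url, m.group(1))
    m = META_REFRESH.search(body[:65536])  # string scan only: no parsing tree, no JS
    if m:
        return urllib.parse.urljoin(url, m.group(1))
    return None


def trace(url: str, fetch: Callable[[str], Response], max_hops: int = 10) -> List[Hop]:
    """Follow the chain hop by hop; stop on loop, cap, dead end, or failure."""
    hops: List[Hop] = []
    seen = set()
    current = url
    while len(hops) < max_hops:
        if current in seen:
            hops.append(Hop(current, None, None, "redirect loop"))
            break
        seen.add(current)
        try:
            status, raw_headers, body = fetch(current)
        except OSError as exc:  # connection refused, DNS failure, timeout...
            hops.append(Hop(current, None, None, f"connection failed: {exc}"))
            break
        headers = {k.lower(): v for k, v in raw_headers.items()}
        nxt = next_location(current, status, headers, body)
        hops.append(Hop(current, status, nxt))
        if nxt is None:
            break
        current = nxt
    return hops


def last_usable(hops: List[Hop]) -> Optional[str]:
    """'Final resolved URL' in RawQuery's sense: the last hop that answered."""
    answered = [h for h in hops if h.status is not None]
    return answered[-1].url if answered else None


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface 3xx as HTTPError instead of following it


def http_fetch(url: str, timeout: float = 10.0) -> Response:
    """Real fetcher: one request, no redirect following, body capped at 64 KiB."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "hop-trace-example/0.1"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers.items()), resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:  # 3xx and 4xx/5xx land here
        return e.code, dict(e.headers.items()), e.read(65536).decode("utf-8", "replace")


# Constructed stand-in for the network, reproducing the chain from the post.
CHAIN: Dict[str, Response] = {
    "http://bit.ly/ao8ZRH": (301, {"Location": "http://twurl.nl/6przla"}, "Moved"),
    "http://twurl.nl/6przla": (302, {"Location": "http://cn8vy.joinfacebooktoconnect.com/undo/und4.html"}, ""),
    "http://cn8vy.joinfacebooktoconnect.com/undo/und4.html": (
        200, {"Content-Type": "text/html"},
        '<head>\n<meta HTTP-EQUIV="REFRESH" content="0; url=http://babad.ru/?cid=und4">\n</head>'),
}


def fake_fetch(url: str) -> Response:
    if url not in CHAIN:  # babad.ru: connection refused, as in the post
        raise ConnectionRefusedError(111, "Connection refused")
    return CHAIN[url]


if __name__ == "__main__":
    for i, h in enumerate(trace("http://bit.ly/ao8ZRH", fake_fetch), 1):
        print(f"HOP #{i}: {h.url} status={h.status} next={h.next_url} {h.error or ''}")
    print("Final resolved URL:", last_usable(trace("http://bit.ly/ao8ZRH", fake_fetch)))
```

Swap fake_fetch for http_fetch to run it against a live link; the tracer never evaluates the page, so the worst a hostile hop can do is send you an oversized or slow response, which the 64 KiB cap and timeout bound.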