
base64 encoded sextorsion
Good day Guys

I would like to ask if someone could help write a rule for the following
base64 encoded sextorsion.

https://pastebin.com/raw/MWYmfkuh

I tried using rawbody. But it was proving to not work and be the right
solution. Below is me testing.

i.e.
body BASESEX /8J2XrvCdmIHwnZiB8J2XsvCdl7vwnZiB8J2XtvCdl7zwnZe7/
describe BASESEX Base64 Sextorsion
score BASESEX 2.0

If anyone could assist, it would be appreciated.

Kind regards
Brent Clark
Re: base64 encoded sextorsion
Sorry in that example I copied body.
I tried rawbody and body.

Regards
Brent

On 2020/04/22 16:11, Brent Clark wrote:
> Good day Guys
>
> I would like to ask if someone could help write a rule for the following
> base64 encoded sextorsion.
>
> https://pastebin.com/raw/MWYmfkuh
>
> I tried using rawbody. But it was proving to not work and be the right
> solution. Below is me testing.
>
> i.e.
> body     BASESEX /8J2XrvCdmIHwnZiB8J2XsvCdl7vwnZiB8J2XtvCdl7zwnZe7/
> describe BASESEX Base64 Sextorsion
> score    BASESEX 2.0
>
> If anyone could assist, it would be appreciated.
>
> Kind regards
> Brent Clark
Re: base64 encoded sextorsion
I want to add, I tried this as well, and it *did* match. But it feels
clunky.

https://pastebin.com/raw/7FaqnByB

Regards
Brent

On 2020/04/22 16:14, Brent Clark wrote:
> Sorry in that example I copied body.
> I tried rawbody and body.
>
> Regards
> Brent
>
> On 2020/04/22 16:11, Brent Clark wrote:
>> Good day Guys
>>
>> I would like to ask if someone could help write a rule for the
>> following base64 encoded sextorsion.
>>
>> https://pastebin.com/raw/MWYmfkuh
>>
>> I tried using rawbody. But it was proving to not work and be the right
>> solution. Below is me testing.
>>
>> i.e.
>> body     BASESEX /8J2XrvCdmIHwnZiB8J2XsvCdl7vwnZiB8J2XtvCdl7zwnZe7/
>> describe BASESEX Base64 Sextorsion
>> score    BASESEX 2.0
>>
>> If anyone could assist, it would be appreciated.
>>
>> Kind regards
>> Brent Clark
Re: base64 encoded sextorsion
I've updated replace_tags with these 4-byte UTF-8 characters, whatever they
are, will look more in depth later..

For example replace_tag A ....[\xf0][\x9d][\x97][\xae]

Now your example hits at least these rules

3.6 FUZZY_BITCOIN BODY: Obfuscated "Bitcoin"
1.0 BITCOIN_EXTORT_02 Extortion spam, pay via BitCoin

Will take a day or two to end up in sa-update..


On Wed, Apr 22, 2020 at 04:44:25PM +0200, Brent Clark wrote:
> I want to add, I tried this as well, and it *did* match. But it feels
> clunky.
>
> https://pastebin.com/raw/7FaqnByB
>
> Regards
> Brent
>
> On 2020/04/22 16:14, Brent Clark wrote:
> >Sorry in that example I copied body.
> >I tried rawbody and body.
> >
> >Regards
> >Brent
> >
> >On 2020/04/22 16:11, Brent Clark wrote:
> >>Good day Guys
> >>
> >>I would like to ask if someone could help write a rule for the following
> >>base64 encoded sextorsion.
> >>
> >>https://pastebin.com/raw/MWYmfkuh
> >>
> >>I tried using rawbody. But it was proving to not work and be the right
> >>solution. Below is me testing.
> >>
> >>i.e.
> >>body     BASESEX /8J2XrvCdmIHwnZiB8J2XsvCdl7vwnZiB8J2XtvCdl7zwnZe7/
> >>describe BASESEX Base64 Sextorsion
> >>score    BASESEX 2.0
> >>
> >>If anyone could assist, it would be appreciated.
> >>
> >>Kind regards
> >>Brent Clark
Re: base64 encoded sextorsion
On 4/22/20 5:43 PM, Henrik K wrote:
>
> I've updated replace_tags with these 4-byte UTF-8 characters, whatever they
> are, will look more in depth later..
>
you have been faster, I have the same diff on my tree and I was going to commit it :-)

Giovanni

> For example replace_tag A ....[\xf0][\x9d][\x97][\xae]
>
> Now your example hits at least these rules
>
> 3.6 FUZZY_BITCOIN BODY: Obfuscated "Bitcoin"
> 1.0 BITCOIN_EXTORT_02 Extortion spam, pay via BitCoin
>
> Will take a day or two to end up in sa-update..
>
>
> On Wed, Apr 22, 2020 at 04:44:25PM +0200, Brent Clark wrote:
>> I want to add, I tried this as well, and it *did* match. But it feels
>> clunky.
>>
>> https://pastebin.com/raw/7FaqnByB
>>
>> Regards
>> Brent
>>
>> On 2020/04/22 16:14, Brent Clark wrote:
>>> Sorry in that example I copied body.
>>> I tried rawbody and body.
>>>
>>> Regards
>>> Brent
>>>
>>> On 2020/04/22 16:11, Brent Clark wrote:
>>>> Good day Guys
>>>>
>>>> I would like to ask if someone could help write a rule for the following
>>>> base64 encoded sextorsion.
>>>>
>>>> https://pastebin.com/raw/MWYmfkuh
>>>>
>>>> I tried using rawbody. But it was proving to not work and be the right
>>>> solution. Below is me testing.
>>>>
>>>> i.e.
>>>> body     BASESEX /8J2XrvCdmIHwnZiB8J2XsvCdl7vwnZiB8J2XtvCdl7zwnZe7/
>>>> describe BASESEX Base64 Sextorsion
>>>> score    BASESEX 2.0
>>>>
>>>> If anyone could assist, it would be appreciated.
>>>>
>>>> Kind regards
>>>> Brent Clark
Re: base64 encoded sextorsion
On Wed, 22 Apr 2020 16:11:48 +0200
Brent Clark wrote:

> Good day Guys
>
> I would like to ask if someone could help write a rule for the
> following base64 encoded sextorsion.


The obfuscation is the use of unicode mathematical sans-serif
characters rather than the encoding, which is automatically removed.

If you train it and retest you get a lot of tokens based on utf-8 byte
sequences like:


0.987-1--=f0=9d=97=b5=f0=9d=97=bf=f0=9d=98=80

so Bayes should learn these very quickly.
Re: base64 encoded sextorsion
On Wed, 22 Apr 2020, Giovanni Bechis wrote:

> On 4/22/20 5:43 PM, Henrik K wrote:
>>
>> I've updated replace_tags with these 4-byte UTF-8 characters, whatever they
>> are, will look more in depth later..
>>
> you have been faster, I have the same diff on my tree and I was going to commit it :-)

The italic and lowercase variants will be needed too. I expect we could
skip the Script ones as too unclear to be reasonable obfuscations, but a
lot of the Fraktur ones look clear enough to include.

https://www.utf8-chartable.de/unicode-utf8-table.pl?start=119808&number=1024

What a fun weekend project. {rolleyes}

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
Re: base64 encoded sextorsion
On Wed, Apr 22, 2020 at 04:54:22PM -0700, John Hardin wrote:
> On Wed, 22 Apr 2020, Giovanni Bechis wrote:
>
> >On 4/22/20 5:43 PM, Henrik K wrote:
> >>
> >>I've updated replace_tags with these 4-byte UTF-8 characters, whatever they
> >>are, will look more in depth later..
> >>
> >you have been faster, I have the same diff on my tree and I was going to commit it :-)
>
> The italic and lowercase variants will be needed too. I expect we could skip
> the Script ones as too unclear to be reasonable obfuscations, but a lot of
> the Fraktur ones look clear enough to include.
>
> https://www.utf8-chartable.de/unicode-utf8-table.pl?start=119808&number=1024
>
> What a fun weekend project. {rolleyes}

One should do something useful with their life or family, I suggest ignoring
this game of whackamole unless it takes a few minutes. :-D It's pointless to
try adding all combinations in _advance_, since all this is extremely simple
to bypass with random typos and whitespaces and whatever chars..
Re: base64 encoded sextorsion
Bitcoin spam using UTF-8 mathematical monospace characters-- except
that the html tags have to be in the low ascii character range of
UTF-8.

Does outlook.com make any effort at all to filter outbound mail? In
the past 6 hours we've had 768 of these from 256 different accounts. I
have had full raw message for only three in the past few days and I
have sent them to abuse@outlook.com.

FYI part of the sender list below. I don't perceive a pattern to how
they are generated. (This is from sort -u, not the order of arrival.)

<abfmariskaqq@outlook.com>
<acpbrearjck@outlook.com>
<affrederickzc@outlook.com>
<afmkaryntkg@outlook.com>
<ahtsidoniapqf@outlook.com>
<amflovedj@outlook.com>
<atcullanbv@outlook.com>
<bablinciwg@outlook.com>
<bafloryuf@outlook.com>
<bbeerichctu@outlook.com>
<bctobeyiq@outlook.com>
<bdcorendancp@outlook.com>
<bdqannecno@outlook.com>
<bietarynrze@outlook.com>
<bjbebefg@outlook.com>
<blaliceaaja@outlook.com>
<buwreniekm@outlook.com>
<bvkristinawl@outlook.com>
<bvroddiebu@outlook.com>
<bxdduffis@outlook.com>
<bxycarolynzu@outlook.com>
<bydasihxb@outlook.com>
<caethellq@outlook.com>
<camorissabb@outlook.com>
<cbjillanexnc@outlook.com>
<ccvlyndyjls@outlook.com>
<clxjamillms@outlook.com>


On Thu, Apr 23, 2020 at 2:41 AM Henrik K <hege@hege.li> wrote:
>
> On Wed, Apr 22, 2020 at 04:54:22PM -0700, John Hardin wrote:
> > On Wed, 22 Apr 2020, Giovanni Bechis wrote:
> >
> > >On 4/22/20 5:43 PM, Henrik K wrote:
> > >>
> > >>I've updated replace_tags with these 4-byte UTF-8 characters, whatever they
> > >>are, will look more in depth later..
> > >>
> > >you have been faster, I have the same diff on my tree and I was going to commit it :-)
> >
> > The italic and lowercase variants will be needed too. I expect we could skip
> > the Script ones as too unclear to be reasonable obfuscations, but a lot of
> > the Fraktur ones look clear enough to include.
> >
> > https://www.utf8-chartable.de/unicode-utf8-table.pl?start=119808&number=1024
> >
> > What a fun weekend project. {rolleyes}
>
> One should do something useful with their life or family, I suggest ignoring
> this game of whackamole unless it takes a few minutes. :-D It's pointless to
> try adding all combinations in _advance_, since all this is extremely simple
> to bypass with random typos and whitespaces and whatever chars..
>


--
Joseph Brennan
Lead, Email and Systems Applications
Re: base64 encoded sextorsion
On 29 Apr 2020, at 07:42, Joseph Brennan <brennan@columbia.edu> wrote:
> FYI part of the sender list below. I don't perceive a pattern to how
> they are generated. (This is from sort -u, not the order of arrival.)

Pattern is to take a name or common word and pad it with garbage characters before and after.

“Hey, if common matches on their friend Anne or Kristine in the user, we’re IN!”

(I have no idea how matching works on outlook.com, perhaps it is this stupid?)



--
Q is for QUENTIN who sank in the mire R is for RHODA consumed by a
fire
Re: base64 encoded sextorsion
Good day Guys

Our good friends are at it again.

https://pastebin.com/raw/vjFcPzLE

I haven't written anything yet.
Thought I would share in the meantime.

Regards
Brent

On 2020/04/22 16:44, Brent Clark wrote:
> I want to add, I tried this as well, and it *did* match. But it feels
> clunky.
>
> https://pastebin.com/raw/7FaqnByB
>
> Regards
> Brent
>
> On 2020/04/22 16:14, Brent Clark wrote:
>> Sorry in that example I copied body.
>> I tried rawbody and body.
>>
>> Regards
>> Brent
>>
>> On 2020/04/22 16:11, Brent Clark wrote:
>>> Good day Guys
>>>
>>> I would like to ask if someone could help write a rule for the
>>> following base64 encoded sextorsion.
>>>
>>> https://pastebin.com/raw/MWYmfkuh
>>>
>>> I tried using rawbody. But it was proving to not work and be the
>>> right solution. Below is me testing.
>>>
>>> i.e.
>>> body     BASESEX /8J2XrvCdmIHwnZiB8J2XsvCdl7vwnZiB8J2XtvCdl7zwnZe7/
>>> describe BASESEX Base64 Sextorsion
>>> score    BASESEX 2.0
>>>
>>> If anyone could assist, it would be appreciated.
>>>
>>> Kind regards
>>> Brent Clark
Re: base64 encoded sextorsion
On Thu, 7 May 2020, Brent Clark wrote:

> Good day Guys
>
> Our good friends are at it again.
>
> https://pastebin.com/raw/vjFcPzLE
>
> I haven't written anything yet.
> Thought I would share in the meantime.

100% 4-byte UTF8? That should be trivially easy to detect.

Comments solicited.

body __4BYTE_UTF8_WORD /(?:\xf0\x9d[\x9a-\x9f][\x80-\xff]){3,10}/
tflags __4BYTE_UTF8_WORD multiple, maxhits=10
meta SUSP_UTF8_WORD_MANY __4BYTE_UTF8_WORD > 9

Potential FP for some languages because it's rather broad; it might be
possible to narrow it to just the 4-byte math glyphs that render readable
English text.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
If you ask amateurs to act as front-line security personnel,
you shouldn't be surprised when you get amateur security.
-- Bruce Schneier
-----------------------------------------------------------------------
Tomorrow: the 75th anniversary of VE day
Re: base64 encoded sextorsion
On Thu, 7 May 2020, Brent Clark wrote:

> Good day Guys
>
> Our good friends are at it again.
>
> https://pastebin.com/raw/vjFcPzLE
>
> I haven't written anything yet.
> Thought I would share in the meantime.

This is new, too:

[.???????????????? ???????????????????????????????????? ???????????????? & ???????????????????? ????????, ???????????? ???????????????????????? * ???????????????? ????????]

...obfuscating the bitcoin wallet ID.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
If you ask amateurs to act as front-line security personnel,
you shouldn't be surprised when you get amateur security.
-- Bruce Schneier
-----------------------------------------------------------------------
Tomorrow: the 75th anniversary of VE day
Re: base64 encoded sextorsion
On Thu, 7 May 2020 11:39:07 -0700 (PDT)
John Hardin wrote:

> 100% 4-byte UTF8? That should be trivially easy to detect.
>
> Comments solicited.
>
> body __4BYTE_UTF8_WORD /(?:\xf0\x9d[\x9a-\x9f][\x80-\xff]){3,10}/
> tflags __4BYTE_UTF8_WORD multiple, maxhits=10
> meta SUSP_UTF8_WORD_MANY __4BYTE_UTF8_WORD > 9
>
> Potential FP for some languages because it's rather broad; it might
> be possible to narrow it to just the 4-byte math glyphs that render
> readable English text.

Actually it's not broad enough to cover even the mathematical
letters.

This covers them all without any overlap:

/(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/

It does include digits and Greek letters (the mathematical versions).

Changing the continuation byte to [\x80-\xbf] may help a bit in
avoiding matches on text that isn't actually UTF-8. It won't do any
harm.

I think the risk is mostly in matching actual mathematics. I doubt many
people go to the trouble of entering these characters in emails, but
perhaps something pasted into the body or found inside an attachment (if
you have the appropriate plugin).
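The following Python is an added illustration, not code from the thread or from SpamAssassin. It decodes the base64 fragment from Brent's original BASESEX rule to show which bytes the body rule actually sees once the transfer encoding is stripped (RW's point above), runs John Hardin's first byte range and RW's corrected range over those bytes and over two constructed "bitcoin" spellings (sans-serif bold and monospace, built from the block layout of U+1D400..U+1D7FF), and uses Unicode NFKC normalization to fold the glyphs back to ASCII. The NFKC step is a stand-in for what the replace_tags mappings achieve, not SpamAssassin's own mechanism, and SpamAssassin's body-rule evaluation (charset normalization, tflags multiple/maxhits) is not modelled beyond a plain match count.

```python
import base64
import re
import unicodedata

# Brent's base64 fragment from the first message of the thread.
BRENT_B64 = "8J2XrvCdmIHwnZiB8J2XsvCdl7vwnZiB8J2XtvCdl7zwnZe7"

# John Hardin's first draft: third byte \x9a-\x9f only reaches
# U+1D680..U+1D7FF (monospace letters, digits, bold Greek), so the
# sans-serif bold letters in Brent's sample (third byte \x97/\x98) slip past.
HARDIN_RE = re.compile(rb"(?:\xf0\x9d[\x9a-\x9f][\x80-\xff]){3,10}")

# RW's correction: \x90-\x9f plus a proper UTF-8 continuation byte covers the
# whole Mathematical Alphanumeric Symbols block U+1D400..U+1D7FF.
RW_RE = re.compile(rb"(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}")

# Code point of small 'a' in two of the mathematical alphabets; constructed
# for this demo from the Unicode block layout (26 capitals, then 26 smalls).
SANS_BOLD_SMALL_A = 0x1D5EE   # MATHEMATICAL SANS-SERIF BOLD SMALL A
MONOSPACE_SMALL_A = 0x1D68A   # MATHEMATICAL MONOSPACE SMALL A


def obfuscate(word: str, small_a: int) -> bytes:
    """Spell an ASCII lowercase word with one mathematical alphabet.

    Only used to build constructed sample bodies that look like the spam."""
    return "".join(chr(small_a + ord(c) - ord("a")) for c in word).encode("utf-8")


def decode_brent_fragment() -> bytes:
    """The raw UTF-8 bytes that sit behind the base64 in Brent's rule."""
    return base64.b64decode(BRENT_B64)


def count_hits(pattern: re.Pattern, body: bytes) -> int:
    """Non-overlapping runs of 3..10 math glyphs; a rough stand-in for what
    'tflags multiple' would count for the __4BYTE_UTF8_WORD subrule."""
    return len(pattern.findall(body))


def deobfuscate(body: bytes) -> str:
    """NFKC maps the <font> compatibility variants back to plain ASCII, so an
    ordinary 'bitcoin' pattern hits afterwards. Assumed equivalent in effect to
    the replace_tags mappings Henrik added; it is not SpamAssassin's code."""
    return unicodedata.normalize("NFKC", body.decode("utf-8", errors="replace"))


if __name__ == "__main__":
    sample = decode_brent_fragment()
    print("Brent's fragment decodes to:", deobfuscate(sample))
    for name, rx in (("Hardin draft", HARDIN_RE), ("RW range", RW_RE)):
        print(f"{name:12} hits on Brent's fragment:", count_hits(rx, sample))
    for name, a in (("sans-serif bold", SANS_BOLD_SMALL_A),
                    ("monospace", MONOSPACE_SMALL_A)):
        body = obfuscate("bitcoin", a)   # constructed sample, not real spam
        print(f"{name:16} Hardin={count_hits(HARDIN_RE, body)} "
              f"RW={count_hits(RW_RE, body)} normalized={deobfuscate(body)!r}")
```

Running it shows Brent's fragment is the word "attention" in sans-serif bold, which the first byte range misses entirely and RW's range catches as a single run of nine glyphs; the monospace spelling is caught by both. The NFKC output is what a plain-text FUZZY_BITCOIN style rule wants to see, which is the same idea as extending replace_tags, and it also folds the mathematical digits and Greek letters RW mentions, so the same false-positive caveat about genuine mathematical text applies to it.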
Re: base64 encoded sextorsion
On Thu, 7 May 2020, RW wrote:

> On Thu, 7 May 2020 11:39:07 -0700 (PDT)
> John Hardin wrote:
>
>> 100% 4-byte UTF8? That should be trivially easy to detect.
>>
>> Comments solicited.
>>
>> body __4BYTE_UTF8_WORD /(?:\xf0\x9d[\x9a-\x9f][\x80-\xff]){3,10}/
>> tflags __4BYTE_UTF8_WORD multiple, maxhits=10
>> meta SUSP_UTF8_WORD_MANY __4BYTE_UTF8_WORD > 9
>>
>> Potential FP for some languages because it's rather broad; it might
>> be possible to narrow it to just the 4-byte math glyphs that render
>> readable English text.
>
> Actually it's not broad enough to cover even the mathematical
> letters.
>
> This covers them all without any overlap:
>
> /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/
>
> It does include digits and Greek letters (the mathematical versions).

Updated, thanks.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Phobias should not be the basis for laws.
-----------------------------------------------------------------------
Tomorrow: the 75th anniversary of VE day