
Phishing campaign using nested Google redirect
Just wanted to forward an example of an interesting URL obfuscation
tactic observed yesterday.

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&url=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fwww.tehminadurranifoundation.org%252F1%252F1%252Findex.php%26sa%3DD%26sntz%3D1%26usg%3DAFQjCNEa27A724-wMQik8STZvuisHK2G4g

Google then spits back a response with the redirect target in both
JavaScript and non-JavaScript forms (meta refresh tag):

https://www.google.com/url?q=https%3A%2F%2Fwww.tehminadurranifoundation.org%2F1%2F1%2Findex.php&sa=D&sntz=1&usg=AFQjCNEa27A724-wMQik8STZvuisHK2G4g

Slightly different response behavior this time, but ultimately
redirects the victim to the malicious destination. The effective
destination in this case has been taken down, but I'll avoid putting
the full link.

Unfortunately, there didn't seem to be any rules that would help catch
this. I have a couple thoughts on some that I would need to test, but
wanted to share to the community.
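As an added example (not part of the original post or of SpamAssassin), here is a small stdlib-only Python routine that unwraps nested google.com/url hops offline, the way a triage analyst or a rule author would when deciding how many redirect layers a link carries. The sample URL is the one quoted in the post; the `&amp;` handling covers copies mangled by HTML extraction.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Hosts whose /url endpoint acts as the redirector in the sample above.
GOOGLE_REDIRECT_HOSTS = {"google.com", "www.google.com"}
# google.com/url carries the target in either "url" or "q".
TARGET_PARAMS = ("url", "q")


def google_redirect_target(url):
    """Return the redirect target of one google.com/url hop, or None."""
    # Copies pasted through HTML sometimes carry '&amp;' as the separator.
    if "&amp;" in url:
        url = html.unescape(url)
    parts = urlsplit(url)
    if parts.netloc.lower() not in GOOGLE_REDIRECT_HOSTS or parts.path != "/url":
        return None
    query = parse_qs(parts.query)  # decodes exactly one layer of %-encoding
    for key in TARGET_PARAMS:
        if query.get(key) and query[key][0]:
            return query[key][0]
    return None


def unwrap_google_redirect(url, max_depth=10):
    """Follow nested google.com/url hops without fetching anything."""
    hops = [url]
    for _ in range(max_depth):
        target = google_redirect_target(hops[-1])
        if target is None:
            break
        hops.append(target)
    return hops


def redirect_depth(url):
    """Number of google.com/url layers wrapped around the final destination."""
    return len(unwrap_google_redirect(url)) - 1


# Sample URL copied from the post above (its destination has been taken down).
SAMPLE_OUTER = ("https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&url="
                "https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252F"
                "www.tehminadurranifoundation.org%252F1%252F1%252Findex.php"
                "%26sa%3DD%26sntz%3D1%26usg%3DAFQjCNEa27A724-wMQik8STZvuisHK2G4g")

if __name__ == "__main__":
    for i, hop in enumerate(unwrap_google_redirect(SAMPLE_OUTER)):
        print(f"hop {i}: {hop}")
    print("nested google.com/url layers:", redirect_depth(SAMPLE_OUTER))
```

A depth of two or more is the signal this thread is about; a single google.com/url wrapper is common in legitimate mail, so a rule keyed on depth rather than on the redirector alone will false-positive far less.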
Re: Phishing campaign using nested Google redirect
On 2/18/21 6:37 PM, Ricky Boone wrote:
> Just wanted to forward an example of an interesting URL obfuscation
> tactic observed yesterday.
>
> https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&url=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fwww.tehminadurranifoundation.org%252F1%252F1%252Findex.php%26sa%3DD%26sntz%3D1%26usg%3DAFQjCNEa27A724-wMQik8STZvuisHK2G4g
>
> Google then spits back a response with the redirect target in both
> JavaScript and non-JavaScript forms (meta refresh tag):
>
> https://www.google.com/url?q=https%3A%2F%2Fwww.tehminadurranifoundation.org%2F1%2F1%2Findex.php&sa=D&sntz=1&usg=AFQjCNEa27A724-wMQik8STZvuisHK2G4g
>
> Slightly different response behavior this time, but ultimately
> redirects the victim to the malicious destination. The effective
> destination in this case has been taken down, but I'll avoid putting
> the full link.
>
> Unfortunately, there didn't seem to be any rules that would help catch
> this. I have a couple thoughts on some that I would need to test, but
> wanted to share to the community.
>
I just committed a new variation of GB_GOOGLE_OBFUR that should match this spam as well.
If you can send me a spample I could tweak it a bit more.

Giovanni
Re: Phishing campaign using nested Google redirect
Nice. I've copied scrubbed versions of what I've seen so far here:
https://gitlab.com/-/snippets/2079108 (I can never remember if it is
appropriate to include attachments to mailing lists like this).

On Thu, Feb 18, 2021 at 1:13 PM Giovanni Bechis <giovanni@paclan.it> wrote:
>
> On 2/18/21 6:37 PM, Ricky Boone wrote:
> > Just wanted to forward an example of an interesting URL obfuscation
> > tactic observed yesterday.
> >
> > https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&url=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fwww.tehminadurranifoundation.org%252F1%252F1%252Findex.php%26sa%3DD%26sntz%3D1%26usg%3DAFQjCNEa27A724-wMQik8STZvuisHK2G4g
> >
> > Google then spits back a response with the redirect target in both
> > JavaScript and non-JavaScript forms (meta refresh tag):
> >
> > https://www.google.com/url?q=https%3A%2F%2Fwww.tehminadurranifoundation.org%2F1%2F1%2Findex.php&sa=D&sntz=1&usg=AFQjCNEa27A724-wMQik8STZvuisHK2G4g
> >
> > Slightly different response behavior this time, but ultimately
> > redirects the victim to the malicious destination. The effective
> > destination in this case has been taken down, but I'll avoid putting
> > the full link.
> >
> > Unfortunately, there didn't seem to be any rules that would help catch
> > this. I have a couple thoughts on some that I would need to test, but
> > wanted to share to the community.
> >
> I just committed a new variation of GB_GOOGLE_OBFUR that should match this spam as well.
> If you can send me a spample I could tweak it a bit more.
>
> Giovanni
>
Re: Phishing campaign using nested Google redirect
On Thu, 18 Feb 2021, Ricky Boone wrote:

> Nice. I've copied scrubbed versions of what I've seen so far here:
> https://gitlab.com/-/snippets/2079108 (I can never remember if it is
> appropriate to include attachments to mailing lists like this).

In our case it's best to upload an entire email (all headers intact and
with as little obfuscation as possible) to something like Pastebin, then
post the URL to that here so it can be downloaded. This keeps the spample
from being modified during transit in ways that could impede analysis and
rule development and testing.

For just URLs, though, examples could just be pasted into the body of your
post (as you did) or in a .txt attachment.



--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Are you a mildly tech-literate politico horrified by the level of
ignorance demonstrated by lawmakers gearing up to regulate online
technology they don't even begin to grasp? Cool. Now you have a
tiny glimpse into a day in the life of a gun owner. -- Sean Davis
-----------------------------------------------------------------------
Today: Perseverance lands on Mars
Re: Phishing campaign using nested Google redirect
On Thu, 18 Feb 2021, Giovanni Bechis wrote:

> On 2/18/21 6:37 PM, Ricky Boone wrote:
>> Just wanted to forward an example of an interesting URL obfuscation
>> tactic observed yesterday.
>>
>> https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&url=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fwww.tehminadurranifoundation.org%252F1%252F1%252Findex.php%26sa%3DD%26sntz%3D1%26usg%3DAFQjCNEa27A724-wMQik8STZvuisHK2G4g
>
> I just committed a new variation of GB_GOOGLE_OBFUR that should match this spam as well.
> If you can send me a spample I could tweak it a bit more.

We may need to coordinate a little here - there's also a google.com/url
redir rule in my sandbox, and they may be overlapping.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
Re: Phishing campaign using nested Google redirect
On Thu, Feb 18, 2021 at 7:08 PM John Hardin <jhardin@impsec.org> wrote:
>
> In our case it's best to upload an entire email (all headers intact and
> with as little obfuscation as possible) to something like Pastebin, then
> post the URL to that here so it can be downloaded. This keeps the spample
> from being modified during transit in ways that could impede analysis and
> rule development and testing.
>
> For just URLs, though, examples could just be pasted into the body of your
> post (as you did) or in a .txt attachment.

Gotcha, thanks. Hopefully the copies I put up on GitLab are still
useful for testing any rules; I didn't see any issues when I ran SA
against the redacted copies. Since they included real addresses,
names, etc., I have to redact certain elements due to my company's
policies.
Re: Phishing campaign using nested Google redirect
On 2/19/21 1:09 AM, John Hardin wrote:
> On Thu, 18 Feb 2021, Giovanni Bechis wrote:
>
>> On 2/18/21 6:37 PM, Ricky Boone wrote:
>>> Just wanted to forward an example of an interesting URL obfuscation
>>> tactic observed yesterday.
>>>
>>> https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&url=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fwww.tehminadurranifoundation.org%252F1%252F1%252Findex.php%26sa%3DD%26sntz%3D1%26usg%3DAFQjCNEa27A724-wMQik8STZvuisHK2G4g
>>
>> I just committed a new variation of GB_GOOGLE_OBFUR that should match this spam as well.
>> If you can send me a spample I could tweak it a bit more.
>
> We may need to coordinate a little here - there's also a google.com/url redir rule in my sandbox, and they may be overlapping.
>
I proposed a shared sandbox for that reason when we developed bitcoin rules (and we had similar problems with overlapping rules).

Giovanni
Re: Phishing campaign using nested Google redirect
On Thu, 18 Feb 2021 16:08:01 -0800 (PST)
John Hardin wrote:


> In our case it's best to upload an entire email (all headers intact
> and with as little obfuscation as possible) to something like
> Pastebin, then post the URL to that here so it can be downloaded.
...
> For just URLs, though, examples could just be pasted into the body of
> your post (as you did) or in a .txt attachment.

I'd still suggest uploading them to pastebin. Other spam filters may
already have better handling for those URLs.
Re: Phishing campaign using nested Google redirect
On Fri, 19 Feb 2021, Giovanni Bechis wrote:

> On 2/19/21 1:09 AM, John Hardin wrote:
>> On Thu, 18 Feb 2021, Giovanni Bechis wrote:
>>
>>> On 2/18/21 6:37 PM, Ricky Boone wrote:
>>>> Just wanted to forward an example of an interesting URL obfuscation
>>>> tactic observed yesterday.
>>>>
>>>> https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&url=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fwww.tehminadurranifoundation.org%252F1%252F1%252Findex.php%26sa%3DD%26sntz%3D1%26usg%3DAFQjCNEa27A724-wMQik8STZvuisHK2G4g
>>>
>>> I just committed a new variation of GB_GOOGLE_OBFUR that should match this spam as well.
>>> If you can send me a spample I could tweak it a bit more.
>>
>> We may need to coordinate a little here - there's also a google.com/url redir rule in my sandbox, and they may be overlapping.
>
> I proposed a shared sandbox for that reason when we developed bitcoin rules (and we had similar problems with overlapping rules).

Perhaps it's time we pursued that. :)

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79