A few weeks ago Richard posted a blog about malicious HTML attachments we were seeing in spam. Well, the attacks have continued since then along much the same lines. For example:

Current attachments are being blocked as Troj/JSRedir-BV.
As noted before, if the victim opens the HTML attachment, the embedded script will run within the browser and redirect them to another remote web page (hosted within a legitimate but compromised site). Sophos products block this page as Mal/Iframe-Q. From there, the attack is two-fold:
- META redirect to some spammy site (Canadian Pharmacy and similar)
- malicious IFRAME loading further content from another site
In this post I wanted to highlight one of the tricks used in the malicious JavaScript within the HTML attachments. The script is minified and peppered with junk code, hindering readability, but after prettifying and removing the junk code, it is fairly simple. The decryption function is called via setTimeout, and consists of a simple XOR.

There is a cunning little trick in the script, designed to break JavaScript emulation tools. By calling the decryption routine via setTimeout, the script is able to ensure there has been a sufficient delay before the key is derived. Most emulation tools will tend to ignore the setTimeout delay, resulting in an incorrect XOR key being generated, and decryption failing.
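As an added illustration (not the attachment's own script, whose exact key schedule is not reproduced here), the block below models a timer-gated XOR stage and a tiny virtual-clock scheduler, showing why an emulator that short-circuits setTimeout must still advance its clock by the scheduled delay. The key derivation, the constant 0x5a and the ciphertext are constructed assumptions.

```javascript
// Added example, not code from the sample: a timer-gated XOR stage plus a
// virtual-clock scheduler that an analysis harness can use to drain setTimeout
// callbacks without really waiting, either naively or faithfully.
function makeHarness({ advanceClockOnFire }) {
  const state = { now: 0, queue: [] };
  return {
    now: () => state.now,
    setTimeout: (fn, delayMs) => { state.queue.push({ fn, delayMs }); },
    // Drain the timer queue immediately; optionally let virtual time pass.
    runAll() {
      while (state.queue.length) {
        const { fn, delayMs } = state.queue.shift();
        if (advanceClockOnFire) state.now += delayMs; // faithful: the delay "elapses"
        fn();                                         // naive: clock stays at 0
      }
    },
  };
}

function xorDecode(bytes, key) {
  return String.fromCharCode(...bytes.map((b) => b ^ key));
}

// Constructed ciphertext: the string "location.href" XOR'd with 0x5a.
const CIPHER = [0x36, 0x35, 0x39, 0x3b, 0x2e, 0x33, 0x35, 0x34, 0x74, 0x32, 0x28, 0x3f, 0x3c];
const DELAY_MS = 900;

// Assumed key schedule: the key only comes out right if the delay really elapsed,
// so an emulator that fires the callback at once (elapsed == 0) derives key 0.
function runTimerGatedStage(env) {
  const started = env.now();
  let decoded = null;
  env.setTimeout(() => {
    const elapsed = env.now() - started;
    const key = Math.round(elapsed / DELAY_MS) * 0x5a;
    decoded = xorDecode(CIPHER, key);
  }, DELAY_MS);
  env.runAll();
  return decoded;
}
```

Running the stage under both harnesses shows the faithful one recovering the `location.href` string while the naive one yields the raw ciphertext bytes.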

When correctly deobfuscated, you can see that the script redirects the victim with a location.href:

These attacks are just another example of the growing number of tricks being used within malicious JavaScript to evade generic detection and hinder automated analysis techniques.
Looking through news sites I encountered articles about a full-frontal pin-up calendar (“EIZO – Pin-up Calendar 2010”) that shows a young lady more exposed than any I have seen before. Yet this calendar is reproduced on various respectable websites. It is all part of a clever marketing campaign by LCD monitor manufacturer Eizo. Now after the initial laugh & giggle no one would seriously say that there is anything wrong or immoral about these pictures, but…

This strikes me as another one of those grey areas, literally shades of grey in this case. It is difficult to have a universal definition of what is legitimate for public consumption and what should be censored as pornography. Now obviously a skeleton of a woman is not pornographic, yet full-frontal pictures of a live woman in erotic poses are obviously porn. So when is an image unacceptably pornographic?
A little bit of exposed flesh is alluring, a lot is rude. If a picture can be pornographic when you can see the exposed outer micrometre of flesh, as displayed in Playboy magazine etc., then is being able to see the rest of the flesh that is below the skin going to be more pornographic, or less? And whatever the decision, why?
Is it context that counts, as in the “is it art or is it porn” argument? In this case the erotic poses would suggest it is definitely pornographic. There is certainly no medical reason involved for these particular poses.
In some countries the laws have defined pornography by how much and which bits of flesh are exposed. The film industry suffered with actresses in bedroom scenes having the amount of exposed breast measured by a censor before shooting was allowed. Well, these pictures certainly fail that test.
Sometimes laws define pornography as “that which may shock, offend or corrupt”. But that surely depends on who is present at the time. Some regions with this type of law allow people to walk to the local supermarket whilst completely naked, whilst others are very restrictive in their interpretation. So are these X-rays offensive or likely to corrupt you?
Legal definitions of pornography in general vary drastically. It can depend on where you are, what social group you are in, who you are with at the time, age, period of history, gender and so many other factors. In the end it usually comes down to the interpretation of an individual censor or judge.
If we have ruled out law, artistry & offensiveness as suitable definitions of what should define pornography, then should it depend on its arousal? Should it be down to whether someone might choose to experience the material because of its sexual effect? After all, that is what the other methods are trying to restrict, namely images or actions that might cause a sexual response. So do these X-ray images cause you to be aroused? Possibly an interesting question. But yet again there is the huge variance from person to person. After all, there is Objectum sexuality or Objectophilia, where some people get sexually aroused by everyday objects. So should Apple’s iBook be banned because of its potential erotic effect?
I still don’t know if technically these X-rays are pornography. Why do I care? Because it can be our job at Sophos to help protect you from pornography, if only we knew what it is.
And if this isn’t explicit enough for you, there is also an MRI video of sexual intercourse penetration that is part of the results from a paper submitted to the British Medical Journal some time back. Though this example is not pornography as it is medical research, lucky scientists.
Miss March 2010
Search engine optimisation (SEO) techniques have received a fair amount of attention recently, thanks mostly to their use in fake AV distribution. In this blog, I will describe an interesting piece of JavaScript I came across whilst investigating some SEO pages.
In a typical SEO attack, when the victim clicks through to the SEO page from the search engine results, they are immediately redirected to the target site (be that designed to infect them with malware or show them spammy services/goods). This is normally achieved using one of the following methods:
- 302 redirect
- JavaScript driven redirect
- Flash (ActionScript) driven redirect
- META redirect
The SEO pages I was looking at this week used an interesting piece of JavaScript for the redirection. The script is shown below:

As you can see, the redirection is a little more obscure than the usual simplistic location.href=_some_url_! The script adds an event listener to the document using addEventListener or attachEvent, for Mozilla et al. and IE respectively.
Upon the mousemove event firing, the exit() function is called, incrementing a counter. Once that counter hits 3, an anchor element is added to the page, and the redirection is delivered. A curious exercise in making the simple overly complex and cumbersome! It seems like a “hiding in plain sight” tactic, used in an attempt to evade detection.
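The practical consequence for analysis is that the redirect only appears once synthetic user input has been fed in. The block below is an added example, not the script from the SEO pages: an instrumented document stub that logs listener registrations and anchor activity, a stand-in stage written to match the behaviour described above (its target URL is a constructed placeholder, not an indicator from the post), and a driver that dispatches mousemove events until navigation is observed.

```javascript
// Added example, not the SEO pages' script: a document stub that records what a
// script registers and where it navigates, so interaction-gated redirects can be
// driven and observed without a real browser.
function makeDocumentStub() {
  const listeners = {};
  const log = { registered: [], anchorsAppended: [], navigatedTo: null };
  const doc = {
    addEventListener(type, fn) {
      (listeners[type] = listeners[type] || []).push(fn);
      log.registered.push(type);
    },
    // IE-style registration: "onmousemove" maps onto the same listener table.
    attachEvent(type, fn) { doc.addEventListener(type.replace(/^on/, ''), fn); },
    createElement(tag) {
      return { tag, href: '', click() { if (this.tag === 'a') log.navigatedTo = this.href; } };
    },
    body: { appendChild(el) { log.anchorsAppended.push(el.href); } },
    dispatch(type) { (listeners[type] || []).forEach((fn) => fn({ type })); },
    log,
  };
  return doc;
}

// Stand-in for the described behaviour: a mousemove counter that, on the third
// event, appends an anchor and follows it. The URL is a placeholder, not real.
function sampleRedirectStage(doc) {
  let count = 0;
  function exit() {
    count += 1;
    if (count !== 3) return;
    const a = doc.createElement('a');
    a.href = 'http://example.invalid/landing'; // constructed placeholder
    doc.body.appendChild(a);
    a.click();
  }
  if (doc.addEventListener) doc.addEventListener('mousemove', exit);
  else doc.attachEvent('onmousemove', exit);
}

// Feed synthetic mousemove events until a navigation is seen or the budget runs out,
// and report what the stage registered and how many events it needed.
function analyse(stage, maxEvents = 10) {
  const doc = makeDocumentStub();
  stage(doc);
  let fired = 0;
  while (doc.log.navigatedTo === null && fired < maxEvents) {
    doc.dispatch('mousemove');
    fired += 1;
  }
  return { listeners: doc.log.registered,
           eventsNeeded: doc.log.navigatedTo ? fired : null, target: doc.log.navigatedTo };
}
```

The report shows the redirect surfacing only on the third synthetic mousemove, which is exactly the kind of gating a purely static or zero-interaction run would miss.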
The target of the redirect is changing (of course), but thus far the SEO efforts seem to have been focused on shifting software and other products.

In addition to blocking access to the target spammy pages via URL filtering, the malicious redirect script is also blocked as Troj/JSRedir-BU by Sophos products.