Help required in decoding suspicious URL



Immaturedevil
05-16-2012, 02:54 PM
Hi Group,
Need your help in understanding and decoding these URLs that I have got from my proxy. These URLs seem to be obfuscated. I would appreciate it if anyone could help me in decoding these URLs.

Sample of URLs:

http://i-e-g-n-9-p-2-5-0-9-1-1-b-h-9-d-4-t-0-g-1-q-q-1-i-i-0-0-y-f-k-.i-9t3-sy-7i-5j3-sf7-8z5-54-n8v7r-0-ih7-36992m-o3-0q-g-3.info/VERSION.TXT
http://3-4-c-9-9-f-2-3-2-6-6-q-j-2-5-d-7-j-0-s-v-6-c-q-f-4-6-q-b-w-b-.81r-x7-tr2p-7c-5lk-huxs-0wq-bma-0wvi-2y-a8s-elw-hv-o0-6.info/VERSION.TXT
http://v-q-z-q-y-1-o-n-8-u-q-9-v-d-x-y-0-9-2-2-y-0-9-o-x-5-l-f-j-a-5-.0-0-0-0-0-0-0-0-0-0-0-0-0-60-0-0-0-0-0-0-0-0-0-0-0-0-0.info/VERSION.TXT
http://8-n-9-0-f-f-u-3-9-0-y-n-9-m-9-1-o-2-o-h-k-r-a-m-1-6-y-i-g-2-0-.rb-e-e3-j-fi-1-il-h-il-3e-z-u-r-u-lk-h-wm-3-6-g-0o-s-dx.info/VERSION.TXT
http://4-e-q-o-8-y-w-i-3-r-0-p-q-o-5-5-k-2-p-9-1-8-0-b-z-q-v-0-t-8-s-.z-hk-yl8-k-7o-8z-l-v-uhb-u-td-8i-oe-0gp-e2g-we6-ws-2vpd.info/VERSION.TXT
http://s-4-r-d-7-j-m-9-0-9-1-2-5-2-7-4-e-o-6-s-j-o-1-a-u-1-5-z-4-s-1-.5-68-wk-5g-z2-pu6-e5x-4h-yij-yx-duv-wpx-2r8-7vc-ox-4q-u.info/VERSION.TXT

Regards

fb1h2s
05-16-2012, 03:13 PM
Unless and until you provide more info on the same, we wouldn't be able to do anything.

Immaturedevil
05-17-2012, 12:22 PM
Hi FB1H2s

Let me know any specific information that you are looking for; I would share that. Just to give more background on the issue... One of the desktops seems to be infected with some backdoor or trojan that is trying to send some information out. Going through the proxy logs, the system is continuously trying to connect to the URLs given earlier. These URLs are changing with each request. I am trying to find the malicious program that could be running on this system.
If anyone could help in decoding or understanding these HTTP links, I would at least know what server it is trying to connect to.
Any guidance in this direction is appreciated.

Regards

neo
05-17-2012, 04:12 PM
Well, these are dynamic addresses. Right now all of them seem to be dead.
So you need to do a whois on them at the time you find one URL.
A simple way to do it is using some sites like Traceroute, Ping, Domain Name Server (DNS) Lookup, WHOIS (http://network-tools.com).
Just remove "/VERSION.TXT" and "http://" from the URL and put the URL into the express lookup on that site, or do a whois on that string.

Immaturedevil
05-17-2012, 05:21 PM
Hi Neo,

Thanks for your comment. I have already done that... but no success, as these URLs are not recognized by search engines as such. I am trying to get some info if anyone has come across URLs in this format, or any tool or link to decode them, to get some direction...
Anyway, thanks for your input.
Regards,

Anant Shrivastava
05-17-2012, 05:30 PM
Not exactly this format, but I have seen a similar kind of format as part of malware. This URL format was used to get the commands from the remote server. There was a whole bunch of domain names in sequence.

abhaythehero
05-20-2012, 07:14 PM
I too have the opinion that malware has been installed and it is communicating via HTTP using these URLs. What perplexes me is how such a URL domain can be allocated, even dynamically? I don't think lookup tools will work here.

These URLs are encoded. That is for sure. But are they being decoded by the malware itself :confused: But Immaturedevil says he got this in his proxy logs :confused: :confused:

xsxs
05-21-2012, 07:09 PM
Hi Immaturedevil..
Why don't you sniff your connection first? I thought it will help you to discover from where to where the information was sent. Maybe you can use Wireshark (just my opinion).

//sorry for my bad grammar (hope someone can correct it, if incorrect.. thanks in advance)

Anant Shrivastava
05-21-2012, 10:37 PM
> I too have the opinion that malware has been installed and it is communicating via HTTP using these URLs. What perplexes me is how such a URL domain can be allocated, even dynamically? I don't think lookup tools will work here.
>
> These URLs are encoded. That is for sure. But are they being decoded by the malware itself :confused: But Immaturedevil says he got this in his proxy logs :confused: :confused:

Abhay, check this out:
Encyclopedia entry: Worm:Win32/Esfury.A - Learn more about malware - Microsoft Malware Protection Center (http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FEsfury.A)

Once upon a time in the distant past, when I was tasked to review Websense logs to catch perverts :D, I also happened to stumble upon a similar kind of request. The attraction factor was around 80K requests per month, which naturally means a lot more than what I can expect from a human. Some deep diving and I was able to pinpoint the above-linked stuff.

So yes, people do come up with varied means of spreading an infection.

abhaythehero
05-22-2012, 05:13 PM
> Abhay, check this out:
> Encyclopedia entry: Worm:Win32/Esfury.A - Learn more about malware - Microsoft Malware Protection Center (http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FEsfury.A)
>
> Once upon a time in the distant past, when I was tasked to review Websense logs to catch perverts :D, I also happened to stumble upon a similar kind of request. The attraction factor was around 80K requests per month, which naturally means a lot more than what I can expect from a human. Some deep diving and I was able to pinpoint the above-linked stuff.
>
> So yes, people do come up with varied means of spreading an infection.

So that means lookup tools must give some information about these URLs? Still confused about the domain, though. Are there any non-commercial DNS servers that would give them the liberty to take such a URL?

webdevil
05-23-2012, 06:57 AM
Here is your answer:
Detailed Analysis - Troj/Koynnos-A - Viruses and Spyware - Threat Analyses - Threat Center - Sophos (http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Koynnos-A/detailed-analysis.aspx)

A more detailed post:
ThreatExpert Report: Email-Worm.Rontokbro, W32.Rontokbro@mm, Troj/Koynnos-A (http://www.threatexpert.com/report.aspx?md5=8c3962eee85ab7c789dfcd6582e0cac6)

neo
05-23-2012, 10:13 AM
> So that means lookup tools must give some information about these URLs? Still confused about the domain, though. Are there any non-commercial DNS servers that would give them the liberty to take such a URL?

You seem to have forgotten there are multiple . [dot] in the URL, so these can be subdomains; the attacker only needs to register the last part as a domain.
So in that case the DNS query would go to his main domain, and he can create dynamic subdomains which can expire every day, or for that matter after any specific amount of time he wants. So only the last high-level domain wouldn't change in that case. And for the last domain also, he can register some 10-20 domains as top-level domains and use some of them based on an algorithm.

(A suggestion - never forget your basic Tanenbaum networking TCP/IP book.)
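A defender-side triage script illustrating neo's point, added here as an example and not code from the thread or from any of the linked analyses: it parses the sample proxy-log URLs, splits off the registrable domain (the part the operator had to register) from the disposable subdomain labels, and flags hostnames matching this thread's pattern (single characters joined by hyphens, labels ending in "-"). The threshold and the two benign URLs are constructed assumptions for comparison.

```python
from collections import Counter
from urllib.parse import urlsplit

# Three URLs from the thread's proxy logs plus two constructed benign URLs.
SAMPLE_URLS = [
    "http://i-e-g-n-9-p-2-5-0-9-1-1-b-h-9-d-4-t-0-g-1-q-q-1-i-i-0-0-y-f-k-.i-9t3-sy-7i-5j3-sf7-8z5-54-n8v7r-0-ih7-36992m-o3-0q-g-3.info/VERSION.TXT",
    "http://3-4-c-9-9-f-2-3-2-6-6-q-j-2-5-d-7-j-0-s-v-6-c-q-f-4-6-q-b-w-b-.81r-x7-tr2p-7c-5lk-huxs-0wq-bma-0wvi-2y-a8s-elw-hv-o0-6.info/VERSION.TXT",
    "http://v-q-z-q-y-1-o-n-8-u-q-9-v-d-x-y-0-9-2-2-y-0-9-o-x-5-l-f-j-a-5-.0-0-0-0-0-0-0-0-0-0-0-0-0-60-0-0-0-0-0-0-0-0-0-0-0-0-0.info/VERSION.TXT",
    "http://www.example.com/index.html",          # constructed benign
    "http://cdn-static.example.org/VERSION.TXT",  # constructed benign
]


def hostname(url):
    """Host part of a proxy-log URL (the string neo suggests running whois on)."""
    return (urlsplit(url).hostname or "").rstrip(".")


def registrable_domain(host):
    """Last two labels: the only part the operator actually registered.
    Sufficient for .info; multi-label suffixes such as .co.uk need a
    public-suffix list (assumption: plain two-label TLDs only)."""
    return ".".join(host.split(".")[-2:])


def hyphen_ratio(label):
    return label.count("-") / len(label) if label else 0.0


def is_dga_like(host, max_ratio=0.35):
    """Heuristic for the pattern in this thread: any subdomain label that is
    mostly hyphens (one character per hyphen gives ~0.5) or ends in '-', which
    no hand-chosen hostname has. max_ratio is an assumed tuning value."""
    sub_labels = host.split(".")[:-2]
    return any(hyphen_ratio(lab) > max_ratio or lab.endswith("-")
               for lab in sub_labels)


def suspicious_domains(urls):
    """Count flagged hosts per registrable domain: these are the domains to
    whois, sinkhole or block, while the subdomains keep changing."""
    counts = Counter()
    for url in urls:
        host = hostname(url)
        if is_dga_like(host):
            counts[registrable_domain(host)] += 1
    return counts


if __name__ == "__main__":
    for dom, n in suspicious_domains(SAMPLE_URLS).items():
        print(f"{n:4d}  {dom}")
```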

abhaythehero
05-24-2012, 01:58 AM
Oops, failed to see the dots between the dashes. I get it now. But 0-0-0-0-0-0-0-0-0-0-0-0-0-34-0-0-0-0-0-0-0-0-0-0-0-0-0 as a domain still seems a little out of the way. Guess the domain controllers will allow such a type after all.

B/w, thanks for the suggestion. Tanenbaum always freaked me out during the semesters, so I never touched the book ;) Would give it another chance.