HOWTO: How do Spammers encode or obfuscate HTTP links (URLs)?

Expand / Collapse
 

HOWTO: How do Spammers encode or obfuscate HTTP links (URLs)?


This article applies to:

  • Trustwave SEG/MailMarshal SMTP

Question:

How do Spammers encode or obfuscate HTTP links (URLs)?

Causes:

Spammers encode or obfuscate URLs in different ways to bypass spam filtering or mask spamming activity.

Procedure:

Spammers insert encoded characters into URLs to bypass spam filtering or mask spamming activity. A basic understanding of binary, octal, decimal and hexdecimal  number systems and how to convert from one system to another is assumed in the following examples. The following techniques and examples explain how spammers encode URLs with the number systems. 

Decimal Encoding:

Internet Explorer interprets an IP address that is encoded to a single decimal number as an actual IP address. For example, you can encode the loopback address, http://127.0.0.1/, using the decimal numbering system. 

  1. Convert each octet (each part of the IP address) into binary. Remember to pad each binary number on the left (most significant bit, or MSB) with zeroes to give you 8 bits.

    127 = 01111111
    0 = 00000000
    0 = 00000000
    1 = 00000001  

  2. Join all the binary numbers together:

    01111111000000000000000000000001

  3. Convert the result to decimal, yielding:

    2130706433

  4. Insert the result into the URL or in a link. Your browser will interprets the following as 127.0.0.1.

    http://2130706433/ 

Octal Encoding:

  1.  Convert each octet of the IP address into octal. Remember to pad each octal number on the left with a zero. In each case the MSB (leftmost) digit needs to be 0.

    127 = 0177
    0 = 0
    0 = 0
    1 = 01

  2. These octal numbers can now be used in the URL, and the browser will interpret as 127.0.0.1:

    http://0177.0.0.01/  

Hex Encoding

  1. Convert the IP address to decimal. See result from the previous decimal encoding example.
  2. Convert the decimal result from the decimal encoding  example to hexadecimal.
    Decimal 2130706433 = Hex 7F000001
  3. Insert 0x in front of the number.
  4. Create the URL, yielding:

    http://0x7F000001/

ASCII Value encoding

Since individual characters in the URL can be represented by their equivalent ASCII decimal or hex value, the encoded characters can be applied to some or all of the characters in the URL. These ASCII encoded addresses cannot be used directly in the browser URL locator, but your browser decodes these obfuscated links correctly if used in a HTML page or HTML Spam message. For example, you can encode the URL for the Trustwave website, http://www.trustwave.com/, in the following progression to create a highly obfuscated URL:

  • In ASCII, the 'w' character can be represented by its hex value of %77 or its decimal value of &#119:

    http://%77%77&#119.trustwave.com/

  • The http part of the link can be encoded:

    ht%74p://w%77w.trustwave.com/

  • It is possible to apply the ASCII encoding on IP addresses already encoded in Octal, Decimal or Hexadecimal. For example, combining hex encoding with ASCII encoding, and applying to 127.0.0.1, can give the following highly obfuscated URL:

    ht%74p://0%787F0%300001/

Notes:

You can use the Microsoft Windows Calculator in Scientific mode to translate Decimal, Hex, Octal, and Binary.

This article was previously published as:
NETIQKB45792

To contact Trustwave about this article or to request support:


Rate this Article:
     
Tags:

Add Your Comments


Comment submission is disabled for anonymous users.
Please send feedback to Trustwave Technical Support or the Webmaster
.

Details
Article ID: 10537
Last Modified: 7/11/2008
Type: HOWTO
Rated 2 stars based on 20 votes.
Article has been viewed 12,195 times.
Options