A String of Numbers before a web address in a URL link (SPAM)

Any networking guy is well aware that an IP address can be used in the place of a domain name in a link.

http://173.194.196.138 for example, will take you to www.google.com

Did you know, however, that the IP address itself in a link can also be represented in different ways?

For example, as a single DWORD integer value. If I convert that Google IP address to a decimal number, I get this: 2915222666. Now if you were to click on http://2915222666, it would also take you to Google’s homepage, just like the other two links above.

To most people, that would not look like a valid link to anything, but it is. There are also plenty of other valid ways to represent an IP address in a link, and this is no new trick: I read all about it on this site, which was apparently written in 1999.

The reason I discovered all this is a link in a spam/malware email sent to some users at work. The link was along the lines of this: http://[ten digit number]/wwwdotrealwebsitedotcom/mail. Keep in mind, the email made no attempt beyond this to mask the link. It was not hidden until you hovered over it, or anything like that. It even “helpfully” included a fully written-out version of the link for users having trouble, to copy and paste into the browser.

It claimed to be a link to an encrypted email message, so the strange URL seemed almost plausible.

The link really led out to the IP address represented by that ten digit number, and not to the real, unrelated domain included in the link. The malware website was clearly designed to have the valid URL included in its address, but hid the real destination (the IP address) behind that DWORD integer. The link led to a Russian-owned IP address that tried to download a Trojan disguised as an MS Word compatibility pack.
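The conversion described above (dotted quad to DWORD) and the spam link shape (a bare integer host followed by a look-alike path) are easy to check for in code. Here is an added example of mine, not code from the original post, that turns any legacy IPv4 literal back into its dotted-quad form so a mail filter or log review can see where a link actually points. It goes a little beyond the post by also handling the hex and octal spellings the 1999 page describes, which browsers still accept. The sample links are constructed for this example; 173.194.196.138 and 2915222666 are the values from the post.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample links for this example (not real spam samples).
SAMPLE_LINKS = [
    "http://173.194.196.138/",                        # plain dotted quad
    "http://2915222666/",                             # same address as a DWORD
    "http://0xADC2C48A/",                             # same address in hex
    "http://0255.0302.0304.0212/",                    # same address in octal
    "http://2915222666/wwwdotrealwebsitedotcom/mail", # shape of the spam link
    "http://www.example.com/",                        # assumed ordinary hostname
]

_PART = re.compile(r"0[xX][0-9a-fA-F]*|[0-9]+")


def _parse_part(part: str) -> int:
    """Read one host component the way classic inet_aton does:
    0x prefix = hex, leading 0 = octal, otherwise decimal."""
    if part.lower().startswith("0x"):
        return int(part[2:], 16) if len(part) > 2 else 0
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def normalize_ipv4_host(host: str):
    """Return the dotted-quad form of host if it is any legacy IPv4 literal
    (dotted, DWORD, hex, octal, or a mix of 1 to 4 parts); None otherwise."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.fullmatch(p) for p in parts):
        return None
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:          # e.g. "08" is not valid octal
        return None
    # The last component absorbs every remaining byte: one part is a full
    # 32-bit DWORD, two parts are a.bbb (24-bit tail), three parts a.b.cc.
    leading, last = values[:-1], values[-1]
    if any(v > 255 for v in leading):
        return None
    tail_bits = 8 * (4 - len(leading))
    if last >= 1 << tail_bits:
        return None
    number = 0
    for v in leading:
        number = (number << 8) | v
    number = (number << tail_bits) | last
    return str(ipaddress.IPv4Address(number))


def ipv4_to_dword(dotted: str) -> int:
    """The arithmetic from the post: a.b.c.d -> a*2^24 + b*2^16 + c*2^8 + d."""
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def classify_link(url: str) -> dict:
    """Describe a link's host: its canonical IP (if it is an IP literal) and
    whether the IP was written in a form other than the familiar dotted quad."""
    host = urlsplit(url).hostname or ""
    canonical = normalize_ipv4_host(host)
    return {
        "url": url,
        "host": host,
        "canonical_ip": canonical,
        # A non-dotted IP literal is a strong hint the author wants to hide the destination.
        "obfuscated_ip": canonical is not None and canonical != host,
    }


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        info = classify_link(link)
        flag = "OBFUSCATED" if info["obfuscated_ip"] else "ok"
        print(f"{flag:10} {info['host']:>22} -> {info['canonical_ip']}  {link}")
```

Note that `ipaddress.ip_address("2915222666")` raises `ValueError`, so the standard library alone will not catch the DWORD form; the explicit parser above is what makes the decimal, hex and octal spellings comparable to a blocklist or to the dotted address users expect to see.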

I normally have a very sharp eye when it comes to spotting bullshit URLs and other things like this. So the fact that this one looked weird to me but didn’t set off any alarm bells right away could have been a very bad thing, and this bothered me.

After my research, I now have a much better understanding of an older, somewhat sophisticated technique for masking where a bullshit link really leads. I wanted to share that information in one place, in a hopefully easier-to-find way.

Maybe this was just a weird fluke, or maybe we are going to start to see more attacks like this.


PeerBlock

Been meaning to post this for a couple of weeks. This is a quick follow-up to my previous post about PeerGuardian. I learned not too long after, from reading on Wikipedia, that PeerGuardian was no longer supported by its creators; I also noticed it wasn’t really getting any of the blacklists.

The creators of PeerGuardian are now supporting a program called PeerBlock. To me, it looks and functions exactly as PeerGuardian does (and rightfully so, as it is designed with PeerGuardian as its base). The lists actually update with this software, so this is the software to get. The only thing is, now that the blocking is actually working, I found myself quickly turning off the HTTP/HTTPS filtering. The program wanted to block a popular site that is known for not giving out the IPs of its users. Let’s call it “The Swashbuckler’s Cove”.

Anyway, everything I said in the previous post should just be applied to this software, PeerBlock. You can download it here.

-Dave out

PeerGuardian

EDIT 6/18/2010: You should be looking for a program called PeerBlock, not PeerGuardian. See this post for more details.

I learned about this program from an acquaintance at work during a discussion about BitTorrent this week. I have the program, which is open-source freeware, downloaded and installed as I type this.

What is it? From their site:

PeerGuardian 2 is Phoenix Labs’ premier IP blocker for Windows. PeerGuardian 2 integrates support for multiple lists, list editing, automatic updates, and blocking all of IPv4 (TCP, UDP, ICMP, etc), making it the safest and easiest way to protect your privacy on P2P.

The program runs in the background and uses few resources. It acts as a firewall, but, as its creators mention on the FAQ page, it should not be treated as a replacement for traditional security software. PeerGuardian, as the name suggests, is designed primarily to protect your privacy on file-sharing P2P networks, such as the almighty BitTorrent protocol.

While installing, you have the simple choice of blocking items based on “lists”. Some examples include P2P (which is checked by default), adware, malware, and government. Each of these refers to a list created and maintained by the program’s creators to give PeerGuardian a blacklist/whitelist.

You can configure PeerGuardian to check for updates to these lists, as well as to the software itself, daily, weekly, or whenever you feel like it, really. You can also create your own custom lists. The software also blocks HTTP/HTTPS by default. This can be disabled, but I have yet to notice it interfere with any of my standard surfing.

I have just started using the software, but it seems to be a really good thing to install, especially on a computer used for less-than-legal activities. But there are plenty of legitimate uses for this software, and it is not by itself illegal. It looks, however, to be available only for Windows platforms.

Phoenix Labs PeerGuardian 2

-Dave out