Should we block potentially unwanted code..

General discussion about the NoScript extension for Firefox
luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Should we block potentially unwanted code..

Post by luntrus »

Hi users of NS and RP,

The boundaries between heavily obfuscated scamming adcode and non-benign code are blurring, and there might be reasons for some among us to block certain code from running in the browser. Here is a recent example: I tried to analyze the JavaScript file at WepaWet: http://wepawet.iseclab.org/view.php?has ... 82&type=js
See the remarks there:
jsunpack: http://jsunpack.jeek.org/dec/go?report= ... de0cbef424

I do think it is benign as it is not flagged online, but there are scamming issues involved, see my report here:

and here:
http://www.virustotal.com/nl/analisis/4 ... 1276464623
link88.be is given as clean by URLVoid, but there was malcode there last on 2010-06-08
Yes, this site has hosted malicious software. It infected 8 domain(s), including haokan123.info/, sebaidu.net/, 174.139.140.0/. http://www.webboar.com/net/174.139.140.0/ Krypt Technologies
http://www.trustedsource.org/query/174.139.140.0/22
Notorious for scammer support: http://report-online-scams.com/blog/200 ... -scammers/
blacklisted spam site:

So what is the policy: block the code outright for the reason that we do not know exactly what it is doing?
It is as with UPX: because some miscreants use it, heuristic scanners block it and then start to analyze.

What do the others here have to say on the matter?

luntrus
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.16) Gecko/2010010414 Firefox/3.0.16 Flock/2.5.6
dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: Should we block potentially unwanted code..

Post by dhouwn »

UPX is not really the right tool for code obfuscation, nor was it ever intended to be.
Mozilla/5.0 (Windows; U; Windows NT 6.1; WOW64; en-US; rv:1.9.3a6pre) Gecko/20100615 Firefox/3.7