Hi users of NS and RP,
The boundaries between heavily obfuscated scamming ad code and non-benign code are blurring, and there might be reasons for some among us to block certain code from running in the browser. Here is a recent example: I tried to analyze the JavaScript file at Wepawet: http://wepawet.iseclab.org/view.php?has ... 82&type=js
See the remarks there:
jsunpack: http://jsunpack.jeek.org/dec/go?report= ... de0cbef424
I do think it is benign, as it is not flagged online, but there are scamming issues involved; see my report here:
and here:
http://www.virustotal.com/nl/analisis/4 ... 1276464623
link88.be is given as clean by URLVoid, but malcode was last seen there on 2010-06-08:
Yes, this site has hosted malicious software. It infected 8 domain(s), including haokan123.info/, sebaidu.net/, 174.139.140.0/. http://www.webboar.com/net/174.139.140.0/ Krypt Technologies
http://www.trustedsource.org/query/174.139.140.0/22
Notorious for scammer support: http://report-online-scams.com/blog/200 ... -scammers/
blacklisted spam site:
md5:e00da03b685a0dd18fb6a08af0923de0:139
md5:2ceea9830bba0a8263ab64cf60c08da9:139.140
md5:8ca6e4e0b315138540b0a6e32e445005:139.140.0
md5:824d74341835349209497cb8156e5763:139140
md5:0cc9e2292b3787fd9ade9ac8508ea00e:1391400
md5:1385974ed5904a438616ff7bdb3f7439:140
md5:ac9b657f0751dd78c0711f2154b0a531:140.0
md5:f0dd4a99fba6075a9494772b58f95280:1400
md5:bf8229696f7a3bb4700cfddef19fa23f:174
md5:19ef21b2d04edeeb99a459fcd3dcd82f:174.139
md5:4c63deea4ceaa8cb69814fbad9c452cd:174.139.140
md5:48c220ce3dd62135805752d63ecbec66:174.139.140.0
md5:45cebd2c93dd20220eec230189224feb:174139
md5:35272174eebeb5bacf885db2bc52ad15:174139140
md5:a64668c47331ac7ec11f814f9144439e:1741391400
So what is the policy: block the code outright because we do not know exactly what it is doing?
It is as with UPX: because some malcreants use it, heuristic scanners block it and only then start to analyze.
What do the others here have to say on the matter?
luntrus
Should we block potentially unwanted code..
Re: Should we block potentially unwanted code..
UPX is not really the right tool for code obfuscation, nor was it ever intended to be.