RSS

Dotted Decimal URL Obfuscation

20 May

Spamming with dotted decimal URL (a dotted decimal URL refers to the four-byte IP address notation as a sequence of four decimal numbers separated by dots) is one of the most often seen URL-obfuscation techniques employed by spammers. Unfortunately, to the computer, an IP address is just a 32-bit binary number, and a dotted decimal is just one out of the many numeral systems for IP address expression. With this flexibility in interpretation, spammers have developed a new way to obfuscate their URLs; they start converting their dotted decimal URLs into different numeral systems.

Below are some of the IP address numeral system obfuscation techniques Symantec has observed of spammers. (All of the samples below are just different numeral representations of the IP address for Symantec.com)

An IP address converted to hexadecimal format. (Hexadecimal is a base-16 numeral system.)

http://0xD80C9114
An IP address converted to dotted hexadecimal format.

http://0xD8.0x0C.0x91.0x14
An IP address converted to dotted octal format. (Octal is a base-8 numeral system.)

http://0330.0014.0221.0024
A combination of Hexadecimal and Octal

http://0xd8.000000014.0×9114
Previously, spammers only took advantage of hexadecimal obfuscation in their attacks.

However for the past few days, the number of “hexadecimal and octal” combination-obfuscation attacks have increased drastically.

Fortunately or unfortunately for the average email user, most Web browsers or email applications will translate these numeral encodings; furthermore, dotted decimal URLs are often associated with virus attacks. For this reason, end users should, as usual, not click on links to Web sites they are not familiar with.

Here are some best practices to try and limit the impact of spam attacks.

Be selective about the Web sites where you register your email address.
When entering personal or financial details online, ensure the Web site has SSL encryption (look for https, a padlock, or a green address bar).
Avoid clicking on suspicious links in email or IM messages as these may be links to spoofed Web sites. We suggest typing Web addresses directly in to the browser rather than relying upon links within your messages.
Always be sure that your operating system is up-to-date with the latest updates, and employ a comprehensive security suite. For details on Symantec’s offerings of protection, visit http://www.symantec.com.
Do not open unknown email attachments. These attachments could infect your computer.
Do not reply to spam. Typically the sender’s email address is forged, and replying may only result in more spam.
Do not fill out forms in messages that ask for personal or financial information or passwords. A reputable company is unlikely to ask for your personal details through email. When in doubt, contact the company in question through an independent, trusted mechanism, such as a verified telephone number, or a known Internet address that you type into a new browser window. Do not click or cut and paste from a link in the message.
Do not buy products or services from spam messages.
Do not open spam messages.
Do not forward any virus warnings that you receive through email. These are often hoaxes.

Thanks to Dylan Morss for contributed content.

Advertisements
 
Leave a comment

Posted by on May 20, 2011 in Information Security

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: