Dword2url

From aldeid
Jump to navigation Jump to search

Description

DWORD based URLs are used by some malware to obfuscate the host. For example http://www.google.com could be represented as follows: http://3512046697. If you click on this latest, your browser will automatically point you to your favorite search engine.

How does that work?

Here is how a URL is obfuscated. First convert your host into IPv4:

$ nslookup somesite.com
Server:		8.8.8.8
Address:	8.8.8.8#53

Non-authoritative answer:
Name:	somesite.com
Address: 82.98.86.175

Then convert each number to hexadecimal:

Dec 82 98 86 175
Hex 52 62 56 af

The concatenation gives: 526256af

Convert it to decimal: 1382176431. That's it: http://1382176431

Proof of concept

dword2url

dword2url.py is a small python based script that:

  • converts DWORD based URLs to IPv4 based URLs
  • converts full URLs to obfuscated DWORD based URLS

Code

You can download it from packetstormsecurity.org here: http://packetstormsecurity.org/files/view/103943/dword2url.py.txt

#!/usr/bin/env python
# 20110811, Sebastien Damaye, www.aldeid.com

from urlparse import urlparse
from socket import gethostbyaddr

print """----- menu -----
1: dword -> url
2: url -> dword
3: quit
----------------"""
choice = raw_input("Choice: ")

if choice=="1":
    # DWORD->URL
    url = raw_input("DWORD to convert? Valid examples are\n http://1079984325/foo/bar or just 1079984325: ")
    scheme = urlparse(url).scheme
    host = urlparse(url).netloc
    path = urlparse(url).path
    if host == :
        # scheme not specified (http, https, ftp, ...) e.g. "1079984325"
        (scheme, host, path) = ('http', path, )
    hx = "%X" % int(host)
    ip = []
    for i in range(0, 4):
        ip.append(str(int(hx[i*2:i*2+2], 16)))
    print "==> %s://%s%s" % (scheme, ".".join(ip), path)

elif choice=="2":
    # URL->DWORD
    url = raw_input("URL to convert? (e.g. http://www.dword.com/foo/bar/): ")
    scheme = urlparse(url).scheme
    host = urlparse(url).netloc
    path = urlparse(url).path
    ip = gethostbyaddr(host)[2][0]
    print "==> %s resolves to: %s" % (host, ip)
    hx = 
    for i in ip.split('.'):
        if len("%X" % int(i))==1:
            hx += "0%X" % int(i)
        else:
            hx += "%X" % int(i)
    print "==> %s://%s%s" % (scheme, int(hx, 16), path)

elif choice=="3":
    print "Good bye!\n"

Demo

DWORD to URL

$ ./dword2url.py
----- menu -----
1: dword -> url
2: url -> dword
3: quit
----------------
Choice: 1
DWORD to convert? Valid examples are
 http://1079984325/foo/bar or just 1079984325: http://3512046698/download.jar
==> http://209.85.148.106/download.jar

A whois request provides us with the resolution:

$ whois -h whois.cymru.com 209.85.148.106
AS      | IP               | AS Name
15169   | 209.85.148.106   | GOOGLE - Google Inc.

URL to DWORD

$ ./dword2url.py
----- menu -----
1: dword -> url
2: url -> dword
3: quit
----------------
Choice: 2
URL to convert? (e.g. http://www.dword.com/foo/bar/): 
http://www.hackers.org/download.swf
==> www.hackers.org resolves to: 68.178.232.143
==> http://1152575631/download.swf

Comments