Keyword botnet


So I got halfway through analysis of my first JavaScript obfuscation discovered via spam, when another came in, and then another! And then I realized -- these were sent from botnet-controlled mailers that were slipping past my no-DSL filters at Despammed. So how many were getting blocked?

Turns out, a lot. Like, a lot. So I'm going to have plenty of grist for this mill -- and the very fascinating thing is that it sure looks like there is a change in tactics each day. So I'm going to try to go back through older instances and hope that people haven't fixed their servers yet for some, and I'm going to put up some early warnings to tell me about new ones -- but this is truly, truly fun.

Each of these mails has a faux news headline as its subject: "Michael Vick escapes from Federal jail", or "Beijing Olympics canceled" (the one that first drew my attention). Then the body of the mail has a different headline, and a link.

Turns out that different headline is drawn from the same list. So I can check the Despammed.com spam archive (1.2 million spam emails on file at the moment) for other emails with that subject. And so on. This should allow me to build a database of subjects really, really easily. And then I can simply scan for those subjects to find new instances. If they select their headlines randomly (and I have no reason to believe they don't), this should allow me to find all their headlines and keep up with new ones at the same time. Fun!
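The subject/body pivot described above, as an added example that is not part of the original post: starting from one seed headline, every archived message whose subject or body headline is already known contributes its other half, and the loop repeats until nothing new turns up. The record layout, the `normalize` rule and every sample headline not quoted in the post are assumptions made here; the mini-archive is constructed inline and the real Despammed archive is not used.

```python
"""Expand a botnet spam headline list by pivoting between subject and body
headline across a spam archive, then flag mail and learn new headlines.

Added example, not code from the original post.  The archive below is a
constructed stand-in; two rows imitate ordinary mail that must stay out.
"""
import re
from collections import defaultdict

# Constructed sample archive: (subject, body_headline).  An empty body
# headline stands for ordinary mail with no pivot text.
SAMPLE_ARCHIVE = [
    dict(subject=s, body_headline=b) for s, b in [
        ("Beijing Olympics canceled", "Michael Vick escapes from Federal jail"),
        ("Michael Vick escapes from Federal jail", "Obama bribing countrymen"),
        ("Obama bribing countrymen", "McCain picks Osama bin Laden as VP"),
        ("McCain picks Osama bin Laden as VP", "Top stories"),          # assumed link
        ("Top stories", "Video News"),                                 # assumed link
        ("Meeting notes for Tuesday", ""),                             # legit mail
        ("Video news", "Beijing olympics canceled."),                  # case/punct variant
        ("Re: invoice", ""),                                           # legit mail
    ]
]


def normalize(headline):
    """Canonical matching form: trimmed, trailing punctuation dropped,
    whitespace collapsed, case-folded.  Assumed rule, not the post's."""
    return re.sub(r"\s+", " ", headline.strip().rstrip(".!?")).casefold()


def build_index(archive):
    """Map each normalized headline to every record it appears in,
    whether as the subject or as the body headline."""
    index = defaultdict(list)
    for rec in archive:
        for field in (rec["subject"], rec["body_headline"]):
            if field:
                index[normalize(field)].append(rec)
    return index


def expand_headlines(archive, seeds):
    """Fixed-point expansion: a record that matches a known headline on one
    side reveals the headline on its other side.  Returns a frozenset of
    normalized headlines reachable from the seeds."""
    index = build_index(archive)
    known = {normalize(s) for s in seeds}
    frontier = list(known)
    while frontier:
        for rec in index.get(frontier.pop(), ()):
            for field in (rec["subject"], rec["body_headline"]):
                n = normalize(field) if field else ""
                if n and n not in known:
                    known.add(n)
                    frontier.append(n)
    return frozenset(known)


def flag_campaign_mail(archive, headlines):
    """Return the archived records whose subject is a known campaign headline."""
    return [rec for rec in archive if normalize(rec["subject"]) in headlines]


def learn_from_message(subject, body_headline, headlines):
    """For one incoming message: if either half is already a known headline,
    the other half is a newly discovered one.  A message with no known half
    teaches nothing, so unrelated mail cannot poison the list."""
    pair = {normalize(f) for f in (subject, body_headline) if f}
    if not pair & headlines:
        return frozenset()
    return frozenset(pair - headlines)


if __name__ == "__main__":
    hs = expand_headlines(SAMPLE_ARCHIVE, ["Beijing Olympics canceled"])
    print(sorted(hs))
    print(len(flag_campaign_mail(SAMPLE_ARCHIVE, hs)), "of", len(SAMPLE_ARCHIVE), "records flagged")
    print(learn_from_message("Top stories", "Bush disbands Congress", hs))  # constructed headline
```

The expansion is transitive, so a single bad seed (or one legitimate message that happens to reuse a campaign phrase as its subject) pulls in everything connected to it; seeds should be vetted by hand, and `learn_from_message` deliberately requires one half of a message to be already known before the other half is accepted.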

Once I've got that coded, I'll post a database page in real time. [Updated to include link.] That will be even more fun. And then I can resume the de-obfuscation effort. Actually, I've dusted off some old project idea notes and started work on the monkeywrench to help me organize this stuff.

Note to anybody interested: the design philosophy of the monkeywrench is essentially a Hofstadter parallel terraced scan. But operated by a human (for now) in a workflow paradigm. I can sloooowly start to feel the various bits of my life coming together.


2008-08-03 botnet spam

Over the past couple of days as I datamined the Despammed spam archives for Storm botnet spam, I've grown to really enjoy their madcap subjects (latest here). But today?

Guys! "Obama bribing countrymen" or "McCain picks Osama bin Laden as VP" are hilarious! But "Video News"? "Top stories"? Come on! If you're going to hijack a million people's machines to spam us all, the least you can do is to continue to be entertaining about it. This? This is beneath you.

2008-08-11 botnet

If, like me, you've been wondering when the Storm people would do something new, your answer would have to be: an hour ago.

Here's the analysis for the new page, although I've just barely started.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.