Some malware distributors use hex
encoding to install software on
other people's computers.
That is to say, they hide what
they've done to compromise your
web page by disguising their intrusion
as hex-encoded text.
Hex is hexadecimal. It is a base
16 number system.
You can read more about hexadecimal here:
Wikipedia hexadecimal article
In order to make the hexadecimal
readable, you need to decode the
hexadecimal somehow.
Decoding the hexadecimal can be
helpful as malware URLs are often
encoded in hexadecimal. Not always,
but often.
A malware URL is simply an address.
It is the address of a bad, very bad,
website. It's bad because it does
bad things to your computer.
One way to read the hexadecimal is
with a hexadecimal decoder. Here's
a decoder I've used:
Hexadecimal decoder
Note that hexadecimal decoders are
also called hexadecimal translators
or just hex translators.
To use one, you place your hexadecimal
encoded URL in the hexadecimal window.
Next, you press the button.
Last, you look to see what the hexadecimal
encoded URL looks like in the text window.
Here are the steps again:
- Find yourself a hex decoder on the web.
- Copy and paste the hexadecimal into the hex window.
- Press the decode button.
- Look for the text window.
- Read the web address of the bad guys in the text
window. There's where you will find their web address decoded.
Let me take a step backward here. Here's
the code the hexadecimal is likely to appear
inside of:
<script language="javascript">
document.write( unescape( 'Note: This part is fake! Hex appears here!' ) );
</script>
See the single quotes? The hexadecimal would
appear between the single quotes where my
fake message is.
Look for the above code, or something similar, if
you feel that your website has been compromised by
someone trying to install malware on other people's
computers.
A good place to start looking for hex encoded URLs is
the bottom of the web page.
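
The decoding steps above can also be done offline, without pasting anything into a website. The following is an added example, not code from the original post: it searches page source for unescape('...') calls like the one shown above and decodes the hex as plain text, never running the script. The sample page and its example.invalid address are constructed for illustration, and the function names are assumptions of this example.

```javascript
// Added example: find unescape('...') calls in page source and decode the
// percent-hex argument as text. Nothing from the page is ever executed.

// Decode %XX and %uXXXX escapes the way the legacy unescape() does.
function decodePercentHex(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (match, u, h) => String.fromCharCode(parseInt(u || h, 16)));
}

// Return one finding per unescape('...') call whose argument contains hex.
function findEncodedPayloads(html) {
  const call = /unescape\s*\(\s*(['"])((?:(?!\1).)*)\1\s*\)/g;
  const findings = [];
  let m;
  while ((m = call.exec(html)) !== null) {
    const encoded = m[2];
    // Skip calls with ordinary text between the quotes (no hex escapes).
    if (!/%(u[0-9a-fA-F]{4}|[0-9a-fA-F]{2})/.test(encoded)) continue;
    const decoded = decodePercentHex(encoded);
    findings.push({
      offset: m.index,                                   // where the call starts
      decoded,                                           // readable text
      urls: decoded.match(/https?:\/\/[^\s"'<>]+/g) || [] // addresses found in it
    });
  }
  return findings;
}

// Constructed sample page. The hex spells a harmless placeholder address.
const samplePage = [
  '<html><body><p>Welcome to my site</p>',
  '<script language="javascript">',
  "document.write( unescape( '%68%74%74%70%3a%2f%2f%62%61%64%2e%65%78" +
    "%61%6d%70%6c%65%2e%69%6e%76%61%6c%69%64%2f' ) );",
  '</script>',
  '</body></html>'
].join('\n');

for (const f of findEncodedPayloads(samplePage)) {
  console.log('unescape() call at offset', f.offset);
  console.log('decoded text:', f.decoded);
  console.log('addresses:', f.urls.join(', '));
}
```
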
Be aware that this is not the only way to do this. I'm
just showing you one example, one way, of mis-directing
your web visitors to a bad-guy website.
Unfortunately, the bad guys are endlessly clever. Tricky
people are tricky for a reason. They spend a lot of
wasted time thinking and scheming and trying to do evil.
To me, this is a wasted life. If not totally wasted,
pretty close.
More later.
Ed Abbott