Dword2url
Description
DWORD-based URLs are used by some malware to obfuscate the host. For example, http://www.google.com could be represented as http://3512046697. If you click on the latter, your browser will automatically take you to your favourite search engine.
How does that work?
Here is how a URL is obfuscated. First, resolve the host to its IPv4 address:

```
$ nslookup somesite.com
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   somesite.com
Address: 82.98.86.175
```
Then convert each number to hexadecimal:
| Dec | 82 | 98 | 86 | 175 |
|---|---|---|---|---|
| Hex | 52 | 62 | 56 | af |
The concatenation gives: 526256af

Convert it to decimal: 1382176431. That's it: http://1382176431
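The same conversion in both directions, plus a defender-side pass over log lines that flags URLs whose host is a bare DWORD and rewrites them to dotted-quad form for review. This is an added Python 3 example, not the page's dword2url.py: the sample log lines are constructed, and the helper names (ip_to_dword, dword_to_ip, normalize_url, find_dword_urls) are this example's own. It uses the standard library's ipaddress module for the byte packing instead of hand-built hex strings, and treats any value above 2^32-1 as not a DWORD.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample proxy log (not from the original page); the two numeric
# hosts are the page's own examples 1382176431 and 3512046698.
SAMPLE_LOG = """\
2011-08-11T10:00:01 GET http://1382176431/ 200
2011-08-11T10:00:02 GET http://somesite.com/index.html 200
2011-08-11T10:00:03 GET http://3512046698/download.jar 200
2011-08-11T10:00:04 GET http://82.98.86.175/foo 404
"""

URL_RE = re.compile(r"https?://\S+")


def ip_to_dword(ip):
    """Dotted quad -> 32-bit integer, e.g. 82.98.86.175 -> 1382176431.

    ipaddress packs the four octets big-endian, which is exactly the
    hex-concatenation step described above, and range-checks each octet.
    """
    return int(ipaddress.IPv4Address(ip))


def dword_to_ip(dword):
    """32-bit integer -> dotted quad, e.g. 3512046698 -> 209.85.148.106.

    Values outside 0..2**32-1 raise ValueError: they do not fit a DWORD.
    """
    if not 0 <= dword <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit value: %d" % dword)
    return str(ipaddress.IPv4Address(dword))


def normalize_url(url):
    """Return the URL with a DWORD host rewritten as a dotted quad, or None
    when the host is not a bare decimal number (nothing to undo).

    A scheme-less input such as '1079984325/foo' is assumed to be http,
    mirroring the page's "just 1079984325" case.
    """
    if "://" not in url:
        url = "http://" + url
    try:
        parts = urlsplit(url)
        host = parts.hostname
        if not host or not host.isdigit():
            return None
        ip = dword_to_ip(int(host))
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    netloc = ip if port is None else "%s:%d" % (ip, port)
    return parts._replace(netloc=netloc).geturl()


def find_dword_urls(log_text):
    """Scan log lines for URLs whose host is a DWORD and return
    (line_number, original_url, normalized_url) tuples for review.
    Dotted-quad and hostname URLs are left alone.
    """
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for url in URL_RE.findall(line):
            fixed = normalize_url(url)
            if fixed is not None:
                hits.append((lineno, url, fixed))
    return hits


if __name__ == "__main__":
    for lineno, url, fixed in find_dword_urls(SAMPLE_LOG):
        print("line %d: %s -> %s" % (lineno, url, fixed))
```

Run stand-alone, the block reports lines 1 and 3 of the constructed log. The scan only recognises hosts that are entirely decimal digits, which is the representation this page describes; a host that is already a dotted quad, or a real hostname, is reported as-is.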
Proof of concept
dword2url
dword2url.py is a small Python-based script that:
- converts DWORD-based URLs to IPv4-based URLs
- converts full URLs to obfuscated DWORD-based URLs
Code
You can download it from packetstormsecurity.org here: http://packetstormsecurity.org/files/view/103943/dword2url.py.txt
```python
#!/usr/bin/env python
# 20110811, Sebastien Damaye, www.aldeid.com
from urlparse import urlparse
from socket import gethostbyaddr

print """----- menu -----
1: dword -> url
2: url -> dword
3: quit
----------------"""
choice = raw_input("Choice: ")

if choice == "1":
    # DWORD->URL
    url = raw_input("DWORD to convert? Valid examples are\n http://1079984325/foo/bar or just 1079984325: ")
    scheme = urlparse(url).scheme
    host = urlparse(url).netloc
    path = urlparse(url).path
    if host == "":
        # scheme not specified (http, https, ftp, ...) e.g. "1079984325"
        (scheme, host, path) = ('http', path, '')
    # zero-pad to 8 hex digits so small DWORDs still split into 4 octets
    hx = "%08X" % int(host)
    ip = []
    for i in range(0, 4):
        # each pair of hex digits is one octet
        ip.append(str(int(hx[i*2:i*2+2], 16)))
    print "==> %s://%s%s" % (scheme, ".".join(ip), path)

elif choice == "2":
    # URL->DWORD
    url = raw_input("URL to convert? (e.g. http://www.dword.com/foo/bar/): ")
    scheme = urlparse(url).scheme
    host = urlparse(url).netloc
    path = urlparse(url).path
    # gethostbyaddr() also accepts a hostname; [2] is the address list
    ip = gethostbyaddr(host)[2][0]
    print "==> %s resolves to: %s" % (host, ip)
    hx = ""
    for i in ip.split('.'):
        # each octet becomes exactly two hex digits
        if len("%X" % int(i)) == 1:
            hx += "0%X" % int(i)
        else:
            hx += "%X" % int(i)
    print "==> %s://%s%s" % (scheme, int(hx, 16), path)

elif choice == "3":
    print "Good bye!\n"
```
Demo
DWORD to URL
```
$ ./dword2url.py
----- menu -----
1: dword -> url
2: url -> dword
3: quit
----------------
Choice: 1
DWORD to convert? Valid examples are
 http://1079984325/foo/bar or just 1079984325: http://3512046698/download.jar
==> http://209.85.148.106/download.jar
```
A whois request provides us with the resolution:
```
$ whois -h whois.cymru.com 209.85.148.106
AS      | IP               | AS Name
15169   | 209.85.148.106   | GOOGLE - Google Inc.
```
URL to DWORD
```
$ ./dword2url.py
----- menu -----
1: dword -> url
2: url -> dword
3: quit
----------------
Choice: 2
URL to convert? (e.g. http://www.dword.com/foo/bar/): http://www.hackers.org/download.swf
==> www.hackers.org resolves to: 68.178.232.143
==> http://1152575631/download.swf
```