This code was found in an online signature. It was malicious and if run, it would delete data. The monks may be surprised to learn how code can be obfuscated to appear innocent, but actually be dangerous. Go here to see the code and an explanation of what it does.

Re: Malicious Code
by cog (Parson) on Apr 19, 2005 at 09:24 UTC
    Interesting... if it weren't for the fact that it is old news!!!

    I used that very same code last year in both Belfast and London, in my Perl Black Magic talk.

    And IIRC, that code was already old news when I used it.

Re: Malicious Code
by zentara (Archbishop) on Apr 19, 2005 at 21:03 UTC
    You might find this instructive, it was a comment by John Krahn, about this obfu.
    # krahn
    # Just change the "s;;$_;see" at the end to "print" to
    # see the command as it really is
    perl -le '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y; -/:-@[-`{-};`-{/" -;; +print'

    I'm not really a human, but I play one on earth. flash japh
Re: Malicious Code
by hubb0r (Pilgrim) on Apr 23, 2005 at 05:37 UTC
    Ok, so I've read the talk on obfuscation where the offending code is explained, and I do understand the basic s/// and y// parts of the code, but can someone explain how that translates into a system "rm -f /" call?? I don't see the connection, although obviously it does.

      The key is the y///. The code simplifies into this:

      $_ = '=]=>%-{<-|}<&|`{'; y/ -\/:-@[-`{-}/`-{~" -/;

      The y operator is the same thing as the tr operator. The mapping looks like this:

       -/:-@[-` ---> `-{~
      {-}       ---> " -

      That's the range of space through forward-slash, concatenated with the range of colon through at-sign, and left-square-bracket through backquote, maps onto the range from ` to left-curly-bracket, plus the tilde character. If we check the ASCII character set, we can simplify this into:

       -/  ---> `-o
      :-@  ---> p-v
      [-`  ---> w-{~
      {    ---> "
      |    ---> space
      }    ---> -

      So now, we can rewrite this as:

      $_ = '=]=>%-{<-|}<&|`{';
      tr/!-\//a-o/;
      tr/:-@/p-v/;
      tr/[-^/w-z/;
      tr/`/~/;
      tr/{/"/;
      tr/|/ /;
      tr/}/-/;
      print;

      It's just a sneaky way to map punctuation characters into alphabet letters.
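
An added example, not part of the thread: a Perl script that expands the two y/// lists from the reply above one character at a time and applies the mapping to the payload as plain data, so the hidden string is printed and never evaluated. The helper names `expand_list` and `decode` are made up for this illustration.

```perl
use strict;
use warnings;

# Expand a tr///-style list (ranges like "a-f", escapes like "\/") into characters.
sub expand_list {
    my ($spec) = @_;
    my @tok;
    # Tokenise first so an escaped character counts as one literal: [char, was_escaped].
    push @tok, defined $1 ? [$1, 1] : [$2, 0] while $spec =~ /\G(?:\\(.)|(.))/gs;
    my @out;
    while (@tok) {
        my $lo = shift @tok;
        if (@tok >= 2 && !$tok[0][1] && $tok[0][0] eq '-') {   # "lo-hi" range
            my $hi = $tok[1][0];
            splice @tok, 0, 2;
            push @out, map { chr($_) } ord($lo->[0]) .. ord($hi);
        } else {
            push @out, $lo->[0];             # literal, including a trailing "-"
        }
    }
    return @out;
}

# Apply the mapping to a string without evaluating the result.
sub decode {
    my ($text, $from, $to) = @_;
    my @from = expand_list($from);
    my @to   = expand_list($to);
    @to = @from unless @to;                   # empty replacement: characters map to themselves
    push @to, $to[-1] while @to < @from;      # short replacement is padded with its last char
    my %map;
    $map{ $from[$_] } //= $to[$_] for 0 .. $#from;   # first mapping wins, as in tr
    return join '', map { $map{$_} // $_ } split //, $text;
}

# Payload and lists as written in the reply above; single quotes, so nothing interpolates.
my $payload = '=]=>%-{<-|}<&|`{';
my $from    = ' -\/:-@[-`{-}';
my $to      = '`-{~" -';

printf "search list: %d chars, replacement list: %d chars\n",
    scalar(() = expand_list($from)), scalar(() = expand_list($to));
my %seen;
for my $ch (grep { !$seen{$_}++ } split //, $payload) {
    printf "  '%s' -> '%s'\n", $ch, decode($ch, $from, $to);
}
print "decoded (not executed): ", decode($payload, $from, $to), "\n";
```

The per-character table it prints makes the punctuation-to-letter mapping visible for exactly the characters the payload uses.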

Re: Malicious Code
by BUU (Prior) on Apr 18, 2005 at 23:06 UTC
    Holy cow! People can write code that deletes data! Thank you for bringing this to our attention, I never would have thought of deleting data with code!
      Don't be an ass. If the OP's post prevents one person from running obfu without understanding it, then it was worth it.


      Feel the white light, the light within
      Be your own disciple, fan the sparks of will
      For all of us waiting, your kingdom will come

        /me reads box of matches "do not light and then poke in eye"....sure glad they pointed that out.

        Really I agree though. I just wish people didn't need such things pointed out.

        Eric Hodges
      A real obfu would be data that deletes code!

        IN SOVIET UNI . . . ah, never mind.

      Yep... and I always try out mysterious obfus by running them as root. :-)