
Dissecting a spammer's spam script - jmadsen
https://jelleraaijmakers.nl/2016/04/dissecting-spammers-spam-script
======
tronje
Maybe I'm too naive, but I really don't get why people do this (the spamming,
not the dissecting). Whoever did this could probably land a nicely paying
programming job, no? Is spamming that lucrative or what's going on?

~~~
ryanlol
>Is spamming that lucrative or what's going on?

Yes, it is. There aren't that many programming jobs where you can easily make
500k+ a year.

For example, if you're phishing for credit cards with VBV info you might very
well get $20 or more per card when selling in bulk (or twice that if you
aren't). 10000 emails take a couple of minutes to send, and if you get a 1%
success rate that's $2000.

------
tmaly
I had a WordPress site hit with one of these attacks years back. I took it
apart to see how it worked. It was a pretty messy hack, but I give them credit
for working within the constraints they had.

------
bluedino
I've seen some code from vendors using ZendGuard and kind of wondered how it
worked - I'm assuming any dissections of their obfuscation algorithm or code
would be served a takedown notice real quick.

~~~
tyingq
Zend is more sophisticated than the techniques described in this story. It's
at the opcode level.

[http://xcon.xfocus.org/XCon2006/archieves/Darkne2s&A1rsupp1y...](http://xcon.xfocus.org/XCon2006/archieves/Darkne2s&A1rsupp1y-Decode_PHP_Zend.pdf)

Somewhat similar to what Dropbox does to obfuscate their Python client. They
provide a custom-built Python interpreter that uses a non-standard opcode
mapping, as well as "encrypting/decrypting" with a key hidden in the code.

~~~
gkya
Why would they not just provide it with no obfuscation, though? The essence of
their system is the server side anyways, why bother?

~~~
tyingq
Dropbox? My guess is that they are trying to protect the "tray login" thing
where the client runs without prompting you for your Dropbox credentials, but
that's just a guess.

There's an article about the reverse engineering of the client here:
[http://www.techrepublic.com/blog/it-security/researchers-rev...](http://www.techrepublic.com/blog/it-security/researchers-reverse-engineer-the-dropbox-client-what-it-means/)

------
batat
That was pretty straightforward. Check this
[http://ideone.com/VImf2v](http://ideone.com/VImf2v) :)

