
1247: "The Mother of All Suspicious Files"

Posted: Mon Aug 05, 2013 5:02 am UTC
by alvinhochun

Title text: Better change the URL to 'https' before downloading.

An all-caps URL always looks strange. It appears to be back to the old DOS days (though not mine).

Anyone notice there seems to be a mark below "DOCX"?

Re: 1247: "The Mother of All Suspicious Files"

Posted: Mon Aug 05, 2013 5:04 am UTC
by rhomboidal
Still, it doesn't have "setup", so I'm assuming it's safe...

Re: 1247: "The Mother of All Suspicious Files"

Posted: Mon Aug 05, 2013 5:05 am UTC
by moocow2024
I believe it is actually a Ç.

Re: 1247: "The Mother of All Suspicious Files"

Posted: Mon Aug 05, 2013 5:07 am UTC
by Ailina
alvinhochun wrote:Anyone notice there seems to be a mark below "DOCX"?

I'm pretty sure it's a cedilla.

Re: 1247: "The Mother of All Suspicious Files"

Posted: Mon Aug 05, 2013 5:09 am UTC
by alvinhochun
[joke]So, this file has to be suspicious because of the malformed "DOCX".[/joke]

Re: 1247: "The Mother of All Suspicious Files"

Posted: Mon Aug 05, 2013 5:11 am UTC
by asdfzxc
Every now and then Google image search gives me a PNG with some ridiculously long URL ending in either .php or a /. I do not have any idea how the hell Firefox (or Windows, for that matter) even identifies it as an image.

Also, that's a ç in the file name.

Re: 1247: "The Mother of All Suspicious Files"

Posted: Mon Aug 05, 2013 5:17 am UTC
by sbkp
My next door neighbor downloads this file about every week or so.

Re: 1247: "The Mother of All Suspicious Files"

Posted: Mon Aug 05, 2013 5:18 am UTC
by alvinhochun
asdfzxc wrote:Every now and then Google image search gives me a PNG with some ridiculously long URL ending in either .php or a /. I do not have any idea how the hell Firefox (or Windows, for that matter) even identifies it as an image.

Because browsers identify file type using the "Content-type" HTTP header in the first place, not mainly by the "file extension".
Something like this

Re: 1247: "The Mother of All Suspicious Files"

Posted: Mon Aug 05, 2013 5:19 am UTC
by pgn674
Here it is written out:

HTTPS://65.222.202.53/~TILDE/PUB/CIA-BIN/ETC/INIT.DLL?FILE=__AUTOEXEC.BAT.MY%20OSX%20DOCUMENTS-INSTALL.EXE.RAR.INI.TAR.DOÇX.PHPHPHP.XHTML.TML.XTL.TXXT.0DAY.HACK.ERS_(1995)_BLURAY_CAM-XVID.EXE.TAR.[SCR].LISP.MSI.LNK.ZDA.GNN.WRBT.OBJ.O.H.SWF.DPKG.APP.ZIP.TAR.TAR.CO.GZ.A.OUT.EXE

Re: 1247: "The Mother of All Suspicious Files"

Posted: Mon Aug 05, 2013 5:25 am UTC
by Mego
Vienna, Virginia, for everyone wondering.

EDIT: Verizon Business... Makes me wonder exactly who this is.

Re: 1247: "The Mother of All Suspicious Files"

Posted: Mon Aug 05, 2013 5:29 am UTC
by sehkzychic
C'mon Randall, you're better than this. Or am I missing the point of the joke here? It seems like the joke is "Hey, this file is clearly malware. How clearly? Well, it's so obvious that it is *totally* obvious." Is there more that I'm missing, or is it just a list of a bunch of indicators of questionable files strung together? Are we supposed to laugh at the fact that such a file would exist, even though it's unlikely it does; or is it that someone would download it, even though the only people who would are people so unused to computers that it's not really sporting to make fun of them for it? Please Randall...be funny again! Give me some raptor-paranoia! Or maybe more Beyonce-Sauron mashups! Or just make it crazy-weird and have BHG riding the red spiders into battle against the crew of Serenity!

Love,

(1/n)(The Internet) *

* Where n is an integer between 7,000,000,000 and 1

Re: 1247: "The Mother of All Suspicious Files"

Posted: Mon Aug 05, 2013 5:30 am UTC
by chernobyl
Cool, I'm going to use this name for all my email attachments!

Re: 1247: "The Mother of All Suspicious Files"

Posted: Mon Aug 05, 2013 5:37 am UTC
by goakley
65.222.202.53


That was clever; I almost missed that. Well played...

Re: 1247: "The Mother of All Suspicious Files"

Posted: Mon Aug 05, 2013 5:38 am UTC
by sonoftunk
The IP address in question is related to a current event.

Spoiler:
Every Freedom Hosting website went down simultaneously at around 6:40am ET on Saturday morning, about the same time news of Marques’s arrest hit the Internet. If and when the websites have returned since the downtime, many have been infected with Javascript exploits that may be able to identify visitors by grabbing a user’s cookies, logins, and IP address to send “home”—which, in this case, is the Verizon-owned IP address 65.222.202.53. The previously unknown exploit only affects Firefox version 17, which is exactly the version Tor uses.
http://www.dailydot.com/news/eric-marques-tor-freedom-hosting-child-porn-arrest/


Unsurprisingly the file does not exist, but does make for a good DDoSbR (DDoS by Randall).

Spoiler:

HTTP://65.222.202.53/~TILDE/PUB/CIA-BIN/ETC/INIT.DLL?FILE=__AUTOEXEC.BAT.MY%20OSX%20DOCUMENTS-INSTALL.EXE.RAR.INI.TAR.DOÇX.PHPHPHP.XHTML.TML.XTL.TXXT.0DAY.HACK.ERS_(1995)_BLURAY_CAM-XVID.EXE.TAR.[SCR].LISP.MSI.LNK.ZDA.GNN.WRBT.OBJ.O.H.SWF.DPKG.APP.ZIP.TAR.TAR.CO.GZ.A.OUT.EXE

Re: 1247: "The Mother of All Suspicious Files"

Posted: Mon Aug 05, 2013 5:54 am UTC
by Quicksilver
No pr0n in the title? Looks legit.

Re: 1247: "The Mother of All Suspicious Files"

Posted: Mon Aug 05, 2013 7:16 am UTC
by chridd
It's an exe. I don't have to worry about it since I have a Mac.

Re: 1247: "The Mother of All Suspicious Files"

Posted: Mon Aug 05, 2013 7:36 am UTC
by rvloon
It would have been more fun if it had some reference to a yet-unreleased movie or something with naked-molpy-on-bicycle in the URL somewhere. Oh, and don't forget about [HDTV]-720p.

Ronald

Re: 1247: "The Mother of All Suspicious Files"

Posted: Mon Aug 05, 2013 7:41 am UTC
by Arky
It's kind of a shame that IP address doesn't redirect to an Easter Egg. Ah well.

Re: 1247: "The Mother of All Suspicious Files"

Posted: Mon Aug 05, 2013 8:02 am UTC
by Wooloomooloo
rvloon wrote:It would have been more fun if it had some reference to a yet-unreleased movie or something with naked-molpy-on-bicycle in the URL somewhere. Oh, and don't forget about [HDTV]-720p.

Oh, but it does reference a movie - the 1995 "Hackers" - whatever the relation with the news about the arrest of the IP-referenced other "hacker" may or may not be. And considering the release date, the "xvid" / "cam" bits are probably more appropriate than the 720p, even if bluray IS mentioned too... :lol:

Re: 1247: "The Mother of All Suspicious Files"

Posted: Mon Aug 05, 2013 8:16 am UTC
by rivulatus
Am I the only one who is sad that it doesn't link to a web site?
Someone should set it up as something.

Re: 1247: "The Mother of All Suspicious Files"

Posted: Mon Aug 05, 2013 8:17 am UTC
by JimsMaher
Does this mean that the "corrupt" file I'm downloading won't be "corrupted"?

https://en.wikipedia.org/wiki/HTTP_Secure

Re: 1247: "The Mother of All Suspicious Files"

Posted: Mon Aug 05, 2013 8:44 am UTC
by hwillis19
Since when did malware developers code in LISP..?

Reminds me of the malware sharing service that was Kazaa. Rule #255 of the Internet: if you mash enough porn keywords into the filename, they won't notice the executable file extension...

Re: 1247: "The Mother of All Suspicious Files"

Posted: Mon Aug 05, 2013 9:04 am UTC
by PinkShinyRose
chridd wrote:It's an exe. I don't have to worry about it since I have a Mac.


There is a Wine version for Mac OS too, right? You could try that, maybe they made it Wine-on-Mac-OS compatible?

Re: 1247: "The Mother of All Suspicious Files"

Posted: Mon Aug 05, 2013 9:29 am UTC
by StClair
Seems legit.

Re: 1247: "The Mother of All Suspicious Files"

Posted: Mon Aug 05, 2013 9:32 am UTC
by Synthetica
http://xkcd.com/272/, just replace "anti" with ""

Re: 1247: "The Mother of All Suspicious Files"

Posted: Mon Aug 05, 2013 9:42 am UTC
by Shakleton
Relevant make-my-URL-more-shady-looking-link:
http://www.shadyurl.com/

or, of course, the link applied to itself:
http://5z8.info/like-a-rose-for-emily-b ... ARD-XFER--

Re: 1247: "The Mother of All Suspicious Files"

Posted: Mon Aug 05, 2013 9:52 am UTC
by JOBGG
Shady urls turned www.xkcd.com into http://5z8.info/instant-purchase_i0v5rq_asian-brides
I honestly like that site.

Re: 1247: "The Mother of All Suspicious Files"

Posted: Mon Aug 05, 2013 10:14 am UTC
by Klear
Quicksilver wrote:No pr0n in the title? Looks legit.


My thoughts exactly.

I especially like the BLURAY_CAM-XVID bit.

Re: 1247: "The Mother of All Suspicious Files"

Posted: Mon Aug 05, 2013 10:29 am UTC
by filecore
chridd wrote:It's an exe. I don't have to worry about it since I have a Mac.


Don't worry, you're covered:

The malicious exe wrote:HTTPS://65.222.202.53/~TILDE/PUB/CIA-BIN/ETC/INIT.DLL?FILE=__AUTOEXEC.BAT.MY%20OSX%20DOCUMENTS-INSTALL.EXE.RAR.INI.TAR.DOÇX.PHPHPHP.XHTML.TML.XTL.TXXT.0DAY.HACK.ERS_(1995)_BLURAY_CAM-XVID.EXE.TAR.[SCR].LISP.MSI.LNK.ZDA.GNN.WRBT.OBJ.O.H.SWF.DPKG.APP.ZIP.TAR.TAR.CO.GZ.A.OUT.EXE


Other amusing bits include ~TILDE, CIA-BIN instead of CGI-BIN, the typoed PHPHPHP, the reference to Hackers (1995), the way he makes each part of the URI link to each other part... there is so much nerd comedy gold in this URL that I don't want to try and explain every single in-joke!

Re: 1247: "The Mother of All Suspicious Files"

Posted: Mon Aug 05, 2013 10:44 am UTC
by MrPotatoJunior
chridd wrote:It's an exe. I don't have to worry about it since I have a Mac.


Funny how you feel like you're safe from malware when you're using an OS that is malware by itself.

Re: 1247: "The Mother of All Suspicious Files"

Posted: Mon Aug 05, 2013 11:17 am UTC
by Kredal
pgn674 wrote:Here it is written out:

HTTPS://65.222.202.53/~TILDE/PUB/CIA-BIN/ETC/INIT.DLL?FILE=__AUTOEXEC.BAT.MY%20OSX%20DOCUMENTS-INSTALL.EXE.RAR.INI.TAR.DOÇX.PHPHPHP.XHTML.TML.XTL.TXXT.0DAY.HACK.ERS_(1995)_BLURAY_CAM-XVID.EXE.TAR.[SCR].LISP.MSI.LNK.ZDA.GNN.WRBT.OBJ.O.H.SWF.DPKG.APP.ZIP.TAR.TAR.CO.GZ.A.OUT.EXE


Anyone else notice the LNK.ZDA.GNN? Link, Zelda, Ganon!

Re: 1247: "The Mother of All Suspicious Files"

Posted: Mon Aug 05, 2013 12:09 pm UTC
by Flumble
sonoftunk wrote:The IP address in question is related to a current event.

Spoiler:
Every Freedom Hosting website went down simultaneously at around 6:40am ET on Saturday morning, about the same time news of Marques’s arrest hit the Internet. If and when the websites have returned since the downtime, many have been infected with Javascript exploits that may be able to identify visitors by grabbing a user’s cookies, logins, and IP address to send “home”—which, in this case, is the Verizon-owned IP address 65.222.202.53. The previously unknown exploit only affects Firefox version 17, which is exactly the version Tor uses.
http://www.dailydot.com/news/eric-marques-tor-freedom-hosting-child-porn-arrest/


Unsurprisingly the file does not exist, but does make for a good DDoSbR (DDoS by Randall).

So are we supposed to feed the Verizon honeypot to draw attention away from the targeted people?

Also the news coverage is quite vague at this moment; I can't figure out whether Marques is a criminal or whether it's hunting season for the FBI (again) or why all sites hosted at Marques's would be injected with identification exploits.

Re: 1247: "The Mother of All Suspicious Files"

Posted: Mon Aug 05, 2013 12:22 pm UTC
by PinkShinyRose
Flumble wrote:
sonoftunk wrote:The IP address in question is related to a current event.

Spoiler:
Every Freedom Hosting website went down simultaneously at around 6:40am ET on Saturday morning, about the same time news of Marques’s arrest hit the Internet. If and when the websites have returned since the downtime, many have been infected with Javascript exploits that may be able to identify visitors by grabbing a user’s cookies, logins, and IP address to send “home”—which, in this case, is the Verizon-owned IP address 65.222.202.53. The previously unknown exploit only affects Firefox version 17, which is exactly the version Tor uses.
http://www.dailydot.com/news/eric-marques-tor-freedom-hosting-child-porn-arrest/


Unsurprisingly the file does not exist, but does make for a good DDoSbR (DDoS by Randall).

So are we supposed to feed the Verizon honeypot to draw attention away from the targeted people?

Also the news coverage is quite vague at this moment; I can't figure out whether Marques is a criminal or whether it's hunting season for the FBI (again) or why all sites hosted at Marques's would be injected with identification exploits.


Well, considering only a fraction of the sites are child pornography sites, and considering other relatively well known (I suppose by anyone who has sufficient knowledge to want to attack Marques's sites) were/are also targeted, it seems someone has ulterior motives (that someone being the someone who put up the identification link; ulterior being beyond fighting child pornography).

EDIT: I did not say what fraction...

Re: 1247: "The Mother of All Suspicious Files"

Posted: Mon Aug 05, 2013 12:32 pm UTC
by cellocgw
sehkzychic wrote:C'mon Randall, you're better than this. Or am I missing the point of the joke here? It seems like the joke is "Hey, this file is clearly malware. How clearly? Well, it's so obvious that it is *totally* obvious." Is there more that I'm missing, or is it just a list of a bunch of indicators of questionable files strung together? Are we supposed to laugh at the fact that such a file would exist, even though it's unlikely it does; or is it that someone would download it, even though the only people who would are people so unused to computers that it's not really sporting to make fun of them for it? Please Randall...be funny again! Give me some raptor-paranoia! Or maybe more Beyonce-Sauron mashups! Or just make it crazy-weird and have BHG riding the red spiders into battle against the crew of Serenity!

Love,

(1/n)(The Internet) *

* Where n is an integer between 7,000,000,000 and 1


You appear to have accidentally posted to forums.xkcd.com instead of your intended target, xkcdsucks.com.
PS TRWTF is that, despite its name ending in ".exe" this file is actually a ".plugh" file which can only be opened with a $500,000.00 application.

Re: 1247: "The Mother of All Suspicious Files"

Posted: Mon Aug 05, 2013 1:02 pm UTC
by javahead
Mmmm file TAR.TAR!
Awesome with fish sticks.

Re: 1247: "The Mother of All Suspicious Files"

Posted: Mon Aug 05, 2013 1:35 pm UTC
by Demki
RAR and ZIP? I think Randall is going crazy.

Re: 1247: "The Mother of All Suspicious Files"

Posted: Mon Aug 05, 2013 1:35 pm UTC
by Copper Bezel
I like that it's tar.co.gz, myself. = )

You appear to have accidentally posted to forums.xkcd.com instead of your intended target, xkcdsucks.com.

The title prompts a facile reading. The real goodness is in the address and extension, and the title-text is funny, but I do think it would have been funnier offered without context.

Re: 1247: "The Mother of All Suspicious Files"

Posted: Mon Aug 05, 2013 1:52 pm UTC
by suso
The first thing I thought: Whoa, Hackers is out on Blu Ray?

Actually, it isn't on Blu Ray yet. Or is that part of the bait? Nobody seems to be mentioning that.

Related: https://www.facebook.com/pages/Release-Hackers-on-Blu-Ray/188295297860020

Re: 1247: "The Mother of All Suspicious Files"

Posted: Mon Aug 05, 2013 2:07 pm UTC
by Dr. Diaphanous
filecore wrote:there is so much nerd comedy gold in this URL that I don't want to try and explain every single in-joke!

Can someone explain some of them to me plz?

Re: 1247: "The Mother of All Suspicious Files"

Posted: Mon Aug 05, 2013 2:12 pm UTC
by thesingingaccountant
If you download this file, Uncle Sam mails you a bobcat.