Author Topic: MalZilla  (Read 196043 times)


March 19, 2010, 02:42:15 am
Reply #330

denmilu

  • Jr. Member

Hi MysteryFCM,

I think I need your help again. I have two files containing encrypted content, but this encryption is not similar to any script I have seen, so can you show me how to decode them? And do you have any instructions if I use Firebug in this case?

I have attached the 2 files below, and am waiting for your answer.

Thanks

March 19, 2010, 01:53:36 pm
Reply #331

MysteryFCM

  • Administrator
  • Hero Member

  • Personal Text
    Phishing Phanatic
    • I.T. Mate
The first is a standard Gumblar script and decodes just fine without modification, in Malzilla.

The second requires you modify the script a bit, so the div becomes a var (using the id= as the var name). In this case;

Code:
<div style="display:none" id="aots2010">60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,106,112,99,101,114,116,46,111,114,46,106,112,34,32,115,116,121,108,101,61,34,100,105,115,112,108,97,121,58,110,111,110,101,59,34,32,119,105,100,116,104,61,34,48,34,32,104,101,105,103,104,116,61,34,48,34,62,60,47,105,102,114,97,109,101,62</div>
Becomes;

Code:
var aots2010 = "60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,106,112,99,101,114,116,46,111,114,46,106,112,34,32,115,116,121,108,101,61,34,100,105,115,112,108,97,121,58,110,111,110,101,59,34,32,119,105,100,116,104,61,34,48,34,32,104,101,105,103,104,116,61,34,48,34,62,60,47,105,102,114,97,109,101,62";
You then just make the necessary removal in the unescape string;

Code:
var%20ww%20%3D%20document.getElementById%28%22aots2010%22%29.innerHTML
Becomes;

Code:
var%20ww%20%3D%20aots2010
I don't use Firebug I'm afraid, so can't help with that one.
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

March 19, 2010, 01:57:04 pm
Reply #332

MysteryFCM

  • Administrator
  • Hero Member

  • Personal Text
    Phishing Phanatic
    • I.T. Mate
I forgot to mention btw, the decoded result would be;

Code:
var ww = aots2010;var xx = ww.split(",");for (i=0; i<xx.length; i++){yy = String.fromCharCode(xx[i]);document.write(yy);}
You'd then need to throw this together with the first, so it becomes;

Code:
var aots2010 = "60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,106,112,99,101,114,116,46,111,114,46,106,112,34,32,115,116,121,108,101,61,34,100,105,115,112,108,97,121,58,110,111,110,101,59,34,32,119,105,100,116,104,61,34,48,34,32,104,101,105,103,104,116,61,34,48,34,62,60,47,105,102,114,97,109,101,62";

var c = unescape('var%20ww%20%3D%20aots2010%3Bvar%20xx%20%3D%20ww.split%28%22%2C%22%29%3Bfor%20%28i%3D0%3B%20i%3Cxx.length%3B%20i++%29%7Byy%20%3D%20String.fromCharCode%28xx%5Bi%5D%29%3Bdocument.write%28yy%29%3B%7D');eval(c);
var ww = aots2010;var xx = ww.split(",");for (i=0; i<xx.length; i++){yy = String.fromCharCode(xx[i]);document.write(yy);}

Which decodes to;

Code:
var ww = aots2010;var xx = ww.split(",");for (i=0; i<xx.length; i++){yy = String.fromCharCode(xx[i]);document.write(yy);}<iframe src="http://www.jpcert.or.jp" style="display:none;" width="0" height="0"></iframe>
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

March 24, 2010, 02:21:23 am
Reply #333

denmilu

  • Jr. Member

Hi MysteryFCM,

Thanks for all of your help. I have completed my lecture, and I think it was a successful lecture. Personally, I have learnt more about malware analysis, and that will help me more in my work.
  :D
Best Regards,

Den.

March 24, 2010, 01:42:14 pm
Reply #334

MysteryFCM

  • Administrator
  • Hero Member

  • Personal Text
    Phishing Phanatic
    • I.T. Mate
My pleasure :)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

April 20, 2010, 06:19:50 am
Reply #335

parody

  • Private Forum
  • Jr. Member

MysteryFCM pointed out I should link my thread to here as I've spotted something for a potential update to Malzilla. :]
 
http://www.malwaredomainlist.com/forums/index.php?topic=4006.0

Exploit obfuscating itself from automated analysis with NULLs scattered throughout the file.

December 31, 2013, 10:01:42 pm
Reply #336

MysteryFCM

  • Administrator
  • Hero Member

  • Personal Text
    Phishing Phanatic
    • I.T. Mate
Updated user agent file for anyone using this. Let me know if there's any others that should be added.
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net