Author Topic: MalZilla  (Read 196107 times)


February 25, 2008, 04:23:13 pm
Reply #30

bobby

@TJS
Many thanks for locating this bug.
I did see it a couple of times, but I didn't locate what's producing the bug.

About sending all the scripts (or should I rather say all the relevant data): it is not so trivial.
There are a lot of scripts which use multiple begin and end tags (like in your example), but I have also seen a lot of scripts where part of the malicious code is in the HTML part:

<html>
<script>function decode_and_run(a){....}</script>
<body
 onLoad="decode_and_run('AF123400AA (encrypted data/code) ...')"></body></html>

See, I would need to build some heuristics that can decide if some of the normal HTML events are also relevant, and I do not know how to do that (in fact, I have an idea, but I do not think that I'll ever have enough time to code it, just like I do not have time for my other ideas like using Malzilla as a scanner that would have signatures of various exploits, or adding more standard DOM objects and functions etc.)

If it would be OK just to have some kind of "Append to Decoder" button (as an addition to Send to Decoder), that will be done in 5 minutes.

@jimmyleo
Unfortunately, I didn't succeed in getting any results from the files you uploaded.
Do you use IE to run these or are you using any SpiderMonkey-based app (FireFox, Malzilla...)?
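The extraction problem described in the post above (script bodies plus inline HTML event handlers such as the onLoad case) as an added example; this is not Malzilla code, and SAMPLE_HTML is a constructed page following the shape shown in the post:

```python
"""Collect every piece of script on a page, in document order: <script>
bodies plus inline event-handler attributes such as onLoad. Added example,
not Malzilla code; SAMPLE_HTML is constructed (placeholder payload)."""
from html.parser import HTMLParser

SAMPLE_HTML = """<html>
<script>function decode_and_run(a){ return a.length; }</script>
<body onLoad="decode_and_run('AF123400AA')"><div onclick="alert(1)">x</div></body></html>"""


class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.snippets = []      # (origin, code) tuples in document order
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._buf = []
        for name, value in attrs:
            # HTMLParser lower-cases attribute names, so onLoad arrives as "onload"
            if name.startswith("on") and value:
                self.snippets.append((f"{tag}@{name}", value.strip()))

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._buf).strip()
            if body:
                self.snippets.append(("script", body))


def collect_scripts(html):
    """Return [(origin, code), ...] for every script fragment in html."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.snippets


def combined_script(html):
    """Join all fragments into one text a decoder can take in one go;
    handler attributes become statements, as if the event had fired."""
    parts = [code if origin == "script" else f"/* {origin} */ {code};"
             for origin, code in collect_scripts(html)]
    return "\n".join(parts)
```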

February 25, 2008, 04:57:42 pm
Reply #31

bobby

Finding script start and end points is fixed for the given case.

What to do with multiple script tags, Append or Send All?

February 25, 2008, 06:20:45 pm
Reply #32

tjs

Append could get messy if you start doing cross-domain stuff (I don't want to manually have to clear the decoder every time I work on a different site), so maybe a new button to send all to decoder is a good idea. But append is also a good idea because I'm sure there will be cases where your users don't want to send *all* scripts on a page to the decoder....

 ???

Has anyone else run into this issue? Does anyone have an opinion here?

February 25, 2008, 06:45:35 pm
Reply #33

bobby

You won't need to clear the decoder anymore in the near future.
The development version on my PC has a tabbed interface (multiple tabs for Download and Decoder).
I will upload it as soon as we get the emerging bugs/suggestions (re)solved.

February 26, 2008, 12:55:30 am
Reply #34

jimmyleo

Re bobby:
I'm truly sorry for my lack of explanation.
I used IE to execute this script,
and you can see the following casser decoding,
and you can do the same with it.

regards,
jimi.

February 26, 2008, 05:48:42 am
Reply #35

tjs

I'm very excited about the tabs feature. :)

February 26, 2008, 04:49:25 pm
Reply #36

sowhat-x

Quote
...just like I do not have time for my other ideas,
like using Malzilla as a scanner that would have signatures of various exploits,
or adding more standard DOM objects and functions etc...

...just thought that this mailing-list thread might be of some interest to you... 'Obfuscated web pages':
http://seclists.org/focus-ids/2008/Feb/0016.html

February 27, 2008, 10:50:28 pm
Reply #37

tjs

Another weird bug for you... still testing with 0.921

The malware script on the URL below breaks malzilla:
hxxp://updatez.info/etc/count.php?o=22

It throws the following error and does not properly decode the script:

Malzilla
-------
Some violation occured
in SpiderMonkey engine
      [  OK  ]

The page is attached in case the URL gets taken down.

TJS

February 28, 2008, 05:01:54 am
Reply #38

bobby

Hi TJS,

There is a trap (or bug) if you change or override the eval() function.
The script will get stuck in a loop until it has filled all the memory/buffers.

I'll take a closer look at it this evening, after I get back from the job.
I can't decode it either, as it uses document.createElement, and Malzilla does not have this DOM implemented.

Until then, use the following link to grab the exe file (got it from the debugger):
hxxp://updatez.info/etc/getexe.exe?o=1&t=1204173798&i=1416818079&e=1
Hi sowhat-x,

I'll take a look this evening. Thanks.

regards
bobby

February 28, 2008, 09:30:32 pm
Reply #39

bobby

Uploaded new snapshot:
http://sourceforge.net/project/showfiles.php?group_id=203466&package_id=242804

Please test and report suggestions/bugs.

regards
bobby

February 28, 2008, 10:13:01 pm
Reply #40

MysteryFCM

Nice one :)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

February 28, 2008, 11:59:57 pm
Reply #41

tjs

Hi Bobby...

Thanks for the new beta... looks like another solid release. I'm very excited about the tabs feature and it's great to see it coming to a reality!

I've found a bunch of bugs in 0.922 and have some suggestions. They are included below.

Thanks again, and keep up the great work!

-TJS


-----
BUGS
-----

default tab name numbering reuse
- Create new tab [New Tab (2)]
- Close first tab [New Tab (1)]
- Create new tab [expected: New Tab (3), actual: New Tab (2)]

'Decode' - 'Selection length' doesn't display selection length when selection occurs due to a 'Find' operation.

Tools: Numbered list Maker is buggy. It puts a random number of \n before the output. Also, if input contains a blank line then the number of \n in output is much larger... sometimes the output is blank. Never noticed this behavior before.

Inconsistent capitalization in tabs (examples - Numbered list Maker vs. Templated list maker, should M be caps or not?) [I know it's a silly bug]

Settings tab, when maximized (on 1024x768) seems broken. The 'Clipboard monitor triggers' section covers most of the replace eval() section. [i can provide a screenshot if you want it]

Putting & in a URL causes the char to get underlined in the tab name (ex. h&ttp://blah.com causes t to get underlined) [this is a Windows issue but you can escape it I think]

--------------
SUGGESTIONS
--------------
* CTRL-W to close tab
* Send to decoder to bring decoder window into focus (don't do this for append though)
* make tabs include the top tabs so that you don't need to worry about keeping decode tabs in sync with download tabs
* add a concatenate feature to misc decoders (too many times I see URLs that are split up with "ht"+"tp"+":/".. etc.)
* download/debugger load from file (sometimes I want to just view a file locally without putting it on a webserver)
* download all (with referrer/proxy/cookie/user agent) on numbered list maker (I think everyone uses this for malware with names like 1.exe or loader1.exe) ;)
* option to disable URL history (I hate autocomplete.. it's good in real browsers, not so much here) :)

February 29, 2008, 05:07:48 am
Reply #42

bobby

Hi TJS,

- default tab name numbering reuse - I'll need to think about how to generate the tab numbers
- Decode > Selection length - I can't reproduce. Selection length is on the next line under the Find function here
- I think I just fixed Numbered list maker
- Capitalization - fixed
- Settings tab - will take a look at the Align parameter of the components, as I can't reproduce
- & in name - I can just filter this character out of the name. It can't be escaped
- CTRL-W - I do not have any keyboard shortcuts defined, will do it in the future for the whole app
- Send to Decoder to bring focus - just to make it optional. It was set once, and it is annoying in a lot of cases
- include top tabs - will test that
- concatenate - not so trivial if one variable is concatenated over more than one line
- load from file - option exists, please take a look at the right click menu
- Download all is present on the Clipboard Monitor page. I'll need to re-think the inclusion of Clipboard Monitor in future versions, as it messes with the Clipboard.
- URL history - will be optional in future

Which screen resolution do you use?

regards
bobby
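The "concatenate" feature suggested in the bug list above, including the multi-line case Bobby points out (one variable built up with += over several lines), as an added example; this is not Malzilla's code, and SAMPLE_JS is a constructed script:

```python
"""Fold split JavaScript string literals: "ht"+"tp"+":/" -> "http:/", and
var u = "ht"; u += "tp";  ->  var u = "http";  (added example, not Malzilla
code; SAMPLE_JS below is constructed)."""
import re

# one JS string literal in either quote style, without escapes or line breaks
LIT = r"""(?:"[^"\\\n]*"|'[^'\\\n]*')"""
ADJ = re.compile(rf"({LIT})\s*\+\s*({LIT})")                   # "a" + "b"
DECL = re.compile(rf"\b(var|let|const)\s+(\w+)\s*=\s*({LIT})\s*;")  # var u = "a";
APPEND = re.compile(rf"\b(\w+)\s*\+=\s*({LIT})\s*;")            # u += "b";

SAMPLE_JS = ('var u = "ht" + \'tp\' + ":/";\nu += "/exa";\nu += "mple.test/1.exe";\n'
             'document.write("<scr" + "ipt src=" + u + "></scr" + "ipt>");')


def _join(a, b):
    """Concatenate the contents of two literals and re-emit one literal."""
    return '"' + (a[1:-1] + b[1:-1]).replace('"', '\\"') + '"'


def fold_adjacent(src):
    """Merge neighbouring literals joined by '+' until none remain."""
    while True:
        new = ADJ.sub(lambda m: _join(m.group(1), m.group(2)), src, count=1)
        if new == src:
            return src
        src = new


def fold_appends(src):
    """Merge 'var u = "a";' with a later 'u += "b";' when nothing else
    references u in between; the += statement is removed."""
    changed = True
    while changed:
        changed = False
        for m in APPEND.finditer(src):
            name = m.group(1)
            decl = None
            for d in DECL.finditer(src, 0, m.start()):   # nearest earlier decl
                if d.group(2) == name:
                    decl = d
            if decl is None or re.search(rf"\b{re.escape(name)}\b",
                                         src[decl.end():m.start()]):
                continue
            stmt = f"{decl.group(1)} {name} = {_join(decl.group(3), m.group(2))};"
            src = src[:decl.start()] + stmt + src[decl.end():m.start()] + src[m.end():]
            changed = True
            break
    return src


def fold_strings(src):
    """Full pass; blank lines left behind by removed statements are dropped."""
    out = fold_appends(fold_adjacent(src))
    return "\n".join(line for line in out.splitlines() if line.strip())
```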

February 29, 2008, 06:36:22 pm
Reply #43

bobby

Quote
Settings tab, when maximized (on 1024x768) seems broken. The 'Clipboard monitor triggers' section covers most of the replace eval() section. [i can provide a screenshot if you want it]

Sorry, didn't see that you already mentioned the screen resolution. I see what you mean.
I'll re-design Settings tab.

February 29, 2008, 07:34:47 pm
Reply #44

tjs

Another suggestion:

Can you add a checkbox for 'Use Referrer', because sometimes I don't want to use one. Also, I don't like how, when I put in a new URL, it keeps the old Referrer... I understand how this is useful, but I would prefer that when I try to malzilla a new URL it uses the new URL as the referrer or leaves it blank by default.

It would also be nice to have a 'Get to new tab' button in the download section.

Selection length repro:
* Get http://www.malwaredomainlist.com/ then copy/paste page source into decoder
* Search 'Malware', click 'Find'
* 'Malware' is selected, but selection length is 0

Download all on the clipboard monitor page makes sense.. I'd still like to avoid having to use the clipboard monitor feature, but that's easy enough to work around.

Thanks,
TJS