Author Topic: MalZilla  (Read 257389 times)


June 17, 2008, 10:39:16 pm
Reply #135

sowhat-x

Maybe Synapse is of interest...
it provides support for both FTP/DNS, works under both Win32/*nix...
Heh, just noticed it also has some kind of support for OpenSSL:
http://www.ararat.cz/synapse/doku.php/features

One older nice piece of code that I keep around for reference,
usable under both Win32/*nix... in C though:
http://benoit.papillault.free.fr/c/socket/dns.c

June 18, 2008, 03:37:15 am
Reply #136

MysteryFCM

Bobby,
For resolving you can use the Windows API :)

gethostbyname
gethostbyaddr

Both are part of the wsock32 DLL.

I wrote an AX to do it for my server, if you'd like a copy?
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

June 18, 2008, 07:05:19 am
Reply #137

sowhat-x

...gethostbyname/gethostbyaddr functions are actually... "Berkeley sockets" API, lol...  ;)
http://en.wikipedia.org/wiki/Berkeley_sockets

June 18, 2008, 07:08:48 am
Reply #138

MysteryFCM

Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

June 18, 2008, 08:15:27 am
Reply #139

sowhat-x

Winsock 2 functions for Delphi... Jedi provides that,
but my guess is that this info is not really something new/helpful to bobby...  :-\
http://jedi-apilib.sourceforge.net/
Here's also an alternative Winsock2 Delphi unit implementation,
coded by Aphex, lol... semi-'hackish' source  :)

June 18, 2008, 12:17:22 pm
Reply #140

Orac

Thanks Bobby

All I want to be able to do is get a file from FTP port 21 using Malzilla; more RFIs are now using ftp:// in place of http://

For example, here's an active one from last week's logs: ftp://193.253.223.43/tmp/trem/oldbisok

A fully featured FTP client isn't required, neither is the ability to sign in to the FTP port; I just want to grab the file and run. I am currently using Lynx to do this; if that fails I've had success using a plain vanilla copy of Firefox. I've never tried with IE, grabbing live malware with IE doesn't appeal, lol.
Malware analysed using Clarified Analyzer to record and document how malware behaves in a networking environment

June 18, 2008, 05:46:59 pm
Reply #141

bobby

This is a lot of posts to answer :)

@Orac
I'll try to make a simple FTP handling this weekend.

@sowhat-x
Malzilla uses Synapse for HTTP, and I'll use it for FTP  too.
There is a TraceRoute example in the Synapse package, but it does not always work. It works well when trying a traceroute to Yahoo, but never works for Google.

Here is the main problem - I think I have a solution to get the IP of a website, but I want to do it in one single step with the HTTP "GET" (opening a website).
If anyone can recall, Malzilla got the most attention exactly because it accessed MPack sites in one single step. If you use a downloader that does "HEAD" before "GET", it gets banned from MPack (and other *pack sites).
Now, I'm not sure if asking a DNS server for the IP in one step, and doing it again in HTTP "GET" would produce some false results. I guess it can do if the DNS server is malicious, or resolves to other IP every time you ask for a website.
See, I must find a way to do it in one single step, either by hacking Synapse to get the results right from the HTTP "GET" command, or asking on the Synapse mailing list if this is already implemented (I couldn't find it last night in the API), or as a last solution - rewrite Malzilla (not to use Synapse anymore, but to do low-level Winsock calls).
I would not like to go away from Synapse. It would be a loooooooot of work to do.

So, thank you all for searching for a solution, but I need to get a solution for doing this by using Synapse, and to do it in one single DNS server access, which means I need to read the resolved IP address from Synapse at the step where Synapse is resolving the host in order to do the HTTP GET.
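One way to do the single-step fetch bobby describes, as an added Python example (not Malzilla's or Synapse's code; the example.test host and 203.0.113.7 address used by the constructed resolver are placeholders): the name is resolved exactly once, the TCP connection is opened against that IP rather than the hostname, and a single GET goes out with no preceding HEAD, so the IP reported is the one actually contacted.

```python
"""Single-step fetch: resolve once, connect to that IP, send one GET.

Added example, not Malzilla's or Synapse's code.  The point from the post:
a fetcher that probes with HEAD before GET, or that resolves the name more
than once, can be fingerprinted or mis-directed by an exploit-kit host.
So the name is resolved exactly once, the socket is opened against the
resolved IP (never the name), and that IP is returned with the body.
"""
import socket
from urllib.parse import urlsplit

# Hypothetical User-Agent string; pick whatever the analysis needs.
UA = "Mozilla/5.0 (compatible; single-step-fetch)"


def parse_http_url(url):
    """Return (host, port, request_target) for a plain http:// URL."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        raise ValueError("only plain http:// is handled here")
    if not parts.hostname:
        raise ValueError("missing host")
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return parts.hostname, parts.port or 80, target


def build_get_request(url, user_agent=UA):
    """Build the one GET request as bytes; no HEAD probe precedes it."""
    host, port, target = parse_http_url(url)
    host_hdr = host if port == 80 else f"{host}:{port}"
    lines = [
        f"GET {target} HTTP/1.1",
        f"Host: {host_hdr}",
        f"User-Agent: {user_agent}",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def resolve_once(host, resolver=socket.gethostbyname):
    """Resolve the name exactly once and return the dotted-quad string.

    A literal IPv4 address passes through untouched, so no DNS query is
    made at all.  `resolver` is injectable so the lookup can be swapped
    out (or recorded) without touching the fetch logic.
    """
    try:
        socket.inet_aton(host)
        return host
    except OSError:
        return resolver(host)


def fetch_single_step(url, resolver=socket.gethostbyname, timeout=15):
    """Resolve once, connect to the IP, send one GET; return (ip, raw_bytes)."""
    host, port, _ = parse_http_url(url)
    ip = resolve_once(host, resolver)
    request = build_get_request(url)
    # Connect to the IP we just resolved, not to the name, so the system
    # resolver cannot perform a second (possibly different) lookup.
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(65536)
            if not data:
                break
            chunks.append(data)
    return ip, b"".join(chunks)


if __name__ == "__main__":
    # Constructed resolver so the example runs offline; drop the `resolver`
    # argument to use socket.gethostbyname against a live host.
    fake = {"example.test": "203.0.113.7"}.__getitem__
    print(resolve_once("example.test", fake))
    print(build_get_request("http://example.test:8080/a?b=1").decode())
```

The raw request is deliberately minimal (HTTP/1.1, `Connection: close`, no redirects, no TLS); what matters for the problem in the post is that the resolver step and the connect step are one unit, so the IP logged is the IP the GET actually reached, and a host that rotates answers per query cannot make the two disagree.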

June 18, 2008, 06:02:39 pm
Reply #142

sowhat-x

...seems that we got distracted with ideas related either to the 'easiness' of daily use,
and/or the implementations of socket-related functions, thereby...
we completely ignored the actual malware-related implications that are involved...  :(
=================

P.S.: ...not relevant to Malzilla itself... since the DNS resolving thing got raised earlier,
I got interested today in searching around for cross-platform sources for doing this...
Stumbled upon this one as well... if it's of interest to anyone:
http://aluigi.altervista.org/mytoolz/hostsdns.zip

June 18, 2008, 08:27:51 pm
Reply #143

bobby

@Orac
Basic FTP is implemented.
I need to fix some minor glitches before I upload a new build.

June 19, 2008, 10:38:15 am
Reply #144

Orac

Many thanks Bobby :)

June 19, 2008, 10:34:11 pm
Reply #145

bobby

Orac, can you test this version (attached)?

If you have a file to download from FTP, use the GET button (just like for HTTP).
If you want to see the content of a folder on FTP, use CTRL + GET button (URL must be a folder).

If you need to log in to the server, use the standard URL scheme:
ftp://user:password@server.com(:port)/folder/file.txt

If the user and pass are not supplied, the following will be used (you must provide login data even for Anonymous access):
user: Anonymous
pass: aa@aa.aa
In the future I'll make this configurable by the user (settings for anonymous user name and pass). As for now it is hardcoded.

Clipboard Monitor still does not have FTP protocol implemented.
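The URL form and default credentials bobby lists above, as an added Python example (not Malzilla's own code): parse the ftp:// URL, fall back to Anonymous / aa@aa.aa when no credentials are given, and either RETR a file or LIST a folder. Treating a trailing slash as "this is a folder" is this example's own convention, not something the post specifies, and the hosts and paths in the __main__ block are constructed.

```python
"""Parse an ftp://user:pass@host:port/path URL and fetch with ftplib.

Added example, not Malzilla's code.  The defaults (Anonymous / aa@aa.aa)
are the ones stated in the post; port 21 is the FTP default.  FTP sends
credentials in clear text, so only ever put throwaway ones in the URL.
"""
import ftplib
import io
from urllib.parse import unquote, urlsplit

DEFAULT_USER = "Anonymous"
DEFAULT_PASS = "aa@aa.aa"


def parse_ftp_url(url):
    """Return a dict with host, port, user, password, path, is_dir.

    Percent-encoding in user/password/path is decoded, so a password
    containing '@' can be written as %40.  is_dir is true for a trailing
    slash (this example's assumption for the "folder" case).
    """
    parts = urlsplit(url)
    if parts.scheme != "ftp":
        raise ValueError("not an ftp:// URL")
    if not parts.hostname:
        raise ValueError("missing host")
    path = unquote(parts.path) or "/"
    return {
        "host": parts.hostname,
        "port": parts.port or 21,
        "user": unquote(parts.username) if parts.username else DEFAULT_USER,
        "password": unquote(parts.password) if parts.password is not None else DEFAULT_PASS,
        "path": path,
        "is_dir": path.endswith("/"),
    }


def ftp_get(url, timeout=30):
    """Download a file (returns bytes) or list a folder (returns str).

    Mirrors the two modes in the post: GET for a file, CTRL+GET for a
    folder listing.  Binary mode is used for the file so the sample is
    byte-exact.
    """
    p = parse_ftp_url(url)
    ftp = ftplib.FTP(timeout=timeout)
    ftp.connect(p["host"], p["port"])
    ftp.login(p["user"], p["password"])
    try:
        if p["is_dir"]:
            lines = []
            ftp.retrlines("LIST " + p["path"], lines.append)
            return "\n".join(lines)
        buf = io.BytesIO()
        ftp.retrbinary("RETR " + p["path"], buf.write)
        return buf.getvalue()
    finally:
        try:
            ftp.quit()
        except (OSError, ftplib.Error):
            ftp.close()


if __name__ == "__main__":
    # Constructed URLs (documentation-range address and .example host).
    for u in ("ftp://203.0.113.10/tmp/sample.bin",
              "ftp://bob:p%40ss@server.example:2121/folder/"):
        print(parse_ftp_url(u))
```

Usage: `ftp_get("ftp://203.0.113.10/tmp/sample.bin")` returns the file bytes using the anonymous defaults; add `user:pass@` to the URL to log in. Because the credentials travel in the URL, keep them out of shared logs and clipboard history when the sample comes from a real server.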

June 20, 2008, 09:26:00 am
Reply #146

Orac

Bobby, I've downloaded (twice) but it won't open; all I am getting is:

> malzilla.exe is not a valid Win32 application

June 20, 2008, 09:36:43 am
Reply #147

bobby

Works fine here when I download it from my previous post.
Would you like me to upload it somewhere else for you?
Maybe you have connection problems downloading from MDL.

June 20, 2008, 10:16:25 am
Reply #148

Orac

I tried a cold reboot of the whole system, downloaded it again, but it wouldn't open for the same reason :(

Then tried a few other tricks, such as running it in Windows 95 compatibility mode, no change.

Checked the downloaded file, it's 0 bytes !!

I've not had a problem downloading from MDL before but it may be worth trying another location. Like MysteryFCM, I've had problems in the past using RS and I know others in the UK that have too; I think it's something with our ISPs. But never had this kind of problem either here or from any of the other forums we all know and use.

If no one else reports the same problem, then it has to be my end.

June 20, 2008, 10:50:48 am
Reply #149

Orac

On a more positive note, just had the chance to use HTTPS for the first time. It worked great :)