Author Topic: MalZilla  (Read 257452 times)


June 20, 2008, 10:52:23 am
Reply #150

bobby

Try to grab the files from here:
http://malzilla.sourceforge.net/builds/
Grab just the Malzilla.exe if you already have the DLL files from your previous downloads.

June 20, 2008, 10:58:57 am
Reply #151

bobby

On a more positive note, I just had the chance to use HTTPS for the first time; it worked great :)

Here is how and where I test Malzilla:

Test of GZiped transfer - http://carsten.codimi.de/gzip.yaws/
Test of sent HTTP headers - http://c2.com/cgi/test/
Test of HTTPS - www.gmail.com - follow the first redirection

I still need to find where I can test FTP functionality. As for now, I'm doing it by testing the communication with FTP server of MyCity forum. I would like to find some test server, like the C2 test for HTTP headers.

June 20, 2008, 11:47:55 am
Reply #152

Orac

That download worked.

Just tested it on some live ftp malware links, and it works perfectly :)

Thanks Bobby, that's a great job you've done. Next time you're in the UK I owe you a few beers. Afraid I can't help with suitable test sites; the only links I've got are either live malware, or they have been cleaned up.
Malware analysed using Clarified Analyzer to record and document how malware behaves in a networking environment

June 20, 2008, 08:53:43 pm
Reply #153

tjs

I just downloaded the build from http://malzilla.sourceforge.net/builds/ and found several bugs:

* when using a link with hxxp, the tab name is named hxxp: instead of domain name
   example:
   hxxp://test.com (tab title: hxxp:)
   http://test.com (tab title: test.com)
* check for new updates says that a new update is available
* names in 'about' all have a space before them

Thanks,
TJS

June 20, 2008, 08:58:51 pm
Reply #154

JohnC

Thanks for adding the little box to choose how much to increase/decrease on Misc Decoders tab, works great :)

June 20, 2008, 09:13:03 pm
Reply #155

bobby

Quote
I just downloaded the build from http://malzilla.sourceforge.net/builds/ and found several bugs:

* when using a link with hxxp, the tab name is named hxxp: instead of domain name
   example:
   hxxp://test.com (tab title: hxxp:)
   http://test.com (tab title: test.com)
* check for new updates says that a new update is available
* names in 'about' all have a space before them

Thanks,
TJS
Hi TJS,
- hxxp thing - fixed (fxp is translated to ftp too). I fixed this once, but it seems that it is gone after I reverted some changes (anyone recall my trying to make a splash screen?)
- spaces in about box fixed
- these are just test builds; neither the update info on the server nor the version info in Malzilla is set up. These are just test builds for us here. I'll set the right values for the formal release on SourceForge

Thanks for testing and reporting :)


Quote
Thanks for adding the little box to choose how much to increase/decrease on Misc Decoders tab, works great :)
Hi JohnC,

I have set a limit for that box (-255, 255), is that OK?
I'm not sure if it will work with Unicode in the way it works with ANSI/ASCII.

June 20, 2008, 09:31:18 pm
Reply #156

bobby

Please download fixed build from http://malzilla.sourceforge.net/builds/
I have fixed the bugs reported by TJS.

June 20, 2008, 09:32:46 pm
Reply #157

JohnC

Quote
Thanks for adding the little box to choose how much to increase/decrease on Misc Decoders tab, works great :)
Hi JohnC,

I have set a limit for that box (-255, 255), is that OK?
I'm not sure if it will work with Unicode in the way it works with ANSI/ASCII.

That should be fine, thank you.

June 20, 2008, 09:38:11 pm
Reply #158

JohnC

If I try to retrieve this directory with Malzilla using CTRL + GET

ftp://193.253.223.43/tmp/trem/

I see

Quote
06-19-08  10:50PM                  681 1
06-19-08  10:50PM                20673 2
06-19-08  10:50PM                 1244 old
06-19-08  10:50PM                 1929 oldbisok

But if I try and get the file oldbisok, with just GET, I get the response:
"550 /tmp/trem/oldbisok: Le fichier spécifié est introuvable. "

But the file is definitely there and available for download because I grabbed it with an FTP client to make sure.

June 20, 2008, 09:45:26 pm
Reply #159

bobby

Quote
If I try to retrieve this directory with Malzilla using CTRL + GET

ftp://193.253.223.43/tmp/trem/

I see

Quote
06-19-08  10:50PM                  681 1
06-19-08  10:50PM                20673 2
06-19-08  10:50PM                 1244 old
06-19-08  10:50PM                 1929 oldbisok

But if I try and get the file oldbisok, with just GET, I get the response:
"550 /tmp/trem/oldbisok: Le fichier spécifié est introuvable. "

But the file is definitely there and available for download because I grabbed it with an FTP client to make sure.
I know that one, I tried it when testing Malzilla's FTP capabilities. I got the same results.
After that I wanted to be sure, and tried it from Firefox, and I got exactly the same error as in Malzilla.
Which FTP client did you use that succeeded in downloading the file?

June 20, 2008, 09:48:54 pm
Reply #160

JohnC

FlashFXP. It sends RETR oldbisok

June 20, 2008, 09:53:56 pm
Reply #161

bobby

Hmmm... I just got the file by using Total Commander's integrated FTP client.
So, there is something with settings, as Malzilla and Firefox do not get it, but normal FTP clients do.

There is one basic difference between an ordinary FTP client and Malzilla.
An FTP client logs in on the server, and does not log out until you say so.
Malzilla logs in and out for every click on the GET button.

I'll take a look now at connection parameters, to see if it has something to do with PASSIVE settings.
Some servers need that mode for transferring binary files.

June 20, 2008, 09:58:58 pm
Reply #162

JohnC

Sometimes a server will need PASV mode enabled/disabled to do stuff; in this case I just checked and it works either way. After logging in it also sends "TYPE I", if that helps you.

June 20, 2008, 10:34:00 pm
Reply #163

bobby

I saw where the trick is  ;D
The file on the server has a malformed name - it contains a space at the end.
Malzilla trims the spaces at the beginning and end of the URL by default. This way I prevent mistakes caused by bad copy/paste of links from text files or websites.
It seems that Firefox does it too.

What to do now?
To trim spaces or not to trim?

June 20, 2008, 11:19:07 pm
Reply #164

bobby

OK, get the new EXE from http://malzilla.sourceforge.net/builds/
Hold SHIFT while clicking on the GET button, and the whitespace will not be trimmed out.

To summarize the functions of GET button:

HTTP URLs:
- SHIFT = no trim

FTP URLs:
- SHIFT = no trim
- CTRL = LIST (works only if URL points to a folder)
- SHIFT + CTRL = no trim + LIST

btw. if you get LIST results and try to select (with the cursor) behind the oldbisok file, you will see that you have just one whitespace behind the filename.

The FTP unit in Malzilla is now changed a lot (PASV + TYPE I + different parsing of filename and path from URL). Please report if something that downloaded successfully with the previous build got broken (worked before changes, now does not work).
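The trimming problem bobby describes above (and the hxxp tab-title bug TJS reported earlier) modelled as a small Python example written for this thread; this is not Malzilla's own code. It parses the DOS-style LIST output JohnC quoted without stripping names, compares the default-trim and SHIFT (no-trim) behaviours of GET, and flags names with edge whitespace; treating `%20` in the path as a space is this example's convention, not a Malzilla feature.

```python
import re
from urllib.parse import unquote

# Defanged schemes analysts paste into the URL box; Malzilla maps them back.
REFANG = {"hxxp": "http", "hxxps": "https", "fxp": "ftp"}
# IIS/DOS-style LIST line: date, time, size or <DIR>, one space, then the name (kept unstripped on purpose).
_DOS_LINE = re.compile(r"^(\d\d-\d\d-\d\d)\s+(\d\d:\d\d[AP]M)\s+(<DIR>|\d+) (.*)$")
# Constructed from the listing quoted in the thread, with the trailing space restored.
SAMPLE_LISTING = (
    "06-19-08  10:50PM                  681 1\n"
    "06-19-08  10:50PM                20673 2\n"
    "06-19-08  10:50PM                 1244 old\n"
    "06-19-08  10:50PM                 1929 oldbisok \n"
)

def normalize_url(raw, trim=True):
    """Refang the scheme; strip surrounding whitespace unless trim=False (SHIFT+GET)."""
    url = raw.strip() if trim else raw
    scheme, sep, rest = url.partition("://")
    if sep and scheme.lower() in REFANG:
        url = REFANG[scheme.lower()] + "://" + rest
    return url

def split_url(url):
    """Return (host, directory, filename); filename is '' when the URL names a folder."""
    _scheme, _sep, rest = url.partition("://")
    host, _slash, path = rest.partition("/")
    # %20 is the whitespace-safe spelling of a space (this example's convention, not Malzilla's).
    directory, _, filename = ("/" + unquote(path)).rpartition("/")
    return host, directory + "/", filename

def parse_dos_listing(text):
    """Parse LIST output into dicts without stripping the names."""
    out = []
    for line in text.splitlines():
        m = _DOS_LINE.match(line)
        if m:
            _date, _time, size, name = m.groups()
            out.append({"name": name, "is_dir": size == "<DIR>", "size": None if size == "<DIR>" else int(size)})
    return out

def names_with_edge_whitespace(listing):
    """Flag names that start or end with whitespace, what the cursor trick in the thread reveals."""
    return [e["name"] for e in listing if e["name"] != e["name"].strip()]

def resolve(listing, raw_url, trim=True):
    """Name a RETR would ask for if it exists in the listing, else None (the 550 case)."""
    filename = split_url(normalize_url(raw_url, trim))[2]
    return filename if any(e["name"] == filename for e in listing) else None
```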