Author Topic: Wepawet issues  (Read 54114 times)


January 31, 2009, 11:40:31 am

Orac

May not be the best place to post this, please move as necessary SysAdMini

I tried the above URL Submission Feature yesterday, and it shows the following link as malware free

conex.justfree.com/PHPJackal.txt

In fact it's hosting a shell script; to be fair, I should mention it was only detected as malware 2/39 by VT.
Malware analysed using Clarified Analyzer to record and document how malware behaves in a networking environment

January 31, 2009, 11:54:36 am
Reply #1

SysAdMini

I have started a new topic and moved Orac's posting here.

Here we can collect all Wepawet issues.

@Orac:

Your submission is a php script. Wepawet currently "only" analyzes javascript, flash and pdf files.

Ruining the bad guy's day

January 31, 2009, 06:59:23 pm
Reply #2

mercutio

Correct. To be a little bit more precise, it should only flag as malicious pages that attempt to perform some exploit. That is, all the various fake scan, fake codec pages will be marked as benign (or suspicious, at best).

In general, it's great if you report any problems you find.

February 06, 2009, 06:50:57 am
Reply #3

SysAdMini

Doesn't recognize the javascript/exploit.
Code:
hxxp://222.188.91.241/ZXEduBaseData/Common/1.htm
http://wepawet.cs.ucsb.edu/view.php?hash=c1db4673fd8e5cc448c9f07e1c393768&t=1233903624&type=js

February 06, 2009, 12:30:02 pm
Reply #4

SysAdMini

Wepawet was able to decode this one
Code:
fuadrenal.com/mito/?t=2
http://wepawet.cs.ucsb.edu/view.php?hash=16f542a1c1a65955c629f0a005e4d87c&t=1233780008&type=js

but is unable to decode a similar one completely
Code:
hxxp://fuck-lady.com/prn/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=9a234517053af6348b538f319798e327&t=1233921433&type=js

February 06, 2009, 07:24:11 pm
Reply #5

mercutio

OK, I gave a quick look at it and I think this is what happens.

In both cases, the PDF attack (which I could detect) and the SWF attack (which I cannot detect) do not trigger (I should have a fix for this soon).

Then, in the fuadrenal case, the last page contains the xml data binding exploit, for which we don't have a signature, but which is anomalous enough to make the page suspicious. Hence, the detection. In fact, the last eval block shows:
Code:
nextkey = '';
k = '';
attack_level = 0;
followed by the heapspray function, the shellcode, and the xml_bobo function, which launches the exploit.

In the fuck-lady case, the last page does not contain any exploit. Therefore, the page is marked as benign. In fact, the last eval (and, unfortunately, there is a bug that mixes the orders of evals in the report) only contains:
Code:
nextkey = '';
k = '';
attack_level = 0;

BTW, interesting encryption scheme to generate the exploit URL...

February 06, 2009, 07:30:07 pm
Reply #6

SysAdMini

Quote
BTW, interesting encryption scheme to generate the exploit URL...

Really interesting. I was thinking about publishing a Malzilla decoding howto.
Maybe A. will do it. :)

February 06, 2009, 11:18:37 pm
Reply #7

SysAdMini

Quote
Doesn't recognize the javascript/exploit.
Code:
hxxp://222.188.91.241/ZXEduBaseData/Common/1.htm
http://wepawet.cs.ucsb.edu/view.php?hash=c1db4673fd8e5cc448c9f07e1c393768&t=1233903624&type=js

Hello Marco,

any ideas to this case ?

February 07, 2009, 12:57:58 am
Reply #8

mercutio

Should be better now:
http://wepawet.cs.ucsb.edu/view.php?hash=c1db4673fd8e5cc448c9f07e1c393768&t=1233969016&type=js

I was being a little too restrictive in the type of scripts I was accepting... Thanks!

February 08, 2009, 01:25:20 pm
Reply #9

SysAdMini


February 10, 2009, 12:26:17 am
Reply #10

mercutio

Mmmh, assuming that you're referring to the fact that some exploits are not detected:
- we don't have a signature for the XML exploit (so you don't find it in the exploit list)
- the PDF exploit was not triggered (incorrectly)
- the snapshot exploit was detected
Please, let me know if you meant something else.

Anyways, I've done some changes so that the PDF exploit triggers:
http://wepawet.cs.ucsb.edu/view.php?hash=94bf47a94520ba0ba6afcf4dc8f96afb&t=1234224850&type=js

Unfortunately, I seem to have some problem extracting the JS from the PDF (did I mention that PDF support is more experimental than everything else? :-)), so we don't detect it yet.


February 10, 2009, 01:49:20 am
Reply #11

mercutio

Quote
Unfortunately, I seem to have some problem extracting the JS from the PDF (did I mention that PDF support is more experimental than everything else? :-)), so we don't detect it yet.

The problem with PDFs should be fixed now:
http://wepawet.cs.ucsb.edu/view.php?hash=66315375f9d89d3e4850ebaf690c322c&t=1234231244&type=js
http://wepawet.cs.ucsb.edu/view.php?hash=11d02f5e15a36bdf8ff9a7f8779b5929&t=1234231130&type=js

Let me know if you find problems.

Thanks!

February 13, 2009, 10:15:10 am
Reply #12

GmG

Tornado Exploit Pack
Code:
http://do21.net/cv/count.php?o=3

http://wepawet.iseclab.org/view.php?hash=e589b3bee49bdd62828222543d62fa02&t=1234520577&type=js

Wepawet was unable to decode

February 13, 2009, 08:56:33 pm
Reply #13

mercutio

I've done some fixes and I've regenerated the report for your visit:
http://wepawet.iseclab.org/view.php?hash=e589b3bee49bdd62828222543d62fa02&t=1234520577&type=js
Now, the code is decoded correctly.

Exploits were not detected during that visit, so the report still doesn't show them. I've done some other changes that should improve detection, but now the attack is no longer launched when I visit the page, so I cannot test.

Thanks for reporting and, please, let me know if you find other problems with similar pages!

February 13, 2009, 09:16:11 pm
Reply #14

SysAdMini

Hello Marco,

thank you very much for your fast response to each reported issue.

Keep up the good work !