Author Topic: Wepawet issues  (Read 56757 times)


May 15, 2009, 11:08:31 am
Reply #75

CkreM
Says invalid hostname;

time-for-mumpreneurs.site90.net\images\index.php

Its IP is actually: 64.235.47.65 (srv19.000webhost.com)

http://hosts-file.net/?s=time-for-mumpreneurs.site90.net

worked for me and also many times in the past as it seems
http://wepawet.iseclab.org/domain.php?hash=449a2e524b30f201ae5d4c94d72ddd94&type=js

was distributing Zbot in the past (listed on MDL)
Mal-Aware

May 15, 2009, 11:13:43 am
Reply #76

MysteryFCM
I can click those URLs in the one you referenced, and it works just fine, but if I pop it into the URL box on the homepage, it consistently returns "invalid hostname"? (just tried again after seeing your reply and it did the same thing) - definitely weird.
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

May 15, 2009, 11:21:06 am
Reply #77

CkreM

May 15, 2009, 12:19:46 pm
Reply #78

MysteryFCM
Sporadic DNS issues maybe? (on the server side that is, obviously)

May 15, 2009, 12:25:43 pm
Reply #79

SysAdMini
I have seen this issue yesterday.
I tried the same domain 2 times within 2 minutes.
First time it failed, next time it worked.
Ruining the bad guy's day

May 16, 2009, 08:19:46 pm
Reply #80

JohnC
http://202.73.57.11/arwe/?736361acd09ca9717c9462514beb5205

http://wepawet.cs.ucsb.edu/view.php?hash=431b10d27b2ffd05b7e39a496f058966&t=1242616227&type=js

Says Still processing...

But does not finish.

May 17, 2009, 10:04:37 am
Reply #81

mercutio
For the DNS issues, I've added some redundancies. Hopefully, that will work.

JohnC: we had too many submissions... For now, just reducing the number of outstanding submissions. Adding machines in the next days (but I'll be traveling so it won't be super quick :-( )

May 20, 2009, 08:08:05 pm
Reply #82

MysteryFCM

May 27, 2009, 02:24:25 pm
Reply #83

SysAdMini
Hello Mercutio,

Is there a chance to get those new Luckysploit variants decoded?

examples:
Code:
poppka.net/pore/?7876256053563003de306eb5c094240d
cameronzfunz.com/spl1/?29e898d7718e8d86e0436480200291b7

May 31, 2009, 09:39:44 pm
Reply #84

mercutio
SysAdMini: still traveling, but it's definitely on the TODO list. Hopefully, I'll have time this week.

July 02, 2009, 03:32:08 pm
Reply #85

MysteryFCM
Just an FYI, Wepawet is failing on this one (also fails if you directly feed it the .js file);

Code:
trustshield.info/?p=WKmimHVlbHKHjsbIo21zdYWMpYOInKOjY4nT1m6uqI61h8WilnGbk4F5bw==
Previously, you could just decode then analyze the .js file, and determine the URL to use in order to obtain the file, for example;

Code:
http://guardincorp.info/build[n]_[n].php?cmd=getFile&counter=

> http://guardincorp.info/build08_12.php?cmd=getFile&counter=

This example resulted in a file called Setup_build-1_7.exe. Now however, they seem to have changed it to prevent this, as I'm now seeing it serve a 0KB file if the correct n params are not fed. I've got one here at present that I've decoded; see if you can determine the correct params (going to run it live once I've posted this, to see if I can identify what they've changed).

Code:
trustshield.info/build93_102.php?cmd=getFile&counter=1&query
This URL was identified via the following code, hidden in the encoded .js file;

Code:
kPromo.getDownloadURL = function () {
    return "build" + kPromo.strategy.properties.ls
        + "_" + kPromo.strategy.properties.uid
        + ".php?cmd=getFile&counter=" + kPromo.common.downloadAttemptsCount
        + "&" + kPromo.base.queryParameters;
};

July 02, 2009, 03:38:32 pm
Reply #86

MysteryFCM
If you want to save yourself some time, the thing they've changed is the now added requirement of the "p=" var and query having to be present. The URL that I've just seen and checked is;

Code:
trustshield.info/build93_102.php?cmd=getFile&counter=1&p=nKmimHVlbHKHjsbIo21zdYWMpYOInKOjY4nT1m6uqI61h8WilnGbk4F5bw==
Where 93 and 102 are NOT static numbers (these can still be changed), as can the p= param, as long as it *looks* like a base64 encoded string. For example;

Code:
trustshield.info/build9_12.php?cmd=getFile&counter=1&p=WKmimHVlbHKHjsbIo21zdYWMpYOInKOjY4nT1m6uqI61h8WilnGbk4F5bw==
Which is just 1 letter away from the original

July 15, 2009, 10:09:13 pm
Reply #87

MysteryFCM
Wepawet is failing with this one too :( (says it's benign but it isn't)

Code:
http://lipesr.com/update/?eb70c8bc3e184ffe5a98905e484546d9
http://wepawet.cs.ucsb.edu/view.php?hash=0e28254bfce6009968e5b2982f0c7c33&t=1247695990&type=js

July 17, 2009, 08:09:12 pm
Reply #88

MysteryFCM

August 12, 2009, 09:17:20 pm
Reply #89

mercutio
Folks,

Thanks for reporting issues. I haven't had much time to fix them, but will work on them :-)

In the meanwhile, I've added support for msplinks URLs. Now you can submit them and the links are automatically followed, as in this koobface case:
http://wepawet.cs.ucsb.edu/view.php?hash=4ba993341247cd972535d2e2e400fa1a&t=1250092042&type=js