Author Topic: Wepawet issues  (Read 52991 times)


August 13, 2009, 09:36:28 am
Reply #90

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
Good to hear, cheers :)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

August 18, 2009, 07:20:24 am
Reply #91

SysAdMini

Code:
210.51.187.45/lib/whichDont.pdf
210.51.166.239/lib/someS.pdf

Wepawet fails to decode it. It contains multiple JavaScript sections and has an interesting obfuscation technique.
Ruining the bad guy's day

August 18, 2009, 01:44:03 pm
Reply #92

SysAdMini

Ruining the bad guy's day

September 02, 2009, 06:45:54 pm
Reply #93

mercutio

Mmmh, I had missed these posts, sorry.

On the good side, I have rolled out a better domain summary page. For a given domain, it now reports:
- the IP/ASN it was found on (and links to the FIRE report for the given ASN)
- other domains found on the same IPs
- registration information (registrar, registrant, creation date) [for registrars that are supported]
- a list of the malicious and suspicious URLs detected on the domain
- a list of the exploits detected
- the latest URLs that were analyzed
- other domains that are reachable by visiting pages on the given domain
I find that this page generally gives a good overview of what is going on with a certain domain/server.

See for example the summary for findhereandnow.com, a well-known Koobface domain:
http://wepawet.cs.ucsb.edu/domain.php?hash=e5f1e528c0b5656e62af4a049ecc9d6a&type=js

To reach a domain summary page, just click on the link "See the report for domain ..." at the beginning of an analysis report.

Of course comments and suggestions are welcome!

October 13, 2009, 05:42:12 pm
Reply #94

SysAdMini

Ruining the bad guy's day

October 23, 2009, 06:23:28 pm
Reply #95

SysAdMini

Ruining the bad guy's day

October 23, 2009, 07:27:19 pm
Reply #96

SysAdMini

Ruining the bad guy's day

October 26, 2009, 03:40:59 pm
Reply #97

Mr Clean

Check this out,

Wepawet reports that this is benign text/html as output. The malicious server sent a Content-Type of text/html but the payload was really application/x-msdos-program; Wepawet assumed the content was text and went no further.

http://wepawet.iseclab.org/view.php?hash=a0db8a069663259f5e60b42a78668278&t=1256571703&type=js

Code:
GET /default.aspx?a6HIAYORwQ2Co-NWhqfRDIaWlQWBx8YF1ceUBdeSxg2BkJIHh5KXVoOXkFOCwMcysNCDBYek0VGExMYGhp-FVoaSwQSFwpQN15-CB4SWwQOHwJdT0sCXPbGXwgyNkPIzhpbBBYKV9zeFn-g82s2HQYSWwQWGovsEhpPHAIKfxQCE HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0) WinNT 5.1
Host: 82.98.231.98
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 26 Oct 2009 15:04:15 GMT
Content-Type: text/html
Content-Length: 166400
Last-Modified: Mon, 26 Oct 2009 14:53:03 GMT
Connection: close
Accept-Ranges: byte

MZ......................@...............................................!..L.!This program cannot be run in DOS mode.
$.......................................................................Rich............PE..L......J...........!...
.r...........n......................................H


http://www.virustotal.com/analisis/159651a11584976aab194b7162bf01baccf2585cea4dd6511b145800b4c38ea2-1256572210  5/41
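The mismatch described in the post above (a Content-Type of text/html on a body that starts with an MZ/PE header) is the kind of thing an analyzer, proxy or log pipeline can catch by sniffing the body instead of trusting the header. The Python below is an added example written for this thread; it is not code from Wepawet or from the poster. The sample HTTP response and the minimal PE-like blob are constructed for the example and only mimic the shape of the capture quoted above; the signature table and the MIME names it returns are the example's own choices.

```python
"""Flag HTTP responses whose declared Content-Type disagrees with the body's magic bytes."""
import struct
from typing import Optional, Tuple, Dict

# Magic-byte signatures checked at offset 0 (table constructed for this example; not exhaustive).
MAGIC = [
    (b"%PDF-", "application/pdf"),
    (b"\x7fELF", "application/x-executable"),
    (b"PK\x03\x04", "application/zip"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF8", "image/gif"),
    (b"\xff\xd8\xff", "image/jpeg"),
]


def is_pe(body: bytes) -> bool:
    """True if body is a PE image: 'MZ' DOS header with e_lfanew (offset 0x3C) pointing at 'PE\\0\\0'."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sniff_type(body: bytes) -> Optional[str]:
    """Best-effort MIME type from the body's leading bytes; None if nothing matched."""
    if body[:2] == b"MZ":                       # MZ stub, with or without a PE header behind it
        return "application/x-msdos-program"
    for sig, mime in MAGIC:
        if body.startswith(sig):
            return mime
    if body.lstrip()[:1] == b"<":              # markup-looking text; good enough for this check
        return "text/html"
    return None


def parse_response(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into a lower-cased header dict and the body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:       # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip().decode("ascii", "replace")
    return headers, body


def check_response(raw: bytes) -> dict:
    """Compare declared vs sniffed type; 'mismatch' is the signal an analyzer should act on."""
    headers, body = parse_response(raw)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    sniffed = sniff_type(body)
    return {
        "declared": declared,
        "sniffed": sniffed,
        "pe": is_pe(body),
        "mismatch": sniffed is not None and sniffed != declared,
    }


def build_fake_pe() -> bytes:
    """Constructed minimal PE-like blob: MZ header, DOS stub text, e_lfanew = 0x80, 'PE\\0\\0' at 0x80."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    stub = b"This program cannot be run in DOS mode.\r\n$"
    hdr[0x4E:0x4E + len(stub)] = stub          # where the DOS stub message usually sits
    return bytes(hdr) + b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 18  # Machine=i386, rest zeroed


# Constructed sample response, shaped like the capture in the post: text/html header, PE body.
SAMPLE_MISLABELLED = (
    b"HTTP/1.1 200 OK\r\nServer: nginx/0.7.62\r\nContent-Type: text/html\r\n"
    b"Connection: close\r\n\r\n" + build_fake_pe()
)
# Constructed benign sample for comparison: header and body agree.
SAMPLE_HTML = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    b"<html><body>ok</body></html>"
)

if __name__ == "__main__":
    for label, sample in (("mislabelled", SAMPLE_MISLABELLED), ("html", SAMPLE_HTML)):
        print(label, check_response(sample))
```

The design point is that the branch an analyzer takes (render as HTML, parse as PDF, hand to a PE scanner) should be chosen from the sniffed type, and a mismatch between the two is itself worth logging, since a server that lies about its Content-Type is behaving unlike a normal web server.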

November 01, 2009, 04:46:22 pm
Reply #98

SysAdMini

YES exploit kit, fails decoding

Code:
maghdfun.cc/
Ruining the bad guy's day

April 02, 2010, 09:26:41 am
Reply #99

cleanmx

Wepawet is back online again.

--gerhard