Wepawet issues

[Orac]

May not be the best place to post this, please move as neccesary SysAdMini

I tried the above URL Submission Feature yesterday, and it shows the following link as malware free

conex.justfree.com/PHPJackal.txt

In fact its hosting a shell script, to be fair i should mention it was only detected as malware 2/39 by VT

[SysAdMini]

I have started a new topic and moved Orac's posting here.

Here we can collect all Wepawet issues.

@Orac:

Your submission is a php script. Wepawet currently "only" analyzes javascript, flash and pdf files.

[mercutio]

Correct. To be a little bit more precise, it should only flag as malicious pages that attempt to perform some exploit. That is, all the various fake scan, fake codec pages will be marked as benign (or suspicious, at best).

In general, it's great if you report any problems you find.

[SysAdMini]

Doesn't recognize the javascript/exploit.

Code: [Select]

hxxp://222.188.91.241/ZXEduBaseData/Common/1.htm
http://wepawet.cs.ucsb.edu/view.php?hash=c1db4673fd8e5cc448c9f07e1c393768&t=1233903624&type=js

[SysAdMini]

Wepawet was able to decode this one

Code: [Select]

fuadrenal.com/mito/?t=2http://wepawet.cs.ucsb.edu/view.php?hash=16f542a1c1a65955c629f0a005e4d87c&t=1233780008&type=js

but is unable to decode a similiar one completely

Code: [Select]

hxxp://fuck-lady.com/prn/index.phphttp://wepawet.cs.ucsb.edu/view.php?hash=9a234517053af6348b538f319798e327&t=1233921433&type=js

[mercutio]

OK, I gave a quick look at it and I think this is what happens.

In both cases, the PDF attack (which I could detect) and the SWF attack (which I cannot detect) do not trigger (I should have a fix for this soon).

Then, in the fuandrenal case, the last page contains the xml data binding exploit, for which we don't have a signature, but which is anomalous enough to make the page suspicious. Hence, the detection. In fact, the last eval block shows:

Code: [Select]

nextkey = '';
k = '';
attack_level = 0;
followed by the heapspray function, the shellcode, and the xml_bobo function, which launches the exploit.

In the fuck-lady case, the last page does not contain any exploit. Therefore, the page is marked as benign. In fact, the last eval (and, unfortunately, there is a bug that mixes the orders of evals in the report) only contains:

Code: [Select]

nextkey = '';
k = '';
attack_level = 0;

BTW, interesting encryption scheme to generate the exploit URL...

[SysAdMini]

BTW, interesting encryption scheme to generate the exploit URL...

Really interesting. I was thinking about publishing a Malzilla decoding howto.
Maybe A. will do it.

[SysAdMini]

Doesn't recognize the javascript/exploit.

Code: [Select]

hxxp://222.188.91.241/ZXEduBaseData/Common/1.htm
http://wepawet.cs.ucsb.edu/view.php?hash=c1db4673fd8e5cc448c9f07e1c393768&t=1233903624&type=js

Hello Marco,

any ideas to this case ?

[mercutio]

Should be better now:
http://wepawet.cs.ucsb.edu/view.php?hash=c1db4673fd8e5cc448c9f07e1c393768&t=1233969016&type=js

I was being a little too restrictive in the type of scripts I was accepting... Thanks!

[SysAdMini]

Exploits don't work:

http://wepawet.cs.ucsb.edu/view.php?hash=94bf47a94520ba0ba6afcf4dc8f96afb&t=1234100011&type=js

[mercutio]

Mmmh, assuming that you're referring to the fact that some exploits are not detected:
- we don't have a signature for the XML exploit (so you don't find it in the exploit list)
- the PDF exploit was not triggered (incorrectly)
- the snapshot exploit was detected
Please, let me know if you meant something else.

Anyways, I've done some changes so that the PDF exploit triggers:
http://wepawet.cs.ucsb.edu/view.php?hash=94bf47a94520ba0ba6afcf4dc8f96afb&t=1234224850&type=js

Unfortunately, I seem to have some problem extracting the JS from the PDF (did I mention that PDF support is more experimental than everything else? :-)), so we don't detect it yet.

[mercutio]

Unfortunately, I seem to have some problem extracting the JS from the PDF (did I mention that PDF support is more experimental than everything else? :-)), so we don't detect it yet.

The problem with PDFs should be fixed now:
http://wepawet.cs.ucsb.edu/view.php?hash=66315375f9d89d3e4850ebaf690c322c&t=1234231244&type=js
http://wepawet.cs.ucsb.edu/view.php?hash=11d02f5e15a36bdf8ff9a7f8779b5929&t=1234231130&type=js

Let me know if you find problems.

Thanks!

[GmG]

Tornado Exploit Pack

Code: [Select]

http://do21.net/cv/count.php?o=3

http://wepawet.iseclab.org/view.php?hash=e589b3bee49bdd62828222543d62fa02&t=1234520577&type=js

Wepawet was unable to decode

[mercutio]

I've done some fixes and I've regenerated the report for your visit:
http://wepawet.iseclab.org/view.php?hash=e589b3bee49bdd62828222543d62fa02&t=1234520577&type=js
Now, the code is decoded correctly.

Exploits were not detected during that visit, so the report still doesn't show them. I've done some other changes that should improve detection, but now the attack is no longer launched when I visit the page, so I cannot test.

Thanks reporting and, please, let me know if you find other problems with similar pages!

[SysAdMini]

Hello Marco,

thank you very much for your fast reponse to each reported issue.

Keep up the good work !