Author Topic: MalZilla  (Read 295126 times)


June 15, 2008, 02:47:42 pm
Reply #120

bobby

A little preview of what I'm working on:
http://rapidshare.com/files/122620084/malzilla_preview.zip.html

News:
- handling HTTPS by using OpenSSL (saw a malware last week, which was hosted on a HTTPS)
- minor GUI changes
- internal minimalistic HTML render (still does not handle all HTML tags)
- better Format Code (at least I think it is better). Major difference is that FC will not touch anything inside quotation marks. FOR loops handling is also done better.
- Link Parser - it does Line select now, a click on a line will select the whole line
- Tools - some improvements and new edit functions
- Download tab - please test new option in tab's right-click menu: New tab (next step). Current URL will be a referrer on new tab, and cookies are set. Note that cookies set by scripts in HTML code are not handled, just cookies from HTTP headers are processed by Malzilla

Bugs:
- JSEncode decoder goes messy with Unicode chars in code (JSEncode does not work with Unicode; one needs to translate the code page, and even worse, one needs to know which code page was in use)
- probably more bugs
- probably even more bugs

ToDo:
- implement more DOM objects (href, location etc.)
- stop working on Malzilla if Symantec and SANS guys keep cropping the screenshots so that the title "Malzilla by bobby" gets cut off from the pictures they post in the blogs. More than that, make a JScript that Symantec and SANS guys can't decode with current Malzilla, and tell them you won't improve Malzilla until they post the whole screenshots
- or implement nag screens which will affect just the Symantec guys (and others who feel embarrassed if they mention that they are using Malzilla) :)

Regressions:
- some JS functions not working anymore (alert, dialogs)

To explain the regression with some JS functions: since I moved the complete interaction with SpiderMonkey into a separate thread, and since a thread isn't part of the GUI (the GUI is part of the main thread), SpiderMonkey can't access anything GUI-related anymore. This is the next thing I'll work on.

June 15, 2008, 02:54:30 pm
Reply #121

MysteryFCM

Can you upload it here please? (I've tried numerous times but I'll be damned if I can get the RS captcha correct  ??? )
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

June 15, 2008, 03:05:24 pm
Reply #122

bobby

http://malzilla.sf.net/malzilla_preview.zip

Too big to be attached to a post here. I've uploaded to Malzilla site.

Please report bugs, both in GUI and in handling JavaScripts.
If anyone wants to send me a script which can't be handled, please save it from Malzilla as a project file (Settings > Download > Add project info to saved files) or please provide the complete URL, referrer, User Agent and cookies.
A lot of scripts depend on these parameters, and can't be deobfuscated if these are not known.

June 15, 2008, 03:16:22 pm
Reply #123

MysteryFCM

Nice one, cheers :)
Regards


June 15, 2008, 05:39:41 pm
Reply #124

sowhat-x

In a real hurry at the moment, can't really reply properly...  :-\
Quote
Too big to be attached to a post here.
For future reference:
since people have complained more than a few times about it, he-he...  :D
I've increased attachments' file size up to 2mb...

Quote
- handling HTTPS by using OpenSSL
Won't say more - that's really damned good news  8)
Just something that quickly came to mind,
not a suggestion, just trying to give out ideas...
maybe you'd also like to have a look at MatrixSSL:
http://www.matrixssl.org/
It's 'supposedly' more lightweight/easy to use than OpenSSL...

Quote
- probably more bugs
- probably even more bugs
Lmao!  ;D
We all put 100% trust on you -> but I guess you already knew that...  ;)
So, I translate this to:
Quote
- probably more of excellent hard work from bobby

June 15, 2008, 09:14:30 pm
Reply #125

Orac

I've had a quick play with the preview, really like the "New tab (next step)" and can see that coming in useful.

I've had problems with HTTPS a few times in recent months, this addition will be a major help.

Also like the mini HTML view that should prove to have its uses.

Will comment further when I've used it for a few days.


Many thanks for all the hard work you do for us all :)

Malware analysed using Clarified Analyzer to record and document how malware behaves in a networking environment

June 16, 2008, 07:14:18 pm
Reply #126

tjs

I got a new bug to report today...

Found a drive-by that pads script with nulls... Malzilla really didn't like this, and neither did textpad's search/replace function.

Here is the original malicious page:
hxxp://ch.moneybee.net/blog/kehker/hker.htm

Let me know if it goes down and you need a copy attached.

Ex:
3C00000000000068000000007400000000006D00006C00003E0000000000000D0A0000000000002000000000000000200000000000003C7300000063000000000000007200000000000000690000007000000000000000007400000000000000

TJS
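The NUL-padding tjs describes is a cheap obfuscation: the readable bytes in that dump are just `<html>\r\n  <script`, with irregular runs of 0x00 between them that break naive text tools. The following is an added example (not Malzilla code, and not tjs's or bobby's) showing the two checks an analyst wants before stripping: is the NUL density abnormal, and is the body genuine UTF-16LE (which also contains NULs, but in a regular pattern and should be decoded, not stripped)? The sample input is constructed here to mirror the shape of tjs's dump, and the 10% alert threshold is an assumption.

```python
# Added example (not Malzilla code): triage and clean a NUL-padded script.
# Sample input is constructed here to mirror the shape of the reported dump.

NUL_RATIO_ALERT = 0.10   # assumed threshold: flag a body if >10% of its bytes are NUL

SAMPLE_TEXT = b"<html>\r\n  <script"   # the readable bytes in the reported dump


def pad_with_nulls(data: bytes) -> bytes:
    """Constructed sample: each real byte followed by an irregular run of NULs."""
    out = bytearray()
    for i, b in enumerate(data):
        out.append(b)
        out.extend(b"\x00" * ((i * 7) % 6))   # 0..5 NULs, varies per position
    return bytes(out)


def nul_ratio(data: bytes) -> float:
    """Fraction of bytes that are 0x00; near zero for ordinary HTML/JS."""
    return data.count(0) / len(data) if data else 0.0


def looks_utf16le(data: bytes) -> bool:
    """True for genuine UTF-16LE ASCII text: a BOM, or a NUL in exactly every odd
    position and none in the even positions. Irregular padding does not match."""
    if data.startswith(b"\xff\xfe"):
        return True
    if len(data) < 4 or len(data) % 2:
        return False
    odd_all_nul = all(data[i] == 0 for i in range(1, len(data), 2))
    even_no_nul = all(data[i] != 0 for i in range(0, len(data), 2))
    return odd_all_nul and even_no_nul


def remove_nulls(data: bytes) -> bytes:
    """Drop every 0x00 byte; what the thread's 'Remove NULLs' script is described to do."""
    return data.replace(b"\x00", b"")


def triage(data: bytes) -> dict:
    """Classify a fetched body and return the bytes an analyst should inspect next."""
    ratio = nul_ratio(data)
    if looks_utf16le(data):
        kind = "utf-16le"       # real encoding: decode properly rather than strip
        cleaned = data.decode("utf-16-le", errors="replace").lstrip("\ufeff").encode()
    elif ratio >= NUL_RATIO_ALERT:
        kind = "nul-padded"     # obfuscation: strip the NULs and re-inspect
        cleaned = remove_nulls(data)
    else:
        kind = "plain"
        cleaned = data
    return {"kind": kind, "nul_ratio": round(ratio, 3), "cleaned": cleaned}


if __name__ == "__main__":
    padded = pad_with_nulls(SAMPLE_TEXT)
    print(padded.hex().upper())
    print(triage(padded))
```

The UTF-16 check matters because blindly stripping NULs from a UTF-16LE page happens to work for ASCII-only content but silently corrupts any non-ASCII characters; the irregular padding in the report fails that check and is treated as obfuscation.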

June 16, 2008, 08:11:02 pm
Reply #127

bobby

@tjs
Attached to this post is an updated EXE with additional function to remove nulls.
Right click on text box containing NULLs (Decoder, Download, any other text box) > Run Script (internal) > Remove NULLs

June 16, 2008, 08:26:25 pm
Reply #128

bobby

Forgot to say - Concatenate function is updated too.
Now it can handle even something like the following:
"T" + 'e' & "s" + 't'
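Collapsing literal chains like the one above is a standard first pass over obfuscated JScript/VBScript, and the point bobby makes about Format Code earlier in the thread applies here too: nothing inside quotation marks may be touched. The following is an added example, not Malzilla's Concatenate code, that joins runs of string literals separated by `+` or `&` regardless of quote style, leaves everything else (including a `+` inside a string) alone, and never starts a match inside a literal because it scans the code literal by literal. Escape sequences other than the literal's own quote (`\x41`, `\n`) are deliberately left for the script engine.

```python
# Added example (not Malzilla code): join chains of string literals separated by
# "+" (JScript) or "&" (VBScript) into one double-quoted literal.
import re

# One string literal in either quote style; backslash escapes stay inside it.
_LITERAL = r'(?:"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\')'
# Two or more literals separated only by + or & (and optional whitespace).
_CHAIN = _LITERAL + r'(?:\s*[+&]\s*' + _LITERAL + r')+'
# Scan consumes either a whole chain or a single literal, so matching never
# begins in the middle of a string and a '+' inside quotes is never a separator.
_SCAN = re.compile(_CHAIN + '|' + _LITERAL)


def _unquote(lit: str) -> str:
    """Drop the outer quotes and un-escape only the literal's own quote character."""
    q = lit[0]
    return lit[1:-1].replace("\\" + q, q)


def _requote(text: str) -> str:
    """Emit a double-quoted literal, escaping any embedded double quotes."""
    return '"' + text.replace('"', '\\"') + '"'


def concatenate(code: str) -> str:
    """Rewrite every + / & chain of literals in `code` as a single literal;
    single literals and all non-string code are returned unchanged."""
    def join(m: re.Match) -> str:
        parts = re.findall(_LITERAL, m.group(0))
        if len(parts) == 1:          # a lone literal, not a chain
            return m.group(0)
        return _requote("".join(_unquote(p) for p in parts))
    return _SCAN.sub(join, code)


if __name__ == "__main__":
    print(concatenate("\"T\" + 'e' & \"s\" + 't'"))          # "Test"
    print(concatenate("document.write(\"<scr\" + 'ipt>' + \"x\");"))
```

This handles string literals only; a quote character inside a `//` or `/* */` comment is not recognised as such and can throw the scan off, so strip comments first on real samples.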

June 16, 2008, 10:45:20 pm
Reply #129

tjs

You rock!

June 17, 2008, 12:18:17 pm
Reply #130

Orac

One small point.

With Malzilla 0.9.3pre5 we have a box that can be check marked for "Auto-redirect" under Settings/Download

This box is missing from the new version, and instead we get a pop up asking if we want to follow the redirect.

Personally I am finding this pop up to be a bit of a pain, would it be possible to have the Auto-redirect check box back as per 0.9.3pre5

June 17, 2008, 01:20:02 pm
Reply #131

Orac

 :-[ Ooopppppppps forget my post above, just found it on the download page  :-[
* Orac books an appointment with the opticians

June 17, 2008, 03:36:24 pm
Reply #132

bobby

Hi Orac,

It is my fault I didn't mention it.
I found it more useful to be on the first page.

I'm not known as someone who is taking notes of what is done/changed/etc. You can see that from the changelogs :)

Next few days I'll do a review of the code. I need to take a look if everything is logged in log/case mode.
After that I'll push another official download on Malzilla's website.

Any suggestions that can be implemented with less work/modifications?

After this version, I'll really go for implementing more DOM objects.
The easiest way is to have them as templates that implement new DOM objects in realtime.
This way anyone can make his own templates which would implement the missing DOM objects.
Guess some of you have no clue what I'm talking about, but it will be much easier when I show that with examples.

June 17, 2008, 04:58:56 pm
Reply #133

Orac

Quote from: Bobby
Any suggestions that can be implemented with less work/modifications?

I have no idea how much work or modifications would be involved with either of these, but do have two "wish list" items

1. Porting Malzilla for FTP.
2. In the HTTP header section adding resolved DNS and IP connection(s).

June 17, 2008, 06:44:18 pm
Reply #134

bobby

Hi Orac,

What would you exactly want about FTP?
Just a possibility to download a file from FTP, or a full-featured FTP client (two panels - local and remote folder etc.)
Just getting a file from FTP isn't so hard to do. For a FileZilla-like client I would need a lot of time.

About resolving DNS and such - I have no clue how to do that. I know almost nothing about the theory of resolving DNS servers, lookups and such.