Author Topic: MalZilla  (Read 315960 times)


August 19, 2007, 01:06:20 pm

JohnC

Web pages that contain exploits often use a series of redirects and obfuscated code to make it more difficult for somebody to follow. MalZilla is a useful program for use in exploring malicious pages. It allows you to choose your own user agent and referrer, and has the ability to use proxies. It shows you the full source of webpages and all the HTTP headers. It gives you various decoders to try and deobfuscate javascript as well.

It was previously released only as a private beta, but has now moved to a public beta stage. You can download MalZilla at the MalZilla sourceforge page here.

There is a guide for using MalZilla made available here http://malzilla.sourceforge.net/tutorial_01/index.html

October 09, 2007, 08:27:09 pm
Reply #1

bobby

Malzilla updated to 0.9.2
Also a new tutorial in Documents section.

http://malzilla.sourceforge.net/

October 10, 2007, 08:28:54 pm
Reply #2

bobby

I apologize, 0.9.2 was a broken release :(
Fixed and uploaded as 0.9.2.1
The download mirrors will be updated (hopefully) in one hour.

January 20, 2008, 04:05:31 pm
Reply #3

bobby

Anyone willing to translate Malzilla to other languages?

I'm preparing next release, and I would like to include a couple of translations with the release.

There are some 200 strings to translate. Unicode is supported, so one can even translate to Chinese or Arabic.
Translation tool is also available.

I'm still polishing the interface, so the string list is still not complete, but if anyone applies for translating, I would prepare the list in ~10 days.

January 21, 2008, 04:03:37 am
Reply #4

sowhat-x

I'll try my best to get an exact translation for Greek,
whenever you think the strings' list is ready, pass it over...  :)

February 10, 2008, 01:25:59 am
Reply #5

bobby

I apologize for late reply.
I have uploaded a 0.9.3 pre-release on http://malzilla.sourceforge.net/

Please try to play a bit with translation, and tell me if buttons/labels are big enough for the translated text to fit in.
If not, I would need to play a bit with buttons size or with font size.

Translator folder contains a basic translating tool. It is still not polished, as it shows the resource numbers, but I've coded it today and didn't have time to make it better.
The uploaded default.lng is also done in a hurry, it does not contain the messages and dialogs, but it is good enough to test the interface/GUI translation.

February 12, 2008, 10:35:23 pm
Reply #6

tjs

Thanks, Bobby!

Do you prefer if we post bugs & suggestions here or on the sourceforge forum? I've already found a few in 0.9.3pre.

TJS

February 13, 2008, 04:44:40 am
Reply #7

bobby

Quote from: tjs on February 12, 2008
Thanks, Bobby!

Do you prefer if we post bugs & suggestions here or on the sourceforge forum? I've already found a few in 0.9.3pre.

TJS
Hi TJS,

I check both forums every day, so both are equally good for posting bugs & suggestions.

regards
bobby

February 13, 2008, 06:21:37 am
Reply #8

jimmyleo

chinese_simply language ready! ;D
mailed to u, bobby~

February 13, 2008, 06:35:57 am
Reply #9

sowhat-x

Lol, jimmyleo... was it that easy doing it under Chinese? What's your secret?  :)
Damn it... 'cause I've run into quite a bit of trouble doing this for Greek,
not only couldn't I find the equivalent technical terms,
but the resulting boxes should be huge afterwards... I'll see what can be done...  :-\

February 13, 2008, 07:29:28 am
Reply #10

jimmyleo

hi sowhat-x,
I only couldn't find the "find" resource ID in the "decoder" tab...
and some of them should be wider for better presentation.
I translated most of them, and only a little hasn't been translated, because they are reserved in Chinese.
and some of the technical names which I know maybe from my FreShow experience :P

February 14, 2008, 05:41:21 pm
Reply #11

tjs

Hello Bobby,

Here are some issues and suggestions inspired by your latest pre-release of malzilla.

• Update version number not in sync (reads 0.921 instead of 0.9.2.1)
• Clipboard doesn't work properly (on vista)
  - functional but throws an error
  - locks clipboard in other apps [this is annoying]
  - Suggestion: clipboard feature disabled by default
• Regression from previous version – url no longer opens without http or www
  - Suggestion: add support for hxxp, default to http for protocol and support non www.* links (ex. blah.com)
• Suggestion: Option to enable/disable highlighting
• Suggestion: Option to hide/show comments (<!-- -->) [some obfuscation puts them everywhere]
• Hex view under download tab is a great idea -- what's the point of the 'hex view' tab?

Thank you very much for your hard work on this great utility!
tjs

February 14, 2008, 07:08:47 pm
Reply #12

bobby

@jimmyleo
This pre-release was just a test to see how the translating engine is working. There are more strings missing in that default.lng file.
I will release a complete list the moment we know which features will get into the 0.9.3 release.

@TJS,

About the minor issues:

====
- version number does not matter at the moment as long as you know if you have the newest version. You see, there is a HTML file on Malzilla's site that contains a string with the current version number. I can convert the string to a float, and compare it with a number stored as a variable in Malzilla. That's how it is done, and that's why the version is stored as 0.921 (float, floating point number).
If I wanted to report it in the form 0.9.2.1 I would need to write a parser and extra code for comparing these version numbers. I'll keep it simple for now.

====
- about URLs and annoying messages - I did try to prevent the user from entering FTP or HTTPS URLs, as Malzilla gets stuck for a long time if one is entered. Malzilla does not support these protocols, nor will it.
I'll code it in different way, as it is really annoying as it is.

===
- Enable/Disable Highlighters - will be done. If I get enough time I'll also make them configurable (select colors the way you like).

====
- Hex View under Download tab is just an experiment. I wanted to see how useful/useless it can be. Let both Hex Views stay where they are, and we will see in the next release which one is for the TrashCan.



About the major issues:

====
- Clipboard monitor is really a pain. It is useful if you copy a long list from some forum/site, but it is a pain as it also gets triggered by internal copy/paste in Malzilla.
Also, there is some bug (not in my code, maybe Delphi or Windows) that triggers the Clipboard Monitor twice for each URL on the clipboard. That's why it clears the clipboard after a URL is detected and pasted to the list.
Hmmm... I was thinking that I solved that locking of the Clipboard for other applications (in fact - clearing the clipboard, not really locking).
I will get back to this Clipboard Monitor later, I have some more important things to do first.
Can you give me some info on which error it triggers on Vista? I do not have Vista, all is done on XP (a half-working Linux version is also there)

====
- Hide comments - this one will need some coding. See my list of priorities (follows in this post).



ToDo list:

====
Lately I see a lot of scripts using arguments.callee.toString() in a way which obviously gives very funny results in Malzilla.
(I guess all of you already know this, but...) arguments.callee.toString() differs between SpiderMonkey (Mozilla, FireFox, Malzilla...) and Internet Explorer.
As I see it, a lot of scripts I'm seeing lately are using this in a way that makes the script "IE-only".
I already know what to try, I just need some time to test my idea.

====
History/Log/Case - no, those are not 3 options needed, it is just one feature. I received a request for keeping track of what was done and how, and grouping things in something like a Project/Case.
Guess I'll do it in the form of a button "Start/stop logging", where every action will be recorded (URLs, HTML content, decoded content etc. etc.). I think this would be a very useful feature.

====
More Download tabs (something like tabbed browsing in FireFox). Well, it sounds complicated to me to have unlimited number of tabs (a looooot of coding needed, and there is a danger of memory leaks), so I'm thinking about having some 5 (or say 10) Download tabs that the user can open.



btw. did anyone already see the debugger? :) (just type some nonsense in the Decode tab, and try to run the script)
It wasn't intended to be there in this pre-release, but I forgot to disable it before doing the upload.
Unfortunately, you got a half-baked debugger, as some options were disabled.

This debugger is not my code, it is part of the wrapper I use to access SpiderMonkey, but it seems that nobody from the team who published the wrapper knows how to use/access this debugger from the program code (I asked on the mailing list), so I'm on my own here.
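Reply #12 explains that the update check stores the version as the float 0.921 and compares it with a float parsed from the version string on the site, and that a dotted form such as 0.9.2.1 would need a parser instead. The following is an added example, not MalZilla's own code: it shows the float comparison beside a segment-wise comparator, and the point at which the float scheme stops ordering versions correctly (the moment any component needs two digits). The version strings used are constructed for the demonstration.

```javascript
// Added example (not MalZilla's code): float comparison of version strings versus a
// segment-wise parser, as discussed in Reply #12 of the MalZilla thread.

// The scheme described in the post: parseFloat("0.921") compared with a stored float.
function isNewerAsFloat(remote, local) {
  return parseFloat(remote) > parseFloat(local);
}

// Parse "0.9.2.1" into [0, 9, 2, 1]. Anything other than digits and dots is rejected,
// so a malformed or tampered version file cannot produce NaN-driven comparisons.
function parseVersion(s) {
  if (!/^\d+(\.\d+)*$/.test(s)) {
    throw new Error(`malformed version string: ${JSON.stringify(s)}`);
  }
  return s.split('.').map(Number);
}

// Segment-wise comparison returning -1, 0 or 1. Missing trailing segments count as 0,
// so "0.9.2" and "0.9.2.0" compare equal.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isNewer(remote, local) {
  return compareVersions(remote, local) > 0;
}

// Where the two approaches disagree. A hypothetical release 0.9.10 would have to be
// written as "0.910" in the flat float scheme, and 0.910 < 0.921, so the newer
// release would never be reported; the parser orders the dotted forms correctly.
function demo() {
  return {
    floatSaysNewer: isNewerAsFloat('0.910', '0.921'),   // false (wrong)
    parserSaysNewer: isNewer('0.9.10', '0.9.2.1'),      // true
  };
}

module.exports = { isNewerAsFloat, parseVersion, compareVersions, isNewer, demo };
```

The float scheme is fine for the thread's own versions (0.9.2.1 and 0.9.3 map to 0.921 and 0.93 and order correctly); the parser only matters once a component exceeds a single digit, or when the version file should be validated before it is trusted.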

February 14, 2008, 08:08:14 pm
Reply #13

tjs

I just did some testing on XP and noticed that the clipboard issue occurs here too. When I click 'send script to decoder' in the text tab, I occasionally get an error from malzilla saying it cannot open the clipboard. On vista, I get this error when I start the application sometimes as well.

As for the debugger, I like it, but I think it should be integrated as another tab instead of a popup... Especially because it's not always useful (particularly when you have multiple nested obfuscated scripts). In many cases it throws errors about 2nd degree script variables not being defined, even though the obfuscation is properly decoded in the decode tab. I'd rather not have to close the debugger every time I run a script.

Maybe you can make the debugger configurable (whether to use it or not)...

Also, a random point, I HIGHLY recommend that you set 'clear cache on exit' as default. The cache is usually full of malware and AV scanners hate it.

TJS
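Reply #12 mentions scripts that read their own source through arguments.callee.toString() and so decode differently under SpiderMonkey than under Internet Explorer, which is one reason a decoder can produce "funny results" or the undefined-variable errors tjs describes. The block below is an added example, not MalZilla's code: a constructed sample function derives its decode key from its own source text, and the example shows (a) the key the host engine produces, and (b) what happens under an engine that returns reformatted rather than verbatim source, emulated here by hooking Function.prototype.toString. The same hook doubles as an analyst's tripwire, since it records every time the script inspected a function's source. The sample source and checksum are constructed for the demonstration.

```javascript
// Added example (not MalZilla's code): engine dependence of arguments.callee.toString()
// and a toString hook that records self-inspection, following Reply #12 of the thread.

// Constructed sample: the function sums the character codes of its own source and uses
// the result as a key. It is built with the Function constructor so that it is always
// sloppy-mode code, which arguments.callee requires regardless of how this file runs.
const SELF_CHECKING_SOURCE =
  'var src = arguments.callee.toString();\n' +
  'var key = 0;\n' +
  'for (var i = 0; i < src.length; i++) key = (key + src.charCodeAt(i)) % 256;\n' +
  'return key;';

function makeSelfChecking() {
  return new Function(SELF_CHECKING_SOURCE);
}

// (a) The key under the host engine's own Function.prototype.toString (Node/V8 returns
// the verbatim source text, as IE did).
function keyFromNativeToString() {
  return makeSelfChecking()();
}

// (b) Emulate an engine that hands back reformatted source (older SpiderMonkey
// decompiled the function instead of returning the original text). Collapsing runs of
// whitespace is enough to change the key. The hook also counts how often the script
// asked for a function's source, which is the signal an analyst tool would log.
function runWithReformattingEngine() {
  const original = Function.prototype.toString;
  let toStringCalls = 0;
  Function.prototype.toString = function () {
    toStringCalls += 1;
    return original.call(this).replace(/\s+/g, ' ');
  };
  try {
    return { key: makeSelfChecking()(), toStringCalls };
  } finally {
    Function.prototype.toString = original; // always restore the host's behaviour
  }
}

// Compare both runs: a differing key is exactly the mismatch that makes such a script
// decode correctly in one engine and produce garbage in another.
function enginesDisagree() {
  return keyFromNativeToString() !== runWithReformattingEngine().key;
}

module.exports = { makeSelfChecking, keyFromNativeToString, runWithReformattingEngine, enginesDisagree };
```

For an analyst the useful part is the hook: logging every Function.prototype.toString call while a sample runs tells you immediately that the script depends on its own source text, so a decoder that pretty-prints, strips comments or re-indents before evaluating will not reproduce the browser's result.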

February 14, 2008, 08:52:13 pm
Reply #14

bobby

@tjs
I just changed the code for Send script to decoder. It does not use the Clipboard anymore.
About errors with the Clipboard, I didn't have any of them here, so I have no idea what's wrong. Maybe it is a conflict with some software you use on both XP and Vista.

As for the debugger - it is external code, programmed in such a way that it can't be easily transformed into another tab.
The only thing I can do is a checkbox 'debug', where you can choose to use the debugger or not, or a separate button for debugging.

As for Clear cache on exit - I can do it if you prefer. I prefer not to clear the Cache, and I do not run any AV on this PC (with some 50GB of malware on my HDD, an AV would go crazy).