MalZilla

[bobby]

@MysteryFCM

There is no offense meant by putting your script there under such title. It is just so that you found an extraordinary example.
Breaking the unicode sequences in a such way like in your script - I didn't saw anything like that before, and I'm really happy that you found it.
It was a reason to add concatenating function to Malzilla and a good lesson (for me) that one must not forget to take a look at some simple things, not always searching for clues in some complicated functions.

I tried to blog about some interesting "species", but Blogspot is a real PITA when it comes to text formating:
http://malzilla.blogspot.com/
I gave up on that blog.

@sowhat-x

Do not undervalue your contribution to Malzilla and to this discussion.
I do not have a lot of feedback on Malzilla, and I appreciate every single post here. That gives me some motivation to work further.
Apart of this thread here, there is one more guy posting in forum provided by SourceForge, one contact per email (asking for Linux version which I promised to finish, but never got time to get it to the same level like Windows version) and some feedback on Ethical Hacker Network.
So, I appreciate your feedback a lot.

@TJS
I got some other reports on strange behavior of that splash screen (try Alt + Tab on single monitor).
I'll probably remove it from the next upload, as I really can't find whats wrong, as the code looks OK.


@all
Does the new handling of eval() function do a better job for you than previous hacks?

[tjs]

* I havent had any issues with the new eval() handling.
* I suggest that you put an option to not display splash screen instead of removing it (this seems to be a standard in software today).. that way you can still have a splash

TJS

[bobby]

@TJS

Try the script from Tutorial 5 on Malzilla's website to see the power of the new eval() handling.
After that, try the same script with older versions (pre-release 3) if you still have them (I've deleted them from the server).
In older releases you could only get some info by taking a look at the variables in debugger.
With new version you will get the complete script

[tjs]

Very nice!!

Does this introduce any additional security risk? I'll buy beer for anyone that finds a way to get malzilla to execute a payload using some scripting magic and discloses it to bobby in a responsible manner.

Another crazy suggestion:

How about a scripting API so that I can start using malzilla in an automated way against a list of URLs? Perhaps to be able to input a list of URLs and have malzilla automatically deobfuscate each one until certain conditions are met (ex. till a string [.exe|GET|etc] is found, or after n iterations) while writing each 'layer' to disk.


TJS

[cjeremy]

How about a scripting API so that I can start using malzilla in an automated way against a list of URLs? Perhaps to be able to input a list of URLs and have malzilla automatically deobfuscate each one until certain conditions are met (ex. till a string [.exe|GET|etc] is found, or after n iterations) while writing each 'layer' to disk.

Why not just use the SpiderMonkey API and a wrapper script to automate this for your standard JavaScript obfustication?  Before I started using Malzilla (which I love now) for most of my analysis I would use Perl wrapper scripts and the SpiderMonkey engine, pipe this output into a database which would then allow me to perform relational comparisons....  Not the end all be all solution, but done fairly easily.  Then for any obfucticated scripts you can't parse with your current script libraries use Malzilla, translating your findings into your automated scripts for future occurrences.  I say again, I love using Malzilla and Bobby has done an outstanding job, but an automated solution would be optimal....  On the other hand maybe an open API would boost support and use of Bobby's creation, maybe??? 

[bobby]

@TJS

If SpiderMonkey itself is vulnerable, then the Malzilla would also be vulnerable.
There is no additional risk added by this hack.
All that this hack is doing is to log what the eval() function got as arguments.
Each call will produce a file in eval_temp folder.
After script completes, Malzilla will eliminate duplicates in eval_temp, and show you the rest.

About automation, I did think about it (using PScript from Malzilla), but it is not so easy.
Malzilla is multi-thread application, and a lot of events are based on callback functions.
Using them in in environment that is not object-oriented is a real pain.

Example: when you run a script in decoder, Mailzilla's main thread (the user interface) is not waiting for the decoding thread to finish (that would freeze the interface). When the thread finishes, it calls a callback function in Malzilla, letting it know that the results are waiting to be displayed.

Thats just reminded me that there is bug in Malzilla
If you run a script which takes some time to finish, and create a new Decoder tab before the results are there, the results will be displayed on new tab, not on the tab from where you've sent them.

@cjeremy
Can you make a short tutorial on how you are running Malzilla under Wine on Linux? Please.

[MysteryFCM]

@MysteryFCM

There is no offense meant by putting your script there under such title. It is just so that you found an extraordinary example.
Breaking the unicode sequences in a such way like in your script - I didn't saw anything like that before, and I'm really happy that you found it.
It was a reason to add concatenating function to Malzilla and a good lesson (for me) that one must not forget to take a look at some simple things, not always searching for clues in some complicated functions.

I tried to blog about some interesting "species", but Blogspot is a real PITA when it comes to text formating:
http://malzilla.blogspot.com/
I gave up on that blog.

No offense taken

[cjeremy]

@bobby

Not much of tutorial I am afraid.  It is very simple if you can get the prerequisite wine installed and running.  There are a million tutorials for installing wine and specific instructions can depend upon which distro your using.  For Ubuntu/Kubuntu Gutsy (7.10) it is fairly simple just:

1.  sudo wget http://wine.budgetdedicated.com/apt/sources.list.d/gutsy.list -O /etc/apt/sources.list.d/winehq.list
2.  sudo apt-get update
3.  sudo apt-get install wine

Once wine is installed then it as simple as follows:

1.   wget http://superb-west.dl.sourceforge.net/sourceforge/malzilla/malzilla_0.9.3pre4.zip  (from your favorite sourceforge mirror)
2.   mv malzilla_0.9.3pre4.zip ~/.wine/drive_c/Program\ Files/
3.   cd ~/.wine/drive_c/Program\ Files/
4.   unzip malzilla_0.9.3pre4.zip
5.   cd malzilla_0.9.3pre4/
6.   wine malzilla.exe &  ( execute it with wine )

This works for me, but as anything in the world of software your mileage may vary! 

--jeremy



 

[bobby]

Guys, I apologize, but something is wrong with the previous upload.
At creating the ZIP to upload, my file manager didn't added the folders, just the files.
This is very important, as some function do not work without all the temp folders.
I've fixed this in the manner that Malzilla is now creating all the missing folders if these are not already there.
Some other interface bugs are fixed too.

Please download the new ZIP (0.9.2.5) from SourceForge.

[JohnC]

Is it possible to have the space between "Send script to decoder" and "Find objects" made smaller. Also the space below "Find objects", so that the main download part can be a tiny bit bigger. The bits I am talking about have black lines by them in the picture below.



Also could the space between "URL", "User Agent", "Referrer" and "Cookies" be made a little smaller so that the main download part can be a little bigger.

[bobby]

@JohnC

Done.
I also did that you can collapse/expand that panel.


@cjeremy

May I get your permission to post your tutorial on Malzilla's web site?

[cjeremy]

@bobby

No worries, go for it!  Not much of tutorial though

[sowhat-x]

...he-he,I really like the way that Malzilla has pretty much evolved in being THE standard,
when it comes to analyzing infected/obfuscated webpages... 
http://www.securityfocus.com/blogs/716

[tjs]

Nice catch sowhat-x... I am really proud that I'm involved with this project in some way.
Keep up the great work, bobby.

TJS

[bobby]

Thanks guys

I'll try to get another upload this weekend. Nothing special changed. There is one more redirection method detected in HTTP headers (thanks JohnC), and little GUI redesign to get more space for page source on Download tab.
I also started some other additions (take a look at right-click menu), but it is still not complete (just internal scripts are working for now).

One more thing is missing in case/log mode, and I'll try to fix it tomorrow.

Next Friday I'm going to vacancy for 3 weeks, and I won't have internet connection (neither a PC at all )