Anubis Sandbox now analyses malicious URLs

[JohnC]

http://anubis.iseclab.org/?action=home

From the Anubis homepage: "Choose the URL that you want to analyze. The URL will be analyzed in Internet Explorer."

http://82.103.138.10/ls/?t=24
http://anubis.iseclab.org/?action=result&task_id=fb15235604d4de54e567328a554ea63e&format=html
http://24aspx.com/cgi-bin/index.cgi?script
http://anubis.iseclab.org/?action=result&task_id=e165f2dbe72bc0343536d28331ac29af&format=html
http://lite.ff-freehosting.com/vip/index.php
http://anubis.iseclab.org/?action=result&task_id=483203831f3ccc444d332fff83ef7202&format=html
http://pluscount.net/strong/190/
http://anubis.iseclab.org/?action=result&task_id=0cf77d3101999b24511f7f96c1beaaed&format=html
http://nudestaff.com/x/
http://anubis.iseclab.org/?action=result&task_id=112c48d1012dac34313c5bacc3e13e7e&format=html


A fully updated Internet Explorer I would be guessing. Those sites get a threat rating of 1/2/3/4 out of 10. They are drive-by-download sites. What would cause a site to have a higher threat rating?

http://www.wrmfwp.cn/one/a26.htm
http://anubis.iseclab.org/?action=result&task_id=2f785cc2f9c0a6d4898aec5170013747&format=html
http://wsxhost.net/count.php?o=2
http://anubis.iseclab.org/?action=result&task_id=69cbdd42040facf4a10f763f5144554d&format=html
http://adwords.google.com.index.main.update.qwertycn.cn/myspace.cn/index.php
http://anubis.iseclab.org/?action=result&task_id=fdd6d7902ba180c42973b4c1319ababe&format=html
http://66.212.19.146/g/index.php
http://anubis.iseclab.org/?action=result&task_id=7d951187accd11e479a9f9fe995f7b02&format=html

It now also has an advanced submission page: http://anubis.iseclab.org/?action=advanced_form

So that if there are any dependencies which would normally stop the file from running as it should, you can upload them aswell.

Before these changes were implemented the site had been down for about a week. So there may have been changes made to the regular file analysis service aswell. I have not checked yet.

[MysteryFCM]

Nice one, cheers dude

[JohnC]

http://anubis.iseclab.org/?action=result&task_id=b3f0c31552e6f084159e3d1f226e75a1

Error - No Executable File
Unfortunately your file could not be executed.
Either your file is not a valid Windows executable or some of its startup-dependencies have not been met.

According to the Unix file command your file is of the following type:
MS-DOS executable, MZ for MS-DOS

Back to the start

Shouldn't it be able to run it with ntvdm.exe?

[SysAdMini]

It's not a MS-DOS executable. It is a PE file, but something is wrong with the file.
It looks like someone has replaced all zeroes by 20h (space).

[JohnC]

My bad...

http://www.virustotal.com/analisis/4ee8e2d49f061e692920226d2a6fd306
http://anubis.iseclab.org/?action=result&task_id=5877a698f4255b84d1b61c49bbb5dd73&format=html

[sowhat-x]

First Cutwail.exe uploaded above is not a valid PE file (at first glance,it seems to be download-corrupted).
Cutwail.bin is a valid PE file,and here's what it extracts...password is "infected",as usual...

...and urls in plain text view there?Heh...that's something we're not really used to,he-he... 

hxxp://bestdiabetesdrugs.com/?
hxxp://mexicandrugstor.com/?
hxxp://superdrugsworld.com/?
hxxp://superdrugssite.com/?
hxxp://bestanxietydrugs.com/?
hxxp://georgescheapdrugs.com/?
hxxp://buydrugsonlinehere.com/?
hxxp://ulcerdrugsonline.com/?
hxxp://bestdrugsinternational.com/?
hxxp://besttopicaldrugs.com/?

[Kayrac]

apparently someone mentioned that the scanner simply checks if the website does any modifications, flash or java, appear to give the website a 'high risk rating' for 'file changes' etc

weird

for comodo.com

http://anubis.iseclab.org/?action=result&task_id=24ee6cf752bd1924058a4e692b9f2e70&format=html

and many many others it does the same thing.......looks like they still got some work to do