Main » 2011 » Март » 16 » Reveal the exploits encrypted javascript malicious iframe Russian manual malzilla
12:36
Reveal the exploits encrypted javascript malicious iframe Russian manual malzilla
Being interested in information security, I often have to deal with contaminated sites containing frames on the exploits encrypted javascript, convoluted redirection ... To facilitate the work, I use open source software Malzilla. Unfortunately for the Russian expanses of the Internet very little information about the TOOLS, so I want to translate the official manual for it. Most in 6 parts, here comes a translation of the first of them.

  • Project website: malzilla.sourceforge.net
  • Download: malzilla.sourceforge.net / downloads.html


Part 1



Let's look at the following image:


This page content , the link that was sent to me with spam.
To get direct links to malicious software, we have to deal with the Javascript function: unescape (). This is not a problem, nuance
only in the fact that not all data transferred This function should be treated by it. Since we personally deal with that, you need to
care about what part should be omitted and what is not.
Click "Send script to Decoder", now in the active tab Decode click "Run script":


In the bottom panel we can see the result - to download malicious files using VBscript.
In this example we are dealing with a script that writes data directly to a binary file, bypassing the load.


Since it is written in VBscript, SpiderMonkey engine is not in a position to interpret, so we use the other functions Malzilla.
First you have to copy the source code in the script tab "Misc Decoders tab":


If you look at the first picture of the current example, you'll notice that the MZ the signature is written to a file on the first step, and all other data on the second. We will do both operations behind din step. On the previous screenshot, I added \ u4D5A in the beginning of the code that yavlyaetsya word MZ in ASCII encoding. Now we need to put a value "Override default delimiter" in \ u, because the next function will expect value % u, not \ u.
After pressing "UCS2 To Hex" we obtain the following result:


Now press "Hex To File" and save the results to our hard disk.
The test file on the VirusTotal.com:


The following example uses the more complex transformations, and math function to decrypt the data.
Function eval () used to perform the decryption result, Kojima is also the script:




,

We have changed the eval () on function document.write (), to see the source code of the script rather than execute it. The result will be VBscript:


As you can see we have a sequence of UNICODE code to convert.
Let's copy the code in the tab "Misc Decodres tab" and use the function Decode UCS2:





The result will transform the shellcode, and we see Address download malicious file.

The following example is slightly more complicated than in previous ones.
Then use a script known as dF (after the names of variables often used in this scenario, which varies by zX in our example):


After pressing the Send script To Decoder and the script we will see the following:


Only the first part of the script deciphered (highlighted in the screenshot). Now, scroll in his transcribed the script (without tags <script>):



and paste it over the original script, the part which is now solved:



running the whole script again and look at the result:


Clean the entire top tab to the original script and paste the generated code:



Again, click Run script:


Scrolling down a bit we will see the familiar UNICODE characters:


Decodes them as shown in the previous example:


As a result, we still have a shellcode with direct link to Malvar.

Finally another example:



Explanation of the code by hand will take a lot of time and effort ... In Malzilla you can just click Send script To Decoder send the script tab Decode, run it, and get the result:


URL in the screenshot is nothing like a direct link to the infected file!
Views: 612 | Added by: w1zard | Rating: 0.0/0
Total comments: 0
Имя *:
Email *:
Код *: