August 26, 2008

Here is a pretty awesome tool for connecting to links hosting malicious code, spoofing your User-Agent settings, using a proxy, downloading malware, and deobfuscating and observing the source of hostile JavaScript, pretty bad ass. The tool is called Malzilla. Then you can download the malware and analyze or reverse it.

This can be used with other tools like Fiddler, which is a web debugging proxy that can do all kinds of cool stuff.

Of course, if you want to be sort of safe testing malicious links, run it through the Firefox plugin.

An attack vector trend that is currently in vogue is exploiting legitimate websites, such as via SQL injection attacks, to plant hostile IFrames into the website's pages, sometimes all of them, that are invisible because their dimensions are 0x0. The content of these IFrames is largely JavaScript that bounces to other IFrames over and over and finally winds up at a site hosting a malicious web page constructed to identify user agent settings (i.e. what browser you are using) and then run a version/product/platform/geographic-region-specific series of exploits against the user's system, which has unpatched vulnerabilities either in the OS/browser or, as the trend now is, in ancillary applications such as browser helper ActiveX objects and file parsers such as Flash, JPEG, and QuickTime.
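As an added example (not code from the original post or from Malzilla), here is a small defender-side check for the invisible IFrames described above: it parses a page's HTML and reports every iframe that is 0x0 (or 1x1) or hidden by inline CSS, together with the URL it points at. The sample page and all hostnames in it are constructed for the example.

```python
# Added example: scan HTML for invisible iframes (tiny dimensions or CSS-hidden)
# of the kind injected into legitimate pages, and report where they point.
from html.parser import HTMLParser
import re

def _length(value):
    """Leading integer of a width/height attribute or CSS length ('0', '1px')."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None

class HiddenIframeFinder(HTMLParser):
    """Collects (src, reason) for every <iframe> that a user would not see."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":          # HTMLParser lowercases tag and attr names
            return
        a = {k: (v or "") for k, v in attrs}
        style = a.get("style", "").lower()
        reasons = []
        # Size from the width/height attributes, overridden by inline CSS if set.
        w, h = _length(a.get("width")), _length(a.get("height"))
        m = re.search(r"width\s*:\s*(\d+)", style)
        if m: w = int(m.group(1))
        m = re.search(r"height\s*:\s*(\d+)", style)
        if m: h = int(m.group(1))
        if w is not None and h is not None and w <= 1 and h <= 1:
            reasons.append("tiny-size")
        if re.search(r"display\s*:\s*none|visibility\s*:\s*hidden", style):
            reasons.append("css-hidden")
        if reasons:
            self.findings.append((a.get("src", ""), "+".join(reasons)))

def find_hidden_iframes(html):
    """Return [(src, reason), ...] for every hidden iframe in the given HTML."""
    p = HiddenIframeFinder()
    p.feed(html)
    return p.findings

# Constructed sample page: one legitimate video frame plus two injected ones.
SAMPLE = """<html><body><h1>Welcome</h1>
<iframe src="https://video.example.invalid/player" width="640" height="360"></iframe>
<IFRAME SRC="http://injected.example.invalid/in.cgi?3" WIDTH=0 HEIGHT=0></IFRAME>
<iframe src="http://injected2.example.invalid/x.php" style="display:none;width:1px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in find_hidden_iframes(SAMPLE):
        print(f"{why:12} {src}")
```

Run against a saved copy of a suspect page; the same check can be pointed at a crawler's fetched bodies to catch a site-wide injection rather than a single page.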

Sometimes it takes a whole organization to set this up, but there are entire packages that enable this crimeware to work and even report back to the operator, enterprise-reporting style, via digital dashboards. Fortunately there is a lot of competition now and access to these kits is getting easier. They typically rely on PHP and other scripting languages with a typical database backend.

When this whole enchilada works, however, you basically have organizations PWNing their own customers and facilitating the theft of their information. Each victim that visits the site gets a nasty little downloaded piece of malware, most likely packed to get around their antivirus, injected into their explorer.exe process to evade firewalls, and instructed via shellcode to do a reverse shell out of their organization or dump additional modular capabilities. All in all, it's an ugly day.

Some of these are even under the guise of intellectual property protection.
