More signatures and better PDF decoding (pdf.py) with ASCII85Decode support!
I also added active mode (-a), which fetches any URLs marked [not analyzed], and it can be combined with URL fetching (-u):
$ ./jsunpack-n.py -u "www.bbkmobile.com" -a
URL fetch www.bbkmobile.com
(referer=www.google.com/trends/hottrends)
saved 1647 bytes to ./files/fetch_b8df4c6607205922a41d6448de0dda45d3885951
Active Mode, fetching x new URLs
[...cut...]
[nothing detected;children=malicious:10] (script) www.bbkmobile.com/
[suspicious:5] (script) www.crcf.org.cn/logo.gif?b
suspicious: DecodedIframe detected <iframe
[nothing detected;children=malicious:10] (iframe) knownsec.7766.org/wwj2/1.htm?
[...cut...]
More info from the CHANGELOG:
Updates 2009-09-18 version 0.1f
1) active fetching with -a, and evaluation of URLs with -u; use both (-u URL and -a) for purely active analysis
2) evaluation of multiple different client version strings:
2a) version enumeration: adobe reader for pdf
2b) version enumeration: IE7, IE8, Firefox, Opera
2c) cumulative evaluation time limits per decoding, and inference of code coverage based upon evaluation time
3) added pdf decoding support for ASCII85Decode and made other improvements to pdf decoding
4) rules updates
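To make item 3 concrete, here is an added example of what a PDF ASCII85Decode filter has to handle, plus a minimal filter chain so it can be exercised on a constructed /JS stream. This is example code written for this page, not jsunpack-n's pdf.py; the filter names, the sample JavaScript string and the runtime-built sample stream are all constructed here, and nothing is fetched from the network.

```python
"""Added example (not jsunpack-n's own pdf.py): a PDF ASCII85Decode filter
plus a minimal /Filter chain, exercised on a constructed /JS stream."""
import base64  # used only to build the constructed sample stream
import zlib

_ASCII85_WHITESPACE = frozenset(b" \t\r\n\x0c\x00")


def ascii85_decode(data: bytes) -> bytes:
    """Decode a PDF ASCII85Decode stream (PDF 32000-1:2008, 7.4.3).

    Accepts an optional leading '<~' and stops at the '~>' end-of-data marker;
    skips whitespace; expands 'z' to four zero bytes; a partial final group of
    n characters (2..4) yields n-1 bytes after padding with 'u' (digit 84).
    A group above 2**32-1 or a character outside '!'..'u' is an error per the
    spec, so a corrupted or deliberately malformed stream is reported instead
    of silently turning into garbage bytes.
    """
    if data.startswith(b"<~"):
        data = data[2:]
    end = data.find(b"~>")
    if end != -1:
        data = data[:end]
    out = bytearray()
    group = []
    for ch in data:
        if ch in _ASCII85_WHITESPACE:
            continue
        if ch == 0x7A:  # 'z': shortcut for a group of four zero bytes
            if group:
                raise ValueError("'z' is only valid on a group boundary")
            out += b"\x00\x00\x00\x00"
            continue
        if not 0x21 <= ch <= 0x75:  # '!'..'u'
            raise ValueError(f"invalid ASCII85 character {ch:#04x}")
        group.append(ch - 0x21)
        if len(group) == 5:
            out += _group_to_bytes(group, 4)
            group = []
    if len(group) == 1:
        raise ValueError("a final group of one character is invalid")
    if group:
        nbytes = len(group) - 1
        group.extend([84] * (5 - len(group)))  # pad with 'u'
        out += _group_to_bytes(group, nbytes)
    return bytes(out)


def _group_to_bytes(digits, nbytes: int) -> bytes:
    """Convert five base-85 digits to a 32-bit big-endian word, keep nbytes."""
    value = 0
    for d in digits:
        value = value * 85 + d
    if value > 0xFFFFFFFF:
        raise ValueError("ASCII85 group exceeds 32 bits")
    return value.to_bytes(4, "big")[:nbytes]


# /Filter entries are applied left to right when decoding a stream.
_FILTERS = {
    b"/ASCII85Decode": ascii85_decode,
    b"/FlateDecode": zlib.decompress,
}


def decode_stream(filters: list, data: bytes) -> bytes:
    """Run a stream's /Filter array through the supported decoders in order."""
    for name in filters:
        fn = _FILTERS.get(name)
        if fn is None:
            raise ValueError(f"unsupported filter {name!r}")
        data = fn(data)
    return data


def build_sample_stream(js: bytes) -> bytes:
    """Constructed sample: JavaScript under FlateDecode, then ASCII85Decode,
    the layering that keeps a /JS payload out of a naive grep of the PDF."""
    return base64.a85encode(zlib.compress(js), adobe=True)  # frames with <~ ~>


def demo() -> bytes:
    # Constructed, harmless stand-in for a heap-spray style /JS payload.
    js = b"var s = unescape('%u9090%u9090'); app.alert(s.length);"
    stream = build_sample_stream(js)
    return decode_stream([b"/ASCII85Decode", b"/FlateDecode"], stream)


if __name__ == "__main__":
    print(ascii85_decode(b"87cURDZ~>"))
    print(demo())
```

The decoder is deliberately strict: an analysis tool that pads or skips bad groups the way a lenient reader might would decode a different byte stream than Adobe Reader does, and the script it then evaluates would not be the one the target actually runs.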
Get it here!