Wednesday, September 2, 2009

Jsunpack-n Update v0.1e: Graphical output, directory output, command line options and fixes

A new version of jsunpack-n, 0.1e, is available! This version makes some major improvements in the rule language (using Yara) and allows you to make pretty pictures like this:

One thing I think you will like is the new output ./files/ directory and command line options! Enjoy.

Here it is running with the sample files included in the archive:

$ ./ sample-http-exploit.pcap
[impact=5] DecodedGenericCLSID detected F0E42D60-368C-11D0-AD81-00A0C90DC8D9
[impact=10] MSOfficeSnapshotViewer detected F0E42D60-368C-11D0-AD81-00A0C90DC8D9
[impact=5] ObfuscationPattern detected location eval
[impact=10] MSIENestedSpan detected CDATA[<image SRC=http://&# DATAFORMATAS= <SPAN DATASRC= DATASRC= DATAFLD=
[info] find_urls: [javascript var]

$ ./ sample-pdf.pcap
[impact=5] DecodedIframe detected <iframe
[info] [iframe /]

[impact=10] PDFexploit detected util.printf Collab.getIcon getAnnots Collab.collectEmailInfo spell.customDictionaryOpen
[malicious] identified shellcode of length 1533 (./files/shellcode_9ac3a76f70caef94f2773abc1043e9511d2d0f09)
[info] XOR key [shellcode]: 33
[info] shellcode url [xor]
[impact=5] ObfuscationPattern detected eval String.fromCharCode

[incident:10] [0] requested by
[incident:10] [0] origin
[incident:10] [0] method=GET type=shellcode
[incident:10] [0] filetype MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit

$ ./ sample-pdf.file
[malicious:10] sample-pdf.file
[impact=10] PDFexploit detected collab.getIcon
[suspicious] likely NOP sled shellcode variable of length 167
[malicious] identified shellcode of length 1526 (./files/shellcode_da344d16e814e40dec67592bdccdf3ad50e0069d)
[info] XOR key [shellcode]: 33
[info] shellcode url [xor]
[suspicious] likely NOP sled shellcode variable of length 2048
[suspicious] likely NOP sled shellcode variable of length 1714
[suspicious] likely NOP sled shellcode variable of length 522574
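The three kinds of findings in the runs above (a NOP sled variable, an XOR key recovered from the shellcode together with the URL hidden inside it, and the dump written to ./files/shellcode_<sha1>) are easy to reproduce in miniature. The script below is an added example written for this post, not jsunpack-n's own code: it decodes a %uXXXX unescape() string the way the browser would lay it out in memory, measures how long the buffer keeps repeating a 1-, 2- or 4-byte pattern, tries all 256 single-byte XOR keys looking for an ASCII "http://" in the result, and names the dump after its SHA-1 in the same style as the output above. The 64-byte sled threshold, the sample buffer and the placeholder URL are all constructed for the example; jsunpack-n's real thresholds are not stated on the page.

```python
import hashlib
import os
import re
import struct
from typing import List, Tuple

# Assumption: jsunpack-n's own cut-off is not stated on the page; 64 bytes of
# repeated pattern is this example's threshold for "likely NOP sled".
SLED_THRESHOLD = 64

_TOKEN = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})|(.)", re.S)


def decode_unescape(js_string: str) -> bytes:
    """Turn the contents of a JavaScript unescape() literal into the bytes it
    occupies in memory: %uXXXX is a 16-bit code unit stored little-endian,
    %XX is one byte, and any other character contributes its low byte."""
    out = bytearray()
    for u16, u8, ch in _TOKEN.findall(js_string):
        if u16:
            out += struct.pack("<H", int(u16, 16))
        elif u8:
            out.append(int(u8, 16))
        else:
            out.append(ord(ch) & 0xFF)
    return bytes(out)


def to_unescape(data: bytes) -> str:
    """Inverse of decode_unescape, used here only to build test input."""
    if len(data) % 2:
        data += b"\x00"
    return "".join("%%u%02x%02x" % (data[i + 1], data[i]) for i in range(0, len(data), 2))


def nop_sled_length(data: bytes, periods=(1, 2, 4)) -> int:
    """Length of the run at offset 0 in which the buffer keeps repeating with a
    period of 1, 2 or 4 bytes (0x90 sleds, %u0c0c-style heap spray slides)."""
    best = 0
    for p in periods:
        if len(data) < 2 * p:
            continue
        n = p
        while n < len(data) and data[n] == data[n - p]:
            n += 1
        if n > p:  # only count it when the pattern actually repeated
            best = max(best, n)
    return best


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_xor_urls(data: bytes, marker: bytes = b"http://") -> List[Tuple[int, str]]:
    """Try every single-byte XOR key and report (key, url) wherever the decoded
    buffer contains a printable ASCII run that starts with the marker."""
    hits = []
    for key in range(256):
        decoded = xor_bytes(data, key)
        idx = decoded.find(marker)
        while idx != -1:
            end = idx
            while end < len(decoded) and 0x21 <= decoded[end] <= 0x7E:
                end += 1
            hits.append((key, decoded[idx:end].decode("ascii")))
            idx = decoded.find(marker, end)
    return hits


def shellcode_path(data: bytes, outdir: str = "./files") -> str:
    """Dump name in the convention of the output above: shellcode_<sha1 of bytes>."""
    return f"{outdir}/shellcode_{hashlib.sha1(data).hexdigest()}"


def save_shellcode(data: bytes, outdir: str = "./files") -> str:
    os.makedirs(outdir, exist_ok=True)
    path = shellcode_path(data, outdir)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def analyze_js_string(js_string: str, outdir: str = "./files") -> List[str]:
    """Report lines in the style of the runs above for one decoded string variable."""
    data = decode_unescape(js_string)
    lines = []
    sled = nop_sled_length(data)
    if sled >= SLED_THRESHOLD:
        lines.append(f"[suspicious] likely NOP sled shellcode variable of length {sled}")
    for key, url in find_xor_urls(data):
        lines.append(f"[info] XOR key [shellcode]: {key}")
        lines.append(f"[info] shellcode url [xor] {url}")
    if lines:
        lines.append(f"[malicious] identified shellcode of length {len(data)} ({shellcode_path(data, outdir)})")
    return lines


# Constructed sample (not real shellcode): a 200-byte 0x90 sled, some padding,
# then a placeholder URL XOR-encoded with key 33, the key the run above reported.
XOR_KEY = 33
SAMPLE_URL = b"http://example.invalid/payload.exe"
SAMPLE_SHELLCODE = (b"\x90" * 200 + b"\x00" * 8
                    + xor_bytes(SAMPLE_URL + b"\x00", XOR_KEY) + b"\x00" * 5)
# In practice this literal would be pulled out of the script's unescape("...") call.
SAMPLE_JS = to_unescape(SAMPLE_SHELLCODE)

if __name__ == "__main__":
    for line in analyze_js_string(SAMPLE_JS):
        print(line)
    print("wrote", save_shellcode(decode_unescape(SAMPLE_JS)))
```

Running it prints the sled length (200), the key (33) and the recovered URL, then writes the decoded bytes under ./files/. The XOR scan is deliberately dumb (256 keys, one marker) because that is all a single-byte key needs; multi-byte keys would call for a sliding-window search instead.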

More from the RELEASE notes:

Updates 2009-09-02 version 0.1e

First and foremost, thanks to Victor! (for creating the Yara detection library)
Yara is now a required dependency and the supported format for the 'rules' file

1) improved URL tracking using 'urlattr' class and urls dictionary
1a) new command line option -g, to create a URL graph (only when pcap contains 10 or fewer URL requests)
2) bug fixes for stream reassembly and pdf parsing
2a) stream reassembly now handles all streams when processing a pcap file, regardless of whether the nids state is in end_states
4) detection of NOP sled shellcode and performance improvements in shellcode processing (this was one of the performance bottlenecks)
5) new output format with ./files/ directory or -d OUTDIR command line option
6) CVE references are available in the 'rules' file but are temporarily unavailable in alerts
