Saturday, August 1, 2009

Jsunpack-n Update v0.1d: Great New Features, Detection, and Other Improvements

The coolest feature in my opinion is demonstrated below using the sample-pdf.pcap file included in the archive:
$ ./jsunpack-n.py sample-pdf.pcap
[suspicious:2] trughtsa.com/
[impact=2] CVE-NO-MATCH (id 9) detected eval
[suspicious] [0]
[info] [iframe /] trughtsa.com/img/pfqa.php

[malicious:10] trughtsa.com/img/pfqa.php
[impact=2] CVE-NO-MATCH (id 9) detected eval
[suspicious] [0]
[suspicious] [0] decoded 25275 bytes
[impact=2] CVE-NO-MATCH (id 9) detected eval
[suspicious] [1]
[suspicious] [1] decoded 12269 bytes
[impact=10] CVE-2008-2992 (id 1) detected util.printf
[impact=10] CVE-2009-1493 (id 2) detected spell.customdictionaryopen
[impact=10] CVE-2009-1492 (id 3) detected getannots
[impact=10] CVE-2007-5659 (id 4) detected collab.collectemailinfo
[impact=10] CVE-2009-0927 (id 5) detected collab.geticon
[impact=3] CVE-NO-MATCH (id 8) detected string.fromcharcode
[impact=2] CVE-NO-MATCH (id 9) detected eval
[malicious] identified shellcode of length 1533
[info] XOR key [shellcode]: 33
[info] exploit_watch append [shellcode] trughtsa.com/img/uet.php
[malicious] [2]
[malicious] [2] decoded 4626 bytes

[malicious:10] trughtsa.com/img/uet.php
[incident] [0] Exploit successful [origin trughtsa.com/img/pfqa.php]
[incident] [0] Exploit successful [victim 192.168.203.60]
[incident] [0] Exploit successful [type MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit]


Notice that each URL is flagged as suspicious/malicious (or [benign] in case you use -v or -V). Check out the "rules" file, which uses a Snort-like syntax to express what exactly you want to detect. For now, it is very simple and only allows pcre-style detection rules, each of which must match for it to classify the URL according to the impact level (-1 is experimental, 0 is benign, 0-5 is suspicious, 6-10 is malicious). If you create some great new rules, post them as a reply to this thread or send them to me and I'll add them to the "rules" file that I distribute with jsunpack-n.

Another cool thing about this version is that you no longer need the pynids/libnids libraries for it to work with non-PCAP files. A lot of people wanting to use jsunpack-n been having issues installing this library so that is the reason I've made it optional. Here is an example of processing a PDF file on the local system (sample-pdf.file is an example file included in the jsunpack-n package for testing that your local installation functions properly).

$ ./jsunpack-n.py -V sample-pdf.file
Processing sample-pdf.file
[malicious:10] sample-pdf.file
[info] [0] found JavaScript
[info] [0] decoded 14602 bytes
[info] [1] found JavaScript
[malicious] analysis exceeded 30 seconds (125644 bytes, incomplete)
[info] [1] decoded 125644 bytes
[impact=10] CVE-2009-0927 (id 5) detected collab.geticon
[malicious] identified shellcode of length 35223
[info] XOR key [shellcode]: 33
[info] exploit_watch append [shellcode] b35.info/w/who.exe
[malicious] [2]
[malicious] [2] no JavaScript


One thing you will notice about this case is that collab.geticon is not visible from the immediate decoding (but is visible via a print "//jsunpack.called collab.getIcon". It also demonstrates the timeout on JavaScript evaluation (the -t command line option). The new command line arguments that are available can be listed via the following:

$ ./jsunpack-n.py -h
Usage:
./jsunpack-n.py [fileName]
./jsunpack-n.py [interfaceName]
jsunpack-network version 0.1d (alpha)

Options:
-h, --help show this help message and exit
-t TIMEOUT, --timeout=TIMEOUT
limit on number of seconds to evaluate JavaScript
(default 30 seconds)
-v, --verbose verbose mode displays status for all files, even if
they are benign
-V, --very-verbose shows all decoding errors (noisy)
-D, --debug (experimental) debugging option to profile memory
usage


Additionally, you can inspect the CHANGELOG file for all new features:
Updates 2009-08-01 version 0.1d
1) determination of whether the code is malicious or benign (see detection.py)
2) better tracking with exploit_watch and ability incident alert for infected IP address
3) pynids 'import nids' library is now optional due to user feedback
4) additional command line arguments -h (help), -t (timeout), -v (verbose), and -V (very verbose)
5) bug fixes and performance improvements
6) added debug option -D, which profiles memory usage (get Heapy from http://guppy-pe.sourceforge.net/#Heapy)