Saturday, August 1, 2009

Jsunpack-n Update v0.1d: Great New Features, Detection, and Other Improvements

The coolest feature in my opinion is demonstrated below using the sample-pdf.pcap file included in the archive:
$ ./ sample-pdf.pcap
[impact=2] CVE-NO-MATCH (id 9) detected eval
[suspicious] [0]
[info] [iframe /]

[impact=2] CVE-NO-MATCH (id 9) detected eval
[suspicious] [0]
[suspicious] [0] decoded 25275 bytes
[impact=2] CVE-NO-MATCH (id 9) detected eval
[suspicious] [1]
[suspicious] [1] decoded 12269 bytes
[impact=10] CVE-2008-2992 (id 1) detected util.printf
[impact=10] CVE-2009-1493 (id 2) detected spell.customdictionaryopen
[impact=10] CVE-2009-1492 (id 3) detected getannots
[impact=10] CVE-2007-5659 (id 4) detected collab.collectemailinfo
[impact=10] CVE-2009-0927 (id 5) detected collab.geticon
[impact=3] CVE-NO-MATCH (id 8) detected string.fromcharcode
[impact=2] CVE-NO-MATCH (id 9) detected eval
[malicious] identified shellcode of length 1533
[info] XOR key [shellcode]: 33
[info] exploit_watch append [shellcode]
[malicious] [2]
[malicious] [2] decoded 4626 bytes

[incident] [0] Exploit successful [origin]
[incident] [0] Exploit successful [victim]
[incident] [0] Exploit successful [type MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit]

Notice that each URL is flagged as suspicious/malicious (or [benign] if you use -v or -V). Check out the "rules" file, which uses a Snort-like syntax to express exactly what you want to detect. For now it is very simple and only allows pcre-style detection rules, each of which must match in order to classify the URL according to its impact level (-1 is experimental, 0 is benign, 0-5 is suspicious, 6-10 is malicious). If you create some great new rules, post them as a reply to this thread or send them to me and I'll add them to the "rules" file that I distribute with jsunpack-n.
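To make the rule-matching and impact-level classification concrete, here is an added Python example (written for this post, not code from jsunpack-n). It assumes a simplified Snort-like option list per rule; the real "rules" file syntax may differ, and the samples scanned are constructed.

```python
import re
from typing import List, NamedTuple, Tuple

class Rule(NamedTuple):
    impact: int
    cve: str
    rule_id: int
    regex: re.Pattern

# Constructed rule set built from the detections shown in the post's output.
# The option-list syntax is an ASSUMED simplification of a Snort-like rule,
# not the real jsunpack-n "rules" file format.
RULES_TEXT = r'''
alert (impact:10; cve:CVE-2008-2992; id:1; pcre:"/util\.printf/i";)
alert (impact:10; cve:CVE-2009-1493; id:2; pcre:"/spell\.customdictionaryopen/i";)
alert (impact:10; cve:CVE-2009-1492; id:3; pcre:"/getannots/i";)
alert (impact:10; cve:CVE-2007-5659; id:4; pcre:"/collab\.collectemailinfo/i";)
alert (impact:10; cve:CVE-2009-0927; id:5; pcre:"/collab\.geticon/i";)
alert (impact:3; cve:CVE-NO-MATCH; id:8; pcre:"/string\.fromcharcode/i";)
alert (impact:2; cve:CVE-NO-MATCH; id:9; pcre:"/\beval\b/i";)
'''
RULE_RE = re.compile(r'impact:(-?\d+);\s*cve:([^;]+);\s*id:(\d+);\s*pcre:"/(.*)/([a-z]*)";')

def parse_rules(text: str) -> List[Rule]:
    """One rule per line; lines that do not match the assumed format are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m:
            impact, cve, rid, pattern, flags = m.groups()
            compiled = re.compile(pattern, re.IGNORECASE if "i" in flags else 0)
            rules.append(Rule(int(impact), cve, int(rid), compiled))
    return rules

def classify(decoded_js: str, rules: List[Rule]) -> Tuple[str, int, List[str]]:
    """Score = highest impact among matching rules; experimental (-1) rules are
    reported but excluded from scoring (an assumption made here)."""
    report, score = [], 0
    for r in rules:
        m = r.regex.search(decoded_js)
        if m:
            report.append(f"[impact={r.impact}] {r.cve} (id {r.rule_id}) detected {m.group(0).lower()}")
            if r.impact >= 0:
                score = max(score, r.impact)
    verdict = "benign" if score == 0 else "suspicious" if score <= 5 else "malicious"
    return verdict, score, report

# Constructed decoded-JavaScript samples, not content from the post.
SAMPLE_MALICIOUS = 'var s = String.fromCharCode(0x90); eval(s); Collab.getIcon(s);'
SAMPLE_SUSPICIOUS = 'eval("1+1");'
SAMPLE_BENIGN = 'document.write("hello");'
```

Running classify(SAMPLE_MALICIOUS, parse_rules(RULES_TEXT)) yields verdict "malicious" with score 10 and report lines in the same "[impact=N] CVE (id N) detected ..." shape as the tool output above.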

Another cool thing about this version is that you no longer need the pynids/libnids libraries for it to work with non-PCAP files. A lot of people wanting to use jsunpack-n have been having issues installing this library, so that is the reason I've made it optional. Here is an example of processing a PDF file on the local system (sample-pdf.file is an example file included in the jsunpack-n package for testing that your local installation functions properly).

$ ./ -V sample-pdf.file
Processing sample-pdf.file
[malicious:10] sample-pdf.file
[info] [0] found JavaScript
[info] [0] decoded 14602 bytes
[info] [1] found JavaScript
[malicious] analysis exceeded 30 seconds (125644 bytes, incomplete)
[info] [1] decoded 125644 bytes
[impact=10] CVE-2009-0927 (id 5) detected collab.geticon
[malicious] identified shellcode of length 35223
[info] XOR key [shellcode]: 33
[info] exploit_watch append [shellcode]
[malicious] [2]
[malicious] [2] no JavaScript

One thing you will notice about this case is that collab.geticon is not visible from the immediate decoding (but is visible via a print "//jsunpack.called collab.getIcon"). It also demonstrates the timeout on JavaScript evaluation (the -t command line option). The new command line arguments that are available can be listed via the following:

$ ./ -h
./ [fileName]
./ [interfaceName]
jsunpack-network version 0.1d (alpha)

-h, --help show this help message and exit
-t TIMEOUT, --timeout=TIMEOUT
limit on number of seconds to evaluate JavaScript
(default 30 seconds)
-v, --verbose verbose mode displays status for all files, even if
they are benign
-V, --very-verbose shows all decoding errors (noisy)
-D, --debug (experimental) debugging option to profile memory

Additionally, you can inspect the CHANGELOG file for all new features:
Updates 2009-08-01 version 0.1d
1) determination of whether the code is malicious or benign (see
2) better tracking with exploit_watch and the ability to raise an incident alert for an infected IP address
3) pynids 'import nids' library is now optional due to user feedback
4) additional command line arguments -h (help), -t (timeout), -v (verbose), and -V (very verbose)
5) bug fixes and performance improvements
6) added debug option -D, which profiles memory usage (get Heapy from