Thursday, August 12, 2010

Jsunpack through a proxy

I have a special guest blog from today. He submitted some proxy suggestions for jsunpack-n, which I've added to svn. Here is a description of the features. Thanks for the great new feature ideas, keep them coming! also check out his site at if you haven't already.

In todays threatscape the ability to forward requests through proxy servers can come in handy in certain situations. Generally speaking a majority of drive-by exploit kits in the wild have logic built in that does not allow for duplicate requests originating from the same IP address. Since I primarily use jsunpack-n to investigate potentially malicious domains and am one of the many jsunpack-n users out there I thought it would be useful if jsunpack supported proxies. At first diving into the 1300+ lines of python was intimidating but after a few hours I had a working prototype that I sent to Blake who later modified (improved) and added to the svn repository.

Once you have checked out a new copy ( you will notice two additional options:

-p PROXY, --proxy=PROXY
- use a random proxy from this list (comma separated)
- define a single proxy

The first option -p allows you to specify a comma delimited list of proxies of which jsunpack will randomly pick one.

./ -u "" -p,,

URL fetch
[fetch config] random proxy
[fetch config] currentproxy

The second option -P allows you to define a single proxy.

./ -u "" -P
URL fetch
[fetch config] currentproxy

For your convenience a perl script called can be found in the tools directory. This script interfaces with a popular website named to retrieve an updated list of active proxies. The IP’s are printed out in a comma delimited format accepted by the new -p option.



I enjoyed working on this project with Blake and would like to take this opportunity to encourage others to contribute their ideas. Jsunpack has come a long way since it was first introduced and continues to remain one of my favorite tools.


  1. How do I donate to you? I've found this site extremely helpful in finding hidden code on some of my sites. Thank you!

    Another thing. People trying to inject malicious code is seeming more and more common. Is this something that you've noticed as of late also? I have some sites hosted on mediatemple. Are they especially vulnerable? How about dreamhost?

  2. I am not currently accepting donations, but if you find any interesting or difficult scripts to decode you can send them to me or contribute to the project in other ways.

    I don't know if certain hosts are generally more vulnerable than others. The best question to ask is how quickly they apply patches to fix wordpress, php bulletin boards, and other web-based software. If they are good at patching those, then they should be less vulnerable.

    However, this isn't the full story since attackers also often steal user's FTP credentials and put malware on sites in that manner. In this case, it would be the user's fault not the hosting provider. Similarly, custom web-based software can often be the user or programmer's fault, and not the hosting provider.

  3. This comment has been removed by a blog administrator.