Friday, January 8, 2010

Jsunpack-n update 0.3.1c: Decoding and Functionality Updates

I just released a new version of jsunpack-n, this version has some great new features! First off, it handles new decoding techniques like PDF annots. What are Annots you ask? Well, its just like getElementByID but for PDF files. This allows exploit authors to store arbitrary content within a PDF file then access that content directly from javascript using the getAnnots() function. Similarly, attackers have been using the "" variable also! This version of jsunpack-n supports both of these new obfuscation techniques.

I also added many improvements to PDF decoding and added a few new detection rules for new exploits. You will find that I've also added many new sample-* files for jsunpack-n users to test with and see what jsunpack-n is capable of.

IDEA: I've been considering creating an svn repository to store high volumes of pcaps and malicious samples ... if there is interest contact me or let me know if you would find it valuable.

Updates 2010-01-08 version 0.3.1c
1) pdf improvements
1a) handling and decoding of pdf annots (see sample-pdf-annots.file)
1b) octal-based object decoding support
1c) handling of obfuscation for (see sample-infoTitle.pcap)
2) graphing in verbose mode now displays all nodes rather than just malicious ones, increased node limit to 60
3) bug fix for gzip python library to better handle IOError case for 'Not a gzipped file'