Thursday, August 12, 2010

Jsunpack through a proxy

I have a special guest blog from today. He submitted some proxy suggestions for jsunpack-n, which I've added to svn. Here is a description of the features. Thanks for the great new feature ideas, keep them coming! Also check out his site at if you haven't already.

In today's threatscape, the ability to forward requests through proxy servers can come in handy in certain situations. Generally speaking, a majority of drive-by exploit kits in the wild have logic built in that does not allow for duplicate requests originating from the same IP address. Since I primarily use jsunpack-n to investigate potentially malicious domains and am one of the many jsunpack-n users out there, I thought it would be useful if jsunpack supported proxies. At first, diving into the 1300+ lines of Python was intimidating, but after a few hours I had a working prototype that I sent to Blake, who later modified (improved) it and added it to the svn repository.

Once you have checked out a new copy ( you will notice two additional options:

-p PROXY, --proxy=PROXY
- use a random proxy from this list (comma separated)
- define a single proxy

The first option, -p, allows you to specify a comma-delimited list of proxies, from which jsunpack will randomly pick one.

./ -u "" -p,,

URL fetch
[fetch config] random proxy
[fetch config] currentproxy

The second option, -P, allows you to define a single proxy.

./ -u "" -P
URL fetch
[fetch config] currentproxy

For your convenience, a Perl script called can be found in the tools directory. This script interfaces with a popular website named to retrieve an updated list of active proxies. The IPs are printed out in a comma-delimited format accepted by the new -p option.
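The selection behaviour described above (a random pick from a comma-delimited list for -p, a fixed proxy for -P) can be sketched as follows. This is an added example in Python 3, not jsunpack-n's own code; the function names, the `host:port` entry format, the rule that a single proxy takes precedence over the list, and the sample addresses are all assumptions made for illustration.

```python
import random
import re
import urllib.request

# Assumed entry format: host:port, where host is a hostname or IPv4 address.
_PROXY_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5})$")


def parse_proxy_list(value):
    """Split a comma-delimited proxy string and keep only valid host:port entries."""
    proxies = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue  # tolerate trailing or doubled commas
        m = _PROXY_RE.match(entry)
        if not m or not 0 < int(m.group("port")) <= 65535:
            raise ValueError("bad proxy entry: %r" % entry)
        proxies.append(entry)
    return proxies


def choose_proxy(proxy_list=None, single_proxy=None, rng=random):
    """Return a fixed proxy (-P style), a random pick from a list (-p style), or None."""
    if single_proxy:  # assumption: the single proxy wins when both are given
        entries = parse_proxy_list(single_proxy)
        if len(entries) != 1:
            raise ValueError("expected exactly one proxy")
        return entries[0]
    candidates = parse_proxy_list(proxy_list) if proxy_list else []
    return rng.choice(candidates) if candidates else None


def build_opener(proxy):
    """Return a urllib opener that routes HTTP and HTTPS through the chosen proxy."""
    if proxy is None:
        # An empty mapping ignores environment proxy settings, so "direct" is explicit.
        return urllib.request.build_opener(urllib.request.ProxyHandler({}))
    handler = urllib.request.ProxyHandler({"http": "http://" + proxy, "https": "http://" + proxy})
    return urllib.request.build_opener(handler)


if __name__ == "__main__":
    # Constructed sample values taken from the documentation address ranges.
    sample = "192.0.2.10:8080, 198.51.100.7:3128,203.0.113.5:80"
    picked = choose_proxy(proxy_list=sample)
    print("[fetch config] currentproxy", picked)
    opener = build_opener(picked)  # opener.open(url) would fetch through the proxy
```

Rejecting malformed entries before the fetch matters when the list comes from a scraped source: a silently dropped or misparsed proxy would send the request from the analyst's own address.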



I enjoyed working on this project with Blake and would like to take this opportunity to encourage others to contribute their ideas. Jsunpack has come a long way since it was first introduced and continues to remain one of my favorite tools.