Thursday, August 12, 2010

Jsunpack through a proxy

I have a special guest blog from http://twitter.com/malc0de today. He submitted some proxy suggestions for jsunpack-n, which I've added to svn. Here is a description of the features. Thanks for the great new feature ideas, keep them coming! Also check out his site at http://malc0de.com/ if you haven't already.



In today's threatscape the ability to forward requests through proxy servers can come in handy in certain situations. Generally speaking, a majority of drive-by exploit kits in the wild have logic built in that does not allow duplicate requests originating from the same IP address. Since I primarily use jsunpack-n to investigate potentially malicious domains and am one of the many jsunpack-n users out there, I thought it would be useful if jsunpack supported proxies. At first, diving into the 1300+ lines of Python was intimidating, but after a few hours I had a working prototype, which I sent to Blake, who later modified (improved) it and added it to the svn repository.

Once you have checked out a new copy (https://code.google.com/p/jsunpack-n/source/checkout) you will notice two additional options:

-p PROXY, --proxy=PROXY
- use a random proxy from this list (comma separated)
-P CURRENTPROXY, --currentproxy=CURRENTPROXY
- define a single proxy

The first option, -p, allows you to specify a comma-delimited list of proxies, from which jsunpack will randomly pick one for the fetch.

Example
./jsunpackn.py -u "www.google.com" -p 189.3.47.146:3128,187.49.68.11:8080,187.45.175.66:3128

URL fetch www.google.com
[fetch config] random proxy 187.45.175.66:3128
[fetch config] currentproxy 187.45.175.66:3128

The second option, -P, allows you to define a single proxy.

Example
./jsunpackn.py -u "www.google.com" -P 187.45.175.66:3128
URL fetch www.google.com
[fetch config] currentproxy 187.45.175.66:3128
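As an added illustration of how the two options resolve into one proxy per fetch (this is my own stand-in, not jsunpack-n's code), the Python below validates each host:port entry, picks one at random for -p, and reproduces the "[fetch config]" lines shown above. The function names and the rule that -P overrides -p when both are given are assumptions.

```python
import random
import re
import urllib.request
from typing import List, Optional, Tuple

# Constructed stand-in for the -p/-P handling the post describes; the names
# and the host:port validation are assumptions, not jsunpack-n's own API.
_HOSTPORT = re.compile(r'^([A-Za-z0-9.-]+):(\d{1,5})$')

def is_valid_proxy(entry: str) -> bool:
    """True for host:port with a port in 1..65535 (no scheme, no spaces)."""
    m = _HOSTPORT.match(entry)
    return bool(m) and 1 <= int(m.group(2)) <= 65535

def parse_proxy_list(spec: str) -> List[str]:
    """Split the comma-delimited -p value into validated entries; a bad
    entry raises rather than silently letting the fetch go out direct."""
    proxies = []
    for raw in spec.split(','):
        entry = raw.strip()
        if not entry:  # tolerate a trailing or doubled comma
            continue
        if not is_valid_proxy(entry):
            raise ValueError('bad proxy entry: %r' % entry)
        proxies.append(entry)
    if not proxies:
        raise ValueError('proxy list is empty')
    return proxies

def choose_proxy(proxy_list: Optional[str], current_proxy: Optional[str],
                 rng=random) -> Tuple[Optional[str], List[str]]:
    """Resolve -p/-P into the one proxy a fetch will use, plus the
    '[fetch config]' lines shown in the post. Assumes -P wins over -p."""
    log = []
    if current_proxy:
        if not is_valid_proxy(current_proxy):
            raise ValueError('bad proxy entry: %r' % current_proxy)
        chosen = current_proxy
    elif proxy_list:
        chosen = rng.choice(parse_proxy_list(proxy_list))
        log.append('[fetch config] random proxy %s' % chosen)
    else:
        return None, log  # no proxy given: fetch direct
    log.append('[fetch config] currentproxy %s' % chosen)
    return chosen, log

def proxy_handler_for(proxy: str) -> urllib.request.ProxyHandler:
    """Handler that routes http and https fetches through the chosen proxy."""
    url = 'http://' + proxy
    return urllib.request.ProxyHandler({'http': url, 'https': url})
```

Install the handler with urllib.request.build_opener(proxy_handler_for(chosen)) before fetching; a malformed entry fails at option parsing rather than at the first request.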

For your convenience, a Perl script called getCurrentProxies.pl can be found in the tools directory. This script interfaces with a popular website named malwaregroup.com to retrieve an updated list of active proxies. The IPs are printed out in the comma-delimited format accepted by the new -p option.

Example

./tools/getCurrentProxies.pl
193.255.184.210:3128,193.110.187.209:3128,193.105.240.32:8080,190.200.151.23:8080,189.84.116.88:3128,189.3.177.146:8080,189.3.150.32:3128,189.3.47.146:3128,187.49.68.11:8080,187.45.175.66:3128,187.23.145.82:3128,187.0.80.180:3128,180.149.49.114:8080

I enjoyed working on this project with Blake and would like to take this opportunity to encourage others to contribute their ideas. Jsunpack has come a long way since it was first introduced and continues to remain one of my favorite tools.

3 comments:

  1. How do I donate to you? I've found this site extremely helpful in finding hidden code on some of my sites. Thank you!

    Another thing. People trying to inject malicious code seem to be more and more common. Is this something that you've noticed as of late also? I have some sites hosted on mediatemple. Are they especially vulnerable? How about dreamhost?

  2. I am not currently accepting donations, but if you find any interesting or difficult scripts to decode you can send them to me or contribute to the project in other ways.

    I don't know if certain hosts are generally more vulnerable than others. The best question to ask is how quickly they apply patches to fix WordPress, PHP bulletin boards, and other web-based software. If they are good at patching those, then they should be less vulnerable.

    However, this isn't the full story, since attackers also often steal users' FTP credentials and put malware on sites in that manner. In this case, it would be the user's fault, not the hosting provider's. Similarly, custom web-based software can often be the user's or programmer's fault, and not the hosting provider's.
