jsunpack blog (author profile: http://www.blogger.com/profile/16380424012076240146)

Guess who is back online: jsunpack3000
Published 2016-04-21
After a long hiatus jsunpack.jeek.org is back online. I tried hosting from my apartment for as long as possible, but it wasn't working out because my uplink became saturated and I had to put rate restrictions on the server. I was also being regularly kicked offline, either because I was performing DNS lookups for known malware domains or because internet watchdogs would report URIs cached in jsunpack as abuse to the ISP. This is the same code that has been running for a long time, and I want to work on a new version that has great new features. I will begin reaching out to some people for help this time to build Jsunpack3000.<br />
<br />
I would like to thank everyone who supports my efforts, especially Steven Burn. Thank you!

jsunpack online
Published 2014-08-01
jsunpack is now online in a temporary capacity. The disk performance is worse than at the previous places jsunpack has been hosted, so please let me know if it's bearable. Picture of the hosting environment below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSyR0hfEWvRRQjoXjvodHo0OenNxgDPvkd9x_XwCSIDyqQLevI4-19rts9oZlT7DPojksiSHJ-UBAqPKOY3PxvGcm6Yn6WQPtmS3UV0eH0rZN5zBTIiK-wxmApaoxCvebMD3zrlEsQJvs2/s1600/1406897075349.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSyR0hfEWvRRQjoXjvodHo0OenNxgDPvkd9x_XwCSIDyqQLevI4-19rts9oZlT7DPojksiSHJ-UBAqPKOY3PxvGcm6Yn6WQPtmS3UV0eH0rZN5zBTIiK-wxmApaoxCvebMD3zrlEsQJvs2/s1600/1406897075349.jpg" height="320" width="180" /></a></div>
<br />

Jsunpack offline (for now)
Published 2014-03-20
jsunpack.jeek.org is offline today for expected downtime.<br />I hope to bring the server online soon, but I unfortunately don't know how soon.<div>
<br /><div>
More details if you email me at urule99 {on the} gmail </div>
</div>
<div>
<br /></div>
<div>
Blake</div>

Jsunpack server migration in progress
Published 2013-06-03
Hey everybody, I'm upgrading the jsunpack server again. I'm hoping there will be no downtime during this period. Thanks.<br />
<br />
[Edit] All done! I love it when everything goes smoothly.

Update to Jsunpack PDF parsing
Published 2013-04-22<br />
Hey guys, I just added a patch from David Dorsey of <a href="http://visiblerisk.com/blog/">Visiblerisk, Inc.</a> (Thanks David, you are a boss!).<br />
<br />
Below is a sample PDF you can test with just to see how awesome it is:<br />
<a href="http://jsunpack.jeek.org/?report=2afae1f7a9b2552f2e38713e47c3371cc8a2d23c">http://jsunpack.jeek.org/?report=2afae1f7a9b2552f2e38713e47c3371cc8a2d23c</a><br />
<br />
David described a lot of the improvements and the analysis he performed in the following blog posts, entitled "Analyzing Malicious PDFs or: How I Learned to Stop Worrying and Love Adobe Reader":<br />
Part 1: <a href="http://visiblerisk.com/blog/2013/4/8/analyzing-malicious-pdfs-or-how-i-learned-to-stop-worrying-a.html">http://visiblerisk.com/blog/2013/4/8/analyzing-malicious-pdfs-or-how-i-learned-to-stop-worrying-a.html</a><br />
Part 2: <a href="http://visiblerisk.com/blog/2013/4/15/analyzing-malicious-pdfs-or-how-i-learned-to-stop-worrying-a.html">http://visiblerisk.com/blog/2013/4/15/analyzing-malicious-pdfs-or-how-i-learned-to-stop-worrying-a.html</a><br />
<br />
In brief, this update improves pdf.py's XFA parsing and its handling of PDF encryption tags, and in general it will help you decode some malicious PDFs that jsunpackn.py had trouble with before.<br />
<br />
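As an added illustration (my own example code, written for this page; it is not part of this post, of pdf.py, or of jsunpack-n), here is a small Python 3 triage script for the things this update and two of the posts further down are about: it locates the /Encrypt dictionary referenced from the trailer and reports its /Filter, /V, /R and /Length values (the "I need your encrypted PDF files" post), pulls out /JS entries whether they are inline strings or FlateDecode streams, collects annotation /Contents strings that getAnnots()-style obfuscation reads back (the 0.3.1c post), and flags an /XFA entry. The PDF it scans is constructed inline so the script runs offline; its /Encrypt dictionary is present but its streams are not actually RC4/AES encrypted, so the Flate stream still inflates. On a genuinely encrypted file the inflate step fails, which is exactly the broken-characters symptom the encrypted-PDF post describes, and the script lists the object as undecodable rather than guessing. It walks "N G obj ... endobj" pairs with regular expressions instead of the xref table, which is the same shortcut a quick triage script takes and is not robust against deliberately malformed files.

```python
import re
import zlib

# --- constructed sample ------------------------------------------------------
# A hand-built stand-in, not a real malicious PDF and not one of the project's
# sample files: a FlateDecode-compressed JavaScript stream, an annotation whose
# /Contents hides a payload, and an /Encrypt entry in the trailer. The streams
# are NOT really encrypted, so the Flate stream still inflates.
def build_sample_pdf():
    js = b'app.alert(this.getAnnots()[0].contents);'
    packed = zlib.compress(js)
    objs = [
        b'1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n',
        b'2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n',
        b'3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [5 0 R] >>\nendobj\n',
        b'4 0 obj\n<< /S /JavaScript /JS 6 0 R >>\nendobj\n',
        b'5 0 obj\n<< /Type /Annot /Subtype /Text /Contents (payload-goes-here) >>\nendobj\n',
        b'6 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n' % len(packed)
        + packed + b'\nendstream\nendobj\n',
        b'7 0 obj\n<< /Filter /Standard /V 1 /R 2 /Length 40 /P -1 /O <00> /U <00> >>\nendobj\n',
    ]
    return b'%PDF-1.4\n' + b''.join(objs) + b'trailer\n<< /Root 1 0 R /Encrypt 7 0 R >>\n%%EOF\n'


# --- scanner -----------------------------------------------------------------
OBJ_RE = re.compile(rb'(\d+)\s+\d+\s+obj\b(.*?)\bendobj', re.S)
STREAM_RE = re.compile(rb'\bstream\r?\n(.*?)\r?\nendstream', re.S)
TRAILER_RE = re.compile(rb'\btrailer\s*<<(.*?)>>', re.S)
ENCRYPT_REF_RE = re.compile(rb'/Encrypt\s+(\d+)\s+\d+\s+R')
JS_REF_RE = re.compile(rb'/JS\s+(\d+)\s+\d+\s+R')
JS_STR_RE = re.compile(rb'/JS\s*\(((?:[^()\\]|\\.)*)\)', re.S)      # no nested parens
ANNOT_RE = re.compile(rb'/Type\s*/Annot\b')
CONTENTS_RE = re.compile(rb'/Contents\s*\(((?:[^()\\]|\\.)*)\)', re.S)


def _dict_value(body, key):
    """Pull a bare number or name value for /key out of a dictionary body."""
    m = re.search(rb'/' + key + rb'\s+(-?\d+|/\w+)', body)
    return m.group(1).decode('latin-1') if m else None


def _stream_payload(body):
    """Stream bytes, inflated if FlateDecode; None if there is no stream or it will not inflate."""
    m = STREAM_RE.search(body)
    if not m:
        return None
    raw = m.group(1)
    if re.search(rb'/Filter\s*/FlateDecode', body):
        try:
            return zlib.decompress(raw)
        except zlib.error:
            return None          # encrypted or corrupt: the failure mode the posts describe
    return raw


def triage_pdf(data):
    """Summarise the encryption dictionary, JavaScript, annotation payloads and XFA presence."""
    objects = {int(num): body for num, body in OBJ_RE.findall(data)}
    report = {'encrypt': None, 'javascript': [], 'annots': [], 'xfa': False,
              'undecodable_streams': []}
    trailer = TRAILER_RE.search(data)
    ref = ENCRYPT_REF_RE.search(trailer.group(1)) if trailer else None
    if ref:
        enc = objects.get(int(ref.group(1)), b'')
        report['encrypt'] = {k: _dict_value(enc, k.encode()) for k in ('Filter', 'V', 'R', 'Length')}
    for num in sorted(objects):
        body = objects[num]
        if b'/XFA' in body:
            report['xfa'] = True
        if ANNOT_RE.search(body):
            c = CONTENTS_RE.search(body)
            if c:
                report['annots'].append((num, c.group(1)))
        if STREAM_RE.search(body) and _stream_payload(body) is None:
            report['undecodable_streams'].append(num)
        for m in JS_STR_RE.finditer(body):
            report['javascript'].append(m.group(1))
        for m in JS_REF_RE.finditer(body):
            js = _stream_payload(objects.get(int(m.group(1)), b''))
            if js is not None:
                report['javascript'].append(js)
    return report


if __name__ == '__main__':
    for key, value in triage_pdf(build_sample_pdf()).items():
        print('%-20s %r' % (key, value))
```

The report's `undecodable_streams` entry is the useful signal when `encrypt` is set: a file whose /Encrypt dictionary is present and whose streams all fail to inflate has to be decrypted (key derived from /O, /U, /P and the file /ID for the standard security handler) before any JavaScript decoding can go past the first stage.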
Thanks to David, and if you see any bugs related to this update please report them at <a href="https://code.google.com/p/jsunpack-n/issues/list">https://code.google.com/p/jsunpack-n/issues/list</a> and I'll fix them.<br />
<br />
Blake<br />

New jsunpack server!
Published 2011-10-03
I brought a new server online for jsunpack.jeek.org over the weekend and everything should be operating normally now. I expect this server to last about 6 months based on the volume of past submissions. I hope you enjoy it!<br />
<br />
Blake

The jsunpack website is accepting submissions again
Published 2011-06-15
I removed the ability for people to submit URLs and files to http://jsunpack.jeek.org/, partially due to abusive submissions in late May. I brought the submissions interface back online today with some changes to help prevent further abuse. Please let me know if you encounter any sort of problems.

Temporary downtime for jsunpack website
Published 2011-04-01
The website for this project, <a href="http://jsunpack.jeek.org/">jsunpack.jeek.org</a>, has been down for the past 2 days because I was moving it to new hardware. The old hardware was running ESXi and caused all virtual machines to lock up repeatedly. While I was moving it the site was completely offline, but I'm happy to say it's back now!<br />
<br />
Keep in mind, if you had been running jsunpack-n locally then you wouldn't have experienced any problems (that software is freely available, and it is what the server is running).<br />
<br />
[off topic] I've seen a few people do a great job in downtime situations, none of which I did because this whole project is running from a single virtual machine with limited resources.
For instance, when Netflix was recently down they acknowledged the problem and credited subscribers' accounts. When another site was down, they played a funny "Doh!" error message video from the Simpsons. In yet another case, DreamHost apologized and wrote a <a href="http://blog.dreamhost.com/2011/03/18/goin-down/">funny blog</a> about it (note: I do not use or endorse DreamHost, but I do read their blog). Some quotes from that post:<br />
<br />
"I’d like compensation. You’ve earned it! You pay for 365 days of service – not 364.375"<br />
<br />
"Why didn’t you call me? We would have loved to reach out to every customer individually, but with over one million domains hosted, that could – quite literally – have taken all year. We’d have loved to email you too, but well, we had this little network problem blocking emails."

Jsunpack Website Database Optimizations
Published 2010-12-22
I just published some new optimizations for the jsunpack.jeek.org database. This should dramatically improve the performance of the website.<br />
<br />
Contact me if you need anything related to this update. I removed the search functionality (and associated RSS feeds) because that was one of the most performance-intensive features on the database. While this type of function is still possible, I think I'll either have to limit the terms that may be searched for or build a separate index structure so that it is better optimized.<br />
<br />
[edit] In case you are curious, the jsunpack database has 186,459 submissions and 686,232 evaluated scripts and URLs since 2010-01-29 14:17:36. This year was pretty active for web exploits. The majority of the submissions to jsunpack were publicly released in one of the RSS feeds, with 167,356 submissions over this year.
The rest were entries that users wished to keep private, totaling 19,107 submissions.

Importing jsunpackn.py as a python library
Published 2010-12-01
In case you were wondering, it *IS* possible to import jsunpack-n from your own python programs. The benefits include:<br />
1) greater control of the options (that you'd normally specify on the command line or in the configuration file)<br />
2) control of the output in its native data structures (no more <code>$ ./jsunpackn.py file|grep -E "suspicious|malicious" >> readme.log</code>)<br />
<br />
Check out the new exampleImport.py script, now available in the <a href="https://code.google.com/p/jsunpack-n/source/browse/trunk/exampleImport.py">project's google code svn site</a>.<br />
<br />
If you review the main code for the exampleImport.py script, you will see that it defines a function that allows you to directly pass JavaScript... for example:<br />
<code>main('eval("var a=123;");')</code><br />
<br />
Then you can see these loops in the main function:<br />
<br />
<pre>
for type,hash,data in js.rooturl[url].files:
    print 'file type=%s, hash=%s, data=%d bytes' % (type,hash,len(data))
for printable,impact,msg in js.rooturl[url].msg:
    print 'output message printable=%d, impact=%d, msg=%s' % (printable,impact,msg)
</pre>
<br />
The point of this post is to show you that you can directly access these files and perform decoding using jsunpackn.py as a python library. If you need examples of how to operate on more than just JavaScript (which is all exampleImport.py shows), then look at the main function of jsunpackn.py, and you'll see how I process the various different types of input.
<br />
<br />
Cheers,

Jsunpack through a proxy
Published 2010-08-12
I have a special guest blog from <a href="http://twitter.com/malc0de">http://twitter.com/malc0de</a> today. He submitted some proxy suggestions for jsunpack-n, which I've added to svn. Here is a description of the features. Thanks for the great new feature ideas, keep them coming! Also check out his site at <a href="http://malc0de.com/">http://malc0de.com/</a> if you haven't already.<br />
<br />
<hr>
<br />
In today's threatscape the ability to forward requests through proxy servers can come in handy in certain situations. Generally speaking, a majority of drive-by exploit kits in the wild have logic built in that does not allow for duplicate requests originating from the same IP address. Since I primarily use jsunpack-n to investigate potentially malicious domains and am one of the many jsunpack-n users out there, I thought it would be useful if jsunpack supported proxies. At first diving into the 1300+ lines of python was intimidating, but after a few hours I had a working prototype that I sent to Blake, who later modified (improved) it and added it to the svn repository.<br />
<br />
Once you have checked out a new copy (<a href="https://code.google.com/p/jsunpack-n/source/checkout">https://code.google.com/p/jsunpack-n/source/checkout</a>) you will notice two additional options:<br />
<br />
<pre>
-p PROXY, --proxy=PROXY
    - use a random proxy from this list (comma separated)
-P CURRENTPROXY, --currentproxy=CURRENTPROXY
    - define a single proxy
</pre>
<br />
The first option -p allows you to specify a comma-delimited list of proxies, of which jsunpack will randomly pick one.
<br />
<br />
Example:<br />
<pre>
./jsunpackn.py -u "www.google.com" -p 189.3.47.146:3128,187.49.68.11:8080,187.45.175.66:3128

URL fetch www.google.com
[fetch config] random proxy 187.45.175.66:3128
[fetch config] currentproxy 187.45.175.66:3128
</pre>
<br />
The second option -P allows you to define a single proxy.<br />
<br />
Example:<br />
<pre>
./jsunpackn.py -u "www.google.com" -P 187.45.175.66:3128
URL fetch www.google.com
[fetch config] currentproxy 187.45.175.66:3128
</pre>
<br />
For your convenience a perl script called getCurrentProxies.pl can be found in the tools directory. This script interfaces with a popular website named malwaregroup.com to retrieve an updated list of active proxies. The IPs are printed out in a comma-delimited format accepted by the new -p option.<br />
<br />
Example:<br />
<pre>
./tools/getCurrentProxies.pl
193.255.184.210:3128,193.110.187.209:3128,193.105.240.32:8080,190.200.151.23:8080,189.84.116.88:3128,189.3.177.146:8080,189.3.150.32:3128,189.3.47.146:3128,187.49.68.11:8080,187.45.175.66:3128,187.23.145.82:3128,187.0.80.180:3128,180.149.49.114:8080
</pre>
<br />
I enjoyed working on this project with Blake and would like to take this opportunity to encourage others to contribute their ideas. Jsunpack has come a long way since it was first introduced and continues to remain one of my favorite tools.<br />
<hr>

I need your encrypted PDF files
Published 2010-07-02
I just released some major improvements to jsunpackn today in version 0.3.2c. The main new feature is the ability to parse encrypted PDF documents. One problem though: the output isn't quite perfect.
For example, see one of these encrypted PDFs where jsunpackn extracted JavaScript:<br />
<br />
<a href='http://jsunpack.jeek.org/dec/go?report=2ed7fde3fbc8d7c2857bfd69878f78e3b008518e'>http://jsunpack.jeek.org/dec/go?report=2ed7fde3fbc8d7c2857bfd69878f78e3b008518e</a><br />
<a href='http://jsunpack.jeek.org/dec/go?report=1873b5faccc1574ce065f6528e85e64464e4b09c'>http://jsunpack.jeek.org/dec/go?report=1873b5faccc1574ce065f6528e85e64464e4b09c</a><br />
<br />
Note how certain characters in the output are not quite right; as a result the JavaScript decoding doesn't go beyond the first stage. If you find any PDF files with the string "/Encrypt" in them, please let me know, I'd like to test them to see if I can improve the parsing further. In the process of supporting the /Encrypt tag, I was able to build a testbed and detect 20 new PDFs in my testcases with the new parsing!<br />
<br />
I would like to thank Dave Touretzky (from the Computer Science Department and the Center for the Neural Basis of Cognition at Carnegie Mellon University) for posting details of encrypted PDFs within his <a href='http://www.cs.cmu.edu/~dst/Adobe/Gallery/'>Gallery of Adobe Remedies</a>.

Friday Link Trifecta
Published 2010-06-18
Here are some cool things I ran into this week.<br />
<br />
<a href="http://blog.kotowicz.net/2010/06/ultimate-tostring-override.html">koto's Ultimate toString override</a><br />
koto gave a presentation to a Polish OWASP meeting describing how to detect and evade jsunpack. He also presents some ways to fix those evasions in Ultimate toString override.
Great work!<br />
<br />
<a href="http://paulmakowski.wordpress.com/2009/09/30/from-pass_file-to-script-kiddies/">Paul Makowski's Blog</a><br />
In this post, Paul uses his hacked sshd (it logs attempted usernames and passwords) to track down the tools used against his server. I was investigating some similar tools, so it was great to see this. One of the interesting tools Paul found was a Mac OS X IRC bot. They all seem to have some connection to "trance". I even found some new files named "trance.pdf", which isn't really a PDF if you were wondering :)<br />
<br />
<a href="http://www.reddit.com/r/ReverseEngineering/comments/cfdr3/swf_disassembler_plugin_for_ida_pro_pdf/">SWF Disassembler Plug-in for IDA Pro [PDF]</a><br />
This looks like a great plugin for IDA. If you want to try it with some live samples from jsunpack, monitor <a href="http://jsunpack.jeek.org/dec/go?search=%5BSWF%5D&list=search">this RSS feed</a>.

Jsunpack-n update 0.3.2b: Custom Spidermonkey and Google Code Subversion
Published 2010-05-20
I now distribute my own modifications to Spidermonkey with the project. This allows you to easily compile it with my preferred modifications. If you want to see what modifications I make, read the INSTALL.spidermonkey or INSTALL.spidermonkey.shellcode files.<br />
<br />
You can now get the source code for the project from <a href="https://code.google.com/p/jsunpack-n/">https://code.google.com/p/jsunpack-n/</a> (instead of my website).<br />
<br />
Updates 2010-05-20 version 0.3.2b<br />
<br />
1) added INSTALL.spidermonkey.shellcode instructions. This adds improved shellcode detection.<br />
2) updated the jsunpack class options structure. New options will always use file contents instead of filenames (where possible).
Also, rules are now part of the options structure.<br />
3) the socket defaulttimeout is now part of the jsunpack class (it was global before). If you import jsunpack, make sure to set a timeout on your own.<br />
4) you can use jsunpack.version to get the current version string<br />
5) new performance option (-f "fasteval") for disabling non-critical features in favor of performance<br />
6) fixed a bug in the redoevaltime option affecting performance on malicious scripts<br />
7) fixed a pdf parsing bug for /Page related to testcase samples/pdf-numPages.file

Three days ... of bug hunting (and a new release) I blame python
Published 2010-05-05
This is the worst bug related to the project that I've encountered so far, and I just spent a few days trying to find what went wrong... Well, I just found and fixed it!<br />
<br />
I'd highly recommend NOT using version 0.3.2 because of this bug. Version 0.3.2a has only a few new features, but YOU SHOULD UPGRADE immediately if you use 0.3.2. Version 0.3.2 is the only version affected by this bug, and it prevents jsunpack-n timeouts from killing the SpiderMonkey process (if the script never terminates).<br />
<br />
Updates 2010-05-05 version 0.3.2a<br />
1) implemented this.numPages, getPageNthWord, and getPageNumWords<br />
2) fixed bug (python 2.6 only) for log_ips functionality<br />
3) fixed REALLY BAD performance bug related to python dynamic types. This is why type checking is a good thing and why python sucks at it.
Most of my python bugs are because I redefine another variable, wipe out a loop variable, or otherwise use a bad type.

Jsunpack-n update 0.3.2: Major Updates
Published 2010-04-30
Happy Friday! ;)<br />
<br />
I added LOTS of great new features in this release. Here's the CHANGELOG.<br />
Sorry for the Friday update, it seems like I've still got lots of work left to do!<br />
<br />
Updates 2010-04-30 version 0.3.2<br />
1) added configuration command line option -c which replaces all former directories and filenames specified on the command line, now uses options.config instead<br />
2) added command line option -J to disable any decoding<br />
3) added document.title parsing<br />
4) js.files is now part of the urlattr/rooturl structure<br />
5) handle referrers in building the tree<br />
6) detection now can be performed against the full decoded stream (i.e.
between different decode levels on the same decoding)<br />
   don't use the decodedOnly filter in the rule if you expect to match on the full decoded stream<br />
7) ipaddress logging upon detecting malicious contents, with an 'options.config' option<br />
8) make PDF headers available to future decodings<br />
9) added navigator.plugins enumeration in pre.js<br />
10) support getAnnot calls (note: previously only getAnnots was supported)<br />
11) html parsing customizable configuration file (see htmlparse.config file)<br />
12) fixed a bug in htmlparsing related to NULL bytes<br />
13) added pdf app.plugIns enumeration<br />
14) other bug fixes

Jsunpack-n update 0.3.1e: Bug Fixes Release
Published 2010-03-18
I released an update to jsunpack-n that fixes some bugs and adds some new features. The detection updates for this release mostly involve improvements in PDF parsing. Some jsunpack users suggested that I add better detection capabilities for PDF files and content within deflated streams.
That is not yet available, but I am planning to make those updates available in a future version.<br />
<br />
Updates 2010-03-18 version 0.3.1e<br />
1) added LZW and RunLength decoding to pdf.py<br />
2) fixed pdf.py so that streams that fail to decompress are not output<br />
3) rooturl is now a member of jsunpack objects (to better support threading)<br />
4) js.files now contains three entries [filename,origin,contents] (contents is new)<br />
5) new command line argument -Q (for Quit-outputting-files), in case you plan to use the output from a python script<br />
6) updated rules

Executables Feed for Malware Analysis
Published 2010-02-17
Someone sent me an email wondering why I don't continue to publish a feed for recent executables (like the older version of jsunpack), and I do! I thought the answer could be useful to others wanting to perform malware analysis, so keep reading if that interests you.<br />
<br />
You can perform a search with the term "executable" under the recent submissions of jsunpack.jeek.org. These are not guaranteed to be malicious, but there is a high likelihood that most of them are. Many of the URLs are from decoded JavaScript or environment variables pointing to executables.<br />
<br />
Here are the links for you:<br />
<br />
Search: <a href='http://jsunpack.jeek.org/dec/go?list=1&search=executable'>http://jsunpack.jeek.org/dec/go?list=1&search=executable</a><br />
RSS Feed: <a href='http://jsunpack.jeek.org/dec/go?search=executable&list=search'>http://jsunpack.jeek.org/dec/go?search=executable&list=search</a><br />
<br />
For each executable you find, you may choose not to download it from the actual server (the server may not offer the file anymore).
In that case, you can download the executables from jsunpack instead.<br />
<br />
Each entry in the RSS feed contains a link to the decoding report, like this:<br />
<a href='http://jsunpack.jeek.org/dec/go?report=d6257c1932efa718fe424fbdd92ae7e0779aa9df'>http://jsunpack.jeek.org/dec/go?report=d6257c1932efa718fe424fbdd92ae7e0779aa9df</a><br />
<br />
If you replace the "go" part with "download" you'll get all the files created and the executable file:<br />
<a href='http://jsunpack.jeek.org/dec/download?report=d6257c1932efa718fe424fbdd92ae7e0779aa9df'>http://jsunpack.jeek.org/dec/<b>download</b>?report=d6257c1932efa718fe424fbdd92ae7e0779aa9df</a><br />
<br />
Please enjoy, and send me any reports for malware that you analyze and I'll post them on the site.

Shmoocon Recap and Presentation Slides
Published 2010-02-09
Shmoocon was great! At the Own the Con talk hosted by Bruce Potter, the event organizer, he explained one of the reasons for limiting the con to 1500 people, given that his house, living room, and garage become full of swag. He also mentioned that at the open bar on Saturday night Shmoocon attendees created a bar tab of $28k!<br />
<br />
He also said attendance was great (about 95 percent) given that we had just experienced the worst snowstorm in Washington DC's history.<br />
<br />
Thanks to Bruce, his wife, and all the volunteers for putting on another awesome Shmoocon this year!
I put the slides from my presentation online for those of you that couldn't make it:<br />
<br />
<a href="http://jsunpack.jeek.org/BlakeHartstein_Shmoocon_Jsunpack_20100206.pdf">http://jsunpack.jeek.org/BlakeHartstein_Shmoocon_Jsunpack_20100206.pdf</a>

Shmoocon and New Releases
Published 2010-02-04
Hi everyone,<br />
If you make it to Shmoocon this weekend I'll be presenting jsunpack on Saturday at 10am. Also, check out the <a href='http://jsunpack.jeek.org/dec/go'>improved web interface</a>!<br />
<br />
See you there!<br />
Blake

Jsunpack-n update 0.3.1c: Decoding and Functionality Updates
Published 2010-01-08
I just released a new version of jsunpack-n, and this version has some great new features! First off, it handles new decoding techniques like PDF annots. What are Annots, you ask? Well, they are the PDF equivalent of getElementById: exploit authors can store arbitrary content within a PDF annotation and then access that content directly from JavaScript using the getAnnots() function, so the payload never appears in the script itself. Similarly, attackers have also been using the "this.info.title" variable (the document's title metadata) to hide content. This version of jsunpack-n supports both of these new obfuscation techniques.<br />
<br />
I also added many improvements to PDF decoding and added a few new detection rules for new exploits. You will find that I've also added many new sample-* files for jsunpack-n users to test with and see what jsunpack-n is capable of.<br />
<br />
IDEA: I've been considering creating an svn repository to store high volumes of pcaps and malicious samples ...
if there is interest, contact me or let me know if you would find it valuable.<br />
<br />
Updates 2010-01-08 version 0.3.1c<br />
1) pdf improvements<br />
1a) handling and decoding of pdf annots (see sample-pdf-annots.file)<br />
1b) octal-based object decoding support<br />
1c) handling of obfuscation for this.info.title (see sample-infoTitle.pcap)<br />
2) graphing in verbose mode now displays all nodes rather than just malicious ones, increased node limit to 60<br />
3) bug fix for gzip python library to better handle the IOError case for 'Not a gzipped file'

Rule2Alert Project Release
Published 2009-12-21
This is an idea I had a while ago, and the Rule2Alert project implemented it (awesome work Josh).<br />
<br />
Step 1. Take a snort rule like this:<br />
<pre>
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Snort alert"; flow:to_server,established; content:"|56 24 5a 63|"; content:"hey"; distance:5; within:12; sid:2000000; rev:1;)
</pre>
<br />
Step 2. Create a pcap (packet capture file) or network traffic to trigger this rule.<br />
(Mind you, certain things like pcre are incredibly challenging to implement.)<br />
<br />
Why is this useful, you say?<br />
I can see many uses:<br />
<br />
1) You can test your rules to make sure they work.<br />
<br />
2) You can determine if overlap exists between two or more different rules (and therefore consider disabling one, or merging them into one). This was a goal of one of the public community/EmergingThreats/Sourcefire projects that I think has dropped off the radar since it was initially started.<br />
<br />
3) You can also test other non-snort Intrusion Detection Engines for known signatures to determine how much overlap exists.<br />
<br />
4) An attacker could also use this tool to do some sneaky things.
I won't go into much detail here, but leave a comment if you think of anything.<br />
<br />
More on the project from "New Project - Rule2Alert" at <a href='http://malforge.com/node/22'>http://malforge.com/node/22</a>, or get the source code from <a href='http://code.google.com/p/rule2alert/'>http://code.google.com/p/rule2alert/</a>

Jsunpack-n update 0.3.1b: Functionality Updates
Published 2009-12-08
Today I am releasing a new version of jsunpack-n that fixes several different bugs and increases the functionality of jsunpack-n.<br />
<br />
This release REQUIRES an up-to-date version of YARA (1.3 or greater), because the rules file makes use of the new rule syntax. If you experience problems compiling the YARA rules, this is likely the reason.<br />
<br />
In this release, I added support for lastModified, which attackers have used to hinder analysis. This will only work if you use a pcap file, since the value is part of the network traffic that the malicious server sends.<br />
<br />
Here is the full CHANGELOG:<br />
<br />
1) rule updates for yara 1.3 rule language<br />
2) fixes in PDF JavaScript parsing<br />
3) improvements to the tree structure, made appending children better<br />
4) cmdline options for logging and temporary directories<br />
5) additions to pre.js and post.js to handle App.eval, String.eval, and better definitions for Adobe version variables<br />
6) handle document.write and document.writeln with multiple parameters

Using a Custom Spidermonkey Version and bug fixes
Published 2009-10-08
I've added instructions within "INSTALL.spidermonkey" showing how to build a
js-1.8.0rc1 custom version of SpiderMonkey with hooked eval() statements. Upon doing so, your decodings will be more reliable and effective!<br />
<br />
Attackers can use techniques that depend on the scope of variables, and a JavaScript-level eval() hook changes that scope, so such hooks are not sufficient to handle them. When you modify the SpiderMonkey engine in this manner, the scope is unchanged and such cases continue to decode successfully. I do not distribute SpiderMonkey with jsunpack-n, so you still have some choices in this area, and therefore I did not disable the eval() hooks in pre.js, which this SpiderMonkey modification replaces.<br />
<br />
I've been working much more on parsing SWF files and I have a development version of a Flash Decompiler (for ActionScript code) in the works, stay tuned for that!<br />
<br />
From the CHANGELOG:<br />
Updates 2009-10-08 version 0.3.1a<br />
1) bug fixes release<br />
1a) I now distribute an optional gzip.py file (on by default). This file was built to fix gzip decompression errors (from python2.5); you may not want to use it if you use python2.6<br />
2) rule detection updates<br />
3) updates to pre.file<br />
4) added instructions for compiling and using a custom spidermonkey version (INSTALL.spidermonkey)<br />
5) (not new) you can type "make clean" to destroy all temporary and log files

Jsunpack-n update v0.3a: SWF parsing and Bug fixes release
Published 2009-09-25
The main new feature in this release is the "swf.py" file. As a standalone tool you can run it like this:<br />
<br />
<blockquote><pre>
$ ./swf.py sample-swf-js.file
processing flash file [version 4] (length 115, actual length 115)
type=0x9 length=3 name=SetBackgroundColor
type=0x18 length=31 name=Protect
type=0xc length=46 name=DoAction
        actionCode 0x83 len(42) ActionGetURL javascript:eval(fV6("ZlY4KGZWMSwxKQ=="))
        actionCode 0x0 len(0) unknownAction

tags (with counts) of length=0
End:1, ShowFrame:1
sample-swf-js.file ['javascript:eval(fV6("ZlY4KGZWMSwxKQ=="))']
</pre></blockquote>
<br />
<blockquote><pre>
$ ./swf.py sample-swf-url.file
processing flash file [version 8] (length 1125772, actual length 1125772)
type=0x45 length=4 name=FileAttributes
type=0x9 length=3 name=SetBackgroundColor
type=0xc length=65 name=DoAction
        actionCode 0x83 len(45) ActionGetURL http://5173vip.seawww.cn/cuteqq.htm (_blank)
        actionCode 0x96 len(12) ActionPush datatype[0]=string(text)
        actionCode 0x1d len(0) ActionSetVariable
        ...
</pre></blockquote>
<br />
As you can see, you can embed both URLs and JavaScript within Flash SWF files. jsunpack-n uses this module to follow those links and report any obtained information.<br />
<br />
The changelog follows:<br />
<br />
Updates 2009-09-25 version 0.3a<br />
1) new extraction of URLs/JavaScript from Flash files (CWS/FWS) with swf.py<br />
2) significant performance improvements in shellcode processing<br />
3) bug fixes<br />
3a) fixed tree structure of urls (specific to pcap processing) when a node could detach itself from the tree incorrectly
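As an added example (my own Python 3 code, written for this page; it is not the project's swf.py), here is a compact reimplementation of the part of that listing that matters for triage: reading the FWS/CWS header and inflating a CWS body, walking the tag headers in both their short and long (0x3f + UI32) forms, decoding DoAction records, and pulling out every ActionGetURL target with its window name. The SWF it parses is constructed inline so the script runs offline; the single-action file it builds yields the same DoAction length (46) and ActionGetURL length (42) that the first listing above shows for a 40-character URL. Tag and action names come from the SWF specification; the sample URL string is the one from the post.

```python
import struct
import zlib

# Tag and action codes from the SWF file format specification; names mirror swf.py output.
TAG_NAMES = {0: 'End', 1: 'ShowFrame', 9: 'SetBackgroundColor', 12: 'DoAction',
             24: 'Protect', 69: 'FileAttributes'}
ACTION_NAMES = {0x83: 'ActionGetURL', 0x96: 'ActionPush', 0x1d: 'ActionSetVariable'}
DO_ACTION, ACTION_GET_URL = 12, 0x83


def _cstring(buf, pos):
    """Read a NUL-terminated string at pos; return (text, position after the NUL)."""
    end = buf.index(b'\x00', pos)
    return buf[pos:end].decode('latin-1'), end + 1


def parse_swf(data):
    """Return (version, declared length, [(tag code, name, payload), ...]) for FWS or CWS input."""
    sig, version = data[:3], data[3]
    declared_len = struct.unpack('<I', data[4:8])[0]
    if sig == b'CWS':                      # zlib-compressed body follows the 8-byte header
        body = zlib.decompress(data[8:])
    elif sig == b'FWS':
        body = data[8:]
    else:
        raise ValueError('not a SWF file')
    # Header tail: a RECT whose first 5 bits give the bit width of its four fields
    # (padded to a byte boundary), then UI16 frame rate and UI16 frame count.
    nbits = body[0] >> 3
    pos = (5 + 4 * nbits + 7) // 8 + 4
    tags = []
    while pos + 2 <= len(body):
        code_and_len = struct.unpack_from('<H', body, pos)[0]
        pos += 2
        code, tlen = code_and_len >> 6, code_and_len & 0x3F
        if tlen == 0x3F:                   # long form: real length in the following UI32
            tlen = struct.unpack_from('<I', body, pos)[0]
            pos += 4
        tags.append((code, TAG_NAMES.get(code, 'Unknown'), body[pos:pos + tlen]))
        pos += tlen
        if code == 0:
            break
    return version, declared_len, tags


def parse_actions(payload):
    """Walk a DoAction record list; action codes >= 0x80 carry a UI16 length and a body."""
    pos, actions = 0, []
    while pos < len(payload):
        code = payload[pos]
        pos += 1
        if code == 0:
            actions.append((0, 'End', b''))
            break
        alen = 0
        if code >= 0x80:
            alen = struct.unpack_from('<H', payload, pos)[0]
            pos += 2
        actions.append((code, ACTION_NAMES.get(code, 'unknownAction'), payload[pos:pos + alen]))
        pos += alen
    return actions


def extract_links(data):
    """Every ActionGetURL (url, target window) in the file, in order of appearance."""
    found = []
    for code, _, payload in parse_swf(data)[2]:
        if code != DO_ACTION:
            continue
        for acode, _, body in parse_actions(payload):
            if acode == ACTION_GET_URL:
                url, p = _cstring(body, 0)
                target, _ = _cstring(body, p)
                found.append((url, target))
    return found


def build_sample_swf(url, compressed=False):
    """Constructed sample (not one of the project's sample-swf-* files): one DoAction tag
    whose ActionGetURL points at `url`, written as FWS or as a zlib-compressed CWS."""
    def tag(code, payload):
        if len(payload) < 0x3F:
            return struct.pack('<H', (code << 6) | len(pay)) + payload if False else \
                   struct.pack('<H', (code << 6) | len(payload)) + payload
        return struct.pack('<HI', (code << 6) | 0x3F, len(payload)) + payload   # long form
    get_url = bytes([ACTION_GET_URL]) + struct.pack('<H', len(url) + 2) + url.encode() + b'\x00\x00'
    body = (b'\x00'                          # RECT with nbits=0 occupies a single byte
            + struct.pack('<HH', 0x0C00, 1)  # 12.0 frames per second, 1 frame
            + tag(9, b'\xff\xff\xff') + tag(DO_ACTION, get_url + b'\x00')
            + tag(1, b'') + tag(0, b''))
    header = struct.pack('<I', 8 + len(body))  # declared length covers the whole uncompressed file
    if compressed:
        return b'CWS' + bytes([8]) + header + zlib.compress(body)
    return b'FWS' + bytes([4]) + header + body


if __name__ == '__main__':
    sample = build_sample_swf('javascript:eval(fV6("ZlY4KGZWMSwxKQ=="))')
    version, length, tags = parse_swf(sample)
    print('processing flash file [version %d] (length %d, actual length %d)' % (version, length, len(sample)))
    for code, name, payload in tags:
        print('type=0x%x length=%d name=%s' % (code, len(payload), name))
    print(extract_links(sample))
```

Feeding a real sample through `extract_links` gives exactly the list that swf.py prints on its last line; the `javascript:` scheme in the URL is what lets a Flash file hand script to the embedding page, which is why jsunpack-n treats these targets as further input to decode.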