Avast WEBforum

Other => General Topics => Topic started by: polonus on December 05, 2009, 10:44:17 PM

Title: Online de-obfuscation service...
Post by: polonus on December 05, 2009, 10:44:17 PM
Hi malware fighters,

Malcoders and spammers try to hide the purpose of their code through obfuscation. Here is a link where you can de-obfuscate it: http://www.gooby.ca/decrypt/

polonus
Title: Re: Online de-obfuscation service...
Post by: DavidR on December 05, 2009, 11:43:22 PM
I have tried that site before and didn't have a great deal of success in decrypting/deobfuscation in the past trying to make sense of some of the scripts that avast has alerted on.
Title: Re: Online de-obfuscation service...
Post by: polonus on June 06, 2010, 03:21:28 PM
Hi malware fighters,

URL encoding can be done online: http://urlencode.it/ or http://url-encode.com/

A URL obscuring tool: http://fravia.com/zipped/urlcalc.zip
Online JavaScript obfuscation: http://www.javascript-obfuscator.com/

For URL analysis you can use this tool: http://www.finjan.com/Content.aspx?id=574

polonus
Title: Re: Online de-obfuscation service...
Post by: polonus on June 06, 2010, 03:39:29 PM
Hi malware fighters,

Best to give an example with an obfuscated iFrame attack:
See attached pics...
I won't give the general way this attack could be performed for obvious reasons,
we are malware fighters here, alas you still have to count the redirects..
and there are some adware blockers that may interfere with performing it...
So under all circumstances protect with NS and RP in your mozilla browser of choice,
that is the best advice I can give you and rely on the avast shields protection,
see: http://forum.avast.com/index.php?topic=45223.0

polonus

Title: Re: Online de-obfuscation service...
Post by: polonus on June 06, 2010, 03:57:59 PM
Hi malware fighters,

A Javascript online packer: http://dean.edwards.name/packer/
One site to unpack packed javascript code is here: http://www.strictly-software.com/unpack-javascript.aspx

Enjoy, the Javascript Unpacker,

polonus
Title: Re: Online de-obfuscation service...
Post by: polonus on June 17, 2010, 12:41:51 AM
Hi malware fighters,

Why it was found that AV struggled with the detection of obfuscated javascript, you can read here:
http://research.zscaler.com/2010/06/antivirus-struggling-with-obfuscated.html
I found it an interesting read, my friends,

polonus
Title: Re: Online de-obfuscation service...
Post by: polonus on June 19, 2010, 10:03:38 PM
Hi malware fighters,

Here are some recent examples of an iFrame exploit on a Russian site:

Viruses
Threat Name:    IFrame.Exploit
Location:    htxp://getajobfromus.com/
   
Threat Name:    IFrame.Exploit
Location:    htxp://www.getajobfromus.com/
   
Drive-By Download
Threats found: 1

Threat Name:    HTTP Malicious Toolkit IFrame Injection
Location:    htxp://www.getajobfromus.com/

Redirection to commportal.biz detected
http://wepawet.iseclab.org/view.php?hash=6a57b5e68b4de59d35da30e82186edb6&t=1276977629&type=js

Man in the middle attack: "gettokenvalue" attack previous cookie theft
http://forums.java.net/jive/thread.jspa?threadID=68619&tstart=567

polonus
Title: Re: Online de-obfuscation service...
Post by: polonus on July 14, 2010, 11:36:40 PM
Hi malware fighters,

Another online tool to work with: http://www.searchlores.org/sonjas33.htm
Some javascript that does the conversions nicely, if you have to convert to be able to go somewhere, as you all will know what I mean, but you eventually can get a "11004 [11004] Valid name, no data record (check DNS setup)" error

polonus

P.S. Nice tool to use: http://www.secdev.org/projects/scapy/
Title: Re: Online de-obfuscation service...
Post by: polonus on July 15, 2010, 06:55:09 PM
Hi malware fighters,

Another nice online tool: http://www.tuxgraphics.org/toolbox/network_address_calculator_add.html

pol
Title: Re: Online de-obfuscation service...
Post by: polonus on July 15, 2010, 09:16:43 PM
Hi malware fighters,

You are trying to find a haystack txt inside malware digits, here is a helpful source for finding them or hiding them..

http://www.cs.columbia.edu/~zeph/3261/hw/haystack.txt

polonus
Title: Re: Online de-obfuscation service...
Post by: polonus on August 11, 2010, 04:57:09 PM
Hi malware fighters,

http://www.colddata.com/developers/online_tools/obfuscator.shtml#obfuscator_view

polonus