Author Topic: Online de-obfuscation service...  (Read 6944 times)


Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 29856
  • malware fighter
Online de-obfuscation service...
« on: December 05, 2009, 10:44:17 PM »
Hi malware fighters,

Malcoders and spammers try to hide the purpose of their code through obfuscation. Here is a link where you can de-obfuscate: http://www.gooby.ca/decrypt/

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 79067
  • No support PMs thanks
Re: Online de-obfuscation service...
« Reply #1 on: December 05, 2009, 11:43:22 PM »
I have tried that site before and didn't have a great deal of success in decrypting/deobfuscating in the past when trying to make sense of some of the scripts that avast has alerted on.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 17.8.2318/ Outpost Firewall Pro9.3/ Firefox 52.4.0 ESR, uBlock Origin, RequestPolicy/ MailWasher Pro7.8.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 29856
  • malware fighter
Re: Online de-obfuscation service...
« Reply #2 on: June 06, 2010, 03:21:28 PM »
Hi malware fighters,

URL encoding can be done online: http://urlencode.it/  or   http://url-encode.com/

A URL obscuring tool: http://fravia.com/zipped/urlcalc.zip
Online JavaScript obfuscation: http://www.javascript-obfuscator.com/

For URL analysis you can use this tool: http://www.finjan.com/Content.aspx?id=574

polonus

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 29856
  • malware fighter
Re: Online de-obfuscation service...
« Reply #3 on: June 06, 2010, 03:39:29 PM »
Hi malware fighters,

Best to give an example with an obfuscated iFrame attack:
See attached pics...
I won't give the general way this attack could be performed for obvious reasons,
we are malware fighters here, alas you still have to count the redirects..
and there are some adware blockers that may interfere with performing it...
So under all circumstances protect with NS and RP in your mozilla browser of choice,
that is the best advice I can give you and rely on the avast shields protection,
see: http://forum.avast.com/index.php?topic=45223.0

polonus

« Last Edit: June 06, 2010, 03:46:55 PM by polonus »

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 29856
  • malware fighter
Re: Online de-obfuscation service...
« Reply #4 on: June 06, 2010, 03:57:59 PM »
Hi malware fighters,

A JavaScript online packer: http://dean.edwards.name/packer/
One site to unpack packed javascript code is here: http://www.strictly-software.com/unpack-javascript.aspx

Enjoy, the Javascript Unpacker,

polonus
« Last Edit: June 06, 2010, 03:59:47 PM by polonus »

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 29856
  • malware fighter
Re: Online de-obfuscation service...
« Reply #5 on: June 17, 2010, 12:41:51 AM »
Hi malware fighters,

Why it was found that AV struggled with the detection of obfuscated JavaScript, you can read here:
http://research.zscaler.com/2010/06/antivirus-struggling-with-obfuscated.html
I found it an interesting read, my friends,

polonus

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 29856
  • malware fighter
Re: Online de-obfuscation service...
« Reply #6 on: June 19, 2010, 10:03:38 PM »
Hi malware fighters,

Here are some recent examples of an iFrame exploit on a Russian site:

Viruses
Threat Name:    IFrame.Exploit
Location:    htxp://getajobfromus.com/
   
Threat Name:    IFrame.Exploit
Location:    htxp://www.getajobfromus.com/
   
Drive-By Download
Threats found: 1

Threat Name:    HTTP Malicious Toolkit IFrame Injection
Location:    htxp://www.getajobfromus.com/

Redirection to commportal.biz detected
http://wepawet.iseclab.org/view.php?hash=6a57b5e68b4de59d35da30e82186edb6&t=1276977629&type=js

Man in the middle attack: "gettokenvalue" attack previous cookie theft
http://forums.java.net/jive/thread.jspa?threadID=68619&tstart=567

polonus
« Last Edit: June 19, 2010, 10:11:49 PM by polonus »

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 29856
  • malware fighter
Re: Online de-obfuscation service...
« Reply #7 on: July 14, 2010, 11:36:40 PM »
Hi malware fighters,

Another online tool to work with: http://www.searchlores.org/sonjas33.htm
Some JavaScript that does the conversions nicely, if you have to convert to be able to go somewhere, as you all will know what I mean, but you eventually can get a "11004 [11004] Valid name, no data record (check DNS setup)" error.

polonus

P.S. Nice tool to use: http://www.secdev.org/projects/scapy/
« Last Edit: July 15, 2010, 12:11:16 AM by polonus »

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 29856
  • malware fighter
Re: Online de-obfuscation service...
« Reply #8 on: July 15, 2010, 06:55:09 PM »
Hi malware fighters,

Another nice online tool: http://www.tuxgraphics.org/toolbox/network_address_calculator_add.html

pol

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 29856
  • malware fighter
Re: Online de-obfuscation service...
« Reply #9 on: July 15, 2010, 09:16:43 PM »
Hi malware fighters,

You are trying to find a haystack txt inside malware digits, here is a helpful source for finding them or hiding them..

http://www.cs.columbia.edu/~zeph/3261/hw/haystack.txt

polonus

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 29856
  • malware fighter
Re: Online de-obfuscation service...
« Reply #10 on: August 11, 2010, 04:57:09 PM »