Sunday, December 30, 2012

Some update on PageScan (v0.2)

It's been a while since I wrote > 1000 lines of code for a security tool project, and sorry for not mentioning the release of PageScan earlier.

For those of you who didn't know, I've released PageScan, a web content scraper for web-based malware analysis. It assists static analysis by scraping and listing any redirection, iframe, JavaScript, and links found inside the web page. Below is some of the output from PageScan:

CLI output

HTML output

Features
- Scrape HTML content, JavaScript code (inline or external JS), iframes, and links
- Follow iframes and redirections (meta refresh and 301/302 redirects)
- TXT/HTML output
- User-defined Referer and User Agent

Future Development
- Scrape iframe/redirection addresses from JavaScript (in document.write() or conditional code)
- Properly execute JavaScript code (for obfuscated redirections or content)
- YARA signature module for scraped content


Feel free to dig into the source code. The tool is licensed under the WTFPL, so do whatever you want with the code. You can get the latest version of PageScan at https://github.com/d3t0n4t0r/pagescan.

Thursday, December 6, 2012

Another Implementation of Pseudo Random Domain for Web Malware

In my previous post, I discussed the pseudo random domain generator used by a RunForestRun malware variant.

In this post, we're going to look at a slightly different implementation of a pseudo random domain generator.

Unlike the previous random domain generator used by RunForestRun, which randomized .ru domains, the new implementation makes full use of the dynamic DNS service from ChangeIP.

This pseudo random domain generator generates a random subdomain under the domain mynumber.org. The advantage of using a dynamic DNS service is that the attacker doesn't have to buy domains; instead they just need to create the random subdomain generated for that particular date.

This technique, however, still does not protect the future generated malicious sites from being predicted by security researchers. Using the workaround I showed in my previous post, I generated 27 malicious domains (05 Dec - 31 Dec 2012), and out of 27, only 1 is currently pointing to an IP.

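As an added example (not the author's tooling, and not the malware's generator, which this post does not reproduce), here is a defender-side heuristic that flags DNS queries for long, random-looking subdomains under a watched dynamic DNS parent such as mynumber.org. The log line format, the entropy and vowel thresholds, and the sample queries are constructed assumptions to be tuned per environment.

```python
import math
import re
from collections import Counter

# Dynamic DNS parent zones to watch. mynumber.org is the one from the post;
# add further parents as an assumption to be tuned for your environment.
DYNDNS_PARENTS = {"mynumber.org"}

# Generated labels seen in the post are long runs of lowercase letters.
LABEL_RE = re.compile(r"^[a-z]{12,20}$")

# Constructed sample log: "<timestamp> <client ip> <queried name>".
SAMPLE_LOG = [
    "2012-12-05T10:01:02 10.0.0.5 qzxwkfjprtcvmhgd.mynumber.org",
    "2012-12-05T10:01:03 10.0.0.7 myhomepc.mynumber.org",
    "2012-12-05T10:02:11 10.0.0.7 officeprinter.mynumber.org",
    "2012-12-05T10:03:40 10.0.0.9 hkdwtrpfjmcizoqw.mynumber.org",
    "2012-12-05T10:04:00 10.0.0.9 abcdefghijklmnop.example.com",
]

def shannon_entropy(s):
    """Bits of entropy per character of the label."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def vowel_ratio(s):
    return sum(ch in "aeiou" for ch in s) / len(s)

def looks_generated(label):
    """Heuristic: long all-letter label, high entropy, few vowels."""
    if not LABEL_RE.match(label):
        return False
    return shannon_entropy(label) >= 3.0 and vowel_ratio(label) <= 0.35

def split_host(host):
    """Return (subdomain, parent) when host sits under a watched parent."""
    host = host.lower().rstrip(".")
    for parent in DYNDNS_PARENTS:
        if host.endswith("." + parent):
            return host[: -len(parent) - 1], parent
    return None, None

def flag_queries(log_lines):
    """Scan log lines and return (client, qname) pairs worth a closer look."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, skip rather than crash
        client, qname = parts[1], parts[2]
        sub, parent = split_host(qname)
        if sub and looks_generated(sub):
            hits.append((client, qname))
    return hits
```

Hits are candidates for review, not verdicts: a legitimate host with a random-looking name will trip the same heuristic, so correlate with resolution results and client behaviour before blocking.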