malzilla is a very helpful tool for us!

luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

malzilla is a very helpful tool for us!

Post by luntrus »

Howdy to the malware hunters among my good forum friends,

This sandboxed malcode analyzing tool can be downloaded from here: http://malzilla.sourceforge.net/
It is described as: "Malzilla is a tool for malware-hunters. It contains downloader/HTML browser, JavaScript interpreter based on Mozilla SpiderMonkey, some decoders for various types of encoded data (used on web sites) etc, all in order to find the download link to the malicious file".
See how it can be helpful here:
http://forum.avast.com/index.php?topic= ... 473311#new
and here:
http://forum.avast.com/index.php?topic= ... #msg473295
I used it here in combination with info from http://www.unmaskparasites.com
and Norton_Safe_Web_from_Symantec
But I think the folks here that wanna analyze some malcode script that NS has to protect us from can also use this tool to their benefit. As there is no manual online, see http://www.offensivecomputing.net/?q=node/505
some introduction to using it: http://holisticinfosec.org/toolsmith/docs/july2009.html
I would like those of you who use it to report back your findings here about what info this intricate but helpful tool can provide for you.
Like to hear all of your comments,

luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.1 (KHTML, like Gecko) Chrome/5.0.322.2 Safari/533.1
tenkoji
Posts: 2
Joined: Fri Mar 05, 2010 3:01 pm

Re: malzilla is a very helpful tool for us!

Post by tenkoji »

ah, i have another one but not so informative as

http://www.unmaskparasites.com/security-report/?page=
*lol*

it's

http://www.google.com/safebrowsing/diagnostic?site=
has anyone here used IPCop and snort together? i wanna know how you update, append the newly reported sites for private use o.O

Basically, a home user like me and my family can use something useful like those technologies mentioned above. Simply, just to remain protected/stealth in a safe environment



*btw, topic has been subscribed* ;) would love to see any replies
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8
luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: malzilla is a very helpful tool for us!

Post by luntrus »

Hi tenkoji,

You could bookmark these two sites in the browser, also use Norton Safe Web online to give in a domain, but that scanner is acting more like a reputation scanner, but gives the names of all the specific threats for a site found in a listed report. Another source is an upload to Wepawet and Anubis. Example for wepawet here: http://wepawet.cs.ucsb.edu/view.php?has ... bc&type=js
You can also use Wepawet to analyse websites and give in URLs there.
And then there is this one to be bookmarked as well:
http://www.novirusthanks.org/services/s ... r-iframes/

Combine online analysis and that of tools. Firekeeper has snortlike rules, if one could port the snort rules to Firekeeper format this would bring some extra security to the Fx browser,

Mind you that even unmasked parasites can give you a wrong indication, while malcreants keep an eye on the next time the crawler will get by and after cleansing their slate will reinfect after google visited. We are out in the trenches and it is an ongoing battle, such a good thing that malcreants cannot touch the protection of NS, especially combined with RequestPolicy, but for the average browser user the going is getting more and more narrow to escape the classical drive-by-download of malcode, fake-AV, keylogger, malware all sorts,

luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.2 (KHTML, like Gecko) Chrome/5.0.342.2 Safari/533.2
tenkoji
Posts: 2
Joined: Fri Mar 05, 2010 3:01 pm

Re: malzilla is a very helpful tool for us!

Post by tenkoji »

@wepawet what do i see for after uploading a sample javascript? i'm not good with hex, in fact i don't understand what's the twist seeing hex, sorry :(

luntrus, I've recently received a link like

http://iohjk2h4jkdsdfs/yutube/
the above is not the actual URL

is there a trick to see what's "behind the link", some friend of mine said it's a virus.. ?

I managed to get the ip but it looks like a gateway IP ***.***.***.0
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
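
Added example, not part of any post in this thread and not Malzilla's or Wepawet's own code: a static decoder for the hex and percent escapes asked about above, showing how a URL carried in an encoded script becomes readable as text without running the script. The sample script, both `.invalid` URLs and all function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed input: two made-up URLs on the reserved .invalid TLD, encoded
# the way encoded page scripts often carry them (%XX and \xNN escapes).
URL_A = "http://example.invalid/in.php"
URL_B = "http://cdn.example.invalid/x.js"
IFRAME = '<iframe src="%s" width=1 height=1></iframe>' % URL_A
SAMPLE = (
    'document.write(unescape("%s"));\n' % "".join("%%%02x" % ord(c) for c in IFRAME)
    + 'var s = "%s";\n' % "".join("\\x%02x" % ord(c) for c in URL_B)
)

# \xNN and \uNNNN (JS string escapes) and %uNNNN (legacy unescape() form)
_ESC = re.compile(r"\\x([0-9a-fA-F]{2})|(?:\\u|%u)([0-9a-fA-F]{4})")

def decode_layers(text, max_rounds=5):
    """Undo hex/percent escapes as plain text; the script is never executed."""
    for _ in range(max_rounds):
        new = _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)
        new = unquote(new, encoding="latin-1")  # %XX, one byte per escape
        if new == text:  # nothing left to decode
            break
        text = new
    return text

def find_urls(text):
    """Return the distinct http(s) URLs that appear literally in the text."""
    return sorted(set(re.findall(r"https?://[^\s\"'<>\\)]+", text)))

def hidden_iframes(text):
    """Return the src of every iframe whose stated width/height are 0 or 1."""
    hits = []
    for tag in re.findall(r"<iframe\b[^>]*>", text, flags=re.I):
        dims = re.findall(r"\b(?:width|height)\s*=\s*[\"']?(\d+)", tag, flags=re.I)
        src = re.search(r"\bsrc\s*=\s*[\"']?([^\"'\s>]+)", tag, flags=re.I)
        if src and dims and all(int(d) <= 1 for d in dims):
            hits.append(src.group(1))
    return hits

if __name__ == "__main__":
    decoded = decode_layers(SAMPLE)
    print("URLs in raw text:    ", find_urls(SAMPLE))
    print("URLs after decoding: ", find_urls(decoded))
    print("Hidden iframe source:", hidden_iframes(decoded))
```

The raw sample contains no readable URL at all; both appear only after the escapes are decoded, which is the step the hex view in an analysis report corresponds to.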
luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: malzilla is a very helpful tool for us!

Post by luntrus »

Hi tenkoji,

I have forwarded your question to me at the avast virus and worms section, and as I got a reaction from my forum friend, DavidR, I give you the link, so you can read his reply posting there yourself. Link: http://forum.avast.com/index.php?topic=56805.0

Hoped that was helpful, (my nick at the avast webforum is @polonus by the way)

luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.2 (KHTML, like Gecko) Chrome/5.0.342.2 Safari/533.2