Wednesday, May 23, 2012

Site and Code Checking

As the attack vector over the years has shifted from external attacks on the network to client side exploits via Web browsers, it's become important for an intrusion analyst to be able to determine if a site is malicious and to be able to do some manner of analysis of mobile code. Analysts without a programming background are at a disadvantage here, as sorting though lines and lines of obfuscated Javascript and other code can be difficult at best. Fortunately there are some very good resources to help learn the process (the Handler's Diary on the Internet Storm Center has some great articles by folks like Tom Liston and others). In the mean time, there are also sites that can do some of the heavy lifting by automating analysis. It's not a substitute for having the technical knowledge of how to disassemble heavily obfuscated code, but it can help quite a bit.
Here are a few sites I've found over the years that might help:

http://jsunpack.jeek.org/dec/go
http://www.darkfader.net/toolbox/convert/
http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/Default.aspx
http://www.rishida.net/tools/conversion/
http://jsbeautifier.org/
http://centricle.com/tools/ascii-hex/
http://meyerweb.com/eric/tools/dencoder/
http://www.crypo.com/tools/index.php
http://www.greymagic.com/security/tools/decoder/
http://home.paulschou.net/tools/xlate/
http://www.yellowpipe.com/yis/tools/encrypter/index.php
https://isc.sans.edu/tools/base64.html

 And here are some sites that will attempt to determine if the site is running malicious code:

http://wepawet.iseclab.org/
http://zulu.zscaler.com/
http://www.ipvoid.com/
https://www.virustotal.com/#url
http://www.robtex.com/
http://global.sitesafety.trendmicro.com/
http://safeweb.norton.com/

A nice little tool for code/site analysis is Malzilla, which can be found at:
http://malzilla.sourceforge.net/



You should heed the warning on the jsunpack site and run these tools with a limited user account, with No-Script turned on, and preferably from a virtual machine or a throw-away test box on an isolated network segment.

No comments:

Blog Archive