.

Malzilla

<<

blackazarro

User avatar

Sr. Member
Sr. Member

Posts: 368

Joined: Sun Aug 13, 2006 5:31 pm

Post Sat Feb 23, 2008 3:31 pm

Malzilla

Hello everyone!

I've been real busy with my new job and I haven't been really participating in EH-Net lately, but that doesn't mean I don't come here and read the latest happenings. Today I would like to mention a cool tool for Windows that I use in my work almost everyday which really helps me explore malicious websites for my Incident Report. It's called 'Malzilla'.

As the authors puts it, Mazilla is a
Malware hunting tool


Basically, Mazilla is a useful tool for analyzing websites containing malicious code. It allows you to request websites and retrieve its full source code, like wget, without visiting the site and potentially harming your computer. This program has the option to switch your user agent and choose your own referrer. It also has proxy capabilities, various decoders and most importantly what I really like about this tool, deobfuscation of javascript code, all in one application.

For Malware Incident Response, our security department required us to investigate the how, when, why, what, where of malware incidents. The majority of the incidents we see in our company is users visiting what appears to be innocuous websites containing embedded malicious obfuscated javacript code in order to exploit vulnerable computers. Before finding out about this tool, thanks to my colleague (Pedro), we'd use various tools and methods to investigate malicious sites which took some time to analyze. Thats where Mazilla comes in, using this tool really speed things up and it has made my job easier.

Mazilla can be downloaded here:

http://malzilla.sourceforge.net/

Make sure to check out the author's tutorial in this page and familiarize yourself with this tool.

Well, gotta go, I just wanted the EH-Net members to know about this cool tool.
Last edited by blackazarro on Sat Feb 23, 2008 3:36 pm, edited 1 time in total.
Security+, OSCP, CEH
<<

venom77

User avatar

Hero Member
Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Sat Feb 23, 2008 7:26 pm

Re: Malzilla

Sweet, it sounds really useful. I've not heard of it before. Thanks for sharing! :) (off to download...)
<<

blackazarro

User avatar

Sr. Member
Sr. Member

Posts: 368

Joined: Sun Aug 13, 2006 5:31 pm

Post Sat Feb 23, 2008 7:46 pm

Re: Malzilla

Yeah, it's a cool tool.

There's more stuff that this tool can do that I forgot to mention, for instance, it shows you the http headers , it can gather all the links and iframes of such website, cookies and etc. Like it a lot.
Security+, OSCP, CEH
<<

bobby

Newbie
Newbie

Posts: 8

Joined: Tue Feb 26, 2008 12:40 pm

Post Tue Feb 26, 2008 12:43 pm

Re: Malzilla

Hi, bobby here (Malzilla's author).

I'll release a new version very soon (probably next weekend).
Do anyone have some suggestions/bug reports?

regards
bobby
<<

Kev

Sr. Member
Sr. Member

Posts: 428

Joined: Sat Sep 29, 2007 12:26 pm

Post Tue Feb 26, 2008 1:24 pm

Re: Malzilla

Hey Bobby,
  Thanks for stopping by. Looks like a nice project. I will play around with it and get back to you.
<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Tue Feb 26, 2008 2:05 pm

Re: Malzilla

Hey Bobby,

Good to hear directly from the author and thanks for joining our growing community.

For lack of a better phrase, I run the joint. So if you need anything, just PM me.

All the best,
Don
CISSP, MCSE, CSTA, Security+ SME
<<

blackazarro

User avatar

Sr. Member
Sr. Member

Posts: 368

Joined: Sun Aug 13, 2006 5:31 pm

Post Tue Feb 26, 2008 10:22 pm

Re: Malzilla

Bobby,

First of all, welcome to the club. Thanks for a wonderful tool.

Anyways, at the mean time I have one suggestions and a bug:

- It would be wonderful to have the user and pass for the proxy settings to be hidden. You could make this an option.

Bug:

- Not sure if its a bug, but when I have Malzilla running, the copy and paste functionality in Windows gets funky, for example, when I want to copy a content from the web browser and try to paste it in notepad, it sometimes won't work. I have to close Malzilla in order to have it function properly. I'm pretty sure it has to do with Malzilla's Clipboard Monitor feature.

Once again thanks and I'm looking forward to your new release.
Security+, OSCP, CEH
<<

blackazarro

User avatar

Sr. Member
Sr. Member

Posts: 368

Joined: Sun Aug 13, 2006 5:31 pm

Post Tue Feb 26, 2008 10:44 pm

Re: Malzilla

Hey Bobby,

Forget about the bug thing. I just discovered that you can disable the Clipboard Monitor feature by right clicking Mazilla's system tray icon and removing the check mark. Upon doing this, copy and paste in other applications works. Sorry for that.
Security+, OSCP, CEH
<<

bobby

Newbie
Newbie

Posts: 8

Joined: Tue Feb 26, 2008 12:40 pm

Post Tue Feb 26, 2008 11:55 pm

Re: Malzilla

@all
Thanks for the warm welcome

@blackazarro
Indeed, Clipboard Monitor is messing the things around. I know about this issue.
At the moment I'm thinking to remove this "feature", but I need some feedback about it - is someone using Clipboard monitor at all?

If I do not clear the clipboard after some content is received - that will also mess the things up. If I do (like it is now) - you already know whats happening.


About hiding the user and password in proxy settings - it can be done.
It is just so that I didn't think that someone will use Malzilla at places where this needs to be hidden.
<<

blackazarro

User avatar

Sr. Member
Sr. Member

Posts: 368

Joined: Sun Aug 13, 2006 5:31 pm

Post Wed Feb 27, 2008 12:22 am

Re: Malzilla

Yeah, the thing is our security department is pretty new and it is not isolated from normal users. But anyways, I just don't want anybody passing by to take a peek at my credentials, even my colleagues. Just a little paranoid.

Got a question, on what occasion is Clipboard Monitor best used?
Security+, OSCP, CEH
<<

bobby

Newbie
Newbie

Posts: 8

Joined: Tue Feb 26, 2008 12:40 pm

Post Wed Feb 27, 2008 11:43 am

Re: Malzilla

I use the Clipboard monitor on some forums/boards where pretty big lists of malware links are posted, and the links are mostly scrambled by turning "http" into "hxxp" or similar (precaution to not have clickable link).
As no download manager detects these, I use Malzilla to catch them from clipboard. I save the list then and download the content either from Malzilla or from some other download manager.

Thats the lazy way to do this.
One can always copy/paste these lists to any text editor and search/replace the hxxt with http, and then use such list in download manager or where he needs it.
<<

bobby

Newbie
Newbie

Posts: 8

Joined: Tue Feb 26, 2008 12:40 pm

Post Wed Feb 27, 2008 12:20 pm

Re: Malzilla

I'm re-doing the proxy thing this evening.
As for now, the proxy user name and pass are saved in settings.ini file.
Is that also a problem?

Should I do it this way:
- extra option "Hide user name and pass"
- if the option is checked than do not save this data into setting.ini
- if the option is not checked than show data while typed, and do save to settings.ini
<<

blackazarro

User avatar

Sr. Member
Sr. Member

Posts: 368

Joined: Sun Aug 13, 2006 5:31 pm

Post Wed Feb 27, 2008 7:07 pm

Re: Malzilla

Bobby, I'll definitely appreciate the extra option and not save this data into setting.ini.
Security+, OSCP, CEH
<<

blackazarro

User avatar

Sr. Member
Sr. Member

Posts: 368

Joined: Sun Aug 13, 2006 5:31 pm

Post Wed Feb 27, 2008 7:10 pm

Re: Malzilla

Oh yeah forgot, you have my vote to leave the Clipboard Monitor feature. If you don't want to use it, you can always disable it.
Security+, OSCP, CEH
<<

bobby

Newbie
Newbie

Posts: 8

Joined: Tue Feb 26, 2008 12:40 pm

Post Thu Feb 28, 2008 4:31 pm

Re: Malzilla

Uploaded new snapshot:
http://sourceforge.net/project/showfile ... _id=242804

Please test and report suggestions/bugs

regards
bobby
Next

Return to Malware

Who is online

Users browsing this forum: No registered users and 0 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software