Tag Archive: VirusTotal


Content In Brief

An exploit kit, namely The KaiXin Exploit Kit, was discovered roughly 4 months ago by the malware analyst community. I also posted a decent report of this malware back in August. Since then, KaiXin has made another go for it, introducing Version 1.1, which was blogged today by Eric Romang.

I immediately set out to compare file sizes and detection numbers on VirusTotal. What I found out was rather shocking. Check out the results of 2 different variants, both shellcode exploits [Note: names are randomly generated, but the sizes of the files are so similar as to assume they are different variants]:

KaiXin Version 1.0 (cLpl7.html)
[NEW] KaiXin Version 1.1 (JSZlR.html)

KaiXin Version 1.0 (gADSr.html)
[NEW] KaiXin Version 1.1 (WysBRr.html)

The detection rate is lower than before. Why is that?

Keep searching,
~!Donovan

List of Tools and Their Use

WEBSITE ANALYSIS


Automated Analysis:

Evuln Web Security – XSS & SQL injection tests, iframes, JavaScript, and search redirects

urlQuery – Domain map, deobfuscated results, site preview, even IDS alerts

Quttera – Friendly UI with detailed reports

Wepawet – Deobfuscated results, network activity, activeX controls, even shellcode

Comodo SiteInspector – Blacklisting, phishing, malicious, suspicious, and download activity

Unmask iFrame – Find all iframes in a given URL

Sucuri SiteCheck – Blacklisting, malware, redirects, outdated software

Zulu zScanner – Host, url, and content checks

Unmask Parasites – Searches for long lines and hidden iframes


Website Returns & Responses:

JSunpack – All webpage returns including deobfuscated content

HTML Sniffer – Check the content of a webpage with various requests

Redleg File Viewer – Search URLs for suspicious elements

vURL – Dissect URLs for external links, scripts, and iframes


Deobfuscators & Beautifiers:

jsBeautify – Make JavaScript readable

Unescape Decoder – Decode unescape()

Dean Edwards Unpacker – Decode Dean Edwards’ algorithm

Encode Decode – Deobfuscate Shifted unescape()

Base64 Decoder – Decode Base64

PHP Deobfuscator – Decode common PHP obfuscation functions


Blacklists:

CleanMX – Various different queries available with quick-updates

Malware Domain List – A complete list of malicious domains

urlVoid – Check with over 25 different engines

ScanURL – Check with 3 different URL scanners

BadMalWeb – Find malicious websites in a virtually unlimited database

Google SafeBrowsing – Check for malicious activity

Webutation – Reputation check

RBL Blacklist – Check with over 25 private blacklists

RBLS Blacklist – Check with over 15 private blacklists

VirusTotal – Check with over 30 different URL scanners


Latest Exploits:

Emerging Threats – The latest malicious exploits and trends

Malware Analysis Search – A custom Google search just for analysts

1337day – Database of exploits for security researchers

Intelligent Exploit – Joomla, WordPress, and other common software exploits

CXSecurity – Latest CVE exploits

Exploit Database – Various exploits, including remote, local, and web categories

CVE Details – Details of CVE exploits

Exploit Search – Search various CVE exploits

OWASP – Exploit algorithms explained and prevention

FILE ANALYSIS


Comodo Analysis – Events, mutexes, threads, and more

VirusTotal – Check against 40 different antivirus engines

CWSandbox – Arguably the most specific file analysis

Anubis – Network, file, and registry activities

Bleeping Computer Startups – List of good/bad startup entries

Malwr – Screenshots, process tree, behavioral analysis

Minotaur Analysis – Screenshots, domain information, video analysis

Shellcode 2 Exe – Convert shellcode to an exe

Avast! Online Scan – Scan using avast’s engine

Is This File Safe? – Check if file is blacklisted as malicious

Dr.Web Online Check – Scan using Dr.Web’s engine

VX Vault – Search the file’s MD5 in a top-notch database

Note that the above lists are ordered based on how useful I find each site. Maybe I’ll have enough time to make an application featuring many of these sites’ features. Many of these sites were found by Polonus.

Put these tools to good use,
~!Donovan