Hi malware fighters,
For those that are on the hunt for analyzing malicious websites: http://www.h-online.com/security/features/Tracking-down-malware-949079.html
Malzilla is a tool that should be used in a virtual environment and by users that know what they are doing,
polonus
Hi malware fighters and those evangelists among us that are into analyzing suspicious websites,
A simple way is to encode a URL via base64 or via the Universal Character Set (UCS): https://secure.wikimedia.org/wikipedia/en/wiki/Universal_Character_Set
About URL analysis and URL obfuscation I have put up various postings here:
http://forum.avast.com/index.php?topic=58761.0
http://forum.avast.com/index.php?topic=51854.0
http://forum.avast.com/index.php?topic=58761.msg496175#msg496175
http://forum.avast.com/index.php?topic=60310.0
http://forum.avast.com/index.php?topic=57964.0
A lot of info on a particular URL can be obtained via a robtex search,
to analyze a specific combination of header + URL there is now a new service tool with URLVoid:
http://www.urlvoid.com/extract-url/
http://www.urlvoid.com/url-dump/
For further analysis there are various ways open to you. Always remember to use this only when you know exactly what you're doing and in the right precautionary settings (normal user account, NoScript installed and active, or preferably virtual surroundings), because when the code spills over you might infect yourself or users on your Internet connection…then there is jsunpack, there is JsLint, wepawet and anubis, various malware analysis sites for background information, Prevx etc. etc. Also start to check out URLVoid, Unmasked Parasites, Norton Safe Web,
make searches like: http://www.malwaredomainlist.com/mdl.php?search=fake+av&colsearch=All&quantity=50
and combine all these resources, because no single service finds them all. Additional scanning of all the iFrames and using the ICF extension on a particular website address gives you more information.
Have this nice add-on inside the Mozilla browser: Malware search 0.9.1.
https://addons.mozilla.org/en-US/firefox/addon/6718/
Always make links non-click-through to protect the curious from getting infected or the uneducated from clicking an active malcode link, by putting addresses in your posting written like hxtp or htxp or wxw or wXw and dots like * for .
Never put code as
v*r & docum*nt wr*te
for instance, if the code is really suspicious and found by the avast shield the alarm will go off and even if the code is not harmless and without payload it could give the unaware and non-educated almost a live panic attack…if they do not know what is actually happening and why…
Also know that searching with jsunpack (ONLY FOR EXPERTS) may set off the avast shield if code is being recognized or parts of suspicious or malicious code are found by it…
When finding flags or scripts that are suspicious, make cropped screenshots of those and give them for instance as an attached image. More to follow…good hunt, my dear friends,
polonus