Metasploit mailing list archives

Re: New Javascript Packer: JSidle


From: Miguel Rios <miguelrios35 () yahoo com>
Date: Sat, 10 Jul 2010 07:10:16 -0700 (PDT)

Yes, thanks for your contribution. I just took a quick look at your code and it looks pretty innovative. Of course 
there will inevitably be a delay which could have an effect on the different exploits, but I like the idea.

Regarding Metasploit's ability to create PDFs, I wonder if it's possible to use an existing PDF rather than the blank 
one. That way, if the client is not vulnerable, he'll see a nice PDF and not become suspicious. Also, it may be easier to 
hide from AV if you have a bigger legit PDF to play with. Finally, I have noticed that NOD32 detects the Metasploit 
produced PDFs when they're encrypted (an easy, simple way that cuts down on detections), which seems counterintuitive. 
Trying to get the newer libtiff and adobe_flashplayer_newfunction exploits past AVs is getting harder and harder, so 
your JavaScript packer is a welcome addition. If anyone knows what NOD is keying on in the libtiff and flashplayer PDFs, do 
let me know please.

--- On Sat, 7/10/10, Spring Systems <korund () hotmail com> wrote:

From: Spring Systems <korund () hotmail com>
Subject: Re: [framework] New Javascript Packer: JSidle
To: framework () spool metasploit com
Date: Saturday, July 10, 2010, 1:26 PM

Thanks for the good add-on.
Is the JSidle packer concept based on delivering the script with a time delay? Will this affect the execution speed of 
the exploit?

The other good thing would be to implement a polymorphic encryption algorithm, to make JavaScript code that can 
transmute and protect itself.
This will provide very good protection.

Regards,
spring



Date: Sat, 10 Jul 2010 00:34:49 +0200
From: sven.taute () gmail com
To: framework () spool metasploit com
Subject: [framework] New Javascript Packer: JSidle

Hi all,

I developed a new JavaScript packer that should solve the current
problems with AV detection and perform better than the existing
obfuscators.
It uses some new concepts explained in a blog post and in more detail
in the latest issue of the HITB magazine:
http://relentless-coding.blogspot.com/2010/07/new-javascript-packer-jsidle.html
http://magazine.hitb.org

The code is available here: http://github.com/svent/jsidle
Patches for Metasploit: http://github.com/svent/jsidle/tree/master/metasploit/

I patched two existing exploit modules to show the usage, the aurora
exploit for web-based ones and the adobe_geticon exploit to show the
usage for PDF files.
The JavaScript part of web-based exploits should not be detected by AV
(using static analysis). VirusTotal detection for the PDF dropped from
17/41 to 9/41 - as obfuscation is not that common in PDF files, some
scanners still flag the file as suspicious using a generic detection.

- Sven
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework





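The question raised in the thread (does a time-delay packer slow the exploit down, and by how much) is easiest to see on a working toy. The block below is an added example written for this archive page; it is not Sven's JSidle code nor any of the Metasploit patches. It assumes one plausible way to turn time into a defence: the packer encrypts the script, discards the key and stores only a hash of it, so the unpacker has to brute-force the key at runtime. A browser spends a fraction of a second on that; an AV emulator with a fixed execution budget gives up before the script ever decrypts. Whether JSidle does exactly this is described in the linked blog post and HITB article, not on this page. All helper names (fnv1a32, keystream, pack, unpack) and the sample script are constructed for the example.

```javascript
"use strict";

// FNV-1a 32-bit hash over a string's UTF-16 code units (constructed helper).
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h >>> 0;
}

// Keystream from a 32-bit key via xorshift32, one byte per position, so
// the XOR is not a single repeated byte that a scanner could strip trivially.
function keystream(key, length) {
  let x = ((key + 0x9e3779b9) >>> 0) || 1; // never start from the all-zero state
  const out = new Uint8Array(length);
  for (let i = 0; i < length; i++) {
    x ^= x << 13; x >>>= 0;
    x ^= x >>> 17;
    x ^= x << 5; x >>>= 0;
    out[i] = x & 0xff;
  }
  return out;
}

function xorBytes(bytes, key) {
  const ks = keystream(key, bytes.length);
  const out = new Uint8Array(bytes.length);
  for (let i = 0; i < bytes.length; i++) out[i] = bytes[i] ^ ks[i];
  return out;
}

// pack: encrypt the script under a key of keyBits bits and throw the key
// away. Only a hash of the key and a checksum of the plaintext are kept.
// keyBits is the knob that trades unpacking delay against emulator budget.
function pack(script, keyBits = 16, key = null) {
  if (key === null) key = Math.floor(Math.random() * 2 ** keyBits);
  const plain = new TextEncoder().encode(script);
  return {
    keyBits,
    keyHash: fnv1a32(String(key)),
    plainHash: fnv1a32(script),
    blob: Buffer.from(xorBytes(plain, key)).toString("base64"),
  };
}

// unpack: walk the key space until a candidate matches the stored key hash
// AND the decrypted text matches the plaintext checksum (so a hash
// collision or a tampered blob cannot hand back garbage). Returns null if
// nothing in the key space verifies.
function unpack(packed) {
  const bytes = Buffer.from(packed.blob, "base64");
  const limit = 2 ** packed.keyBits;
  const t0 = Date.now();
  for (let k = 0; k < limit; k++) {
    if (fnv1a32(String(k)) !== packed.keyHash) continue;
    const script = new TextDecoder().decode(xorBytes(bytes, k));
    if (fnv1a32(script) === packed.plainHash) {
      return { script, key: k, tried: k + 1, ms: Date.now() - t0 };
    }
  }
  return null;
}

// Demo on a constructed, harmless stand-in for an exploit's JavaScript.
const original = 'var s = unescape("%u9090"); alert("payload would go here");';
const packed = pack(original, 18);
const result = unpack(packed);
console.log(result.tried + " keys tried in " + result.ms + " ms, key=" + result.key);
console.log(result.script === original ? "script recovered" : "FAILED");
```

Raising keyBits by one doubles the worst-case delay, which is the execution-speed cost Spring asks about. From the detection side, note what survives static analysis even though the plaintext is gone: a high-entropy base64 blob next to a tight loop that hashes an incrementing counter and compares it against a constant is itself a signature, which is the kind of generic flag Sven reports for the PDF case.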