Metasploit mailing list archives

Re: New Javascript Packer: JSidle


From: Miguel Rios <miguelrios35 () yahoo com>
Date: Tue, 13 Jul 2010 03:02:43 -0700 (PDT)

No problem. Glad to help out.
Although after much messing around with the framework I got myself into a bit of trouble:

msf exploit(adobe_geticon) > exploit

[-] Exploit failed: uninitialized constant Rex::Exploitation::JSidle
[*] Exploit completed, but no session was created.

Why am I getting the uninitialized constant error? I must have broken something. Anyone else getting this error?

--- On Mon, 7/12/10, Sven Taute <sven.taute () gmail com> wrote:

From: Sven Taute <sven.taute () gmail com>
Subject: Re: [framework] New Javascript Packer: JSidle
To: "Miguel Rios" <miguelrios35 () yahoo com>
Cc: framework () spool metasploit com, "Jonathan R" <agentsmith15 () gmail com>
Date: Monday, July 12, 2010, 5:30 PM

Thanks for testing. I think it is very difficult to permanently 
circumvent the detection of malicious javascript in PDF files. In
contrast to web-based exploits, AV can flag the usage of JS obfuscation
as malicious, though it does not see the real exploit (therefore the
"generic" detection).

In the first development phase I only targeted web-based exploits - the
usage for PDFs was more of a side product.

- Sven


On Sun, 11 Jul 2010 10:59:53 -0700 (PDT)
Miguel Rios <miguelrios35 () yahoo com> wrote:

Well, just thought I'd share my results with NOD after applying the
jsidle patch for new icon adobe exploit. Bottom line, NOD still flags
it as PDF/Exploit.Gen. Tried encrypting it also and it did cut down
on detections but NOD still flags it as PDF/Exploit.Gen. Seems NOD is
doing a pretty good job in flagging malicious PDFs.

--- On Sat, 7/10/10, Jonathan R <agentsmith15 () gmail com> wrote:

From: Jonathan R <agentsmith15 () gmail com>
Subject: Re: [framework] New Javascript Packer: JSidle
To: "Miguel Rios" <miguelrios35 () yahoo com>, framework () spool metasploit com
Date: Saturday, July 10, 2010, 11:15 PM

NOD prides itself on having one of the best heuristics engines, so
I believe NOD would mark the PDF as suspicious and not a specific
threat. You can do what many malware writers do and split the PDF into
multiple parts and you can narrow the range of where/what in the PDF
is getting flagged. Then change things accordingly.


This idea of delaying code to bypass detection has been brought up
before by well known virus writers like Z0mbie and Second Part To
Hell/[rRlf].
http://vxheavens.com/lib/vzo23.html   <--- Z0mbie's Paper
http://www.hack0wn.com/view.php?xroot=72.0&cat=papers   <--- SPTH/rHlf

This is all based upon the fact that an anti-virus like Norton or NOD
can only spend about 3 or 4 seconds on each file. Otherwise an AV scan
would take too long.
