Metasploit mailing list archives
Re: New Javascript Packer: JSidle
From: Spring Systems <korund () hotmail com>
Date: Tue, 13 Jul 2010 11:11:54 +0000
Hi,

Just played with a custom-encoded adobe_flashplayer_newfunction PDF exploit, and found that Kaspersky AV doesn't allow a specific operation with the SWF file included in the exploit (seems it doesn't allow the write operation). I can still open the PDF file; KAV does not delete the file and doesn't flag it as a virus. Is it possible to encode the SWF itself?

Regards,
spring
Date: Mon, 12 Jul 2010 19:30:14 +0200
From: sven.taute () gmail com
To: miguelrios35 () yahoo com
CC: framework () spool metasploit com
Subject: Re: [framework] New Javascript Packer: JSidle

Thanks for testing. I think it is very difficult to permanently circumvent the detection of malicious JavaScript in PDF files. In contrast to web-based exploits, AV can flag the usage of JS obfuscation as malicious, though it does not see the real exploit (therefore the "generic" detection). In the first development phase I only targeted web-based exploits; the usage for PDFs was more of a side product.

- Sven

On Sun, 11 Jul 2010 10:59:53 -0700 (PDT) Miguel Rios <miguelrios35 () yahoo com> wrote:

Well, just thought I'd share my results with NOD after applying the JSidle patch for the new icon Adobe exploit. Bottom line, NOD still flags it as PDF/Exploit.Gen. Tried encrypting it also and it did cut down on detections, but NOD still flags it as PDF/Exploit.Gen. Seems NOD is doing a pretty good job in flagging malicious PDFs.

--- On Sat, 7/10/10, Jonathan R <agentsmith15 () gmail com> wrote:

From: Jonathan R <agentsmith15 () gmail com>
Subject: Re: [framework] New Javascript Packer: JSidle
To: "Miguel Rios" <miguelrios35 () yahoo com>, framework () spool metasploit com
Date: Saturday, July 10, 2010, 11:15 PM

NOD prides themselves on having one of the best heuristics engines, so I believe NOD would mark the PDF as suspicious and not as a specific threat. You can do what many malware writers do and split the PDF into multiple parts, and you can narrow the range of where/what in the PDF is getting flagged. Then change things accordingly. This idea of delaying code to bypass detection has been brought up before by well-known virus writers like Z0mbie and Second Part To Hell/[rRlf].

http://vxheavens.com/lib/vzo23.html <--- Z0mbie's paper
http://www.hack0wn.com/view.php?xroot=72.0&cat=papers <--- SPTH/rRlf

This is all based upon the fact that an anti-virus like Norton or NOD can only spend about 3 or 4 seconds on each file. Otherwise an AV scan would take too long.

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
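The "generic" detection Sven describes above, flagging a PDF because its JavaScript shows obfuscation markers rather than because a specific exploit is recognised, can be illustrated with a small heuristic scanner. The following is an added example written for this archive page; it is not code from the thread, from Metasploit or from JSidle. The PDF samples are constructed inline, and the marker list, regexes and the "two or more indicators" threshold are assumptions chosen for illustration, not any vendor's real signatures. It goes slightly beyond the thread in that it also inflates FlateDecode streams, since JavaScript in a PDF is commonly stored compressed.

```python
import re
import zlib

# Structural keys that show a PDF can run script or launch something on open.
STRUCTURE_MARKERS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch"]

# Obfuscation indicators a generic heuristic tends to key on (assumed list).
OBFUSCATION_PATTERNS = {
    "eval": re.compile(rb"\beval\s*\("),
    "unescape": re.compile(rb"\bunescape\s*\("),
    "fromCharCode": re.compile(rb"String\.fromCharCode"),
    # a run of 8+ %XX or \xXX escapes is a typical packed-string signature
    "hex_escape_run": re.compile(rb"(?:%[0-9a-fA-F]{2}){8,}|(?:\\x[0-9a-fA-F]{2}){8,}"),
}


def inflate_streams(pdf: bytes) -> list:
    """Return the raw file plus the decompressed body of every FlateDecode stream."""
    chunks = [pdf]
    for m in re.finditer(rb"/FlateDecode.*?stream\r?\n(.*?)\r?\nendstream", pdf, re.S):
        try:
            chunks.append(zlib.decompress(m.group(1)))
        except zlib.error:
            # Corrupt or truncated stream: a scanner must keep going, not crash.
            continue
    return chunks


def scan_pdf(pdf: bytes) -> dict:
    """Classify a PDF as clean / contains JavaScript / suspicious (generic)."""
    structure = [m.decode() for m in STRUCTURE_MARKERS if m in pdf]
    hits = {}
    for chunk in inflate_streams(pdf):
        for name, pat in OBFUSCATION_PATTERNS.items():
            n = len(pat.findall(chunk))
            if n:
                hits[name] = hits.get(name, 0) + n
    has_js = "/JavaScript" in structure or "/JS" in structure
    if has_js and len(hits) >= 2:          # assumed threshold: two distinct indicators
        verdict = "suspicious: obfuscated JavaScript (generic)"
    elif has_js:
        verdict = "contains JavaScript"
    else:
        verdict = "clean"
    return {"structure": structure, "obfuscation": hits, "verdict": verdict}


def build_stream_pdf(js: bytes) -> bytes:
    """Constructed minimal PDF whose JavaScript lives in a FlateDecode stream."""
    body = zlib.compress(js)
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
        b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n"
        b"4 0 obj << /Length " + str(len(body)).encode()
        + b" /Filter /FlateDecode >>\nstream\n" + body + b"\nendstream\nendobj\n"
        b"%%EOF\n"
    )


# Constructed samples (not real-world files).
NO_JS_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

PLAIN_JS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS (app.alert\\(\"hello\"\\);) >> endobj\n"
    b"%%EOF\n"
)

# Harmless script dressed up with the markers a packer would leave behind.
OBFUSCATED_JS = (
    b'var s = unescape("%61%70%70%2e%61%6c%65%72%74%28%31%29"); '
    b"eval(String.fromCharCode(115));"
)
OBFUSCATED_PDF = build_stream_pdf(OBFUSCATED_JS)

if __name__ == "__main__":
    for label, sample in [("no-js", NO_JS_PDF), ("plain-js", PLAIN_JS_PDF),
                          ("obfuscated", OBFUSCATED_PDF)]:
        print(label, scan_pdf(sample))
```

The point the scanner makes is the one in the thread: it never needs to understand what the script does. The obfuscated sample is flagged purely because unescape, eval, String.fromCharCode and a long percent-escape run all appear together, while the same PDF with a plain script only gets the milder "contains JavaScript" verdict. That is also why packing alone tends to raise rather than lower a generic detection score.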