metasploit-framework July 2010 archive

Re: [framework] New Javascript Packer: JSidle

From: Spring Systems <korund_at_nospam>
Date: Tue Jul 13 2010 - 11:11:54 GMT
To: <sven.taute@gmail.com>, <miguelrios35@yahoo.com>

Hi,

Just played with a custom-encoded adobe_flashplayer_newfunction PDF exploit, and found that Kaspersky AV doesn't allow a specific operation with the SWF file included in the exploit (it seems not to allow the write operation). I can still open the PDF file; KAV does not delete the file and doesn't flag it as a virus.
Is it possible to encode SWF itself?

Regards,
spring

> Date: Mon, 12 Jul 2010 19:30:14 +0200
> From: sven.taute@gmail.com
> To: miguelrios35@yahoo.com
> CC: framework@spool.metasploit.com
> Subject: Re: [framework] New Javascript Packer: JSidle
>
> Thanks for testing. I think it is very difficult to permanently
> circumvent the detection of malicious javascript in PDF files. In
> contrast to web-based exploits, AV can flag the usage of JS obfuscation
> as malicious, though it does not see the real exploit (therefore the
> "generic" detection).
>
> In the first development phase I only targeted web-based exploits - the
> usage for PDFs was more of a side product.
>
> - Sven
>
>
> On Sun, 11 Jul 2010 10:59:53 -0700 (PDT)
> Miguel Rios <miguelrios35@yahoo.com> wrote:
>
>> Well, just thought I'd share my results with NOD after applying the
>> jsidle patch for new icon adobe exploit. Bottom line, NOD still flags
>> it as PDF/Exploit.Gen. Tried encrypting it also and it did cut down
>> on detections but NOD still flags it as PDF/Exploit.Gen. Seems NOD is
>> doing a pretty good job in flagging malicious PDFs.
>>
>> --- On Sat, 7/10/10, Jonathan R <agentsmith15@gmail.com> wrote:
>>
>> From: Jonathan R <agentsmith15@gmail.com>
>> Subject: Re: [framework] New Javascript Packer: JSidle
>> To: "Miguel Rios" <miguelrios35@yahoo.com>, framework@spool.metasploit.com
>> Date: Saturday, July 10, 2010, 11:15 PM
>>
>> NOD prides itself on having one of the best heuristics engines, so
>> I believe NOD would mark the PDF as suspicious and not a specific
>> threat. You can do what many malware writers do and split the PDF into
>> multiple parts, and you can narrow the range of where/what in the PDF
>> is getting flagged. Then change things accordingly.
>>
>>
>> This idea of delaying code to bypass detection has been brought up
>> before by well known virus writers like Z0mbie and Second Part To
>> Hell/[rRlf].
>> http://vxheavens.com/lib/vzo23.html <--- Z0mbie's Paper
>> http://www.hack0wn.com/view.php?xroot=72.0&cat=papers <--- SPTH/rRlf
>>
>> This is all based upon the fact that an antivirus like Norton or NOD
>> can only spend about 3 or 4 seconds on each file. Otherwise an AV scan
>> would take too long.
>>
>>
>>
>>
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework
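Jonathan's suggestion above of splitting the PDF into parts to narrow down where the detection fires can be automated as a bisection against a scanner verdict. The following is an added example, not code from the original thread, from JSidle or from Metasploit; the file bytes and the toy scanner are constructed for illustration, `cli_scanner` is a hypothetical wrapper that assumes a command-line engine which signals a hit through its exit status (clamscan uses 1 for "virus found"), and `locate_trigger` / `mask_range` are names chosen here:

```ruby
require 'tempfile'

# Constructed sample: a minimal PDF-like byte string whose OpenAction carries an
# obfuscated JavaScript string. This is not a real exploit document.
SAMPLE_PDF = [
  "%PDF-1.4\n",
  "1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n",
  "2 0 obj << /S /JavaScript /JS (var a=1; eval(unescape('%75%6e%70%61%63%6b')); ) >> endobj\n",
  "trailer << /Root 1 0 R >>\n%%EOF\n",
].join.b

# Toy scanner standing in for an AV engine: flags any file containing this
# obfuscation idiom. Real engines are opaque; cli_scanner below shells out to one.
TOY_SIGNATURE = "eval(unescape(".b
TOY_SCANNER = ->(bytes) { bytes.b.include?(TOY_SIGNATURE) }

# Return a copy of data with bytes [from, to) overwritten by fill, so every
# offset outside the masked range stays exactly where it was in the original.
def mask_range(data, from, to, fill: "\x00")
  copy = data.b.dup
  copy[from...to] = fill.b * (to - from)
  copy
end

# Find the smallest byte range [start, stop) whose presence keeps the scanner
# flagging the file. Two binary searches: blank a growing tail to find where
# the trigger ends, then blank a growing head to find where it starts.
# Assumes the scanner tolerates blanked-out regions. If the verdict depends on
# several separated parts, the returned range spans all of them.
def locate_trigger(data, scanner)
  data = data.b
  n = data.bytesize
  return nil unless scanner.call(data)

  lo, hi = 0, n # smallest hi such that blanking [hi, n) is still flagged
  while lo < hi
    mid = (lo + hi) / 2
    if scanner.call(mask_range(data, mid, n))
      hi = mid
    else
      lo = mid + 1
    end
  end
  stop = hi

  lo, hi = 0, stop # largest lo such that blanking [0, lo) is still flagged
  while lo < hi
    mid = (lo + hi + 1) / 2
    if scanner.call(mask_range(data, 0, mid))
      lo = mid
    else
      hi = mid - 1
    end
  end
  [lo, stop]
end

# Hypothetical adapter from a command-line scanner to the interface used above.
# Assumption: the command exits with flagged_status when it flags the file
# (clamscan returns 1 for "virus found"); any other status counts as clean.
def cli_scanner(command, flagged_status: 1)
  lambda do |bytes|
    Tempfile.create(['probe', '.pdf']) do |f|
      f.binmode
      f.write(bytes)
      f.flush
      system(*command, f.path, out: File::NULL, err: File::NULL)
      $?.exitstatus == flagged_status
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  start, stop = locate_trigger(SAMPLE_PDF, TOY_SCANNER)
  puts "flagged bytes #{start}...#{stop}: #{SAMPLE_PDF[start...stop].inspect}"
  # Against a real engine (assumed exit-status convention, see cli_scanner):
  #   locate_trigger(File.binread('exploit.pdf'), cli_scanner(%w[clamscan --no-summary]))
end
```

Blanking with NUL bytes keeps every other offset in place, so the range maps straight back to the original file. The trade-off is that an engine may stop treating a PDF as a PDF once its header or xref is blanked; the located range then grows to include those structures and should be read as "the verdict needs this too", not as the signature itself. The range also says nothing about why the engine fired: as Sven notes above, a generic verdict on JS obfuscation lands on the packer, so the range will cover the packed code rather than the exploit inside it.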