Comments on: Sampling a Malicious Site http://blog.didierstevens.com/2008/08/10/sampling-a-malicious-site/ (blog \'DidierStevens) Mon, 10 Jun 2013 08:49:54 +0000 hourly 1 http://wordpress.com/ By: suggested reading | VistaSpyware.com http://blog.didierstevens.com/2008/08/10/sampling-a-malicious-site/#comment-33488 Sat, 20 Sep 2008 01:44:07 +0000 http://didierstevens.wordpress.com/?p=544#comment-33488 [...] Sa­mpli­n­g a­ Ma­li­ci­o­u­s Si­te « Di­di&…a nice l­it­t­l­e video­­ sh­o­­wing t­h­e ex­t­r­act­io­­n o­­f­ mal­war­e f­r­o­­m a mal­icio­­us sit­e… [...]

]]> By: Pocket Virus Lab « Didier Stevens http://blog.didierstevens.com/2008/08/10/sampling-a-malicious-site/#comment-33423 Thu, 04 Sep 2008 18:57:57 +0000 http://didierstevens.wordpress.com/?p=544#comment-33423 [...] Pocket Virus Lab Filed under: Hardware, Malware, nslu2 — Didier Stevens @ 18:57 Slugs are versatile little machines. I installed Slugos on my NSLU2, followed by the tools I used in my sampling video. [...]

]]> By: randy http://blog.didierstevens.com/2008/08/10/sampling-a-malicious-site/#comment-33320 Tue, 12 Aug 2008 13:38:44 +0000 http://didierstevens.wordpress.com/?p=544#comment-33320 Thanks for the video! It’s always nice to see how other professionals conduct their work for a self check.

I’ve been conducting analysis with basically the same methodology as you show here and it works great. What I wasn’t doing was automating stuff with the use of extractscripts and your modified spidermonkey. You can bet that I will be now though! Much nicer than writing a Perl or ruby script to deobfuscate the JavaScript. ;)

One added step I like to do is use the sandbox at Sunbelt Software to see what file/registry/network activity an executable causes. Helps when manually verifying if a system is truly infected or not. [http://research.sunbelt-software.com/Submit.aspx]

Keep up the great posts!

]]> By: Dave http://blog.didierstevens.com/2008/08/10/sampling-a-malicious-site/#comment-33311 Mon, 11 Aug 2008 16:42:29 +0000 http://didierstevens.wordpress.com/?p=544#comment-33311 Thank you for such a fascinating tour of what you do, and how to do it safely. I must admit that I don’t use Linux much but you’ve certainly stimulated me into investigating.

I have used wget.exe to download .html files then I’ve opened them into Notepad (or Notepad++). I’ve resorted to putting in the line breaks etc. manually and eventually come across the file name of the malicious executable(s) within the JavaScript. Your way is much more elegant!

I’ll be on the lookout for malicious sites and investigate further. I get a number of spam e-mails from banking sites (which I see via my webmail) so I think that one of these will be the topic for my investigation.

]]>