Author Topic: Anubis Sandbox now analyses malicious URLs  (Read 5632 times)

0 Members and 1 Guest are viewing this topic.

October 21, 2008, 11:52:58 am
Read 5632 times

JohnC

  • Special Members
  • Hero Member

  • Offline
  • *

  • 1964
http://anubis.iseclab.org/?action=home

From the Anubis homepage: "Choose the URL that you want to analyze. The URL will be analyzed in Internet Explorer."

http://82.103.138.10/ls/?t=24
http://anubis.iseclab.org/?action=result&task_id=fb15235604d4de54e567328a554ea63e&format=html
http://24aspx.com/cgi-bin/index.cgi?script
http://anubis.iseclab.org/?action=result&task_id=e165f2dbe72bc0343536d28331ac29af&format=html
http://lite.ff-freehosting.com/vip/index.php
http://anubis.iseclab.org/?action=result&task_id=483203831f3ccc444d332fff83ef7202&format=html
http://pluscount.net/strong/190/
http://anubis.iseclab.org/?action=result&task_id=0cf77d3101999b24511f7f96c1beaaed&format=html
http://nudestaff.com/x/
http://anubis.iseclab.org/?action=result&task_id=112c48d1012dac34313c5bacc3e13e7e&format=html


A fully updated Internet Explorer I would be guessing. Those sites get a threat rating of 1/2/3/4 out of 10. They are drive-by-download sites. What would cause a site to have a higher threat rating?

http://www.wrmfwp.cn/one/a26.htm
http://anubis.iseclab.org/?action=result&task_id=2f785cc2f9c0a6d4898aec5170013747&format=html
http://wsxhost.net/count.php?o=2
http://anubis.iseclab.org/?action=result&task_id=69cbdd42040facf4a10f763f5144554d&format=html
http://adwords.google.com.index.main.update.qwertycn.cn/myspace.cn/index.php
http://anubis.iseclab.org/?action=result&task_id=fdd6d7902ba180c42973b4c1319ababe&format=html
http://66.212.19.146/g/index.php
http://anubis.iseclab.org/?action=result&task_id=7d951187accd11e479a9f9fe995f7b02&format=html

It now also has an advanced submission page: http://anubis.iseclab.org/?action=advanced_form

So that if there are any dependencies which would normally stop the file from running as it should, you can upload them aswell.

Before these changes were implemented the site had been down for about a week. So there may have been changes made to the regular file analysis service aswell. I have not checked yet.

October 22, 2008, 06:41:38 pm
Reply #1

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1689
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

October 23, 2008, 01:43:28 pm
Reply #2

JohnC

  • Special Members
  • Hero Member

  • Offline
  • *

  • 1964
http://anubis.iseclab.org/?action=result&task_id=b3f0c31552e6f084159e3d1f226e75a1

Quote
Error - No Executable File
Unfortunately your file could not be executed.
Either your file is not a valid Windows executable or some of its startup-dependencies have not been met.

According to the Unix file command your file is of the following type:
MS-DOS executable, MZ for MS-DOS

Back to the start

Shouldn't it be able to run it with ntvdm.exe?


October 23, 2008, 02:28:54 pm
Reply #3

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3323
It's not a MS-DOS executable. It is a PE file, but something is wrong with the file.
It looks like someone has replaced all zeroes by 20h (space).
Ruining the bad guy's day


October 23, 2008, 04:24:25 pm
Reply #5

sowhat-x

  • Guest
First Cutwail.exe uploaded above is not a valid PE file (at first glance,it seems to be download-corrupted).
Cutwail.bin is a valid PE file,and here's what it extracts...password is "infected",as usual...

...and urls in plain text view there?Heh...that's something we're not really used to,he-he...  :D
Quote
hxxp://bestdiabetesdrugs.com/?
hxxp://mexicandrugstor.com/?
hxxp://superdrugsworld.com/?
hxxp://superdrugssite.com/?
hxxp://bestanxietydrugs.com/?
hxxp://georgescheapdrugs.com/?
hxxp://buydrugsonlinehere.com/?
hxxp://ulcerdrugsonline.com/?
hxxp://bestdrugsinternational.com/?
hxxp://besttopicaldrugs.com/?

October 25, 2008, 03:57:16 pm
Reply #6

Kayrac

  • Guest
apparently someone mentioned that the scanner simply checks if the website does any modifications, flash or java, appear to give the website a 'high risk rating' for 'file changes' etc

weird

for comodo.com

http://anubis.iseclab.org/?action=result&task_id=24ee6cf752bd1924058a4e692b9f2e70&format=html

and many many others it does the same thing.......looks like they still got some work to do :)