Posted on Wednesday, 30th March 2011 by Michael

Detecting malicious code in webpages iScanner and iScan Script

iScanner is developed by the folks over at iSecur1ty.org; the latest code update was in September 2010. iScanner is a Ruby-based application with many features:

Current Features:

  • Ability to scan one file, directory or remote web page / website.
  • Detect and remove website malware and malicious code in web pages. This includes hidden iframe tags, JavaScript, VBScript, ActiveX objects, suspicious PHP code and some known malware.
  • Extensive log shows the infected files and the malicious code.
  • Support for sending email reports.
  • Ability to clean the infected web pages automatically.
  • Easy backup and restore system for the infected files.
  • Simple and editable signature based database.
  • You can easily send a malicious file to the iScanner developers for analysis.
  • Ability to update the database and the program easily from iScanner's server.
  • Very flexible options and easy to use.
  • Fast scanner with great performance.
  • Yes, it's FREE!!

I found this tool extremely interesting and started playing with it. Overall it is a great tool, though I found it was missing some functionality that I wanted:

1. It does not have a flag to index and scan the whole site for malicious code.

2. The database is extremely small and does not detect some common variations of the C99 shell.

To resolve the first issue I used the Ruby module Hawler and a modified version of htmap, created by John Hart of Spoofed.org. This gave me an index of every link found on the URL you want to scan. With that list I wrote a simple shell script that loops through it, scanning each page. I even went as far as to output only the infected pages into a report for easy reference.

To resolve the second issue I created my own database based on information I found on the internet and on personal research. I found a web tool like Rubular (http://www.rubular.com/) great for testing my regex strings. We are also experimenting with downloading known malicious URL lists and automatically creating signatures to use in the scans. We will be releasing this code in our next article.

For testing purposes we created the following signature and added it to the database:

a) -- 9.3
b) - (eval)
c) - PHP 'eval' functions detected, possible encoded malicious code.
d) - MU:RE

  • Bullet (a) is the signature number; this should be unique for your reporting.
  • Bullet (b) is the regex string. The regex string is enclosed in parentheses.
  • Bullet (c) is a comment describing the malicious code.
  • Bullet (d) holds the flags: they tell the app to match the regex across multiple lines and to also check this signature when scanning remotely.
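To make the signature format and the "loop over the crawled pages, report only the infected ones" step concrete, here is an added example in Ruby. It is not iScanner's own code and not the iscan.sh script from the zip; it is a small reimplementation of what the post describes, and it makes a few assumptions: the MU flag is mapped to Ruby's /m option so that `.` spans line breaks, a signature without RE is applied to local files only and skipped when scanning a remote URL, and the parentheses around the regex are kept as a capture group so the matched code can be logged. Signature 9.3 is the post's test signature; signature 9.4, the PAGES hash and every page body are constructed for the example.

```ruby
# Added example (not iScanner's code, not the author's iscan.sh): a small
# reimplementation of the signature format described in the post, plus the
# "loop over crawled pages and report only the infected ones" step.
# Assumptions: MU maps to Ruby's /m option so '.' spans newlines; a signature
# without RE is applied to local files only, not when scanning a remote URL;
# the parentheses around the regex are kept as a capture group so the matched
# code can be logged. Signature 9.4 and all page contents are constructed.

Signature = Struct.new(:id, :regex, :comment, :flags)

# Signature 9.3 is the post's test signature; 9.4 is a constructed one that
# needs MU because '.' has to cross a line break inside the script block.
SIGNATURE_DB = <<~'DB'
  -- 9.3
  - (eval)
  - PHP 'eval' functions detected, possible encoded malicious code.
  - MU:RE
  -- 9.4
  - (<script[^>]*>.*?unescape\s*\(.*?</script>)
  - Constructed: script block that decodes its payload with unescape().
  - MU
DB

# Parse "-- id" / "- regex" / "- comment" / "- FLAG:FLAG" records.
def parse_signatures(text)
  records = []
  text.each_line do |raw|
    line = raw.strip
    next if line.empty?
    if line.start_with?('--')
      records << { id: line.sub(/\A--\s*/, ''), fields: [] }
    elsif line.start_with?('-') && !records.empty?
      records.last[:fields] << line.sub(/\A-\s*/, '')
    end
  end
  records.map do |r|
    pattern, comment, flag_str = r[:fields]
    raise ArgumentError, "signature #{r[:id]} needs regex, comment and flags" if flag_str.nil?
    flags = flag_str.split(':')
    options = flags.include?('MU') ? Regexp::MULTILINE : 0
    Signature.new(r[:id], Regexp.new(pattern, options), comment, flags)
  end
end

# Run every applicable signature over one page body; return a list of hits.
def scan_page(body, signatures, remote:)
  signatures.each_with_object([]) do |sig, hits|
    next if remote && !sig.flags.include?('RE')
    m = sig.regex.match(body)
    next if m.nil?
    hits << { id: sig.id, comment: sig.comment, code: (m[1] || m[0]).strip }
  end
end

# The iscan.sh idea: walk the crawled URL list and keep only infected pages.
def scan_site(pages, signatures, remote: true)
  pages.each_with_object({}) do |(url, body), report|
    hits = scan_page(body, signatures, remote: remote)
    report[url] = hits unless hits.empty?
  end
end

# Constructed stand-in for what the crawler would fetch from the test site.
PAGES = {
  'http://127.0.0.1/index.html' => '<html><body><a href="test.html">test</a></body></html>',
  'http://127.0.0.1/test.html'  => "<html><body>\n<?php eval(base64_decode('Li4u')); ?>\n</body></html>",
  'http://127.0.0.1/about.html' => "<script>\nvar s = unescape('%41%42');\ndocument.write(s);\n</script>",
}

if __FILE__ == $PROGRAM_NAME
  sigs = parse_signatures(SIGNATURE_DB)
  scan_site(PAGES, sigs, remote: true).each do |url, hits|
    puts "INFECTED #{url}"
    hits.each { |h| puts "  [#{h[:id]}] #{h[:comment]} -> #{h[:code]}" }
  end
end
```

Run with remote: true, only test.html is reported, because signature 9.4 carries no RE flag; run against local files (remote: false) about.html is reported as well, and only because MU lets the regex cross the line break inside the script block.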

For more information on creating custom signature files, check out the README file that comes with iScanner; it is extremely easy to follow.

So let's take a look at how to install all of this and how to use the iScan script:

1. Make sure you are running Linux and have Ruby installed, or the ability to install Ruby.

2. Install the Hawler Ruby gem: gem install --source http://spoofed.org/files/hawler/ hawler. If any dependencies are needed, make sure you install them as well.

3. Download the modified version of htmap and iscan.sh (found in the zip file with the rest of the scripts from this article): http://www.digitaloffensive.com/files/iscan.zip

4. Download iScanner from: http://iscanner.isecur1ty.org

5. Uncompress iScanner and run the installer.

6. Copy iscan.sh to the directory you want to run it from and edit the variables to suit your needs.

7. chmod 777 iscan.sh (execute permission is all it needs; chmod +x gives that without making the file world-writable), then run it by typing ./iscan.sh and follow the on-screen directions.

a. Using the Hawler gem and the modified htmap you will be able to scan all links on the URL you enter, as well as set how deep you want to crawl. Remember: the deeper you crawl, the longer it will take.

Now that we have all the tools we need let’s create a test environment:

1. You will need a website for this to work. If you do not have one, you can install and run Apache on the Linux box you are working on and use this script against it.

2. Create an index page in the root of the web directory with a single href link to test.html.

3. Create another file called test.html and put the word eval in it, plus anything else you want.

4. Put my test signature in the signature database and save.

5. Run the iScan script and follow the prompts.

a. You will first be prompted for the URL. Use the full domain or the IP here, i.e. www.domain.com, domain.com, or 127.0.0.1; avoid including a /.

b. Enter the depth you want to scan. Since this is a test, set it to 1.

c. Sit back and watch.

This script is pretty basic. We are working on making the reporting better, on adding the ability to grab known malicious URL blacklists and hopefully known malicious code samples, and on increasing the signature database. The only current downside we see in the iScanner app after using our script is that it cannot scan for malicious code inside a database.

If you have comments or questions let me know.


4 Responses to “Detecting malicious code in webpages iScanner and iScan Script”

  1. Andy Says:

    Hi Michael,

    I found this article very interesting. I came across iscanner as well and was looking for other database entries to add, like you mentioned the c99shell. I was wondering if you can provide your database to the public, as you mentioned it in this article?

    thanks in advance
    andy

  2. Michael Says:

    Andy, the URL to my download was broken. I have corrected it. I do not think I included my test database, and I have not worked on this much since, due to work.

  3. Karin Says:

    I am preparing a demonstration of iScanner for a grad class I am taking and would like to also demonstrate iScan. However, I am having some technical difficulties (all me) getting it to work. I am not well-versed with Ruby; however, the aptitude is there. I have all the required files installed. These are the errors I am receiving:

    cat: 192.168.1.120-map.dot: No such file or directory
    sed: couldn’t open file /root/iclean: No such file or directory

    If possible, any assistance would be appreciated. Thanks.

  4. Michael Says:

    Karin,

    Look at line 28 of iscan.sh; it calls that file. If it can't find that file it will give that message. Make sure your variables are correct at the top and that you are running it within the same directory. If you still have issues, please send more details on what you are doing, with sample files, so I can help you further. Please email me at mike @ this domain to help you further.
