Pinpoint Tool Released

There are many times where I come across a drive-by download, especially malvertisements, and it takes me awhile to figure out which file on the compromised website is infected. I wrote Pinpoint to help me find the malicious objects faster so I can provide that info to webmasters for clean-up purposes. My hope is that this tool will be helpful to you as well.

2014-01-02_01

Pinpoint works like wget/curl in that it just fetches a webpage without rendering any script. Pinpoint will then try to determine which links are used to make up the webpage such as Javascript, CSS, frames, and iframes and downloads those files too (some Javascript content will produce incorrect links). The list of links it finds shows up in the document tree on the main window.

At the same time, a log file is created which shows the links and in which file the link resided in. It will also download the file and calculate the “entropy”; the higher the value, the more rubbish characters it found which may help identify obfuscated Javascript.

You can of course spoof the user-agent string and referer values to ilicit a malicious response from the website. There’s also a function to clear your cookies (see Options menu item) since many exploit packs check for the presence of cookies on repeated visits. Use Tor to get another IP address since it’ll get banned usually after the first visit.

Here are a few examples to help you better understand what this program does.

Example #1
Visiting the website in the screenshot below with the appropriate user-agent and referer values reveals a suspicious-looking iframe.

2014-01-02_02

Opening log.txt shows the files that make up the webpage. The second URL from the top looks suspicious and has a 51% entropy value which is not really high but may indicate the presense of some obfuscated Javascript.

2014-01-02_03

By default, there are two other files that are created. The capture.txt contains the HTML source code of all of the pages it fetched. You can see the main webpage and somewhere in there is the malicious iframe. Under that is the HTML source code of the iframed page.

While your computer is safe since none of the scripts are executed, your anti-virus may still detect malicious scripts and trigger an alert (and blacklist my Pinpoint program in the process). Ideally you should be doing all of this in a virtual machine without AV anyway.

2014-01-02_04

The second file that gets created is clean.txt which is a cleaned up version of the HTML source code that just contains Javascript, frame, iframe, calls to external scripts, etc. This should help you locate the malicious content faster. Unfortunately, you may still have to figure out where in the source code the malicious content is.

2014-01-02_05

Example #2
Another infected website is visited and it shows two suspicious links — one in the external Javascript section and the second in the iframe section.

2014-01-02_06

Here’s the log file that shows several things. First the presence of the external Javascript file about half-way down. The second is the last file with a weird URL. The entropy value is very high for this one which means this is likely heavily obfuscated (or packed/compressed).

The request chain reveals that the main page called up the external Javascript file and that file called up the iframe.

2014-01-02_07

Here’s the capture file which shows that iframe page with the entropy value of 86.48%.

2014-01-02_08

And here’s the clean file showing the external Javascript file. By the way, I made everything left-justified in this file to make it quickly readable.

2014-01-02_09

Example #3
Here’s the last example. This one doesn’t show anything in the document tree because there’s no links on the page.

2014-01-02_10

The log file shows content with a relatively high amount of entropy.

2014-01-02_11

The capture file shows obfuscated Javascript appended to legitimate webpage contents.

2014-01-02_12

Finally, the clean file shows the important bits.

2014-01-02_13

Most of the options don’t need any explanation but here’s a brief description of those that do:

Disable Compression – sends the HTTP request without the encoding option
Enable Entropy – performs the entropy check
Ignore Safe Sites – ignores common sites that host frameworks, ads, and other legitimate content so it doesn’t get downloaded
Ignore CSS – ignores external CSS files so that it doesn’t get downloaded

When visiting a large website full of links, AJAX calls, and embedded content, Pinpoint may choke on it. I’ll explore other methods but for now this seems to work fine most of the time. You can find the tool here.

This entry was posted in Tools and tagged , , . Bookmark the permalink.