Pinpoint Tool Released
There are many times where I come across a drive-by download, especially malvertisements, and it takes me a while to figure out which file on the compromised website is infected. I wrote Pinpoint to help me find the malicious objects faster so I can provide that info to webmasters for clean-up purposes. My hope is that this tool will be helpful to you as well.
You can of course spoof the user-agent string and referer values to elicit a malicious response from the website. There's also a function to clear your cookies (see the Options menu item), since many exploit packs check for the presence of cookies on repeated visits. Use Tor to get another IP address, since your IP will usually get banned after the first visit.
Here are a few examples to help you better understand what this program does.
Visiting the website in the screenshot below with the appropriate user-agent and referer values reveals a suspicious-looking iframe.
By default, two other files are created. The capture.txt file contains the HTML source code of all of the pages it fetched. You can see the main webpage, and somewhere in there is the malicious iframe. Under that is the HTML source code of the iframed page.
While your computer is safe, since none of the scripts are executed, your anti-virus may still detect the malicious scripts and trigger an alert (and blacklist my Pinpoint program in the process). Ideally you should be doing all of this in a virtual machine without AV anyway.
Here's the capture file which shows that iframe page with the entropy value of 86.48%.
Here's the last example. This one doesn't show anything in the document tree because there are no links on the page.
The log file shows content with a relatively high amount of entropy.
Finally, the clean file shows the important bits.
Most of the options don't need any explanation but here's a brief description of those that do:
Disable Compression - sends the HTTP request without the encoding option
Enable Entropy - performs the entropy check
Ignore Safe Sites - ignores common sites that host frameworks, ads, and other legitimate content so that it isn't downloaded
Ignore CSS - ignores external CSS files so that they aren't downloaded
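To illustrate what the entropy check and the safe-site filter are doing, here is a small Python script I've added for this write-up; it is not Pinpoint's code. It parses a constructed page without executing anything, lists external objects whose host isn't on a safe list, and scores each inline script by Shannon entropy. The 0-100 scaling (8 bits per byte = 100%), the 70% cut-off, the safe-host list and the placeholder.invalid host are all assumptions; the page doesn't document Pinpoint's actual formula or list.

```python
import math
import string
from collections import Counter
from html.parser import HTMLParser

def entropy_percent(data: bytes) -> float:
    """Shannon entropy scaled to 0..100 (8 bits/byte = 100%). The scaling is an
    assumption; the page does not give Pinpoint's formula."""
    if not data:
        return 0.0
    n = len(data)
    bits = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return round(bits / 8 * 100, 2)

class ObjectCollector(HTMLParser):
    """Collects external object references and inline script bodies. Parse only: nothing runs."""
    def __init__(self):
        super().__init__()
        self.refs, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get("src") or dict(attrs).get("data")
        if tag in ("iframe", "script", "embed", "object") and url:
            self.refs.append((tag, url))
        self._in_script = self._in_script or tag == "script"
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data.strip())

# Constructed stand-in for Pinpoint's "Ignore Safe Sites" list.
SAFE_HOSTS = ("ajax.googleapis.com", "cdnjs.cloudflare.com")

def triage(html: str, threshold: float = 70.0):
    """Return (external refs not on the safe list, inline scripts whose entropy
    is at or above threshold). The 70% cut-off is an assumed value."""
    p = ObjectCollector()
    p.feed(html)
    refs = [(t, u) for t, u in p.refs if not any(h in u for h in SAFE_HOSTS)]
    hot = [(entropy_percent(s.encode()), s[:32]) for s in p.inline]
    return refs, [h for h in hot if h[0] >= threshold]

# Constructed page: CDN script, benign inline script, 1x1 iframe, packed inline blob.
BLOB = string.ascii_letters + string.digits + "+/"  # 64 distinct symbols
SAMPLE = ('<html><body><h1>Shop</h1>'
          '<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.7/jquery.min.js"></script>'
          '<script>document.getElementById("x").innerHTML="hello";</script>'
          '<iframe src="http://placeholder.invalid/in.php" width="1" height="1"></iframe>'
          '<script>eval(atob("' + BLOB + '"))</script></body></html>')
```

Running `triage(SAMPLE)` returns the 1x1 iframe as the only unfiltered external object and flags the packed inline script at roughly 75% entropy, while the jQuery reference is dropped by the safe-host check and the plain DOM script scores well under the cut-off.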
When visiting a large website full of links, AJAX calls, and embedded content, Pinpoint may choke on it. I'll explore other methods, but for now this seems to work fine most of the time. You can find the tool here.