Scout -- New Tool Released
Here's another tool that you might find useful when analyzing potentially infected websites. Scout is Pinpoint on steroids. Scout uses the Pinpoint engine and includes a feature from Revelo that makes this more functional and...risky. Let me explain.
I did think about just adding the new features to Pinpoint and calling it v2.0, but that could potentially cause confusion since Pinpoint is a safe tool to use, so I decided to leave Pinpoint alone and create a new tool called Scout (I'll still maintain both code bases). As its name implies, Scout seeks information and does so rather progressively.
One other feature I thought would be useful was to give Scout the ability to take a screenshot of the webpage. The best and safest method I could come up with is using PhantomJS. It uses the WebKit browser engine so it's much safer than IE, but there is added risk since the infected/malicious page has to be completely rendered. That's the other reason why I wanted to separate this from Pinpoint.
So let's see this in action...
Here's Scout with its two new features:
To activate the screenshot capability, download PhantomJS from here and copy the Windows executable to the same folder that Scout resides in. Now the "Take Screenshot" option lights up and you can enable and disable it as you choose. Scout will automatically create "rasterize.js" which is used to produce the screenshot. You can modify it (e.g. change its useragent string) and Scout will use it going forward.
Here's what the workflow might look like. Enter a URL then click on start.
The screenshot of the site gets saved as a PNG file:
Click on Tools > HTTP Request Simulator, choose the file, then click on Start.
Here's another example...
First, let's paste in the URL and click on Start:
Here's the screenshot of the site:
Reviewing Scout's capture file, we see exploit code from Infinity EK:
Extract the script from the page and save it to an HTML file:
Since this has a lot of scripts, the internal WebBrowser Control may not be able to handle it so you can optionally use your Internet Explorer browser. When you run Scout and click on Tools > HTTP Request Simulator, Scout will automatically set IE's proxy setting to "localhost:8080" (which is changed back after you close HTTP Request Simulator). All you need to do is leave the "File" field empty, click on Start, then open the HTML page in IE (note: you can do this with Firefox or Chrome too as long as you set the proxy settings yourself).
Here we see IE executing the js.html file with the exploit code. Scout's HTTP Request Simulator is catching the requests, dropping the responses, and displaying the results. The VM did not get infected but I'll never run this on my host computer, just in case. And neither should you.
If you don't see anything in the "results" box then maybe the script doesn't have any redirect code or doesn't reference any external content. Or maybe it relies on jQuery, in which case you can paste the jQuery script into your file.
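To make the HTTP Request Simulator's behaviour concrete, here is an added Python stand-in (not Scout's code): a local proxy that records every request the rendered page makes and answers each with an empty 204, so redirects and external loads are observed but never actually fetched. The default port 8080 mirrors the proxy setting above; the hostnames in the sample request are constructed placeholders.

```python
import http.server
import socket
import threading
from urllib.parse import urlsplit

class CaptureHandler(http.server.BaseHTTPRequestHandler):
    """Local proxy: record each request the page makes, answer with an empty
    204 so redirects and external loads are seen but never fetched."""
    captured = []  # shared across handler instances, one list per process

    def _record(self):
        # Proxy-style requests carry the absolute URL in the request line.
        host = urlsplit(self.path).netloc or self.headers.get("Host", "")
        CaptureHandler.captured.append({
            "method": self.command,
            "host": host,
            "url": self.path,
            "referer": self.headers.get("Referer", ""),
        })
        self.send_response(204)  # drop the response: nothing goes upstream
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = do_HEAD = _record

    def log_message(self, fmt, *args):
        pass  # the captured list is the result; keep stdout quiet

def serve(port=8080):
    """Start the capture proxy on 127.0.0.1:port in a background thread."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", port), CaptureHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def demo_capture():
    """Ephemeral-port proxy, one constructed proxy-style request, return (status, records)."""
    CaptureHandler.captured = []
    server = serve(port=0)
    port = server.server_address[1]
    with socket.create_connection(("127.0.0.1", port), timeout=5) as sock:
        # Constructed sample, as a redirect or iframe load would produce it.
        sock.sendall(b"GET http://landing.example/gate.php?id=1 HTTP/1.1\r\n"
                     b"Host: landing.example\r\n"
                     b"Referer: http://compromised.example/js.html\r\n\r\n")
        status = sock.recv(1024).split(b"\r\n")[0]
    server.shutdown()
    server.server_close()
    return status, list(CaptureHandler.captured)
```

HTTPS requests reach a proxy as CONNECT and are not handled here; a fuller analysis proxy would need to record those as well.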
By the way, I do appreciate all of your emails in support of Pinpoint! I'm glad it is helping you with your analysis and I hope Scout can further your research.