Scout -- New Tool Released

Here's another tool that you might find useful when analyzing potentially infected websites. Scout is Pinpoint on steroids. Scout uses the Pinpoint engine and includes a feature from Revelo that makes this more functional and...risky. Let me explain.

Pinpoint downloads webpage components akin to using wget or curl. Pinpoint does not render the content making this safe to use even without a VM. Scout, on the other hand, gives you the ability to render content in select files so it can collect the URLs it's trying to access (Revelo already includes this feature). This is great for those who don't know how or have the time to deobfuscate Javascript. You just render it and catch the results. However, if the file contains exploit code, your computer could get infected.

I did think about just adding the new features to Pinpoint and calling it v2.0 but that could potentially cause confusion since Pinpoint is a safe tool to use so I decided to leave Pinpoint alone and create a new tool called Scout (I'll still maintain both code bases). As its name implies, Scout seeks information and does so rather progressively.

One other feature I thought would be useful was to give Scout the ability to take a screenshot of the webpage. The best and safest method I could come up with is using PhantomJS. It uses the WebKit browser engine so it's way more safer than IE but there is added risk since the infected/malicious page has to be completely rendered. That's the other reason why I wanted to separate this from Pinpoint.

So let's see this in action...

Here's Scout with its two new features:

To activate the screenshot capability, download PhantomJS from here and copy the Windows executable to the same folder that Scout resides in. Now the "Take Screenshot" option lights up and you can enable and disable it as you choose. Scout will automatically create "rasterize.js" which is used to produce the screenshot. You can modify it (e.g. change its useragent string) and Scout will use it going forward.

Here's what the workflow might look like. Enter a URL then click on start.

The screenshot of the site gets saved as a PNG file:

Viewing Scout's capture file, we see some obfuscated Javascript in the source code. Since the Pinpoint engine won't render it, we don't know what this does.

Copy/paste the Javascript and save it to an HTML file. Be sure it has the <script></script> tags (or <html></html> tags as necessary).

Click on Tools > HTTP Request Simulator, choose the file, then click on Start.

What I've done is include some of Revelo's functionality into Scout. There is a built-in WebBrowser Control that renders the URL. As the WebBrowser Control makes requests to external content (e.g. Javascript, CSS, images, etc) or redirects the browser depending on the webpage contents, Scout will collect the links then drop the HTTP responses before it reaches the browser. This should, in theory, prevent your computer from getting compromised but I can't guarantee it so you ought to run this in a VM.

Here's another example...

First, let's paste in the URL and click on Start:

Here's the screenshot of the site:

Reviewing Scout's capture file, we see exploit code from Infinity EK:

Extract the script from the page and save it to an HTML file:

Since this has a lot of scripts, the internal WebBrowser Control may not be able to handle it so you can optionally use your Internet Explorer browser. When you run Scout and click on Tools > HTTP Request Simulator, Scout will automatically set IE's proxy setting to "localhost:8080" (which is changed back after you close HTTP Request Simulator). All you need to do is leave the "File" field empty, click on Start, then open the HTML page in IE (note: you can do this with Firefox or Chrome too as long as you set the proxy settings yourself).

Here we see IE executing the js.html file with the exploit code. Scout's HTTP Request Simulator is catching the requests, dropping the responses, and displaying the results. The VM did not get infected but I'll never run this on my host computer, just in case. And neither should you.

If you don't see anything in the "results" box then maybe the script doesn't have any redirect code or doesn't reference any external content. Or maybe it relies on jQuery in which case you can paste in the jQuery script into your file.

By the way, I do appreciate all of your emails in support of Pinpoint! I'm glad it is helping you with your analysis and I hope Scout can further your research.

Posted on: 03/25/2014