1. 02:17 24th Feb 2012

    notes: 14

    tags: updates

    Wepawet 2.3.2

    We have released a new version of Wepawet: 2.3.2.

    A summary of the user-visible changes in this release:

    • A ton of update to the analyzer (yes, that’s a precise metrics: it’s the weight of the printout of the changelog). In particular, you should see some nice improvement in the PDF analysis: for example, Wepawet now correctly analyze this encrypted PDF file, which used to be problematic (hi @eternaltodo!)
    • We now have enabled comments on each report page. Yes, very social: that’s malware analysis 2.0. This also retires the Feedback tab we had for a while. People still like the Feedback button, so we keep it!
    • We are playing around with CSP: let us know how it works for you.

    In addition, we have done quite a bit of work on other areas that hopefully will become visible features soon. Stay tuned.

    We love getting feedback: let us know if things break or they just work as you expect.

     

  2. 22:23 28th Nov 2011

    notes: 65

    tags: updates

    Wepawet 2.3.1

    We have released a new version of Wepawet: 2.3.1.

    The main change with this version is the integration of shellzer, a new dynamic shellcode analyzer. Shellzer analyzes the shellcode identified by Wepawet: in particular, it generates a complete list of the API functions called by the shellcode, and it identifies the URLs fetched at run-time by the shellcode (locating additional malware samples).

    Here is an example of the output produced by shellzer:

    Notice that the standard shellcode section of the report is extended with a detailed “Shellcode Analysis” report, which contains:

    • the trace of the API functions (and their parameters) invoked by the shellcode, 
    • the list of the DLLs loaded by the shellcode, and
    • the list of the URLs contacted by the shellcode.

    From the report, it is clear that the shellcode in the example above performs the classic download-and-execute steps: it loads the urlmon library, uses its URLDownloadToFileA function to download a file to the temporary directory (as determined using the GetTempPathA function), and then executes this file via WinExec.

    If you are interested in the all the details of shellzer, check out the RAID 2011 paper.

    Big kudos to Yanick for developing shellzer, and Alex, for lending a helping hand with the integration and testing!

     

  3. 12:36 14th Nov 2011

    notes: 18

    tags: updates

    New feature: feedback

    We are always interested in receiving feedback from users, both about things that work and those that do not work. It’s a great way for us to know where to improve our tool.

    We have recently introduced a new feature to simplify sending us comments/suggestions, and, specifically, to let us know of misclassifications (false positives or false negatives) of the resources that we analyze.

    In particular, report pages now include a “Feedback” badge along the left edge of the page:

    By clicking on the badge, you can send us a form with more information and comments about the report:

    The report is received by the whole team, so that issues can be addressed quickly and misdetections get fixed!

     

  4. 01:22 8th Nov 2011

    notes: 22

    tags: updates

    Wepawet 2.3.0

    We have rolled out a new version of Wepawet: 2.3.0.

    The new release brings in a number of improvements. Two changes are particularly visible:

    • Wepawet now provides more detailed information about the location of malicious content. For example, the report now lists the location (URLs) where exploits and shellcode were found:
       

       
    • Wepawet now provides information about how requests are chained together, i.e., how page A leads to page B through a simple tree visualization in the requests table: 

    (See the complete report for these examples: http://wepawet.cs.ucsb.edu/view.php?hash=50a450cb6ea0248d7327831aa53881bc&t=1320475825&type=js).

    Let us know how this works!

     
     

  5. 02:26 4th Aug 2011

    notes: 47

    tags: maintenance

    Maintenance

    Wepawet will be down for maintenance. It’s a big upgrade (both hardware and software), so this may take up to a couple of days. We plan to be back during the weekend.

    Update: the upgrade is finished successfully. We are now running the last tests and should be back online soon.

    Update: … and we are up again.

     

  6. 19:48 9th Oct 2010

    notes: 8

    Update: 1.3.2

    New version out: 1.3.2.

    Here is a list of the main changes:

    • Refactored the report generation code (should make it easy to add new features to the report)
    • Added support for XFA forms in PDF
     

  7. 16:51 18th Sep 2010

    notes: 7

    tags: updates

    Update: 1.3.1

    We have rolled out a new release of Wepawet: version 1.3.1.

    Here is the list of changes:

    • Support for detection of the HCP vulnerability (CVE-2010-1885)
    • Improved parsing of malformed PDF files
    • Support for Util.byteToChar in PDF files
     

  8. 16:13 13th Sep 2010

    notes: 7

    tags: updates

    Update

    We have rolled out a new release of Wepawet: version 1.3.0.

    Here is the list of changes:

    • Switched to a saner versioning scheme
    • Added submission script
    • Added changelog page
    • Lots of internal improvements (especially for deployment, monitoring)
     

  9. 07:47 4th Sep 2010

    notes: 8

    tags: maintenance

    Maintenance

    Wepawet will be down for maintenance between Thu 9th, 9AM and Fri 10th, 9AM (PDT). We are getting a new storage back-end!

    We’ll update the status here as things progress.

    Update (Fri 10th, 6:00AM): Wepawet is up again.

     

  10. 09:20 13th Aug 2010

    notes: 8

    tags: maintenance

    Maintenance

    This weekend we are doing some infrastructure updates.

    The site will be back online in the evening of Sunday 15.