Wepawet-Online Malware analyzer

Discussion in 'other software & services' started by ha14, Sep 26, 2009.

Thread Status:
Not open for further replies.
  1. ha14

    ha14 Registered Member

    Sep 6, 2009


    Wepawet is a service for detecting and analyzing web-based malware. It currently handles Flash, JavaScript, and PDF files.

    To use Wepawet:

    1. Upload a sample or specify a URL
    2. Wait for the resource to be analyzed
    3. Review the generated report


    Things you can do with Wepawet:
    - Determine if a page or file is malicious
    - Wepawet runs various analyses on the URLs or files that you submit. At the end of the analysis phase, it tells you whether the resource is malicious or benign and provides you with information that helps you understand why it was classified one way or the other.
    - Wepawet displays various pieces of information that greatly simplify the manual analysis and understanding of the behavior of malicious samples. For example, it gives access to the unobfuscated malicious code used in an attack. It also collects the URLs accessed by a sample.
    - Wepawet does not just tell you that a resource is malicious, it also shows you the exact vulnerability (or, more likely, the vulnerabilities) that are exploited during an attack.
  2. Franklin

    Franklin Registered Member

    May 12, 2005
    West Aussie
    Yep, use it all the time here for pdf exploits where Wepawet will give any links to the payload exe.
  3. Rmus

    Rmus Exploit Analyst

    Mar 16, 2005
    Unfortunately, it's not always reliable (but what is!)

    Recently, a drive-by attack served up the Zbot trojan. The page was a package, or kit, of 4 exploits, which Wepawet analyzed:


    It showed the URLs for the first two. The PDF and SWF files cached and I hoped to see the same URLs in the code, since that is how most of these "kits" work.

    Wepawet isn't giving dynamic analysis of some SWF files, so I couldn't get the URL for the malware:


    It was identified by some AV as Trojan.SWF.Dropper!IK

    Strangely, Wepawet showed the PDF file as benign, but it was the old Exploit/Win32.Pidief.

    Most of the time, though, Wepawet provides a great service.
