[Vol-users] zeusscan2

shorejsi2 at mmm.com shorejsi2 at mmm.com
Mon Jan 27 13:35:03 CST 2014


I'm dealing with what appears to be a new Zeus variant and on a whim I tried to run zeusscan2 under a copy of Volatility 2.0 I still hang onto. Perhaps not surprisingly, it ends unhappily:

Volatile Systems Volatility Framework 2.0
Traceback (most recent call last):
  File "vol.py", line 135, in <module>
    main()
  File "vol.py", line 126, in main
    command.execute()
  File "/home/a05p8zz/VolInstall/volatility-2.0/volatility/commands.py", line 101, in execute
    func(outfd, data)
  File "/home/a05p8zz/VolInstall/volatility-2.0/volatility/plugins/zeusscan2.py", line 330, in render_text
    for p, start, url, config_key, creds_key, decoded_config, decoded_magic in data:
  File "/home/a05p8zz/VolInstall/volatility-2.0/volatility/plugins/zeusscan2.py", line 221, in calculate
    data  = malware.get_vad_data(ps_ad, start, end)
  File "/home/a05p8zz/VolInstall/volatility-2.0/volatility/plugins/malware.py", line 856, in get_vad_data
    return ''.join(pages_one)
OverflowError: join() result is too long for a Python string

Now I strongly suspect that the new variant is just different enough that it messes with the parsing and results in a runaway, but I just wanted to make sure I'm not leaving something on the table here...

Should this work?


                        -=[ Steve ]=-
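One check a practitioner might add around the `get_vad_data()` pattern shown in the traceback, as an added example that is not part of the original message or of Volatility's code: validate and cap the VAD range before the per-page reads are concatenated, so a corrupt, inverted or implausibly large range fails with a clear error instead of growing until `''.join()` raises `OverflowError`. `FakeAddressSpace`, its `zread()` method, `get_vad_data_bounded()`, `scan_vads()` and the 64 MiB cap are all constructed stand-ins and assumed values, not Volatility's real API.

```python
# Added example, not Volatility code: a bounded version of "read every page in
# a VAD range and join the pieces".  The address-space class and its zread()
# method are constructed stand-ins for a process address space.

PAGE_SIZE = 0x1000


class FakeAddressSpace:
    """Constructed stand-in: resident pages keyed by page-aligned address."""

    def __init__(self, pages):
        self.pages = pages

    def zread(self, addr, length):
        # Zero-fill read: pages that are not resident come back as zero bytes.
        return self.pages.get(addr, b"\x00" * length)[:length]


def get_vad_data_bounded(address_space, start, end, max_bytes=64 * 1024 * 1024):
    """Return the bytes of [start, end), read one page at a time.

    The range is sanity-checked before anything is read, so a VAD node whose
    start/end fields are corrupt (or a parser that walked past the end of a
    structure) is rejected up front rather than producing an OverflowError
    deep inside ''.join().  Assumes a page-aligned start.  The cap is an
    assumed value; choose it for the analysis at hand.
    """
    if end <= start:
        raise ValueError(
            "VAD range is empty or inverted: start=%#x end=%#x" % (start, end))
    size = end - start
    if size > max_bytes:
        raise ValueError(
            "VAD range of %d bytes exceeds cap of %d bytes (start=%#x)"
            % (size, max_bytes, start))
    chunks = []
    for addr in range(start, end, PAGE_SIZE):
        chunks.append(address_space.zread(addr, min(PAGE_SIZE, end - addr)))
    return b"".join(chunks)


def scan_vads(address_space, vads, max_bytes=64 * 1024 * 1024):
    """Walk (start, end) VAD ranges and return (start, end, status, data).

    Rejected ranges are reported with a 'skipped: ...' status and empty data
    instead of aborting the whole scan, so one bad node does not hide the
    results from every other region of the process.
    """
    results = []
    for start, end in vads:
        try:
            data = get_vad_data_bounded(address_space, start, end, max_bytes)
            results.append((start, end, "ok", data))
        except ValueError as err:
            results.append((start, end, "skipped: %s" % err, b""))
    return results


if __name__ == "__main__":
    # Constructed sample: two resident pages at 0x400000, then nothing.
    asp = FakeAddressSpace({0x400000: b"A" * PAGE_SIZE, 0x401000: b"B" * PAGE_SIZE})
    sample_vads = [
        (0x400000, 0x402000),                    # plausible region
        (0x10000000, 0x10000000 + 2 ** 31),      # 2 GiB: rejected by the cap
        (0x500000, 0x4FF000),                    # inverted range: rejected
    ]
    for start, end, status, data in scan_vads(asp, sample_vads):
        print("%#x-%#x %s (%d bytes read)" % (start, end, status, len(data)))
```

Running the block prints one line per VAD; the oversized and inverted ranges are reported as skipped rather than read, and the run completes.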