I'm dealing with what appears to be a new Zeus variant and on a whim I tried to run zeusscan2 under a copy of Volatility 2.0 I still hang onto. Perhaps not surprisingly, it ends unhappily

Volatile Systems Volatility Framework 2.0
Traceback (most recent call last):
  File "vol.py", line 135, in <module>
    main()
  File "vol.py", line 126, in main
    command.execute()
  File "/home/a05p8zz/VolInstall/volatility-2.0/volatility/commands.py", line 101, in execute
    func(outfd, data)
  File "/home/a05p8zz/VolInstall/volatility-2.0/volatility/plugins/zeusscan2.py", line 330, in render_text
    for p, start, url, config_key, creds_key, decoded_config, decoded_magic in data:
  File "/home/a05p8zz/VolInstall/volatility-2.0/volatility/plugins/zeusscan2.py", line 221, in calculate
    data  = malware.get_vad_data(ps_ad, start, end)
  File "/home/a05p8zz/VolInstall/volatility-2.0/volatility/plugins/malware.py", line 856, in get_vad_data
    return ''.join(pages_one)
OverflowError: join() result is too long for a Python string

 Now I strongly suspect that the new variant is just enough different that it messes with the parsing and results in a runaway, but I just wanted to make sure I'm not leaving something on the table here...

 Should this work?


                        -=[ Steve ]=-