Bios Password


Saturday, April 14, 2012

Malware Analysis Resources

Posted on 6:25 PM by Unknown

This is meant to be a complementary post to the URL Scanner roundup post back in January.

Let me be the first to say I am not a malware reverse-engineering analyst.

On the other hand, when I am responding to an incident involving a system compromise, and/or am trying to both clean the system as well as understand the potential impact of what happened, being able to analyze a suspect file is critical.

It can not only give me a better understanding of how to clean it, but possibly of how it got there in the first place. Those lessons learned may help strengthen our security perimeter.

So having a collection of resources that can help analyze a malware (or potential malware) file is important to me.

The following resources are a collection of online file scanners, analysis-report generators, and local sandbox-building tools to aid in that process.

There are a number of similar “list-of-lists” like this one. I’ve just tried to collect them for my own personal reference. Major hat-tip and credit goes to the following sources, which have already paved the way before me. You may find some more resources there that I haven’t linked to, as well as additional descriptions and feedback.

  • Malware Sandbox Services and Software - Andre’ M. DiMino - SemperSecurus blog
  • Information Security Blog » Online Malware Analysis Scanners - Coresec.org
  • Mantra's (Anti)-Malware Link Gallery - OWASP Mantra
  • Malware Analysis - SecurityXploit
  • Malware online scanners | Security on steroids - CleanBytes.net
  • When You Only Have 10 Minutes... - Sketchymoose’s Blog

And as Sketchymoose points out in the close of that post, before you start uploading files to any of these resources:

So now, keep in mind-- your submitted file is now out on the internet and is now on some database. Some of these may be owned by AV companies which look for new juicy malware to add to their signatures. So, if you are really worried about that:
(A) read documentation on their website to see what happens with collected data
(B) do your own analysis
(C) Ask customer/boss what their position is about submitting files to these sites -- make sure you know the answer for choice 'A' too for this one
Remember collaboration is one of the biggest deciding factors in incident response, but use common sense and discretion.

On-Line Scanners and Virus/Malware Analysis Tools

  • GFI Public Sandbox - Formerly known as CWSandbox
  • :: mwanalysis :: CWSandbox :: - Separate CWSandbox service maintained by the Chair for Practical Informatics 1 at the University of Mannheim
  • SandBox Information Center - Norman
  • VirusTotal - Free Online Virus, Malware and URL Scanner
  • Jotti's malware scan
  • Metascan Online - Free online file scanning with multiple antivirus engines
  • ASafaWeb - Automated Security Analyser for ASP.NET Websites
  • Virus Lab - F-Prot Antivirus Virus Information
  • Anubis: Analyzing Unknown Binaries - Really neat and detailed reports.
  • ThreatExpert - Online File Scanner or try their ThreatExpert - Submission Applet
  • ThreatExpert - Submit Your Sample Online - same folks, different submission interface.
  • Submit a sample - Microsoft Malware Protection Center
  • Eureka Malware Analysis Page - Automated malware binary analysis service
  • Comodo Instant Malware Analysis
  • File Verdict Service - Automated analysis system also from Comodo.
  • Wepawet - focusing on JavaScript, PDF, and Flash files in particular
  • F-Secure - Sample Analysis System
  • Xandora - Your Online Binary Analyser - Analysis of malware PE files
  • VirusChief - Online Virus Scan - scans file using a number of scan engines.
  • VirSCAN.org - Free Multi-Engine Online Virus Scanner - supported by 36 AntiVirus Engines
  • NoVirusThanks.org - Multi-Engine Antivirus Scanner - Service
  • avast! Online Scanner
  • malwr.com - free malware analysis service built on Cuckoo Sandbox
  • Online Malware Tool for Malware Analysis
  • Autovin » Malware Submission - Panda Security’s Automated Tool for Virus Incidents
  • Ether: Malware Analysis via Hardware Virtualization Extensions - still in testing/beta mode.
  • SuspectFile - upload analysis service.
  • SARVAM: Search and Retrieval of Malware - Added 4-16-12 per tip from Laks

PDF File Analysis Tools

  • pdf examiner - Malware Tracker - upload and scan PDF files for a slew of exploits.
  • PDF X-RAY - upload and scan a suspicious PDF file to detect malicious behavior.
  • PDF Stream Dumper - SuperAwesome locally-installed (freeware) tool for analysis of malicious PDF documents. Really amazing and a must-have in any incident-responder and analyst's toolkit.
  • PDF Tools « Didier Stevens - Didier has a great collection of local tools to keep handy when parsing out PDF files.
  • 6 Free Local Tools for Analyzing Malicious PDF Files - great list of PDF tools from Lenny Zeltser
  • Analyzing Suspicious PDF Files With Peepdf - how-to post from Lenny Zeltser on using the peepdf tool
  • peepdf - PDF Analysis Tool - eternal-todo.com - free Python tool from Jose Miguel Esparza to pick apart PDF files.
  • jsunpack - a generic JavaScript unpacker - online tool to unpack JavaScript from PDF, pcap, HTML or JavaScript files. For more information about this resource check out jsunpack-n - A generic JavaScript unpacker - Google Project Hosting page.
  • malware tracker blog - Blog home page for Malware Tracker team which contains great analysis write ups and reports. Cool.

Not a PDF tool, but Malware Tracker’s Cryptam service can scan “Office” documents for malicious content as well.

Sandbox Tools for Malware Analysis

  • Minibis - CERT.at - “Software and tips to easily build up an automated malware analysis station based on a concept introduced in the paper ‘Mass Malware Analysis: A Do-It-Yourself Kit’.” From Christian Wojner.
  • Zero Wine: Malware Behavior Analysis - QEMU virtual machine image with Debian OS installed, loaded with tools to upload and analyze malware and generate reports.
  • Buster Sandbox Analyzer - project based on Sandboxie
  • Cuckoo Sandbox - a malware analysis system addressing Windows PE files, DLL files, PDF documents, Office documents, PHP scripts, Python scripts, Internet URLs, etc.
  • Cuckoo for Cuckoo Box - SpiderLabs Anterior post on getting it to run on Mac OS X.
  • Analyzing Malware with Cuckoo Sandbox V3.0 - securitybananas.com post on using it.
  • Cuckoo Sandbox 101 - Andrew Waite of Infosanity's Blog addresses some gotchas he encountered.
  • Capture-BAT Page - The Honeynet Project - behavioral analysis tool for applications on Win32 systems; it records what the malware does to the system (its impact) rather than picking the executable itself apart: change analysis rather than binary analysis.
  • Malware analysis tool, Capture-Bat - Great tutorial written by Travis Altman on installing Capture-Bat and analyzing its results.
  • Sometimes Trouble Finds You.... - interesting recent post from Sketchymoose at his blog on using Capture-Bat against a URL-redirection malware vector.

Adobe Shockwave/Flash Analysis Tools

  • Introducing Adobe SWF Investigator - Adobe Labs tool to totally pick apart SWF files. Uses Adobe AIR platform.
  • Adobe SWF Investigator | Flash security - Adobe Labs - download link
  • HP Communities - SWFScan - FREE Flash decompiler - Enterprise Business Community - Decompiles Adobe Flash files and does some basic security scanning.
  • Decompile Flash files with HP SwfScan - program review by Mike Williams at BetaNews

Mandiant - When One Word will do…

  • MANDIANT - Red Curtain - From their product description: “MRC examines executable files (e.g., .exe, .dll, and so on) to determine how suspicious they are based on a set of criteria. It examines multiple aspects of an executable, looking at things such as the entropy (in other words, randomness), indications of packing, compiler and packing signatures, the presence of digital signatures, and other characteristics to generate a threat "score." This score can be used to identify whether a set of files is worthy of further investigation.”
  • MANDIANT Find Evil - tool that uses disassembly to detect packed executables.
  • Be sure to check out all Mandiant’s Free Software offerings as many other tools here may aid in a malware response investigation.
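As an added illustration of the kind of scoring MRC's description outlines (per-section entropy plus packing indicators), here is a small Python triage helper; it is not Mandiant's code, the 7.0 bits/byte threshold, the 1.0/0.5 weights and the standard-section-name list are assumptions chosen for the example, and the section data is constructed inline rather than read from a real PE.

```python
import math
from collections import Counter

# Section names normally emitted by mainstream Windows compilers and linkers.
STANDARD_SECTION_NAMES = {".text", ".data", ".rdata", ".bss", ".idata",
                          ".edata", ".rsrc", ".reloc", ".pdata", ".tls"}

# Assumed heuristic threshold: compressed or encrypted data sits near 8 bits
# per byte, ordinary x86 code is usually well below 7. Not MRC's own cut-off.
HIGH_ENTROPY_BITS = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def score_sections(sections):
    """Score a list of (section_name, raw_bytes) pairs.

    Returns (findings, score): per-section (name, entropy, reasons) tuples and
    a cumulative suspicion score (assumed weights: 1.0 per high-entropy
    section, 0.5 per non-standard section name).
    """
    findings, score = [], 0.0
    for name, data in sections:
        ent = shannon_entropy(data)
        reasons = []
        if ent >= HIGH_ENTROPY_BITS:
            reasons.append("high entropy (possibly packed or encrypted)")
            score += 1.0
        if name not in STANDARD_SECTION_NAMES:
            reasons.append("non-standard section name")
            score += 0.5
        findings.append((name, round(ent, 2), reasons))
    return findings, score


# Constructed sample sections standing in for a PE's section table: text
# for a normal code-like section, zeroed data, and an all-byte-values buffer
# simulating a packed section (entropy exactly 8.0 bits per byte).
SAMPLE_SECTIONS = [
    (".text", b"push ebp; mov ebp, esp; sub esp, 0x40; " * 64),
    (".data", b"\x00" * 512),
    ("PACK1", bytes(range(256)) * 8),
]

if __name__ == "__main__":
    results, total = score_sections(SAMPLE_SECTIONS)
    for name, ent, reasons in results:
        print(f"{name:<8} entropy={ent:.2f} {'; '.join(reasons) or 'ok'}")
    print(f"suspicion score: {total}")
```

On a real sample the section bytes would come from the PE section table; a high score only says the file deserves a closer look, not that it is malicious.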

Lessons Learned and Wisdom Shared by the Malware Analysis Pros

Thanks to the hard work and community spirit of malware analysts, we can “sharpen our saw” against their efforts. These are some of the best places to start.

  • Malware Analysis Blog | quis custodiet ipsos custodes - This blog is just getting started but the posts so far have been very insightful. The post Malware Analysis as a function of intelligence and counterintelligence operations is a quite well thought out review of the issues a malware analyst must be familiar with.
  • Hexacorn | Blog has a lot of great detailed posts and a few challenges as well to test your brain-cells. Check out this Malware Analysis post-tag list as well as this Extracting Strings from PE sections post for some great material. On my RSS feed list.
  • Analyzing Malicious Documents Cheat Sheet by Lenny Zeltser - Lenny Zeltser shares an amazing collection of tools, resources, and techniques in a “cheat-sheet” format. Check the sidebar for PDF/DOCX versions of this page. The bottom of the page is heavy with PDF tool linkage as well as white-papers and security presentations.
  • Introduction to Malware Analysis - (PDF Link) - This presentation by Lenny Zeltser outlines a lot of the important foundations the investigator should be aware of. One of many good Presentations, Webcasts, and Speaking Engagements by Lenny Zeltser on that page.
  • Also related, Lenny Zeltser’s posts: Reverse-Engineering Malware Cheat Sheet and REMnux Usage Tips for Malware Analysis on Linux. Mr. Zeltser teaches SANS Institute training as well, so if you think you are ready to take things to the next professional level, SANS Institute classes would be a fantastic place to start. See this Reverse-Engineering Malware: Malware Analysis Tools and Techniques Course - Malware Analysis Training by Lenny Zeltser link for more info.
  • System Forensics - a blog new to me, well written by Patrick Olsen. Love the Blogger theme! Great and detailed analysis posts. On my RSS feed list. For some sample posts check out: Zeus v2 Malware Analysis - Part I and Zeus v2 Malware Analysis - Part II.
  • Advanced Malware Cleaning - online video (~13 min) presented by Sysinternals’ Mark Russinovich showing tools and techniques to manually clean a system of malware. Still good after all these years.
  • Zero Day Malware Cleaning with the Sysinternals Tools - (PDF link) - “Slides from Mark’s highly-rated Blackhat US 2011 presentation on how to use the Sysinternals tools to hunt down and eliminate malware.” Excellent slide set IMHO.
  • Windows Incident Response: Malware Analysis - Harlan Carvey shares some thoughts and perspectives on the malware response and analysis field from a digital forensics perspective.
  • Is Anti-Virus Really Dead? A Real-World Simulation Created for Forensic Data Yields Surprising Results - SANS Computer Forensics and Incident Response blog post by robtlee that shows the value of malware incident response and protection in an enterprise environment.
  • WEBCAST: Manually Removing Viruses & Malware - Kurt Shintaku's Blog - Mike Halsey, Microsoft MVP presentation on pulling malware off a Windows system. Registration is required and accessible until July 5th, 2012.

I sincerely hope you find several good take-aways from this post. It’s been simmering a while and I think it will greatly aid me in my own efforts and responses.

Cheers.

--Claus V.

Posted in forensics, Link Fest, malware tools, PDF's, security, tutorials, utilities, virtualization, viruses