PaulDotCom mailing list archives
Malware analyzing tools?
From: daniel at virturity.com (Daniel [Virturity.com])
Date: Fri, 15 May 2009 19:43:58 +0100
All good suggestions so far. Just adding a few more tools to the list. The most important one is that freeware between your ears, of course. ;)

Rapier - http://code.google.com/p/rapier/
Gmer - www.gmer.net
oSpy - http://code.google.com/p/ospy/
helios - http://helios.miel-labs.com

On Fri, 2009-05-15 at 13:45 -0400, Chris Hague wrote:
So, a few things that I usually do as part of my forensic investigations that involve malware. I guess if you are analyzing malware, as opposed to "is my system infected with it", then I would suggest using a range of tools and resources. For instance, if you have come across an unknown binary you could upload it to a "sandbox" like Norman Sandbox (http://www.norman.com/microsites/nsic/) or VirusTotal (http://www.virustotal.com/); both are automated. If you prefer the more manual approach, then I would recommend a VM-like environment so you don't tank your machine. Use tools such as SysAnalyzer (http://labs.idefense.com/software/malcode.php) [somewhat dated, but still works]. Another option is to use a debugger to see exactly what the file is doing. As suggested earlier in the thread, use Filemon, Regmon, Process Monitor, Process Explorer, and Wireshark. However, if you have the time, set up a 2nd VM as a gateway, basically becoming the man in the middle.

For the infected systems, several of the incident response companies offer free tools to help detect malcode; Mandiant (http://www.mandiant.com/software.htm) is one of them.

I think Shaun's last point is spot on. When in doubt, reload.

Hope this helps,
Chris

______________________________________________________________________
From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Shaun Curry
Sent: Friday, May 15, 2009 11:08 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Malware analyzing tools?

I'm not a forensics expert, but I work on this stuff on a daily basis for our customers. I follow a pretty basic plan of attack for stuff like this:

1. Turn off System Restore
2. Install, update, and run Malwarebytes (usually a quick scan in normal Windows)
3. Run Trend Micro's HouseCall from their website
4. Check IE for BHOs

If there is still a problem I will move to Autoruns to disable anything odd starting up with the system, and run Process Explorer to research svchost.exe. And, when all else fails - nuke and pave, buddy... nuke and pave :P

Good luck!

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
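The manual steps the thread converges on (check IE for BHOs, look at what starts with the system, and work out what each svchost.exe is actually hosting) can be scripted as a first-look triage. The PowerShell below is an added example for this archive page, not code from any poster or from any tool named in the thread. It assumes the standard registry locations for BHOs and Run/RunOnce keys, an elevated prompt (otherwise WMI will not return executable paths for other users' processes), and it only reads; disabling anything is left to Autoruns or to a reload.

```powershell
# Added example, not code from the thread or from any tool named in it.
# Read-only triage of the three spots the posts point at: IE Browser Helper
# Objects, Run/RunOnce autostarts, and which services each svchost.exe hosts.
# Registry paths are the standard documented ones; run from an elevated prompt.

function Get-DefaultValue([string]$Path) {
    # The unnamed (default) registry value is exposed as the '(default)' property
    if (Test-Path $Path) { (Get-ItemProperty -Path $Path).'(default)' } else { $null }
}

function Get-BrowserHelperObjects {
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid = $sub.PSChildName
            # Each BHO subkey is a CLSID; the DLL IE will load is under InprocServer32
            $dll = Get-DefaultValue "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dllPath = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
            $sig = if ($dllPath -and (Test-Path $dllPath)) {
                (Get-AuthenticodeSignature -FilePath $dllPath).Status
            } else { 'FileMissing' }
            [pscustomobject]@{
                CLSID     = $clsid
                Name      = Get-DefaultValue "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
                DLL       = $dllPath
                Signature = $sig     # 'Valid' is expected for vendor BHOs; 'NotSigned' deserves a look
            }
        }
    }
}

function Get-RunKeyEntries {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... bookkeeping properties PowerShell adds
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-SvchostServices {
    # Map every svchost.exe to the services it hosts (same idea as "tasklist /svc")
    $svchost  = Get-WmiObject -Class Win32_Process -Filter "Name='svchost.exe'"
    $services = Get-WmiObject -Class Win32_Service | Where-Object { $_.ProcessId -ne 0 }
    foreach ($proc in $svchost) {
        $hosted = $services | Where-Object { $_.ProcessId -eq $proc.ProcessId } |
                  ForEach-Object { $_.Name }
        [pscustomobject]@{
            PID        = $proc.ProcessId
            Path       = $proc.ExecutablePath
            Services   = ($hosted -join ', ')
            # A genuine svchost.exe lives in System32 and hosts at least one service.
            # Without elevation ExecutablePath can be null, which also flags here.
            Suspicious = (-not $hosted) -or
                         ($proc.ExecutablePath -notlike "$env:SystemRoot\System32\*")
        }
    }
}

Write-Host '== IE Browser Helper Objects =='
Get-BrowserHelperObjects | Format-Table -AutoSize
Write-Host '== Run / RunOnce autostarts =='
Get-RunKeyEntries | Format-Table -AutoSize
Write-Host '== svchost.exe instances =='
Get-SvchostServices | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Everything above is answered by the suspect machine's own registry and WMI, so a kernel-level rootkit (the reason Gmer is on Daniel's list) can hide from it. A clean result is weak evidence, and a flagged BHO or out-of-place svchost.exe is a reason to pull the DLL for the sandbox or VM analysis Chris describes, not proof on its own; the thread's "when in doubt, reload" still stands.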
Current thread:
- Malware analyzing tools? Subba Rao (May 14)
- <Possible follow-ups>
- Malware analyzing tools? infolookup at gmail.com (May 14)
- Malware analyzing tools? Xander Solis (May 14)
- Malware analyzing tools? Ali Emirlioglu (May 14)
- Malware analyzing tools? Pat (May 15)
- Malware analyzing tools? Raffi Jamgotchian (May 15)
- Malware analyzing tools? Tim Mugherini (May 15)
- Malware analyzing tools? Shaun Curry (May 15)
- Malware analyzing tools? Chris Hague (May 15)
- Malware analyzing tools? Daniel [Virturity.com] (May 15)
- Malware analyzing tools? Xander Solis (May 14)