Home page logo
/

pauldotcom logo PaulDotCom mailing list archives

Malware analyzing tools?
From: chrishague at comcast.net (Chris Hague)
Date: Fri, 15 May 2009 13:45:46 -0400

So a few things that I usually do as part of my forensic investigations that
involve malware.

 

I guess if you are analyzing malware as opposed to is my system infected
with it, then I would suggest using a range of tools and resources. 

 

For instance, if you have come across an unknown binary you could upload it
to a "sandbox" like Norman Sandbox (http://www.norman.com/microsites/nsic/),
or Virus Total (http://www.virustotal.com/) - both are automated. If you
prefer the more manual approach, then I would recommend a VM like
environment so you don't tank your machine. Use tools such as SysAnalyzer
(http://labs.idefense.com/software/malcode.php) [somewhat dated], but still
work. Another option is to use a debugger to see exactly what the file is
doing.

 

As suggested in earlier threads, use filemon, regmon, process monitor and
explorer, and Wireshark. However, if you have the time, set up a 2nd VM as a
gateway basically becoming the man in the middle. 

 

For the infected systems several of the incident response companies offer
free tools to help detect malcode (http://www.mandiant.com/software.htm) is
one of them.

 

I think Shaun's last point is spot on. When in doubt, reload.

 

Hope this helps,

 

Chris

 

  _____  

From: pauldotcom-bounces at mail.pauldotcom.com
[mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Shaun Curry
Sent: Friday, May 15, 2009 11:08 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Malware analyzing tools?

 

I'm not a forensics expert, but I work on this stuff on a daily basis for
our customers.  I follow a pretty basic plan of attack for stuff like this:

1. Turn off system restore
2. Install, Update, and run Malwarebyte's (usually a quickscan in normal
windows)
3. Run TrendMicro's housecall from their website.
4. Check IE for BHO's

If there is still a problem I will move to autoruns to disable anything odd
starting up with the system and run process explorer to research
svchost.exe.

And, when all else fails - Nuke and Pave buddy... nuke and pave :P

Good Luck!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090515/c3836bbb/attachment.htm 


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault