PaulDotCom mailing list archives

Malware analyzing tools?
From: chrishague at comcast.net (Chris Hague)
Date: Fri, 15 May 2009 13:45:46 -0400

So, a few things that I usually do as part of my forensic investigations that
involve malware:


I guess if you are analyzing malware, as opposed to asking "is my system
infected with it?", then I would suggest using a range of tools and resources.


For instance, if you have come across an unknown binary you could upload it
to a "sandbox" like Norman Sandbox (http://www.norman.com/microsites/nsic/)
or VirusTotal (http://www.virustotal.com/) - both are automated. If you
prefer the more manual approach, then I would recommend a VM-like
environment so you don't tank your machine. Use tools such as SysAnalyzer
(http://labs.idefense.com/software/malcode.php) [somewhat dated, but still
works]. Another option is to use a debugger to see exactly what the file is


As suggested in earlier threads, use filemon, regmon, Process Monitor and
Process Explorer, and Wireshark. However, if you have the time, set up a 2nd
VM as a gateway, basically becoming the man in the middle.


For the infected systems, several of the incident response companies offer
free tools to help detect malcode; http://www.mandiant.com/software.htm is
one of them.


I think Shaun's last point is spot on. When in doubt, reload.


Hope this helps,
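The "unknown binary" step above (hash it for VirusTotal, look at it before running it) as an added example; this is not code from the original message or from any of the tools it names. It uses only the Python standard library so it runs on a clean analysis VM, computes the hashes a sandbox keys on, parses the PE headers and section table, flags packed-looking sections by entropy, and pulls strings that look like indicators. The URL, registry string, section layout and timestamp in build_sample() are constructed for the demonstration; the blob is PE-shaped but not a runnable program and not real malware.

```python
"""Static first look at an unknown Windows binary before it goes to a sandbox.

Added example; not code from the original thread. Standard library only.
The sample at the bottom is a constructed PE-shaped blob, not real malware.
"""
import hashlib
import json
import math
import re
import struct
import sys
from collections import Counter
from datetime import datetime, timezone

IOC_PATTERNS = {                       # string classes worth a second look
    "url": re.compile(r"https?://[\w.\-/]+", re.I),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "run_key": re.compile(r"CurrentVersion\\Run", re.I),
}


def hashes(data):
    """MD5/SHA-1/SHA-256: the identifiers VirusTotal and most sandboxes key on."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def entropy(data):
    """Shannon entropy in bits per byte; near 8 means packed or encrypted."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(data):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    sections = []
    table = coff + 20 + opt_size            # section table follows the optional header
    for i in range(nsect):
        name, _, vaddr, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "raw_size": rawsize,
                         "entropy": round(entropy(raw), 2), "flags": flags})
    return {"machine": machine,            # 0x14C = i386, 0x8664 = x64
            "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
            "characteristics": chars, "sections": sections}


def strings(data, min_len=6):
    """Printable ASCII and UTF-16LE runs, like the `strings` tool."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    out = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    out += [m.group().decode("utf-16le") for m in wide_re.finditer(data)]
    return out


def triage(data):
    """Build the report dict a first look should hand to the analyst."""
    report = {"size": len(data), "hashes": hashes(data), "pe": None}
    try:
        report["pe"] = parse_pe(data)
    except (ValueError, struct.error) as exc:
        report["error"] = str(exc)          # not PE, or a header that lies about offsets
        return report
    report["packed_sections"] = [s["name"] for s in report["pe"]["sections"] if s["entropy"] > 7.0]
    strs = strings(data)
    report["indicators"] = {k: [s for s in strs if rx.search(s)] for k, rx in IOC_PATTERNS.items()}
    return report


def build_sample():
    """Constructed PE-shaped blob: a .text section with telling strings and a
    .packed section whose bytes are uniformly distributed (entropy 8.0)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    text = (b"\0" * 16 + b"http://evil-example.test/gate.php\0"
            b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\0").ljust(0x200, b"\0")
    packed = bytes(range(256)) * 2
    text_off, packed_off = 0x200, 0x200 + len(text)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 1242388800, 0, 0, 0, 0x0102)  # stamp: 2009-05-15 12:00 UTC
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), text_off, 0, 0, 0, 0, 0x60000020)
    sect += struct.pack("<8sIIIIIIHHI", b".packed", len(packed), 0x2000, len(packed), packed_off, 0, 0, 0, 0, 0xE0000040)
    header = (bytes(dos) + b"PE\0\0" + coff + sect).ljust(text_off, b"\0")
    return header + text + packed


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(json.dumps(triage(blob), indent=2))
```

Run it as `python triage.py suspect.exe`; with no argument it triages the constructed sample. A section with entropy above 7 and a single tiny code section is the usual packer signature, which tells you that the strings list is going to be thin until the sample is unpacked in the VM, and that the hashes you submit will not match the unpacked payload anyone else has seen.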





From: pauldotcom-bounces at mail.pauldotcom.com
[mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Shaun Curry
Sent: Friday, May 15, 2009 11:08 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Malware analyzing tools?


I'm not a forensics expert, but I work on this stuff on a daily basis for
our customers.  I follow a pretty basic plan of attack for stuff like this:

1. Turn off system restore
2. Install, update, and run Malwarebytes (usually a quickscan in normal
3. Run Trend Micro's HouseCall from their website.
4. Check IE for BHOs

If there is still a problem I will move to autoruns to disable anything odd
starting up with the system and run process explorer to research

And, when all else fails - Nuke and Pave buddy... nuke and pave :P

Good Luck!
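Steps 4 and the autoruns follow-up above (check IE for BHOs, then look at what starts with the system) as an added example; this is not code from the message or from Autoruns. A BHO is registered as a CLSID subkey under the Browser Helper Objects key, and the CLSID maps to its DLL through the default value of its InprocServer32 key, so the script resolves each one and flags DLLs and Run-key commands that live in profile or temp directories, where installers do not put things but droppers do. On Windows it reads the live registry through winreg; the registry access sits behind a tiny reader interface so the same logic runs anywhere against the constructed SAMPLE_REGISTRY (made-up CLSIDs, paths and entry names).

```python
"""Which Browser Helper Objects and Run-key autostarts load from user-writable
locations? Added example; not code from the thread or from Autoruns.
"""
import sys

# IE's BHO list: one subkey per CLSID. Wow6432Node holds the 32-bit view on x64.
BHO_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
    r"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
)
# A CLSID resolves to its DLL through the default value of ...\InprocServer32.
CLSID_ROOTS = (r"SOFTWARE\Classes\CLSID", r"SOFTWARE\Classes\Wow6432Node\CLSID")
RUN_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
)
# Directories a normal installer does not register DLLs from; droppers use them.
SUSPICIOUS_DIRS = ("\\appdata\\", "\\application data\\", "\\local settings\\",
                   "\\temp\\", "\\programdata\\", "\\users\\public\\")


class WinRegReader:
    """Live registry (Windows only)."""

    def __init__(self):
        import winreg
        self.wr = winreg
        self.hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}

    def _enum(self, hive, path, fn):
        out = []
        try:
            with self.wr.OpenKey(self.hives[hive], path) as key:
                i = 0
                while True:             # EnumKey/EnumValue raise OSError past the last item
                    out.append(fn(key, i))
                    i += 1
        except OSError:                 # key missing, or no more items
            return out

    def subkeys(self, hive, path):
        return self._enum(hive, path, self.wr.EnumKey)

    def values(self, hive, path):
        return {name: data for name, data, _ in self._enum(hive, path, self.wr.EnumValue)}


class FakeReader:
    """In-memory registry for the demo and test: {(hive, path): {value_name: data}}.
    Paths compare case-insensitively, as in the real registry."""

    def __init__(self, keys):
        self.keys = {(h, p.lower()): v for (h, p), v in keys.items()}

    def subkeys(self, hive, path):
        prefix = path.lower() + "\\"
        return sorted({p[len(prefix):].split("\\")[0]
                       for h, p in self.keys if h == hive and p.startswith(prefix)})

    def values(self, hive, path):
        return self.keys.get((hive, path.lower()), {})


def is_suspicious_path(path):
    p = path.lower().strip('"')
    return any(d in p for d in SUSPICIOUS_DIRS)


def list_bhos(reader):
    """Every registered BHO with the DLL it maps to. Flagged when the DLL sits in
    a drop directory, or when HKLM has no InprocServer32 for it at all (a stale
    entry, or a COM server registered only under HKCU, which legit BHOs rarely do)."""
    found = []
    for key in BHO_KEYS:
        for clsid in reader.subkeys("HKLM", key):
            dll = None
            for root in CLSID_ROOTS:
                dll = reader.values("HKLM", f"{root}\\{clsid}\\InprocServer32").get("")
                if dll:
                    break
            found.append({"clsid": clsid, "dll": dll,
                          "suspicious": not dll or is_suspicious_path(dll)})
    return found


def list_autoruns(reader):
    """Run/RunOnce entries for the machine and the current user."""
    found = []
    for hive in ("HKLM", "HKCU"):
        for key in RUN_KEYS:
            for name, cmd in reader.values(hive, key).items():
                found.append({"hive": hive, "name": name, "command": str(cmd),
                              "suspicious": is_suspicious_path(str(cmd))})
    return found


# Constructed data for the demo: a vendor BHO, a BHO dropped into a profile
# directory, a vendor updater, and a "winlogon" look-alike in the user's Run key.
SAMPLE_REGISTRY = {
    ("HKLM", BHO_KEYS[0] + r"\{11111111-1111-1111-1111-111111111111}"): {},
    ("HKLM", CLSID_ROOTS[0] + r"\{11111111-1111-1111-1111-111111111111}\InprocServer32"):
        {"": r"C:\Program Files\Vendor\toolbar.dll"},
    ("HKLM", BHO_KEYS[0] + r"\{22222222-2222-2222-2222-222222222222}"): {},
    ("HKLM", CLSID_ROOTS[0] + r"\{22222222-2222-2222-2222-222222222222}\InprocServer32"):
        {"": r"C:\Documents and Settings\user\Application Data\svchost32.dll"},
    ("HKLM", RUN_KEYS[0]): {"VendorUpdate": r"C:\Program Files\Vendor\update.exe /silent"},
    ("HKCU", RUN_KEYS[0]): {"winlogon": r"C:\Windows\Temp\winlogon.exe"},
}


def report(reader):
    """Only the flagged entries: the short list an analyst actually looks at."""
    return ([b for b in list_bhos(reader) if b["suspicious"]]
            + [a for a in list_autoruns(reader) if a["suspicious"]])


if __name__ == "__main__":
    reader = WinRegReader() if sys.platform == "win32" else FakeReader(SAMPLE_REGISTRY)
    for entry in report(reader):
        print(entry)
```

The path check is deliberately a blunt heuristic: it is the same "does that look odd?" pass you do by eye in Autoruns, just over every entry at once. Treat the flagged list as things to hash and look up, not as a verdict, and remember that the Run keys are only two of the many autostart locations Autoruns walks (services, scheduled tasks, Winlogon, shell extensions), so a clean result here is not a clean machine.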
