PaulDotCom mailing list archives

Malware analyzing tools?
From: daniel at virturity.com (Daniel [Virturity.com])
Date: Fri, 15 May 2009 19:43:58 +0100

All good suggestions so far. Just adding a few more tools to the list.
The most important one is that freeware between your ears, of course. ;)

Rapier - http://code.google.com/p/rapier/
Gmer - www.gmer.net
oSpy - http://code.google.com/p/ospy/
helios - http://helios.miel-labs.com

On Fri, 2009-05-15 at 13:45 -0400, Chris Hague wrote:
So a few things that I usually do as part of my forensic
investigations that involve malware.

I guess if you are analyzing malware as opposed to is my system
infected with it, then I would suggest using a range of tools and

For instance, if you have come across an unknown binary you could
upload it to a "sandbox" like Norman Sandbox
(http://www.norman.com/microsites/nsic/), or Virus Total
(http://www.virustotal.com/) - both are automated. If you prefer the
more manual approach, then I would recommend a VM-like environment so
you don't tank your machine. Use tools such as SysAnalyzer
(http://labs.idefense.com/software/malcode.php) [somewhat dated], but
it still works. Another option is to use a debugger to see exactly what
the file is doing.

As suggested in earlier threads, use filemon, regmon, process monitor
and explorer, and Wireshark. However, if you have the time, set up a
2nd VM as a gateway, basically becoming the man in the middle.

For the infected systems several of the incident response companies
offer free tools to help detect malcode;
(http://www.mandiant.com/software.htm) is one of them.

I think Shaun's last point is spot on. When in doubt, reload.

Hope this helps,


From: pauldotcom-bounces at mail.pauldotcom.com
[mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Shaun
Sent: Friday, May 15, 2009 11:08 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Malware analyzing tools?

I'm not a forensics expert, but I work on this stuff on a daily basis
for our customers. I follow a pretty basic plan of attack for stuff
like this:

1. Turn off system restore
2. Install, update, and run Malwarebytes (usually a quick scan in
normal Windows)
3. Run TrendMicro's HouseCall from their website.
4. Check IE for BHOs

If there is still a problem I will move to autoruns to disable
anything odd starting up with the system and run process explorer to
research svchost.exe.

And, when all else fails - nuke and pave, buddy... nuke and pave :P

Good Luck!

Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
Main Web Site: http://pauldotcom.com
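Shaun's "check IE for BHOs" step and the autoruns follow-up can be done straight from the registry before reaching for the GUI tools. This is an added example, not code from anyone in the thread; it assumes a Windows host with PowerShell, an elevated prompt (so the HKLM hives are readable), and the standard BHO and Run registry keys. The "Suspicious" column is a hypothetical triage heuristic (file missing, unsigned, or sitting in a user-writable folder), not a verdict.

```powershell
# Added example (not from the thread): list IE Browser Helper Objects and Run-key
# autostarts, resolve each to its file on disk, and flag anything missing, unsigned
# or living in a user-writable folder. Assumes a Windows host and an elevated prompt.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$runKeys = 'HKLM:', 'HKCU:' | ForEach-Object {
    "$_\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    "$_\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
}

function Resolve-Executable([string]$cmd) {
    # Extract the program from a Run value such as:  "C:\x\a.exe" /silent
    $p = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
    [Environment]::ExpandEnvironmentVariables($p)
}

function Get-EntryReport([string]$source, [string]$name, [string]$path) {
    $exists = [bool]($path -and (Test-Path -LiteralPath $path))
    $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
    # Heuristic only: malware often drops into Temp, AppData or Downloads.
    $userWritable = $path -match '\\(Temp|AppData|Downloads)\\'
    [pscustomobject]@{
        Source = $source; Name = $name; Path = $path; Exists = $exists; Signature = "$sig"
        Suspicious = (-not $exists) -or ("$sig" -ne 'Valid') -or $userWritable
    }
}

$report = @(foreach ($key in $bhoKeys) {
    if (-not (Test-Path $key)) { continue }
    # 32-bit BHOs register their CLSID under the Wow6432Node copy of the CLSID hive.
    $clsidRoot = if ($key -like '*Wow6432Node*') { 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' } else { 'HKLM:\SOFTWARE\Classes\CLSID' }
    foreach ($sub in Get-ChildItem -Path $key) {
        # Each BHO subkey is a CLSID; InprocServer32's default value is the DLL IE loads.
        $srv = "$clsidRoot\$($sub.PSChildName)\InprocServer32"
        $dll = if (Test-Path $srv) { (Get-ItemProperty -Path $srv).'(default)' } else { '' }
        Get-EntryReport 'BHO' $sub.PSChildName ([Environment]::ExpandEnvironmentVariables("$dll"))
    }
})
$report += @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    # Get-ItemProperty adds PSPath/PSChildName etc.; skip those, keep the real values.
    $values = (Get-ItemProperty -Path $key).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
    foreach ($v in $values) { Get-EntryReport 'Run' $v.Name (Resolve-Executable "$($v.Value)") }
})
$report | Sort-Object Suspicious -Descending | Format-Table Source, Name, Signature, Suspicious, Path -AutoSize
```

A flagged row is a prompt to look closer with process explorer or autoruns, not proof of infection; plenty of legitimate software ships unsigned or installs under AppData.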
