[Pauldotcom] Malware analyzing tools?
Daniel [Virturity.com]
daniel at virturity.com
Fri May 15 18:43:58 UTC 2009
All good suggestions so far. Just adding a few more tools to the list.
The most important one is that freeware between your ears, of course. ;)
Rapier - http://code.google.com/p/rapier/
Gmer - www.gmer.net
oSpy - http://code.google.com/p/ospy/
helios - http://helios.miel-labs.com
On Fri, 2009-05-15 at 13:45 -0400, Chris Hague wrote:
> So a few things that I usually do as part of my forensic
> investigations that involve malware.
>
> I guess if you are analyzing malware, as opposed to "is my system
> infected with it?", then I would suggest using a range of tools and
> resources.
>
> For instance, if you have come across an unknown binary you could
> upload it to a “sandbox” like Norman Sandbox
> (http://www.norman.com/microsites/nsic/), or Virus Total
> (http://www.virustotal.com/) – both are automated. If you prefer the
> more manual approach, then I would recommend a VM like environment so
> you don’t tank your machine. Use tools such as SysAnalyzer
> (http://labs.idefense.com/software/malcode.php) [somewhat dated, but
> still works]. Another option is to use a debugger to see exactly what
> the file is doing.
>
> As suggested in earlier threads, use filemon, regmon, process monitor
> and explorer, and Wireshark. However, if you have the time, set up a
> 2nd VM as a gateway basically becoming the man in the middle.
>
> For the infected systems, several of the incident response companies
> offer free tools to help detect malcode;
> (http://www.mandiant.com/software.htm) is one of them.
>
> I think Shaun’s last point is spot on. When in doubt, reload.
>
> Hope this helps,
>
> Chris
>
> ______________________________________________________________________
> From: pauldotcom-bounces at mail.pauldotcom.com
> [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Shaun
> Curry
> Sent: Friday, May 15, 2009 11:08 AM
> To: PaulDotCom Security Weekly Mailing List
> Subject: Re: [Pauldotcom] Malware analyzing tools?
>
> I'm not a forensics expert, but I work on this stuff on a daily basis
> for our customers. I follow a pretty basic plan of attack for stuff
> like this:
>
> 1. Turn off system restore
> 2. Install, update, and run Malwarebytes (usually a quick scan in
> normal Windows)
> 3. Run TrendMicro's HouseCall from their website.
> 4. Check IE for BHOs
>
> If there is still a problem I will move to autoruns to disable
> anything odd starting up with the system and run process explorer to
> research svchost.exe.
>
> And, when all else fails - Nuke and Pave buddy... nuke and pave :P
>
> Good Luck!
>
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com