Are there sites or services which analyze software for malicious content?
Close_Hauled
August 10th, 2006, 12:43 PM
The brother of a friend of mine went to a web site and downloaded an application that stole his account information for the game. The idiot thought that he was downloading a game hack.
My friend gave me the web site and I did some research. The site is very new and based in the US. They are using a free web hosting service (freewebs.com) and Domains by Proxy as their registrant.
What I would like to do now is download their software and analyze it, or have it analyzed. I would like to see what it is doing.
I already submitted the web site to SiteAdvisor. Are there any other sites or applications that can analyze software for malicious content?
TOMxEU
August 10th, 2006, 02:05 PM
Dr.Web Plug-in (http://download.drweb.com/drweb+antivirus+free+services/#01) can scan a link or file for malware & LinkScanner (http://www.explabs.com/linkscanner) can scan webpage for exploits.
Close_Hauled
August 10th, 2006, 02:38 PM
{QUOTE-> Dr.Web Plug-in (http://download.drweb.com/drweb+antivirus+free+services/#01) can scan a link or file for malware & LinkScanner (http://www.explabs.com/linkscanner) can scan webpage for exploits. <-QUOTE}
Thanks for the response. I am looking for something that uses heuristic detection instead of scanning for known signatures. Antivirus applications can only find known viruses. I want something that can look for unknown viruses.
WSFuser
August 10th, 2006, 03:46 PM
If the software is small, you can try using Jotti's online malware scan (http://virusscan.jotti.org/). Some of the AVs do use heuristics.
You can use Filemon (http://www.sysinternals.com/Utilities/Filemon.html) and Regmon (http://www.sysinternals.com/Utilities/Regmon.html) to see what the software does, but you have to risk installing it for the two programs to track it.
Close_Hauled
August 10th, 2006, 04:01 PM
{QUOTE-> If the software is small, you can try using Jotti's online malware scan (http://virusscan.jotti.org/). Some of the AVs do use heuristics. <-QUOTE}
Ahh, I remember this site. Thanks. I will give it a try tonight.
{QUOTE-> You can use Filemon (http://www.sysinternals.com/Utilities/Filemon.html) and Regmon (http://www.sysinternals.com/Utilities/Regmon.html) to see what the software does, but you have to risk installing it for the two programs to track it. <-QUOTE}
Oh, not on my machine! One of these days I should build a test mule at home.
ronjor
August 10th, 2006, 04:11 PM
The Dr. Web plugin for Firefox is actually quite good. All it takes is a right click on the app you want to download.
gerardwil
August 10th, 2006, 04:17 PM
It also works for Opera fans but needs a little work:
http://download.drweb.com/opera+browser+plugin/
Gerard
Brian N
August 11th, 2006, 09:35 AM
Didn't know such an extension was around.
That thing is now bookmarked :)
Close_Hauled
August 11th, 2006, 11:06 AM
Thanks for all the great replies. I also sent the files in question to DiamondCS for analysis. They confirmed that the files from the site are actually all the same, just the name is different. They said that the program is a remote trojan, keylogger and password stealer.
Now that we know this, how do we get this file listed in databases as a known trojan? I submitted the file to http://virusscan.jotti.org/ and only four or five scanners recognized it through heuristics as dangerous. The rest saw the file as safe. Is there a way to get this information out there to the anti-virus, anti-spyware community?
My other question is how can a person seek legal action. Obviously this is a criminal activity. If you have evidence like this, how do you go about shutting a site like this down?
Bubba
August 11th, 2006, 11:16 AM
{QUOTE-> Is there a way to get this information out there to the anti-virus, anti-spyware community? <-QUOTE}If you have not done so already... I would suggest hopping on over to dslreports and following the instructions on how to Submit Suspected Malware: (http://www.dslreports.com/faq/8428#submit)
Bubba
Close_Hauled
August 11th, 2006, 11:34 AM
{QUOTE-> If you have not done so already... I would suggest hopping on over to dslreports and following the instructions on how to Submit Suspected Malware: (http://www.dslreports.com/faq/8428#submit)
Bubba <-QUOTE}
Thanks Bubba. That is a great page.
Pieter_Arntz
August 11th, 2006, 11:51 AM
Jotti also auto"magically" submits all new files that get identified as malware, if I'm not mistaken.
Regards,
Pieter
Moore
August 11th, 2006, 12:32 PM
A good way to check a suspected malicious file's behaviour is through a sandbox analysis; the report will be sent to your email address:
Sunbelt/CWS Sandbox:
http://research.sunbelt-software.com/Submit.aspx
http://www.cwsandbox.org/
Norman Sandbox:
http://sandbox.norman.no/live_4.html
Example:
{QUOTE-> CWSandbox Analysis report for file: 0e6eb631f6d0db70790b1b1246eab1ea.exe
Processes 1 (c:\temp\0e6eb631f6d0db70790b1b1246eab1ea.exe
MD5: [0e6eb631f6d0db70790b1b1246eab1ea], PID 120, User: Administrator)
==============================================================================
DLL-Handling
==============================================================================
Loaded DLL - DLL: (c:\temp\0e6eb631f6d0db70790b1b1246eab1ea.exe)
Loaded DLL - DLL: (C:\WINDOWS\System32\ntdll.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\kernel32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\user32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\GDI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ADVAPI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\RPCRT4.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\oleaut32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\MSVCRT.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\OLE32.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\comctl32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\wsock32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\WS2_32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\WS2HELP.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\Wship6.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\iphlpapi.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\pstorec.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\ATL.DLL)
Loaded DLL - DLL: (C:\WINDOWS\System32\mswsock.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\DNSAPI.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\winrnr.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WLDAP32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\Secur32.dll)
Loaded DLL - DLL: (advapi32.dll)
Loaded DLL - DLL: (ntdll.dll)
Loaded DLL - DLL: (USER32.dll)
==============================================================================
Filesystem Changes
==============================================================================
Open File: \\.\PIPE\svcctl (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
==============================================================================
Process Management
==============================================================================
Enum Processes
Open Process - Filename (C:\WINDOWS\Explorer.EXE) CommandLine: () Target PID: (1712) As User: () Creation Flags: ()
==============================================================================
Service Management
==============================================================================
Open Service Manager - Name: (SCM) Start Type: ()
Create Service - Name: (pe386) Display Name: (Win23 lzx files loader ) File Name: (C:\WINDOWS\System32:lzx32.sys) Control: () Start Type: (SERVICE_SYSTEM_START)
Start Service - Name: (pe386) Display Name: () File Name: () Control: () Start Type: ()
==============================================================================
System Info
==============================================================================
Get System Directory
==============================================================================
Threads
==============================================================================
Create Remote Thread - Target PID (1712) Thread ID ($0510) Thread ID ($00BA0100) Parameter Address ($00123456) Creation Flags (CREATE_SUSPENDED)
==============================================================================
Virtual Memory
==============================================================================
VM Allocate - Target: (1712) Address: ($00BA0000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT,MEM_RESERVE)
VM Allocate - Target: (1712) Address: ($00BD0000) Size: (65536) Protect: (PAGE_READWRITE) Allocation Type: (MEM_RESERVE)
VM Allocate - Target: (1712) Address: ($00BDE000) Size: (8192) Protect: (PAGE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Protect - Target: (1712) Address: ($00BA0000) Size: (4096) Protect: (PAGE_READWRITE) Allocation Type: ()
VM Protect - Target: (1712) Address: ($00BA0000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (1712) Address: ($00BA0000) Size: (4096) Protect: (PAGE_READWRITE) Allocation Type: ()
VM Protect - Target: (1712) Address: ($00BDE000) Size: (4096) Protect: (PAGE_READWRITE,PAGE_GUARD) Allocation Type: ()
VM Write - Target: (1712) Address: ($00BA0000) Size: (256) Protect: () Allocation Type: ()
VM Write - Target: (1712) Address: ($00BA0100) Size: (2306) Protect: () Allocation Type: ()
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Processes 2 (services.exe MD5: [], PID 536, User: SYSTEM)
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
==============================================================================
Service Management
==============================================================================
Load Driver - Name: (\Registry\Machine\System\CurrentControlSet\Services\pe386) File Name: ()
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Processes 3 (C:\WINDOWS\Explorer.EXE
MD5: [a82b28bfc2e4455fe43022a498c0ef0a], PID 1712, User: Administrator)
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
==============================================================================
DLL-Handling
==============================================================================
Loaded DLL - DLL: (C:\WINDOWS\Explorer.EXE)
Loaded DLL - DLL: (C:\WINDOWS\System32\ntdll.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\kernel32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\msvcrt.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ADVAPI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\RPCRT4.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\GDI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\USER32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\SHLWAPI.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\SHELL32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ole32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\OLEAUT32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\BROWSEUI.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\SHDOCVW.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\UxTheme.dll)
Loaded DLL - DLL: (C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1612_x-ww_7c379b08\)
Loaded DLL - DLL: (C:\WINDOWS\system32\comctl32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\appHelp.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\CLBCATQ.DLL)
Loaded DLL - DLL: (C:\WINDOWS\System32\COMRes.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\VERSION.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\cscui.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\CSCDLL.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\themeui.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\Secur32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\MSIMG32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\USERENV.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\NETAPI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\SAMLIB.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\LINKINFO.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\ntshrui.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\ATL.DLL)
Loaded DLL - DLL: (C:\WINDOWS\System32\SETUPAPI.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\urlmon.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\NETSHELL.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\credui.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WS2_32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WS2HELP.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\iphlpapi.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\WINSTA.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\webcheck.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\stobject.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\BatMeter.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\POWRPROF.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\WTSAPI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\msi.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WININET.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\CRYPT32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\MSASN1.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\printui.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\WINSPOOL.DRV)
Loaded DLL - DLL: (C:\WINDOWS\System32\ACTIVEDS.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\adsldpc.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WLDAP32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\CFGMGR32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\MPR.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\WINMM.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\browselc.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\drprov.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\ntlanman.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\NETUI0.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\NETUI1.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\NETRAP.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\davclnt.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\hgfs1.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\DUSER.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\MSGINA.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\ODBC32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\comdlg32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\odbcint.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\shdoclc.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\SXS.DLL)
Loaded DLL - DLL: (C:\WINDOWS\System32\wsock32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\Wship6.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\pstorec.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\mswsock.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\DNSAPI.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\winrnr.dll)
Loaded DLL - DLL: (comctl32.dll)
Loaded DLL - DLL: (RASAPI32.DLL)
Loaded DLL - DLL: (RTUTILS.DLL)
Loaded DLL - DLL: (SHELL32.dll)
Loaded DLL - DLL: (netapi32.dll)
Loaded DLL - DLL: (WININET.dll)
==============================================================================
Filesystem Changes
==============================================================================
Find File: C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Find File: C:\WINDOWS\System32\Ras\*.pbk
Find File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Open File: \\.\PIPE\svcctl (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: c:\autoexec.bat (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_READ), (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS)
Get File Attributes: C:\analysis\cwsandbox.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)
==============================================================================
Mutex Changes
==============================================================================
Creates Mutex: RasPbFile
==============================================================================
Service Management
==============================================================================
Open Service Manager - Name: (SCM) Start Type: ()
Open Service - Name: (RASMAN) Start Type: ()
==============================================================================
System Info
==============================================================================
Get System Directory
Get Computer Name
Get System Time
==============================================================================
User Management
==============================================================================
Impersonate User - Domain: () User: (Administrator) Host: () Handle: (2380)
==============================================================================
Window
==============================================================================
Enum Windows
==============================================================================
Winsock
==============================================================================
Report generated at 8/8/2006 3:10:40 PM with CWSandbox Version Beta 1.80
This analysis was created by the CWSandbox Copyright © 2006 Carsten Willems
Copyright © 1996-2006 Sunbelt Software. All rights reserved. <-QUOTE}
Close_Hauled
August 11th, 2006, 04:01 PM
{QUOTE-> A good way to check a suspected malicious file's behaviour is through a sandbox analysis; the report will be sent to your email address:
Sunbelt/CWS Sandbox:
http://research.sunbelt-software.com/Submit.aspx
http://www.cwsandbox.org/
Norman Sandbox:
http://sandbox.norman.no/live_4.html
Example: <-QUOTE}
That is awesome. I will give this a try tonight.
Brian N
August 12th, 2006, 06:42 PM
-----------------------
Moore
August 13th, 2006, 01:40 AM
Obviously... but the question was " Are there sites or services which analyze software for malicious content? "
Yes, a sandbox will analyze the files for you ..
No, it won't teach you how to interpret the results ..
There's nothing stopping you from showing those results to someone who does know a little more about these things though.
If you have files that go off to download even more files from unknown sites in the sandbox results, or start adding things to the registry and system files folders, then it's highly likely the file is up to no good.
If you have absolutely no idea what you are doing, then at least the Norman Sandbox is able to identify malicious files to some extent, but it's not 100%. But then neither are any of the antivirus/trojan/spyware scanners.
{QUOTE->
emsyio.exe
: [NORMAN SANDBOX] contains a security risk - W32/Downloader (Signature:W32/Agent.AGKM)
[ General information ]
* File might be compressed.
* Decompressing FSG.
* File length: 14720 bytes.
* MD5 hash: 0f216f13d2a8a73f2bdde8120fb20c18.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\vdrv]EW[.exe.
[ Network services ]
* Opens URL: hxxp://*.biz/traff/ppiigg.exe.
[ Security issues ]
* Starting downloaded file - potential security problem.
[ Signature Scanning ]
* C:\WINDOWS\SYSTEM32\vdrv]EW[.exe (4096 bytes) : no signature detection.
File downloaded from hxxp://*.biz/traff/ppiigg.exe. -
recognized as type HTML
<-QUOTE}
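A small triage script, added here as an illustration (it is not code from this thread, from Sunbelt, CWSandbox or Norman): it pulls the behaviours Moore describes (service and driver installation, injection into another process, files dropped into the system folder, downloads that are then executed) out of report lines in the shapes shown in the CWSandbox and Norman reports quoted above. The sample report is a constructed handful of lines in those two formats, and the rule set and verdict thresholds are this example's own assumptions.

```python
import re

# Constructed sample: a few lines in the shapes of the CWSandbox and Norman
# SandBox reports quoted in this thread (not a complete report).
SAMPLE_REPORT = r"""
Create Service - Name: (pe386) Display Name: (Win23 lzx files loader ) File Name: (C:\WINDOWS\System32:lzx32.sys) Control: () Start Type: (SERVICE_SYSTEM_START)
Create Remote Thread - Target PID (1712) Thread ID ($0510) Thread ID ($00BA0100) Parameter Address ($00123456) Creation Flags (CREATE_SUSPENDED)
VM Write - Target: (1712) Address: ($00BA0000) Size: (256) Protect: () Allocation Type: ()
Get System Directory
Load Driver - Name: (\Registry\Machine\System\CurrentControlSet\Services\pe386) File Name: ()
* Creates file C:\WINDOWS\SYSTEM32\vdrv]EW[.exe.
* Opens URL: hxxp://*.biz/traff/ppiigg.exe.
* Starting downloaded file - potential security problem.
"""

# (finding label, regex over one report line); named groups become the detail.
# The patterns only cover line shapes seen in those two report formats.
RULES = [
    ("creates service",
     re.compile(r"^Create Service - Name: \((?P<name>[^)]*)\).*?File Name: \((?P<file>[^)]*)\)")),
    ("loads kernel driver",
     re.compile(r"^Load Driver - Name: \((?P<name>[^)]*)\)")),
    ("injects thread into another process",
     re.compile(r"^Create Remote Thread - Target PID \((?P<pid>\d+)\)")),
    ("writes memory of another process",
     re.compile(r"^VM Write - Target: \((?P<pid>\d+)\)")),
    ("drops file into system directory",
     re.compile(r"^\* Creates file (?P<file>[A-Za-z]:\\WINDOWS\\SYSTEM32\\.+?)\.?$", re.I)),
    ("downloads from external URL",
     re.compile(r"^\* Opens URL: (?P<url>\S+?)\.?$")),
    ("executes downloaded file", re.compile(r"^\* Starting downloaded file")),
]


def extract_findings(report_text):
    """Return [(label, detail_dict), ...] in report order, one per matched line."""
    findings = []
    for line in report_text.splitlines():
        line = line.strip()
        for label, pattern in RULES:
            match = pattern.match(line)
            if not match:
                continue
            detail = match.groupdict()
            findings.append((label, detail))
            path = detail.get("file") or ""
            # A colon after the drive letter means the binary lives in an NTFS
            # alternate data stream, which a normal directory listing does not show.
            if ":" in path[2:]:
                findings.append(("hides binary in alternate data stream", {"file": path}))
    return findings


def verdict(findings):
    """Moore's rule of thumb made explicit: more than one kind of flagged
    behaviour is a strong sign the file is up to no good (threshold assumed)."""
    kinds = {label for label, _ in findings}
    if len(kinds) >= 2:
        return "likely malicious"
    return "suspicious" if kinds else "no flagged behaviour"
```

Run it over a real report saved as text and hand the findings list, not the raw report, to whoever you ask for a second opinion.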
Close_Hauled
August 14th, 2006, 05:42 PM
I got a response from CW Sandbox, but it was in XML format. The site does not explain how to use it. Does anyone know?
Moore
September 21st, 2006, 10:46 AM
Try the Sunbelt or Norman sandbox instead of the CWS site; both of their report outputs are easier to read/use.
Maybe post the report as an attachment here if you need to; I'm sure someone will be able to look at it. Or PM it to me if it's not allowed.