
A good malware analyser?


tuatara
April 13th, 2008, 10:29 AM
To investigate what certain malware samples exactly do,
you need a malware analyser.
For me this is a collection of tools I have collected over the years.
And I am always tuning and changing these.
But sometimes I have the idea that I am 'reinventing the wheel'.
Are there any recommended malware analysers that I can use?
Or tools you guys can recommend?
Because I am old, but never too old to learn ;D

For the record, I don't mean web services where you can upload samples to.

EASTER
April 13th, 2008, 11:20 AM
I think I might still have a pretty good malware decompiler named IceBreaker that I picked up some time back, but it's no doubt buried in a stack of CDs. I'll look for it later today and forward it to you if I can find it again.

EP_X0FF once generously detailed a comprehensive list of the vital tools he uses himself, in answer to a question posed to him, but I long ago forgot where that post is; it included PEiD and various other tools to check drivers etc.

If I can find that post I'll link it for you.

Meriadoc
April 13th, 2008, 04:20 PM
Hi, here is a list I use (mainly virtual machine, assembler-level analysing debuggers, disassemblers...)

VMWare Workstation 6 or test machine
WinDbg or OllyDbg + plugins
PEiD
Syser 1.96, SoftIce and Borland Delphi5 debugger
WDasm and IDA tools
NEOx
SysAnalyzer
HookExplorer
SocketTool

tuatara
April 13th, 2008, 05:52 PM
Some new ones, thanks guys !

:thumb:

Matern
April 13th, 2008, 08:02 PM
Here is another one: http://www.norman.com/microsites/malwareanalyzer/Products/analyzer

Hermescomputers
April 14th, 2008, 07:13 PM
Hi,

The best tool I know is PE Explorer http://www.heaventools.com/ You can use these for reverse engineering the bad programs.

Norman SandBox Analyzer (explode the malware inside the sandbox and study its functions as they expand)
http://www.norman.com/microsites/malwareanalyzer/Products/analyzer

OSAM (Online Solutions Autorun Manager)
This is an online mechanism that scans for malware functions within autorun loaders. http://www.online-solutions.ru/en/osam_autorun_manager.php

Note that everything I mentioned above is rather complex to play with without appropriate understanding of the needful. Here are a few courses available on the subject:

Self-teaching aid, Parts 1-5 (from Windows Security)
http://www.windowsecurity.com/articles/Reverse-Engineering-Malware-Part1.html

SANS Institute offers training programs on reverse engineering of malware:
http://www.sans.org/training/description.php?mid=54

InfoSec Institute also offers training on reverse engineering malware: http://www.infosecinstitute.com/courses/reverse_engineering_training.html

Lenny Zeltser
http://www.zeltser.com/reverse-malware/

Have fun causing trouble to hackers! :D

Ilya Rabinovich
April 15th, 2008, 04:26 AM
AVZ
www.z-oleg.com

Meriadoc
April 15th, 2008, 04:37 AM
-{ Quote: "The best tool I know is PE Explorer http://www.heaventools.com/ You can use these for reverse engineering the bad programs." }-
Forgot I had PE Explorer, I have Resource Tuner from them also, great tools.

EASTER
April 15th, 2008, 04:51 AM
-{ Quote: "AVZ
www.z-oleg.com" }-

I hold a very special favor for this program, Ilya; it's a really full profiler and shows good info, and I have yet to see one this well charted.

Xenophobe
April 15th, 2008, 05:57 AM
PEiD
OllyDBG (Modified engines w/ plugins and scripts)
IDA
VMWare
DeDe
VB Decompiler
.NET Reflector

Hermescomputers
April 15th, 2008, 07:40 AM
-{ Quote: "AVZ
www.z-oleg.com" }-

Holla Ilya,

Do they have a site in Anglese.... Me Greek? Rusky? or is it something else... is a little rusty...

CogitoErgoSum
April 15th, 2008, 08:34 AM
Hello Hermescomputers,

Here is a translated link to the AVZ Antivirus Utility.

http://209.85.135.104/translate_c?hl=en&langpair=ru%7Cen&u=http://z-oleg.com/secur/avz/download.php

Hope this helps.


Peace & Gratitude,

CogitoErgoSum

CogitoErgoSum
April 15th, 2008, 09:12 AM
Hello tuatara,

RegRun Gold or Platinum is another one to consider.

http://greatis.com/security/


Peace & Gratitude,

CogitoErgoSum

Ilya Rabinovich
April 15th, 2008, 09:59 AM
-{ Quote: "Rusky? or is it something else..." }-
Yes, it is in Russian.

tuatara
April 16th, 2008, 11:10 AM
A very useful thread, thanks a lot guys ! :thumb:

Hermescomputers
April 16th, 2008, 11:50 AM
CogitoErgoSum

Yes... Thanks! I didn't spend enough time on the site to figure out its useful bits... I will soon though.

Cheers! :D

MrBrian
April 16th, 2008, 05:53 PM
Try RAPIER, found at http://code.google.com/p/rapier/downloads/list. RAPIER is a branch of Intel's RPIER project. RAPIER automates the collection of various types of system information. Some of the tools RAPIER uses come from third parties, and some of these need to be downloaded separately. The information collected can be used to look for signs of malware. The user chooses which of many modules to run. The server part of RAPIER doesn't need to be installed in order for RAPIER to run. Screenshots of RAPIER's modules are found at http://www.wilderssecurity.com/showthread.php?t=201634&page=3. The items marked with 'MISSING REQUIRED FILES' are those for which you need to obtain the needed tools separately.

SysAnalyzer has already been mentioned. One of the interesting things SysAnalyzer can do is look at the memory of a process for code that detects a virtual machine. If a program has virtual machine detection code, then in most cases it should be regarded as suspicious. If anybody knows of another program that does the same thing (detects virtual machine detection code), please share your knowledge.

Other things mentioned in http://www.wilderssecurity.com/showthread.php?t=201634 may be of interest to this discussion also.
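What "looking at the memory of a process for code that detects a virtual machine" amounts to in practice, as an added example that is not part of MrBrian's post and is not SysAnalyzer's own logic: a triage scanner over a raw x86 code buffer (a process memory dump or a PE section) for the instruction sequences and artifact strings that VM checks usually rely on, namely SIDT/SGDT/SLDT/STR, CPUID, the VMware I/O backdoor (the "VMXh" magic with port "VX" and an IN instruction), and strings such as VMware or VBOX. The sample bytes are constructed here, and the weights and thresholds are my own choices, not something the thread states.

```python
"""Triage scanner for VM-detection patterns in a raw x86 code buffer.

Added example (not SysAnalyzer's code): run it over a process memory dump
or a PE section to flag the instruction sequences and artifact strings that
virtual-machine checks usually rely on.
"""
import re
from dataclasses import dataclass
from typing import List

# Encodings (32-bit x86):
#   SGDT m      0F 01 /0      SIDT m     0F 01 /1   (memory operand only)
#   SLDT r/m    0F 00 /0      STR r/m    0F 00 /1
#   CPUID       0F A2
#   MOV EAX, 0x564D5868 ("VMXh")  B8 68 58 4D 56   VMware backdoor magic
#   MOV DX,  0x5658     ("VX")    66 BA 58 56      VMware backdoor port
#   IN EAX, DX  ED   /   IN AL, DX  EC
VMXH_MAGIC = b"\xb8\x68\x58\x4d\x56"
VX_PORT = b"\x66\xba\x58\x56"
IN_OPCODES = (b"\xed", b"\xec")
# Strings malware compares against registry keys, device names or vendor IDs.
ARTIFACT_STRINGS = [b"VMware", b"VBOX", b"VirtualBox", b"QEMU"]


@dataclass
class Hit:
    offset: int
    kind: str
    weight: int  # how strongly the pattern implies a VM check (my own scale)


def scan(buf: bytes) -> List[Hit]:
    """Return every VM-detection pattern found in buf, ordered by offset."""
    hits: List[Hit] = []
    n = len(buf)
    for i in range(n - 1):
        b0, b1 = buf[i], buf[i + 1]
        if b0 == 0x0F and b1 == 0x01 and i + 2 < n:
            modrm = buf[i + 2]
            # SGDT/SIDT require a memory operand; mod == 3 is VMCALL/MONITOR etc.
            if (modrm >> 6) != 3:
                reg = (modrm >> 3) & 7
                if reg == 0:
                    hits.append(Hit(i, "sgdt", 3))
                elif reg == 1:
                    hits.append(Hit(i, "sidt", 3))
        elif b0 == 0x0F and b1 == 0x00 and i + 2 < n:
            reg = (buf[i + 2] >> 3) & 7
            if reg == 0:
                hits.append(Hit(i, "sldt", 3))
            elif reg == 1:
                hits.append(Hit(i, "str", 3))
        elif b0 == 0x0F and b1 == 0xA2:
            # CPUID is routine in benign code (feature detection), so weight it low.
            hits.append(Hit(i, "cpuid", 1))
        elif buf.startswith(VMXH_MAGIC, i):
            # The backdoor needs the magic, the port and an IN close together.
            window = buf[i:i + 32]
            if VX_PORT in window and any(op in window for op in IN_OPCODES):
                hits.append(Hit(i, "vmware-backdoor", 5))
            else:
                hits.append(Hit(i, "vmxh-magic", 3))
    for s in ARTIFACT_STRINGS:
        for m in re.finditer(re.escape(s), buf, re.IGNORECASE):
            hits.append(Hit(m.start(), "string:" + s.decode(), 2))
    return sorted(hits, key=lambda h: h.offset)


def score(hits: List[Hit]) -> int:
    return sum(h.weight for h in hits)


def verdict(buf: bytes) -> str:
    s = score(scan(buf))
    if s >= 5:
        return "suspicious: VM-detection code present"
    if s > 0:
        return "review: possible VM check, weak evidence"
    return "clean: no VM-detection pattern"


# Constructed sample: a benign prologue followed by a SIDT check, the VMware
# backdoor sequence, a CPUID and an artifact string.
SAMPLE = (
    b"\x55\x8b\xec"              # push ebp; mov ebp, esp
    b"\x0f\x01\x0c\x24"          # sidt [esp]
    b"\x90\x90"                  # nop; nop
    b"\xb8\x68\x58\x4d\x56"      # mov eax, "VMXh"
    b"\x66\xba\x58\x56"          # mov dx, "VX"
    b"\xed"                      # in eax, dx
    b"\x0f\xa2"                  # cpuid
    b"\x00VMware\x00"            # artifact string in a data area
    b"\xc3"                      # ret
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h.offset:#06x}  {h.kind:<16} weight={h.weight}")
    print(verdict(SAMPLE))
```

CPUID is deliberately weighted low because compilers and runtimes emit it for ordinary feature detection; SIDT/SGDT/SLDT in user-mode code and the VMware backdoor sequence have almost no benign use, which is why they carry the verdict. The scanner is purely pattern-based, so a check that builds its opcodes at runtime or reads VM artifacts through an API will not show up; treat a "clean" result as absence of the obvious patterns, not proof that the sample is VM-agnostic, which is the same caveat MrBrian's "in most cases" carries.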

MrBrian
April 16th, 2008, 06:10 PM
-{ Quote: "Hi, here is a list I use (mainly virtual machine, assembler-level analysing debuggers, disassemblers...)

VMWare Workstation 6 or test machine
WinDbg or OllyDbg + plugins
PEiD
Syser 1.96, SoftIce and Borland Delphi5 debugger
WDasm and IDA tools
NEOx
SysAnalyzer
HookExplorer
SocketTool" }-

Just a quick note that SocketTool can be found at http://labs.idefense.com/software/malcode.php in Malcode Analysis Pack. Some may find the other tools in Malcode Analysis Pack useful also.

MrBrian
April 16th, 2008, 06:47 PM
Process Monitor, TCPView, and other Sysinternals tools

MrBrian
April 16th, 2008, 08:49 PM
Another approach is to use an extensive HIPS such as Comodo Firewall 3 or a behavioral pattern recognition program such as ThreatFire. Testing for malware inside a virtual machine is less ideal than using a physical machine because some malware changes its behavior in the presence of a virtual machine. However, if you do wish to use a virtual machine to test malware, and you're using VMware, then perhaps use the information on page 23 of the article 'On the Cutting Edge: Thwarting Virtual Machine Detection', found at http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf, to reduce the ability of a program to detect that it's running in a VMware virtual machine.
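As an added example that is not part of MrBrian's post: the .vmx settings usually cited from the Liston/Skoudis paper for making a VMware Workstation guest harder to fingerprint. They are reproduced here from memory rather than from the page, so check them against page 23 of the paper before relying on them. They go in the guest's .vmx file while the VM is powered off.

```ini
# Added example: VMware Workstation .vmx lines as commonly cited from the
# Liston/Skoudis paper (reproduced from memory; verify against the paper).
isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
isolation.tools.getVersion.disable = "TRUE"
monitor_control.disable_directexec = "TRUE"
monitor_control.disable_chksimd = "TRUE"
monitor_control.disable_ntreloc = "TRUE"
monitor_control.disable_selfmod = "TRUE"
monitor_control.disable_reloc = "TRUE"
monitor_control.disable_btinout = "TRUE"
monitor_control.disable_btmemspace = "TRUE"
monitor_control.disable_btpriv = "TRUE"
monitor_control.disable_btseg = "TRUE"
```

The isolation.tools lines switch off individual VMware Tools backdoor commands, so a "VMXh" probe no longer gets a meaningful answer (and host integration such as shared clipboard stops working); disable_directexec forces the monitor into binary translation, which makes the guest noticeably slower. None of this touches hardware-level artifacts such as the VMware MAC address prefix, device and BIOS strings or registry keys, so a sample that looks for those will still recognise the VM.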

Meriadoc
April 16th, 2008, 09:11 PM
Another tool I use to see installed and hidden devices and drivers: DeviceTree (http://www.osronline.com/article.cfm?article=97), freeware.