What non-signature-based malware detection programs and techniques do you use?

Discussion in 'other anti-malware software' started by MrBrian, Jan 5, 2015.

  1. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Sandboxie can act as a surveillance tool to aid the user, which is why it is valid for this thread. Sandboxie doesn't detect abnormal or malicious behaviour though; it notifies on policy violations when configured appropriately. It's left to the user to analyse the blocked behaviour and make a determination regarding intent. What makes Sandboxie so powerful is that it is able to contain malware without any requirement to be able to detect it. In the following comparison between Sandboxie and FreeSpace on the Invincea website, only FreeSpace is listed as having malware detection features.

    http://www.invincea.com/2013/12/invinceas-expanding-global-community/

    The point I was originally making is that, unlike an AV, Sandboxie is not in itself a malware detection program and I stand by that. What I was forgetting, and later acknowledged, is that it can be used as a surveillance tool to aid the user in detecting malware, even though detection isn't necessary for protection.
     
    Last edited: Mar 23, 2015
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi,

    Were you able to determine how these executable files got into the system?

    Thanks,

    -----
    -rich
     
  3. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    For the last point, this should always be the case even with signature based detections.

    When arguing semantics, one should ask "is the effect the same?". If so, then it's pointless to argue further.

    The specific method hadn't been mentioned yet in the thread, which was why I raised it given MrBrian's original question. I've long used Sandboxie as a detection method, since a notification of "xboiuoasfg.exe" attempting to run is a pretty clear indication to me that a trojan has been dropped.
     
  4. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Hi Rmus - most likely from a USB flash drive, but I wasn't able to tell for sure, or what specific exploit may have been used.

    They said it happened after they inserted a USB stick from a third party, but unfortunately their response was to format the drive. Autoruns was enabled on the system. I took the USB stick home with me, but couldn't get it to work on any of my machines - the light wouldn't come on, nor would it show up in disk management.

    Nothing in the temp folders seemed suspicious, but I didn't do any real analysis beyond what I mentioned or check for deleted files.
     
  5. 142395

    142395 Guest

    As to folder/registry blocking, it doesn't always give a warning, e.g. write-only doesn't give any alert, and when I had trouble with read-only or access block, I didn't get any alert from either SBIE or Windows, though if I try to manually access them I can get one.

    Also, though I too like to run/install any exe first in a sandbox, I never take it as a reliable detection method. There are still many sandbox-aware malware samples and plenty of evasion techniques. Well, if an exe didn't run in the sandbox, better not to run it on the real system. But terminating itself is not the only evasion method; other malware behave legitimately in a sandbox.
    Rule based is too broad a word; it can include anything from old signatures to pure classic HIPS. In a sense almost every method to detect malware is rule based. But no major AV now relies on classic signatures; they use generic signatures, i.e. one signature can block thousands of threats, and fuzzy patterns, so there is no longer a clear border between that and static heuristics. Also behavior blockers are now mostly signature based, as the classic scoring system is no longer effective. This means the definition of signature has changed, and now signature also means a detection rule, e.g. certain file characteristics or a certain behavior pattern.
     
    Last edited by a moderator: Mar 25, 2015
  6. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    A malware detection program classifies a program as bad, either on the basis of signature or by non-signature based means. The only decision the user has to make is whether or not to trust the program to have got it right. This is different from blocked behaviour resulting from a policy violation, which doesn't depend on a classification into good or bad. It isn't just a matter of semantics as the difference between default-allow and default-deny approaches has real-world implications.

    I agree it is pointless to discuss (let's not use the word argue) this further.
     
  7. 142395

    142395 Guest

    Only when you judge FPs by yourself. I never do this unless there's valid evidence that it is not harmful (e.g. I built the program). IMO, many people judge something an FP too easily just because they think the app is safe or VirusTotal gave few detections. When Opera was hacked and a malicious version was distributed, even Wilders members thought it was an FP. I generally wait until I get confirmation from the AV vendor.
     
  8. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    I've been trying to remember so I can give a sensible reply, but I believe you're right on this point - sometimes access attempts are silently blocked. It's been years since I did a comprehensive test of my Sandboxie configuration, and for my own reasons haven't used Sandboxie for months, but I do recall instances where I had to manually attempt such access in order to confirm that settings were working.

    Back then my main focus was on exploit kits that dropped files, as there weren't any fileless drive-bys that could affect my machines. With reading about the changes to Angler Exploit Kit and their focus on zero-day Flash vulnerabilities, I've become more interested in checking just how robust those contingency settings I made would be in the case of a successful exploit of this sort - and what kind of notifications I might expect.

    FWIW we all seem to generally agree, and "rule based" was deliberately broad for exactly the reason you list. That was exactly the point.
     
  9. yongsua

    yongsua Registered Member

    Joined:
    Feb 9, 2011
    Posts:
    474
    Location:
    Malaysia
    I do actually have an e-book of Practical Malware Analysis and the tools below are what the author recommended for malware analysis.

    ApateDNS (To control DNS response by spoofing DNS responses)
    Autoruns (You know it)
    BinDiff (plugin for IDA Pro, used for comparing malware variants)
    BinNavi (similar to IDA Pro)
    Bochs (A debugger to be used with IDA Pro)
    Burp Suite (The Burp Suite is typically used for testing web applications. It can be configured to trap specific server requests and responses in order to manipulate what is being delivered to a system. When Burp is set up as a man-in-the-middle, you can modify HTTP or HTTPS requests by changing the headers, data, and parameters sent by the malware to a remote server in order to force the server to give you additional information. You can download the Burp Suite from http://portswigger.net/burp/.) NOTE: Never use it for malicious purposes!!!
    Capture BAT (monitors the malware while it is running and captures the changes the malware makes to the system)
    CFF Explorer (A tool to make PE editing easy)
    Deep Freeze (It provides a VMware snapshotting capability for real hardware.)
    Dependency Walker (DLL analysis)
    Hex Editors (edit and view files containing binary data)
    Hex-Rays Decompiler (IDA Pro plugin)
    IDA Pro
    Immunity Debugger
    Import REConstructor (A repair tool for damaged files when you are manually unpacking malware)
    INetSim (Network Service Simulator for Linux)
    LordPE (used for dumping an executable from memory, used for unpacking malware)
    Malcode Analyst Pack
    Memoryze
    Netcat
    OfficeMalScanner
    OllyDbg
    OSR Driver Loader
    PDF Dissector
    PDF Tools
    PE Explorer
    PEiD
    PEview
    Process Explorer
    Process Hacker
    Process Monitor
    Python
    Regshot
    Resource Hacker
    Sandboxes
    Sandboxie and Buster Sandbox Analyzer
    Snort
    Strings
    TCPView
    The Sleuth Kit
    Tor
    Truman
    WinDbg
    Wireshark
    UPX
    VERA
    VMware Workstation
    Volatility Framework
    YARA
    Zero Wine

    It is too much for me to list every function of each program. You may need to Google it yourself. Thank you.

    The tools below are what I use for my own basic static and dynamic analysis.

    Basic Static Analysis Tools

    1) MD5deep program and WinMD5

    2) Strings

    3) PEiD (To determine what packing or encryption algorithm is used to pack or encrypt the malware)

    4) UPX packing program (To unpack UPX packed malware)

    5) Dependency Walker for DLL analysis

    6) PEview (To view PE header, sections and import/export table)

    7) Resource Hacker (To view resource section of PE)


    Basic Dynamic Analysis Tools

    1) Procmon (Process Monitor)

    2) Process Explorer

    3) Regshot

    4) ApateDNS

    5) Netcat

    6) Windump and Wireshark

    7) INetSim (Linux) / Fakenet (Windows)
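    The basic static analysis steps in the list above (hashing the sample, running Strings, checking the PE sections and looking for signs of packing the way PEiD does) can be reproduced in a few lines of Python. The following is an added example written for this thread, not code from Practical Malware Analysis or from any of the tools listed; the PE bytes it analyses are constructed in-line (a non-executable, header-only file with UPX-style section names) so it runs offline, and the entropy threshold is a rule of thumb, not a documented constant of any tool.

```python
"""Basic static triage: hashes, printable strings, PE section table, entropy.
Added example for this thread; the sample PE is constructed, not a real binary."""
import hashlib
import math
import re
import struct
from typing import Dict, List

SECTION_FMT = "<8sIIIIIIHHI"            # IMAGE_SECTION_HEADER, 40 bytes
SECTION_SIZE = struct.calcsize(SECTION_FMT)
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def build_sample_pe() -> bytes:
    """Constructed, header-only PE-shaped bytes used as sample input (no code, never runs)."""
    upx0_data = (b"kernel32.dll\x00GetProcAddress\x00"
                 b"http://c2.example.invalid/beacon\x00").ljust(256, b"\x00")
    upx1_data = bytes(range(256)) * 4     # uniform byte distribution: entropy exactly 8.0
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature sits right after the DOS header
    header_len = 64 + 4 + 20 + 2 * SECTION_SIZE   # SizeOfOptionalHeader is 0 in this toy file
    # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)
    sec0 = struct.pack(SECTION_FMT, b"UPX0", len(upx0_data), 0x1000, len(upx0_data),
                       header_len, 0, 0, 0, 0, 0xE0000080)
    sec1 = struct.pack(SECTION_FMT, b"UPX1", len(upx1_data), 0x2000, len(upx1_data),
                       header_len + len(upx0_data), 0, 0, 0, 0, 0xE0000040)
    return bytes(dos) + b"PE\x00\x00" + coff + sec0 + sec1 + upx0_data + upx1_data


def file_hashes(data: bytes) -> Dict[str, str]:
    """What MD5deep/WinMD5 give you, plus SHA-1 and SHA-256 for sharing with others."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Printable ASCII runs of at least min_len bytes, like the Strings tool's default."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for a constant buffer up to 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(data: bytes) -> List[dict]:
    """Walk the section table the way PEview shows it; raises on a non-PE input."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size
    sections = []
    for i in range(n_sections):
        fields = struct.unpack_from(SECTION_FMT, data, table + i * SECTION_SIZE)
        name, vsize, rawsize, rawptr = fields[0], fields[1], fields[3], fields[4]
        raw = data[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rawsize,
                         "entropy": round(shannon_entropy(raw), 3)})
    return sections


def packing_indicators(sections: List[dict]) -> List[str]:
    """Rough PEiD-style hints. The 7.0 entropy threshold is a rule of thumb (assumption)."""
    hints = []
    for s in sections:
        if s["name"] in UPX_SECTION_NAMES:
            hints.append(f"{s['name']}: UPX section name")
        if s["entropy"] > 7.0:
            hints.append(f"{s['name']}: high entropy {s['entropy']} (compressed or encrypted)")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hints.append(f"{s['name']}: empty on disk, {s['virtual_size']} bytes at runtime")
    return hints


def triage(data: bytes) -> dict:
    """One-shot static triage report for a sample's bytes."""
    sections = pe_sections(data)
    return {"hashes": file_hashes(data), "sections": sections,
            "packing_hints": packing_indicators(sections), "strings": extract_strings(data)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_pe()), indent=2))
```

    On a real sample you would read the file bytes and pass them to triage(); a high-entropy section next to a near-empty one is the usual picture of a packed executable, which is the point at which the list above moves on to UPX or manual unpacking with a debugger.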
     
  10. yongsua

    yongsua Registered Member

    Joined:
    Feb 9, 2011
    Posts:
    474
    Location:
    Malaysia
    I find Burp Suite and Deep Freeze interesting and I would actually want to try them. I may not need a complete virtual machine for sample analysis most of the time, but Deep Freeze seems not to be a free program.
     
  11. phalanaxus

    phalanaxus Registered Member

    Joined:
    Jan 19, 2011
    Posts:
    509
    Deep Freeze is commercial but there should be free alternatives floating around like Toolwiz Time Freeze or Reboot Restore RX or Returnil. Haven't used any of them for quite a long time though.
     
  12. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I realize that my usage of the term "rule based" is a bit broad. The term doesn't take into account who makes the rules. I consider an application to be rule based when it allows the user to make all of the rules and enforces only those rules. The firewall Kerio 2.1.5 is an example, as is SSM. Old habits die hard. The term "signatures" is also subjective. If what appears to be a system executable is in the wrong location or is being started by the wrong parent process, isn't that a type of signature?

    If configured to alert to the new and/or unknown, these types of applications can be used as malware detection programs. A good classic HIPS will alert if the hash of a file doesn't match what it's supposed to be or if the path to the executable is wrong. The better firewalls will also do this for internet traffic.
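    The three checks described in the post above (is the file's hash what it should be, is it running from the right path, and was it started by the right parent), plus an alert for anything new or unknown, can be written down as explicit rules. The following is an added illustration for this thread, not code from Kerio, SSM or any other HIPS; the baseline entry, the "genuine" file bytes and the three process-start events are all constructed so the script runs offline, and the one allowed parent for svchost.exe is an assumption made for the example.

```python
"""Rule-based process-start checks in the spirit of a classic HIPS.
Added example for this thread; baseline and events are constructed."""
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Baseline:
    """What a known system executable is supposed to look like."""
    expected_path: str
    expected_sha256: str
    allowed_parents: FrozenSet[str]


@dataclass(frozen=True)
class StartEvent:
    """A process-start notification as a HIPS driver would report it (constructed)."""
    image_name: str
    image_path: str
    parent_name: str
    image_bytes: bytes      # file contents read back from image_path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the genuine binary; a real baseline stores hashes
# taken from a clean install, not from whatever is on disk at alert time.
GENUINE_SVCHOST = b"constructed stand-in for the real svchost.exe image"

BASELINE: Dict[str, Baseline] = {
    "svchost.exe": Baseline(
        expected_path=r"C:\Windows\System32\svchost.exe",
        expected_sha256=sha256_hex(GENUINE_SVCHOST),
        allowed_parents=frozenset({"services.exe"}),   # assumption for the example
    ),
}


def evaluate(event: StartEvent, baseline: Dict[str, Baseline] = BASELINE) -> List[str]:
    """Return alert strings; an empty list means the start matched every rule."""
    rule = baseline.get(event.image_name.lower())
    if rule is None:
        # Default-deny stance: anything not in the baseline is reported as unknown.
        return [f"UNKNOWN: {event.image_name} at {event.image_path} is not in the baseline"]
    alerts = []
    if event.image_path.lower() != rule.expected_path.lower():    # Windows paths are case-insensitive
        alerts.append(f"PATH: {event.image_name} started from {event.image_path}, "
                      f"expected {rule.expected_path}")
    if sha256_hex(event.image_bytes) != rule.expected_sha256:
        alerts.append(f"HASH: {event.image_name} does not match the baseline hash")
    if event.parent_name.lower() not in rule.allowed_parents:
        alerts.append(f"PARENT: {event.image_name} launched by {event.parent_name}, "
                      f"allowed: {sorted(rule.allowed_parents)}")
    return alerts


# Constructed events: one legitimate start, one impostor using a system name, one unknown dropper.
SAMPLE_EVENTS = [
    StartEvent("svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe", GENUINE_SVCHOST),
    StartEvent("svchost.exe", r"C:\Users\Public\svchost.exe", "explorer.exe", b"not the genuine image"),
    StartEvent("xboiuoasfg.exe", r"C:\Users\Public\xboiuoasfg.exe", "explorer.exe", b"dropped payload"),
]


def run_all(events: List[StartEvent]) -> Dict[str, List[str]]:
    """Map each event's image path to the alerts it would raise."""
    return {e.image_path: evaluate(e) for e in events}


if __name__ == "__main__":
    for path, alerts in run_all(SAMPLE_EVENTS).items():
        print(path, "->", alerts or ["allowed"])
```

    The impostor trips all three rules at once, which is the situation the post describes: a file that looks like a system executable but sits in the wrong place and has the wrong parent. The unknown-name case is the one that turns a rule enforcer into a detection tool, because the rules say nothing about that file and the user is told so.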
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    That sounds like a good policy.

    ----
    rich
     
    Last edited: Mar 24, 2015
  14. 142395

    142395 Guest

    I mistook write-only for read-only; corrected.
    Basically, I feel that alert-based assessment is a better fit on a real system with strict HIPS + FW control, as HIPS can give more alerts about a program's activity, such as manipulating other processes' memory etc. I actually do this after simplified static and dynamic analysis with easy-to-use tools like PEStudio, Anubis, Malwr, etc. Of course you shouldn't use a production environment for this.
    Also when you test malware, make sure it doesn't attack others by sending spam or DoS packets (it's best to construct a virtual network, otherwise at least strictly control all connection attempts). This is what most YouTube amateur testers don't seem to care much about; a serious problem!
     