A good malware analyser?

Discussion in 'other anti-malware software' started by tuatara, Apr 13, 2008.

Thread Status:
Not open for further replies.
  1. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
    To investigate what certain malware samples exactly do,
    you need a malware analyser.
    For me this is a collection of tools I have collected over the years.
    And I am always tuning and changing these.
    But sometimes I have the idea that I am 'reinventing the wheel'.
    Are there any recommended malware analysers that I can use?
    Or tools you guys can recommend?
    Because I am old, but never too old to learn :D

    For the record, I don't mean web services where you can upload samples to.
     
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    I think I might still have a pretty good malware decompiler named IceBreaker I picked up some time back, but it's no doubt buried in a stack of CDs, but I'll look for them later today and forward it for you if I can find it again.

    EP_X0FF generously once detailed a comprehensive list of the vital tools he uses himself, in answer to a question posed to him, but I long forgot where that post is; it included PEiD and various other tools to check drivers etc.

    If I can find that post I'll link it for you.
     
  3. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Hi, here is a list I use (mainly virtual machine, assembler-level analysing debuggers, disassemblers...)

    VMWare Workstation 6 or test machine
    WinDbg or OllyDbg + plugins
    PEiD
    Syser 1.96, SoftIce and Borland Delphi5 debugger
    WDasm and IDA tools
    NEOx
    SysAnalyser
    HookExplorer
    SocketTool
     
    Last edited: Apr 13, 2008
  4. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
    Some new ones, thanks guys !

    :thumb:
     
  5. Matern

    Matern Registered Member

    Joined:
    Nov 20, 2007
    Posts:
    102
  6. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Hi,

    The best tool I know is PE Explorer http://www.heaventools.com/ You can use these for reverse engineering the bad programs.

    Norman SandBox Analyzer
    (explode the malware inside the sandbox and study its functions as they expand)
    http://www.norman.com/microsites/malwareanalyzer/Products/analyzer

    OSAM (Online Solutions Autorun Manager)
    This is an online mechanism that scans for malware functions within autorun loaders. http://www.online-solutions.ru/en/osam_autorun_manager.php

    Note that everything I mentioned above is rather complex to play with without appropriate understanding of the needful. Here are a few courses available on the subject:

    Self teaching aid Part 1-5 (from Windows Security)
    http://www.windowsecurity.com/articles/Reverse-Engineering-Malware-Part1.html

    SANS Institute offers training programs on reverse engineering of malware:
    http://www.sans.org/training/description.php?mid=54

    Infosec Also offers training on reverse engineering malware http://www.infosecinstitute.com/courses/reverse_engineering_training.html

    Lenny Zeltser
    http://www.zeltser.com/reverse-malware/

    Have fun causing trouble to hackers! :D
     
    Last edited: Apr 15, 2008
  7. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
  8. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Forgot I had PE Explorer, I have Resource Tuner from them also, great tools.
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    I hold a very special favor for this program Ilya, it's a really full profiler and shows good info, and I have yet to see one this well charted.
     
  10. Xenophobe

    Xenophobe Registered Member

    Joined:
    May 26, 2007
    Posts:
    174
    PEiD
    OllyDBG (Modified engines w/ plugins and scripts)
    IDA
    VMWare
    DeDe
    VB Decompiler
    .NET Reflector
     
  11. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Holla Ilya,

    Do they have a site in Anglese.... Me Greek? Rusky? or is it something else... is a little rusty...
     
  12. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
  13. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
  14. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Yes, it is in Russian.
     
  15. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
    A very useful thread, thanks a lot guys ! :thumb:
     
  16. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    CogitoErgoSum

    Yes... Thanks! I didn't spend enough time on the site to figure out its useful bits... I will soon though.

    Cheers! :D
     
  17. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Try RAPIER, found at http://code.google.com/p/rapier/downloads/list. RAPIER is a branch of Intel's RPIER project. RAPIER automates the collection of various types of system information. Some of the tools RAPIER uses come from 3rd parties, and some of these need to be downloaded separately. The information collected can be used to look for signs of malware. The user chooses which of many modules to run. The server part of RAPIER doesn't need to be installed in order for RAPIER to run. Screenshots of RAPIER's modules are found at https://www.wilderssecurity.com/showthread.php?t=201634&page=3. The items marked with 'MISSING REQUIRED FILES' are those for which you need to obtain the needed tools separately.

    SysAnalyzer has already been mentioned. One of the interesting things SysAnalyzer can do is look at the memory of a process for code that detects a virtual machine. If a program has virtual machine detection code, then in most cases it should be regarded as suspicious. If anybody knows of another program that does the same thing (detects virtual machine detection code), please share your knowledge.

    Other things mentioned in https://www.wilderssecurity.com/showthread.php?t=201634 may be of interest to this discussion also.
     
    Last edited: Apr 16, 2008
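The post above describes SysAnalyzer scanning a process's memory for virtual-machine detection code. As an added example (not SysAnalyzer's code and not part of the original thread), here is a small Python scanner that does a similar thing over a raw byte blob, such as a file or a process-memory dump: it looks for the x86 instructions behind the classic checks (the "Red Pill" sidt trick and its sgdt/sldt/str relatives, matched by opcode plus ModRM reg field), the VMware I/O backdoor sequence (mov eax, 'VMXh' ... in eax, dx), and hypervisor product strings in both ASCII and UTF-16LE. The sample blob at the bottom is constructed by hand for the demonstration; the severity weighting is this example's own choice.

```python
"""
Scan a byte blob (a file or process-memory dump) for the instruction
sequences and strings VM-aware malware uses to detect a hypervisor.
Added example, not SysAnalyzer's code; SAMPLE and BENIGN are constructed.
"""
from typing import Iterator, List, Tuple

# Strong signals.  (opcode bytes, ModRM /reg field, mnemonic) per the Intel SDM.
DESCRIPTOR_TABLE_INSNS = [
    (b"\x0f\x01", 0, "sgdt"),
    (b"\x0f\x01", 1, "sidt"),   # "Red Pill"
    (b"\x0f\x00", 0, "sldt"),
    (b"\x0f\x00", 1, "str"),
]
VMWARE_MAGIC = b"\xb8\x68\x58\x4d\x56"   # mov eax, 0x564D5868 ('VMXh')
VMWARE_PORT = b"\x66\xba\x58\x56"        # mov dx, 0x5658 ('VX')
IN_EAX_DX = b"\xed"                      # in eax, dx

# Weak signals: common in legitimate code, meaningful only together.
CPUID = b"\x0f\xa2"
VM_STRINGS = [b"VMware", b"VBOX", b"VirtualBox", b"QEMU", b"Xen",
              b"vmtoolsd", b"VBoxService", b"vmmouse"]

Hit = Tuple[int, str, str]   # (offset, severity, description)


def _find_all(blob: bytes, pat: bytes) -> Iterator[int]:
    i = blob.find(pat)
    while i != -1:
        yield i
        i = blob.find(pat, i + 1)


def scan(blob: bytes) -> List[Hit]:
    """Return every VM-detection indicator found in blob, sorted by offset."""
    hits: List[Hit] = []
    # 1. Descriptor-table reads and cpuid, matched on opcode + ModRM reg field,
    #    so any memory operand encoding (disp8, disp32, SIB) is caught.
    for i in range(len(blob) - 1):
        opcode = blob[i:i + 2]
        if opcode == CPUID:
            hits.append((i, "weak", "cpuid"))
        if i + 2 >= len(blob):
            continue
        modrm = blob[i + 2]
        for op, reg, name in DESCRIPTOR_TABLE_INSNS:
            if opcode == op and (modrm >> 3) & 7 == reg:
                if op == b"\x0f\x01" and modrm >= 0xC0:
                    continue   # 0F 01 with mod=11 is VMCALL etc., not sgdt/sidt
                hits.append((i, "strong", f"{name} (descriptor-table read)"))
    # 2. VMware backdoor: the magic load, corroborated by the port access nearby.
    for i in _find_all(blob, VMWARE_MAGIC):
        window = blob[i:i + 32]
        confirmed = VMWARE_PORT in window or IN_EAX_DX in window
        desc = "VMware backdoor magic 'VMXh'" + (" + in eax,dx" if confirmed else "")
        hits.append((i, "strong", desc))
    # 3. Product strings; Windows API arguments are usually UTF-16LE.
    for s in VM_STRINGS:
        for enc, pat in (("ascii", s), ("utf-16le", s.decode().encode("utf-16-le"))):
            for i in _find_all(blob, pat):
                hits.append((i, "weak", f"string {s.decode()!r} ({enc})"))
    return sorted(hits)


def is_suspicious(hits: List[Hit]) -> bool:
    """One strong indicator is enough; weak ones need at least two distinct kinds."""
    if any(sev == "strong" for _, sev, _ in hits):
        return True
    return len({desc for _, sev, desc in hits if sev == "weak"}) >= 2


# Constructed sample: a VM check the way a real sample might compile it.
SAMPLE = (
    b"\x55\x8b\xec\x83\xec\x10"        # push ebp; mov ebp,esp; sub esp,0x10
    + b"\x0f\x01\x4d\xf8"              # sidt [ebp-8]            (offset 6)
    + b"\xb8\x68\x58\x4d\x56"          # mov eax, 'VMXh'         (offset 10)
    + b"\xbb\x00\x00\x00\x00"          # mov ebx, 0
    + b"\xb9\x0a\x00\x00\x00"          # mov ecx, 0x0A (get VMware version)
    + b"\x66\xba\x58\x56"              # mov dx, 'VX'
    + b"\xed"                          # in eax, dx
    + b"\x0f\xa2"                      # cpuid
    + b"VMware\x00"
    + "VBoxService.exe".encode("utf-16-le")
    + b"\xc9\xc3"                      # leave; ret
)
# Constructed benign blob: cpuid alone is normal start-up code.
BENIGN = b"\x55\x8b\xec\x0f\xa2\xc9\xc3"

if __name__ == "__main__":
    for blob_name, blob in (("SAMPLE", SAMPLE), ("BENIGN", BENIGN)):
        found = scan(blob)
        for off, sev, desc in found:
            print(f"{blob_name} +0x{off:04x} [{sev}] {desc}")
        print(f"{blob_name}: suspicious = {is_suspicious(found)}")
```

Two caveats a practitioner should keep in mind. Scanning the file on disk finds nothing if the sample is packed, which is why SysAnalyzer reads process memory; point this at a dump taken after the sample has unpacked itself. And byte matching is not disassembly: the same bytes can occur inside data or straddle instruction boundaries, so confirm each strong hit in OllyDbg or IDA before drawing conclusions, and treat cpuid and product strings as weak on their own.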
  18. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Just a quick note that SocketTool can be found at http://labs.idefense.com/software/malcode.php in Malcode Analysis Pack. Some may find the other tools in Malcode Analysis Pack useful also.
     
  19. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Process Monitor, TCPView, and other Sysinternals tools
     
  20. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Another approach is to use an extensive HIPS such as Comodo Firewall 3 or a behavioral pattern recognition program such as ThreatFire. Testing for malware inside a virtual machine is less ideal than using a physical machine because some malware changes its behavior in the presence of a virtual machine. However, if you do wish to use a virtual machine to test malware, and you're using VMware, then perhaps use the information on page 23 of the article 'On the Cutting Edge: Thwarting Virtual Machine Detection', found at http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf, to reduce the ability of a program to detect that it's running in a VMware virtual machine.
     
  21. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Another tool I use to see installed and hidden devices, drivers - DeviceTree freeware.
     
    Last edited: Apr 16, 2008