Are there sites or services which analyze software for malicious content?

Discussion in 'privacy problems' started by Close_Hauled, Aug 10, 2006.

Thread Status:
Not open for further replies.
  1. Close_Hauled

    Close_Hauled Registered Member

    Joined:
    Apr 24, 2004
    Posts:
    1,015
    Location:
    California
    The brother of a friend of mine went to a web site and downloaded an application that stole his account information for the game. The idiot thought that he was downloading a game hack.

    My friend gave me the web site and I did some research. The site is very new and based in the US. They are using a free web hosting service (freewebs.com) and Domains by Proxy as their registrant.

    What I would like to do now is download their software and analyze it, or have it analyzed. I would like to see what it is doing.

I already submitted the web site to SiteAdvisor. Are there any other sites or applications that can analyze software for malicious content?
     
  2. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
  3. Close_Hauled

    Close_Hauled Registered Member

    Joined:
    Apr 24, 2004
    Posts:
    1,015
    Location:
    California

    Thanks for the response. I am looking for something that uses heuristic detection instead of scanning for known signatures. Antivirus applications can only find known viruses. I want something that can look for unknown viruses.
     
  4. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
If the software is small, you can try using Jotti's online malware scan. Some of the AVs do use heuristics.

    You can use Filemon and Regmon to see what the software does, but you have to risk installing it for the two programs to track it.
     
  5. Close_Hauled

    Close_Hauled Registered Member

    Joined:
    Apr 24, 2004
    Posts:
    1,015
    Location:
    California
    Ahh, I remember this site. Thanks. I will give it a try tonight.

    Oh, not on my machine! One of these days I should build a test mule at home.
     
  6. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,794
    Location:
    Texas
    The Dr. Web plugin for Firefox is actually quite good. All it takes is a right click on the app you want to download.
     
  7. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
  8. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    Didn't know such an extension was around.
    That thing is now bookmarked :)
     
  9. Close_Hauled

    Close_Hauled Registered Member

    Joined:
    Apr 24, 2004
    Posts:
    1,015
    Location:
    California
    Thanks for all the great replies. I also sent the files in question to DiamondCS for analysis. They confirmed that the files from the site are actually all the same, just the name is different. They said that the program is a remote trojan, keylogger and password stealer.

Now that we know this, how do we get this file listed in databases as a known trojan? I submitted the file to http://virusscan.jotti.org/ and only four or five scanners recognized it through heuristics as dangerous. The rest saw the file as safe. Is there a way to get this information out there to the anti-virus, anti-spyware community?

    My other question is how can a person seek legal action. Obviously this is a criminal activity. If you have evidence like this, how do you go about shutting a site like this down?
     
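The observation above that the site's downloads are "all the same, just the name is different" is exactly what a content hash shows, and a hash is also what scanner vendors and services like Jotti key their databases on. The following is an added example, not code from this thread or from any of the services it names: it streams each file once, computes MD5, SHA-1 and SHA-256, and groups the files by content. The three file names and their bytes are constructed in a temporary directory purely for illustration.

```python
"""
Group downloaded samples by content hash so renamed copies of one binary
collapse into a single entry (added example; not from the original thread).
"""
import hashlib
import os
import tempfile
from collections import defaultdict


def file_digests(path, chunk=1 << 20):
    """Stream a file once and return its (md5, sha1, sha256) hex digests."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in (md5, sha1, sha256):
                h.update(block)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def group_by_content(paths):
    """Map SHA-256 hex digest -> sorted list of base names sharing that content."""
    groups = defaultdict(list)
    for p in paths:
        groups[file_digests(p)[2]].append(os.path.basename(p))
    return {digest: sorted(names) for digest, names in groups.items()}


def build_sample_set(tmpdir):
    """Constructed stand-in for the downloads: three names, two distinct payloads.
    The names and bytes are made up; nothing here is a real sample."""
    payload_a = b"MZ" + b"\x90" * 64 + b"payload-A"
    payload_b = b"MZ" + b"\x90" * 64 + b"payload-B"
    files = {
        "wow_hack.exe": payload_a,          # same bytes as gold_generator.exe
        "gold_generator.exe": payload_a,
        "readme_installer.exe": payload_b,  # a different binary
    }
    paths = []
    for name, data in files.items():
        p = os.path.join(tmpdir, name)
        with open(p, "wb") as fh:
            fh.write(data)
        paths.append(p)
    return paths


def demo():
    """Create the constructed samples, group them, and return the grouping."""
    with tempfile.TemporaryDirectory() as d:
        return group_by_content(build_sample_set(d))


if __name__ == "__main__":
    for digest, names in demo().items():
        print(f"{digest}  {', '.join(names)}")
```

Submitting one SHA-256 per group (rather than one file per name) is what you want when reporting the sample: every renamed copy the site serves resolves to the same entry.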
  10. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    If you have not done so already....I would suggest hopping on over to dslreports and follow the instructions on how to Submit Suspected Malware:

    Bubba
     
  11. Close_Hauled

    Close_Hauled Registered Member

    Joined:
    Apr 24, 2004
    Posts:
    1,015
    Location:
    California
    Thanks Bubba. That is a great page.
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
Jotti also auto"magically" submits all new files that get identified as malware, if I'm not mistaken.

    Regards,

    Pieter
     
  13. Moore

    Moore Registered Member

    Joined:
    Mar 14, 2004
    Posts:
    82
    Location:
    land of ?z
A good way to check a suspected malicious file's behaviour is through a sandbox analysis; the report will be sent to your email address:

    Sunbelt/CWS Sandbox:
    http://research.sunbelt-software.com/Submit.aspx
    http://www.cwsandbox.org/

    Norman Sandbox:
    http://sandbox.norman.no/live_4.html

    Example :


     
  14. Close_Hauled

    Close_Hauled Registered Member

    Joined:
    Apr 24, 2004
    Posts:
    1,015
    Location:
    California
  15. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    -----------------------
     
    Last edited: Aug 13, 2006
  16. Moore

    Moore Registered Member

    Joined:
    Mar 14, 2004
    Posts:
    82
    Location:
    land of ?z
    Obviously... but the question was " Are there sites or services which analyze software for malicious content? "

    Yes a sandbox will analyze the files for you ..

    No it wont teach you how to interpret the results ..

    There's nothing stopping you from showing those results to someone who does know a little more about these things though.

    If you have files that go off to download even more files from unknown sites in the sandbox results or start adding things to the registry and system files folders , then it's highly likely the file is up to no good.

If you have absolutely no idea what you are doing then at least the Norman Sandbox is able to identify malicious files to some extent, but it's not 100%. But then neither are any of the antivirus/trojan/spyware scanners.

     
  17. Close_Hauled

    Close_Hauled Registered Member

    Joined:
    Apr 24, 2004
    Posts:
    1,015
    Location:
    California
    I got a response from CW Sandbox, but it was in XML format. The site does not explain how to use it. Does anyone know?
     
  18. Moore

    Moore Registered Member

    Joined:
    Mar 14, 2004
    Posts:
    82
    Location:
    land of ?z
Try the Sunbelt or Norman sandbox instead of the CWS site; both of their reports' output is easier to read/use.

    Maybe post the report as an attachment here if you need to; I'm sure someone will be able to look at it. Or PM it to me if it's not allowed.
     
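Moore's rule of thumb above (files that go off to download more files, add registry entries, or drop things into system folders are "up to no good") and the question about what to do with a CWSandbox XML report can be answered with the same piece of code. The following is an added example, not code from this thread and not the real CWSandbox or Norman output format, whose schemas differ from this one. It defines a deliberately simplified, made-up XML layout for a behaviour report, embeds a constructed sample (all paths, hosts and names invented), and walks the report looking for the three indicators Moore lists.

```python
"""
Triage a sandbox behaviour report for the indicators a forum poster would
look for by hand (added example; the XML schema is a constructed stand-in,
not the real CWSandbox format).
"""
import xml.etree.ElementTree as ET

# Constructed sample report. Every path, host, port and name is made up.
SAMPLE_REPORT = """<?xml version="1.0"?>
<analysis sample="gamehack.exe">
  <process pid="1234" image="C:\\Users\\victim\\Downloads\\gamehack.exe">
    <filesystem>
      <create_file path="C:\\WINDOWS\\system32\\svchost32.exe"/>
      <create_file path="C:\\Users\\victim\\AppData\\Local\\Temp\\log.txt"/>
    </filesystem>
    <registry>
      <set_value key="HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
                 name="svchost32" value="C:\\WINDOWS\\system32\\svchost32.exe"/>
    </registry>
    <network>
      <connect host="update.microsoft.com" port="80"/>
      <connect host="203.0.113.7" port="6667"/>
      <http method="GET" url="http://203.0.113.7/dl/stage2.exe"/>
    </network>
  </process>
</analysis>
"""

# Locations a downloaded "game hack" has no business writing to or registering in.
SYSTEM_DIRS = ("c:\\windows\\system32",)
AUTORUN_KEYS = (
    "\\software\\microsoft\\windows\\currentversion\\run",
    "\\software\\microsoft\\windows\\currentversion\\runonce",
)
# Constructed allowlist of hosts benign software might legitimately contact.
KNOWN_HOSTS = {"update.microsoft.com"}


def triage(xml_text, known_hosts=KNOWN_HOSTS):
    """Return a list of (severity, description) findings for one report."""
    root = ET.fromstring(xml_text)
    findings = []
    for proc in root.iter("process"):
        # Indicator 1: dropping files into system folders.
        for f in proc.iter("create_file"):
            path = f.get("path", "")
            if path.lower().startswith(SYSTEM_DIRS):
                findings.append(("high", f"writes into system directory: {path}"))
        # Indicator 2: adding a persistence entry to the registry.
        for r in proc.iter("set_value"):
            key = r.get("key", "").lower()
            if any(key.endswith(k) for k in AUTORUN_KEYS):
                findings.append(("high", f"adds autorun entry {r.get('name')} -> {r.get('value')}"))
        # Indicator 3: talking to unknown hosts, and fetching more executables.
        for c in proc.iter("connect"):
            host = c.get("host", "")
            if host not in known_hosts:
                findings.append(("medium", f"connects to unknown host {host}:{c.get('port')}"))
        for h in proc.iter("http"):
            url = h.get("url", "")
            if url.lower().endswith((".exe", ".dll", ".scr")):
                findings.append(("high", f"downloads a further executable: {url}"))
    return findings


def verdict(findings):
    """Collapse findings to one word: malicious, suspicious or clean."""
    severities = {s for s, _ in findings}
    if "high" in severities:
        return "malicious"
    if "medium" in severities:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    results = triage(SAMPLE_REPORT)
    for severity, text in results:
        print(f"[{severity}] {text}")
    print("verdict:", verdict(results))
```

To use this against a real report you would replace the element and attribute names with those of the sandbox that produced it; the logic (system-folder writes, autorun keys, unknown hosts, follow-on executable downloads) stays the same, and the allowlist should stay short so that an unexpected host is reported rather than silently accepted.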