Free programs to help decide if an app is suspicious without running it

Discussion in 'other security issues & news' started by MrBrian, Nov 29, 2011.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Task: you want to decide if a given program is suspicious without running it. I assume that you already know about antivirus and anti-malware scanners, so those won't be covered here.

    These free programs report various characteristics of an executable. Some report about entropy (helpful to decide if a program is likely packed or not). Some report about structural anomalies. Some report about digital signatures.
    1. pescanner - console program; requires Python and dependencies to be installed; can process all files in a given folder
    2. PeSweep - console program
    3. Mandiant Red Curtain - GUI program; doesn't process 64-bit programs
    4. ExeScan - console program; requires Python and dependencies to be installed
    5. Malware Analyzer - console program
    6. Portable Executable Scanner - console program
    7. Sigcheck - console program; reports about digital signatures

    I've tried all of the above programs. I plan to use pescanner and Sigcheck in a batch file that processes all files in my Downloads folder and logs the results to text files.

    Also see thread Malware and entropy.
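As an added example (not part of the post above, and not code from any of the tools it lists), here is a stdlib-only Python script that performs the per-section entropy check those tools report, run over a constructed minimal PE image rather than a real binary. The 7.0 bits/byte "likely packed" threshold and the sample section contents are assumptions chosen for illustration.

```python
"""Per-section Shannon entropy of a PE image: the check behind 'likely packed' verdicts.
Pure-stdlib parsing of just the headers needed to locate each section's raw bytes."""
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_sections(blob: bytes):
    """Yield (name, raw_bytes) per section; reads only the DOS header, COFF header and section table."""
    if blob[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + opt_size                              # section table follows optional header
    for i in range(num_sections):
        hdr = table + 40 * i
        name = blob[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", blob, hdr + 16)  # SizeOfRawData, PointerToRawData
        yield name, blob[raw_ptr:raw_ptr + raw_size]

def section_report(blob: bytes, threshold: float = 7.0):
    """[(name, entropy, flagged)]; flagged when entropy >= threshold, i.e. compressed/encrypted-looking."""
    return [(n, round(shannon_entropy(d), 2), shannon_entropy(d) >= threshold) for n, d in pe_sections(blob)]

def build_test_pe(sections):
    """Constructed minimal PE (headers + raw section data) for offline testing; not a real binary."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                    # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)  # SizeOfOptionalHeader = 0
    ptr, table, body = 0x40 + 4 + 20 + 40 * len(sections), b"", b""
    for name, data in sections:
        table += name.ljust(8, b"\0") + struct.pack("<IIII", len(data), 0, len(data), ptr) + b"\0" * 16
        body, ptr = body + data, ptr + len(data)
    return dos + b"PE\0\0" + coff + table + body

# Constructed sample: low-entropy ".text" beside a uniformly distributed UPX-style section.
SAMPLE_PE = build_test_pe([(b".text", bytes(range(16)) * 64),
                           (b"UPX1", bytes((i * 131 + 7) % 256 for i in range(1024)))])

if __name__ == "__main__":
    print(section_report(SAMPLE_PE))
```

High entropy alone is a hint, not a verdict: legitimately compressed resources and signed installers score high too, which is why the post pairs entropy output with a signature check such as Sigcheck.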
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You can also use programs such as PEiD that use signatures to identify packers. Some of the programs mentioned in the first post, such as pescanner, can use a PEiD signature database (userdb.txt) if available. A large PEiD signature database is located at hxxp://abysssec.com/AbyssDB/Database.TXT; rename it to userdb.txt. Other packer identifiers and signatures can be found here.

    There are a number of programs - such as PE-Probe - that are described in academic papers but apparently are not publicly available.
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Thanks.
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome :).

    It's too bad PE-Probe (hxxp://nexginrc.org/nexginrcAdmin/PublicationsFiles/vb09-zubair.pdf) isn't publicly available, because the results are IMHO great. They first use an algorithm to classify a given executable as packed or not packed, and then use algorithms to classify the executable as malicious or benign. For those executables classified as packed, the malware detection rate is 99.6%, with a false positive rate for non-malware of 0.3%. For those programs classified as not packed, the malware detection rate is 99.4%, with a false positive rate for non-malware of 0.8%. The population used in this study is ~500,000 malware and several thousand benign programs.
     
    Last edited: Nov 29, 2011
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    PEiD also can perform entropy analysis, and can tell you if a file is likely packed. A PEiD plugin called PackingStone also tells you if a file is likely packed.
     
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Who needs sophisticated malware?:
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  9. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
  10. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Looks like another update for the list, maybe tomorrow unless ako wants to do it.
     
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From http://www.winitor.com/:
    The Evidence tab lists anomalies found within an executable. The same tab also shows what types of functionality, such as Hooking, Registry, and Wininet, might be used by an executable. See the image in the review at http://download.cnet.com/PeStudio/3000-2094_4-75248467.html for a list of anomalies that are checked.
     