Building your OWN Malware Lab (Part 2)

Today’s malware strategies and tactics are advanced and sophisticated, and their main purpose is to evade antivirus products. Some samples use encryption to make detection difficult for any security software product; others add AutoRun entries to the registry to defend themselves against anti-malware software, or simply add a line to the hosts file to prevent the antivirus from updating its definitions.
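Two of the tricks just described leave traces a lab analyst can check for directly: a hosts-file entry that points a vendor's update host at a dead address, and a Run-key entry that launches from a user-writable directory. The script below is an added example written for this post, not a tool from the original article; the update hostnames in the watch-list are placeholders, the user-writable path pattern is an assumed heuristic, and the hosts text and Run entries are constructed sample input (on a Windows lab box the Run entries would come from the `Run` keys under `HKCU` and `HKLM` instead).

```python
import re
from ipaddress import ip_address

# Constructed watch-list: replace with the update hosts of the security products in your lab
# (placeholder names, not real vendor domains).
WATCHED_UPDATE_HOSTS = {"update.example-av.test", "liveupdate.example-av.test"}

# Addresses a hijacked hostname is typically pointed at so that lookups go nowhere.
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1"}

# Directories from which a legitimate Run entry rarely launches (assumed heuristic).
USER_WRITABLE = re.compile(r"\\(temp|appdata|users\\public|programdata)\\", re.IGNORECASE)


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text; comments, blanks and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ip_address(ip)
        except ValueError:
            continue                              # first field is not an address
        entries.extend((ip, name.lower()) for name in names)
    return entries


def find_update_hijacks(text):
    """Hosts entries that override a watched update host; 'sinkholed' marks loopback/unspecified targets."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in WATCHED_UPDATE_HOSTS:
            findings.append({"host": name, "ip": ip, "sinkholed": ip in SINKHOLE_IPS})
    return findings


def triage_run_entries(entries):
    """entries: (value_name, command) pairs from a Run key; returns names launched from user-writable paths."""
    return [name for name, command in entries if USER_WRITABLE.search(command)]


# Constructed sample input: a hosts file as an infected machine might have it.
SAMPLE_HOSTS = """\
# constructed hosts file for the example
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.test      # added by the sample
0.0.0.0         liveupdate.example-av.test
not-an-ip       something.test
"""

# Constructed sample Run-key entries (value name, command line).
SAMPLE_RUN_ENTRIES = [
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("svchost", r"C:\Users\lab\AppData\Roaming\svchost.exe /silent"),
    ("updater", r"C:\Windows\Temp\upd.exe"),
]

if __name__ == "__main__":
    for finding in find_update_hijacks(SAMPLE_HOSTS):
        print("hosts override:", finding)
    print("suspicious Run entries:", triage_run_entries(SAMPLE_RUN_ENTRIES))
```

Any entry for a watched update host is reported, not only sinkholed ones, because a vendor's update hostname has no business being in the hosts file at all; the `sinkholed` flag just tells you which variant of the trick was used.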

ThreatExpert is an advanced automated threat analysis system designed to analyze and report the behavior of computer viruses, worms, trojans, adware, spyware and other security-related risks in a fully automated mode. The report produced by ThreatExpert contains very important information about any submitted file and is divided into two parts:

- Submission Summary:
  - File submission information (date, processing time and malware alias).
  - Summary of the findings: here you will find the severity level and the impact on the machine (for example "Creates a startup registry entry" or "Contains characteristics of an identified security risk").
- Technical Details:
  - Possible Security Risk: the threat category with a short description.
  - File System Modifications (the filenames modified by the malware, file size, file hash, alias and a brief note about the different systems concerned).
  - Memory Modifications (whether a new process was created on the system).
  - Registry Modifications (the registry values created, modified or deleted).
  - Other details (possible countries of origin according to the analysis).

To use the ThreatExpert service you can go through the free online file scanner or install the ThreatExpert Submission Applet for a quick and easy way to submit your samples, but before submitting any files you need to register an account in order to retrieve ThreatExpert reports.

What all the previous tools lack is analysis of suspicious network traffic. For web-based threats we can use Anubis. Anubis lets the user submit a suspicious URL and receive a report showing all the activities of the Internet Explorer process while it visits that URL. The downside is that the service is slow.

Flash, JavaScript and PDF files can be scanned and handled with Wepawet. Wepawet runs various analyses on the URLs or files you submit. At the end of the analysis phase it tells you whether the resource is malicious or not and provides information to help you understand why it was classified one way or the other. It also displays various pieces of information that greatly simplify manual analysis and understanding of the behavior of malicious samples.

Another tool for analyzing Portable Executable (PE) files is MANDIANT Red Curtain (MRC). MRC examines multiple aspects of an executable file, looking at things such as entropy (in other words, randomness), indications of packing, compiler and packer signatures, the presence of digital signatures and other characteristics, to generate a threat “score.” This score can be used to decide whether a set of files is worth further investigation.
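The entropy part of such a score is easy to reproduce in your own lab, and seeing the numbers per section explains why a packed sample stands out. The following is an added example written for this post, not MRC's code or the article's own: it walks a PE section table with the standard library only, computes the Shannon entropy of each section's raw bytes, and flags sections at or above a cut-off of 7.0 bits per byte (an assumed threshold, not one taken from MRC). Because the example must run offline, the PE image it scores is a constructed, minimal byte string with a valid header layout rather than a real executable.

```python
import hashlib
import math
import struct
from collections import Counter

PACKED_ENTROPY = 7.0   # assumed cut-off: sections at or above this look compressed/encrypted


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or single-valued data, up to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_pe_sections(image: bytes):
    """Walk the PE section table (stdlib only) and return (name, raw_bytes) per section."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + size_of_optional                   # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        hdr = table + 40 * i
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        size_raw, ptr_raw = struct.unpack_from("<II", image, hdr + 16)   # SizeOfRawData, PointerToRawData
        sections.append((name, image[ptr_raw:ptr_raw + size_raw]))
    return sections


def score_image(image: bytes) -> dict:
    """Per-section entropy plus a 0..1 packing score (fraction of high-entropy sections)."""
    findings = []
    for name, data in parse_pe_sections(image):
        ent = shannon_entropy(data)
        findings.append({"section": name, "size": len(data),
                         "entropy": round(ent, 2), "high_entropy": ent >= PACKED_ENTROPY})
    flagged = sum(1 for f in findings if f["high_entropy"])
    return {"sha256": hashlib.sha256(image).hexdigest(),
            "sections": findings,
            "packing_score": round(flagged / len(findings), 2) if findings else 0.0}


def build_sample_image(sections) -> bytes:
    """Constructed, minimal PE-shaped bytes for exercising the parser (not a runnable executable)."""
    e_lfanew = 0x40
    dos_stub = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)   # i386, no optional header
    ptr = e_lfanew + 4 + len(coff) + 40 * len(sections)                  # raw data follows the table
    headers, blobs = b"", b""
    for name, data in sections:
        headers += struct.pack("<8sIIIIIIHHI", name, len(data), 0, len(data), ptr, 0, 0, 0, 0, 0)
        blobs += data
        ptr += len(data)
    return dos_stub + b"PE\0\0" + coff + headers + blobs


# Constructed sample: a repetitive code-like section and a section of 256 distinct bytes (entropy 8.0).
SAMPLE_IMAGE = build_sample_image([
    (b".text", b"\x90" * 100 + b"\xcc" * 28),
    (b"UPX1", bytes((i * 167 + 13) % 256 for i in range(256))),
])

if __name__ == "__main__":
    import json
    print(json.dumps(score_image(SAMPLE_IMAGE), indent=2))
```

Entropy alone does not prove packing: resource sections holding compressed images or certificates are legitimately high-entropy, which is why MRC combines it with packer signatures and other indicators before scoring. Treat the score as a triage hint that tells you which files deserve a closer look.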

Now you can quickly gather information on any suspicious file. Most of these tools are free and can turn a sample into a highly detailed report whose technical details match or exceed those of an antivirus lab.

  • data recovery

    It's really very important to use malware software to avoid any virus.

  • Mourad

    Yes it is very important to have an antivirus with the latest signature.

  • Qwest4knowledge

    **REPEAT AS FOR PAGE 1** Not only is this post vague, simplistic and uninformative, but it so far has no use for ‘building’ anything. All it is, is a jumble of ‘I like this program’ listing, but yet no informative ways to actually use the programs in a description that matches the header of this post. I could get better results just doing a Google keyword search. Lesson: try keeping your post header descriptions and the info in the post the same, otherwise, you’re just a misleading, useless tool who likes to see himself posting and thinks he is a MENSA candidate. Good luck.

  • Mourad

    This comment reflects your own opinion; on the other hand, many people have found it useful and linked to this post on forums and other blogs to solve problems related to malware. As we all know, malicious software is a great panic for the most proactive technologies.
    The tools mentioned are commonly used to process a sample into a highly detailed report with technical details that match or exceed an antivirus lab.