Posts Tagged Desktop Applications
Building your OWN Malware Lab (Part 2)
Posted by Mourad Ben Lakhoua in Cybercrime & Hacking, Software Security, Tools on March 7, 2010
Today’s Malware Strategy and Tactics are advanced and sophisticated. The main purpose for that is to trick antiviruses. Some are using encryption to make the detection difficult for any security software product, other add an AutoRuns to the registry entries to defend itself against anti-malware software or just adding a line to the host file to prevent the antivirus from updating their definition.
ThreatExpert is an advanced automated threat analysis system designed to analyze and report the behavior of computer viruses, worms, trojans, adware, spyware, and other security-related risks in a fully automated mode. The produced report by ThreatExpert includes very important information regarding any file and is divided to two parts:
- Submission Summary:
- File submitted information (Date, processing Time and Malware Alias).
- Summary of the findings: here you will find the severity level and what is the impact on the machine (like Creates a startup registry entry, Contains characteristics of an identified security risk, etc).
- Technical Details:
- Possible Security Risk this mean the Threat Category with a short description.
- File System Modifications ( here you can find the filename Modified by Malware ,file size, file Hash , Alias and a Brief Note about the different system concerned )
- Memory modification (if there was a new process created in the system)
- Registry Modifications (The new Registry Values created/Modified or deleted)
- Other details (contains possible countries origin according to the analysis).
For using ThreatExpert services you can follow the Free Online File Scanner or install ThreatExpert Submission Applet for a quick and easy way to submit your samples but before submitting any files you need to register an account to be able to retrieve ThreatExpert reports.
What misses all previous tools is network suspicious traffic analyzing. For the web based threat we can use Anubis. Anubis helps user to submit a suspicious URL and receive a report that shows you all the activities of the Internet Explorer process during visiting this URL. The negative point is that the service works slowly.
Flash, JavaScript, and PDF files can be scanned and handled with Wepawet. Wepawet runs various analyses on the URLs or files that you submit. At the end of the analysis phase, it tells you whether the resource is malicious or not and provides information to help you understand why it was classified in a way or the other. It also displays various pieces of information that greatly simplify the manual analysis and understanding of the behavior of malicious samples.
Another tool to analyze Portable Executable (PE) format files is MANDIANT Red Curtain , MRC examines multiple aspects of an executable file by looking at things such as the entropy (in other words, randomness), indications of packing, compiler and packing signatures, the presence of digital signatures, and other characteristics to generate a threat “score.” This score can be used to identify whether a set of files is worthy of further investigation.
Now you can quickly gather information for any suspicious file. Most of these tools are provided for free and can process a sample of a highly detailed report with technical details match or exceed antivirus Lab.
make sure you subscribe to my RSS feed!
Building your OWN Malware Lab (Part 1)
Posted by Mourad Ben Lakhoua in Cybercrime & Hacking, Software Security, Tools on February 27, 2010
Malicious software pieces like viruses, worms and bots are currently one of the largest threats to the security of the Internet. Antivirus Labs have invested great Money for analyzing and reversing viruses, but for our case we can perform the analysis using some useful tools on our PC.
Let’s start with www.virustotal.com , if I feel that I have a suspicious file. First what I will do is to upload it to VirusTotal. VirusTotal gives the user the ability to analyze any file with more than 40 Antivirus products. With the latest signature definition, this brings a clear idea not only if your file is safe but also to know which AV is effective. The file can be uploaded directly from the site using SSL or sent over the email. You can also download the uploader to your PC and install it which enables you to directly send files from your system using the context menu.
Today it is very important for reversing malware to know virus behavior. User should run the program and detect the changes in the system but this can harm the main system. for this we need Sandboxie. Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer. After installing Sandboxie you will have a big choice of tools for detecting and monitoring the changes on the system. you can use Process Monitor from sysinternal, API Monitor or free analyzing tools from iDEFENSE LABS.
CWSandbox is another very nice tool for performing malware analysis that fulfills the three design criteria of automation, effectiveness and correctness for the Win32 family of operating systems. CWSandbox allows tracing and monitoring all relevant system calls and generating an automated report that describes:
• which files the malware sample has created or modified,
• which changes the malware sample performed on the Windows registry,
• which dynamic link libraries (DLLs) were loaded before executing,
• which virtual memory areas were accessed,
• which processes were created, or which network connections were opened and what information was sent over such connections.
Malware can be so hard to remove, and sometimes the best approach to clean an infected machine is by restoring a clean copy of the operating system. Here we arrived to the end of this new series of Building your own malware Lab.
make sure you subscribe to my RSS feed!
SUBSCRIBE
Latest Comments