Posts Tagged sysinternal
Building your OWN Malware Lab (Part 1)
Posted by Mourad Ben Lakhoua in Cybercrime & Hacking, Software Security, Tools on February 27, 2010
Malicious software such as viruses, worms and bots is currently one of the largest threats to the security of the Internet. Antivirus labs invest a great deal of money in analyzing and reversing viruses, but in our case we can perform the analysis using some useful tools on our own PC.
Let’s start with www.virustotal.com. If I have a suspicious file, the first thing I do is upload it to VirusTotal. VirusTotal lets you analyze any file with more than 40 antivirus products using their latest signature definitions, which gives a clear idea not only of whether your file is safe but also of which AV products are effective. The file can be uploaded directly from the site over SSL or sent by email. You can also download the uploader and install it on your PC, which lets you send files straight from your system via the context menu.

When reversing malware it is very important to understand the virus’s behavior. To do that, the user has to run the program and observe the changes it makes to the system, but this can harm the host system. For this we need Sandboxie. Sandboxie runs your programs in an isolated space, which prevents them from making permanent changes to other programs and data on your computer. Once Sandboxie is installed you have a wide choice of tools for detecting and monitoring changes to the system: you can use Process Monitor from Sysinternals, API Monitor, or the free analysis tools from iDEFENSE Labs.
CWSandbox is another very nice tool for performing malware analysis; it fulfills the three design criteria of automation, effectiveness and correctness for the Win32 family of operating systems. CWSandbox traces and monitors all relevant system calls and generates an automated report that describes:
• which files the malware sample has created or modified,
• which changes the malware sample performed on the Windows registry,
• which dynamic link libraries (DLLs) were loaded before executing,
• which virtual memory areas were accessed,
• which processes were created, or which network connections were opened and what information was sent over such connections.
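As an added example (not code from this post, from Sysinternals or from CWSandbox), the Python script below reduces a Process Monitor CSV export, captured while a sample runs inside the sandbox, to the same behaviour headings CWSandbox reports. The capture is constructed, and the mapping from Procmon operations to headings is my own assumption.

```python
# Added example (not from the original post): turn a Process Monitor CSV export
# into the behaviour categories a CWSandbox-style report lists.
import csv, io
from collections import defaultdict

# Constructed capture in Procmon's default CSV export layout (Save As -> CSV).
PROCMON_CSV = r""""Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.2","sample.exe","1234","Load Image","C:\Windows\System32\ws2_32.dll","SUCCESS","Image Base: 0x77000000"
"10:01:02.3","sample.exe","1234","CreateFile","C:\Users\lab\AppData\Roaming\svc.exe","SUCCESS","Desired Access: Generic Write, Disposition: Create"
"10:01:02.4","sample.exe","1234","WriteFile","C:\Users\lab\AppData\Roaming\svc.exe","SUCCESS","Offset: 0, Length: 4096"
"10:01:02.5","sample.exe","1234","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc","SUCCESS","Type: REG_SZ, Data: C:\Users\lab\AppData\Roaming\svc.exe"
"10:01:02.6","sample.exe","1234","Process Create","C:\Users\lab\AppData\Roaming\svc.exe","SUCCESS","PID: 1300"
"10:01:02.7","svc.exe","1300","TCP Connect","lab-pc:49152 -> 203.0.113.10:443","SUCCESS","Length: 0"
"10:01:02.8","sample.exe","1234","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open"
"10:01:02.9","sample.exe","1234","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svc","ACCESS DENIED","Type: REG_SZ"
"""
# Procmon operation -> report heading (assumed mapping, mirrors the list above).
CATEGORIES = {
    "WriteFile": "files created or modified",
    "RegSetValue": "registry changes", "RegCreateKey": "registry changes",
    "Load Image": "DLLs loaded",
    "Process Create": "processes created",
    "TCP Connect": "network connections", "TCP Send": "network connections",
    "UDP Send": "network connections",
}

def categorise(row):
    """Map one Procmon event to a report heading; None means noise."""
    if row["Operation"] == "CreateFile":
        # Only opens that can write or create change the system; reads are noise.
        d = row["Detail"]
        if "Generic Write" in d or "Disposition: Create" in d or "Overwrite" in d:
            return "files created or modified"
        return None
    return CATEGORIES.get(row["Operation"])

def summarise(csv_text):
    """Return {heading: sorted unique 'proc(pid): path'} for successful events."""
    report = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Result"] != "SUCCESS":
            continue  # a denied or failed call changed nothing on the system
        heading = categorise(row)
        if heading:
            report[heading].add(f'{row["Process Name"]}({row["PID"]}): {row["Path"]}')
    return {h: sorted(v) for h, v in report.items()}

if __name__ == "__main__":
    for heading, entries in summarise(PROCMON_CSV).items():
        print(f"== {heading} ==", *entries, sep="\n  ")
```

Run it against a real export saved from Procmon while the sample executes under Sandboxie; extend CATEGORIES as further operations of interest show up in your captures.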

Malware can be very hard to remove, and sometimes the best approach to cleaning an infected machine is to restore a clean copy of the operating system. This brings us to the end of this part of the new Building your own Malware Lab series.
make sure you subscribe to my RSS feed!
New major updates for Sysinternal
Posted by Mourad Ben Lakhoua in News, Tools on July 28, 2009
Sysinternals announced some major updates to their tools package. The most interesting of these are the end of life of Filemon and Regmon, and a number of enhancements to Procmon, including new by-extension and by-directory views in the File Summary dialog, a new Network Summary view, quick filtering in all the summary views, additional IOCTL and error result decoding, and a number of bug fixes.
Process Monitor is the replacement for Filemon and Regmon and is much more advanced and scalable than its predecessors. Since we only aim to make Sysinternals tools work on Windows XP and higher, we’ve decided that it’s time to retire these venerable utilities that were born in the early days of Sysinternals (then NTinternals) back in 1996. So that you have a chance to say goodbye, we’re announcing now that they will be removed from the site on September 1.
It is always good to see new functionality and updates in Sysinternals.
Three new updates in Sysinternal
Posted by Mourad Ben Lakhoua in News on May 12, 2009
Sysinternals recently announced three application updates on their blog:
Autoruns v9.5: This update to Autoruns, a powerful autostart manager, adds display of audio and video codecs, which are gaining popularity as an extension mechanism used by malware to gain automatic execution.
PsLoglist v2.7: This version of PsLoglist, a command-line event log display utility, now properly displays event log entries for default event log sources on Windows Vista and higher and accepts wildcard matching for event sources.
PsExec v1.95: This version of PsExec, a utility for executing applications remotely, fixes an issue that prevented the -i (interactive) switch from working on Windows XP systems with a recent hotfix and includes a number of minor bug fixes.