Saturday, April 14, 2012

Malware Analysis Resources

This is meant to be a complementary post to the URL Scanner roundup post back in January.

Let me be the first to say I am not a malware reverse-engineering analyst.

On the other hand, when I am responding to an incident involving a system compromise, and/or am trying to both clean the system as well as understand the potential impact of what happened, being able to analyze a suspect file is critical.

It can not only give me a better understanding of how to clean it, but possibly how it got there in the first place. That lesson learned may help strengthen our security perimeter.

So having a collection of resources that can help analyze a suspected malware file is important to me.

The following resources are a collection of online file scanners, services that generate analysis reports, and tools for building a local sandbox to aid in that process.

There are a number of similar “list-of-lists” like this one. I’ve just tried to collect them for my own personal reference. Major hat-tip and credit goes to the following sources, which have already paved the way before me. You may find additional resources there that I haven’t linked here, as well as fuller descriptions and feedback.

And as Sketchymoose points out in the close of that post, before you start uploading files to any of these resources:

So now, keep in mind-- your submitted file is now out on the internet and is now on some database. Some of these may be owned by AV companies which look for new juicy malware to add to their signatures. So, if you are really worried about that:
(A) read documentation on their website to see what happens with collected data
(B) do your own analysis
(C) Ask customer/boss what their position is about submitting files to these sites -- make sure you know the answer for choice 'A' too for this one
Remember collaboration is one of the biggest deciding factors in incident response, but use common sense and discretion.

On-Line Scanners and Virus/Malware Analysis Tools

PDF File Analysis Tools

Not a PDF tool as such, but Malware Tracker’s Cryptam service can scan Office documents for malicious content as well.

Sandbox Tools for Malware Analysis 

Adobe Shockwave/Flash Analysis Tools

Mandiant - When One Word will do…

  • MANDIANT - Red Curtain - From their product description: “MRC examines executable files (e.g., .exe, .dll, and so on) to determine how suspicious they are based on a set of criteria. It examines multiple aspects of an executable, looking at things such as the entropy (in other words, randomness), indications of packing, compiler and packing signatures, the presence of digital signatures, and other characteristics to generate a threat "score." This score can be used to identify whether a set of files is worthy of further investigation.”
  • MANDIANT Find Evil - a tool that uses disassembly to detect packed executables.
  • Be sure to check out all Mandiant’s Free Software offerings as many other tools here may aid in a malware response investigation.
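The Red Curtain description above lists the kinds of static features a triage scorer looks at: per-section entropy, packer indications, and whether a digital signature is even present. The script below is an added example, written for this post and not Mandiant's code, of the same idea in plain Python. It parses just enough of a PE file to walk the section table, measures the Shannon entropy of each section's raw bytes, checks section names against a short list of packer leftovers, and reports whether the optional header's security data directory (where an Authenticode blob lives) is populated. The entropy threshold, the weights, the packer-name list, and the build_sample_pe() helper that constructs the two synthetic test binaries are all illustrative assumptions of this example, not Red Curtain's actual criteria.

```python
# Added example (not Mandiant's code): a Red Curtain-style triage scorer for
# PE files. Reads the section table, computes per-section Shannon entropy,
# flags well-known packer section names, and checks whether the Authenticode
# (security) data directory is populated. Thresholds, weights and the packer
# list are illustrative assumptions, not Red Curtain's real criteria.
import math
import random
import struct
from collections import Counter

# Section names left behind by common packers (illustrative, not exhaustive).
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata",
                        b".petite", b".themida", b"MPRESS1", b"MPRESS2"}
HIGH_ENTROPY = 7.0   # bits/byte; assumed threshold for "looks compressed or encrypted"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_pe(pe: bytes):
    """Return (sections, has_security_dir) for a PE32/PE32+ image.

    sections is a list of (name, raw_bytes). Only the fields needed for
    triage are decoded; this is not a full PE loader.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                               # IMAGE_FILE_HEADER (20 bytes)
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                                   # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_off = opt + (96 if magic == 0x10B else 112)    # data directories: PE32 / PE32+
    num_dirs = struct.unpack_from("<I", pe, dd_off - 4)[0]
    has_security_dir = False
    if num_dirs > 4:                                  # index 4 = IMAGE_DIRECTORY_ENTRY_SECURITY
        offset, size = struct.unpack_from("<II", pe, dd_off + 4 * 8)
        has_security_dir = offset != 0 and size != 0
    sections, hdr = [], opt + size_opt                # first IMAGE_SECTION_HEADER
    for _ in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, hdr)
        sections.append((name.rstrip(b"\0"), pe[raw_ptr:raw_ptr + raw_size]))
        hdr += 40                                     # sizeof(IMAGE_SECTION_HEADER)
    return sections, has_security_dir


def triage(pe: bytes) -> dict:
    """Score a PE in the spirit of Red Curtain: higher means more suspicious."""
    sections, signed = parse_pe(pe)
    report = {"sections": [], "packer_names": [], "has_security_dir": signed, "score": 0}
    for name, raw in sections:
        ent = shannon_entropy(raw)
        report["sections"].append({"name": name.decode("ascii", "replace"),
                                   "entropy": round(ent, 3), "size": len(raw)})
        if ent >= HIGH_ENTROPY:
            report["score"] += 2                      # compressed/encrypted payload
        if name in PACKER_SECTION_NAMES:
            report["packer_names"].append(name.decode())
    if report["packer_names"]:
        report["score"] += 3                          # known packer signature
    if not signed:
        report["score"] += 1                          # no embedded Authenticode blob at all
    return report


def build_sample_pe(sections, signed=False) -> bytes:
    """Build a minimal synthetic PE32 from (name, data) pairs.

    Constructed test input for this example only: the headers are just
    consistent enough to be parsed, not to be loaded by Windows.
    """
    size_opt = 224                                    # PE32 optional header size
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 96 + 4 * 8, 0x1000, 0x200)  # fake security dir
    raw_off = len(dos) + 4 + len(coff) + size_opt + 40 * len(sections)
    headers, payload = b"", b""
    for name, data in sections:
        headers += struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000, len(data),
                               raw_off, 0, 0, 0, 0, 0x60000020)
        raw_off += len(data)
        payload += data
    return dos + b"PE\0\0" + coff + bytes(opt) + headers + payload


# Constructed samples: a "plain" binary with moderate-entropy code and a signature
# blob present, and a UPX-style binary whose UPX1 section is near-random bytes.
_rng = random.Random(1)
SAMPLE_PLAIN = build_sample_pe([(b".text", bytes(range(64)) * 64),
                                (b".data", b"\0" * 512)], signed=True)
SAMPLE_PACKED = build_sample_pe([(b"UPX0", b"\0" * 64),
                                 (b"UPX1", bytes(_rng.getrandbits(8) for _ in range(4096)))])

if __name__ == "__main__":
    for label, blob in (("plain", SAMPLE_PLAIN), ("packed", SAMPLE_PACKED)):
        print(label, triage(blob))
```

Two caveats worth keeping in mind when reading the score: a populated security directory only says a signature blob is attached, not that it verifies or chains to a trusted root, so validate it separately (for example with signtool or Get-AuthenticodeSignature); and high entropy alone is weak evidence, since a legitimate .rsrc section full of compressed images or a .NET resource blob will trip the same threshold. That is exactly why Red Curtain combines several indicators into one score rather than alerting on any one of them.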

Lessons Learned and Wisdom Shared by the Malware Analysis Pros

Thanks to the hard work and community spirit of malware analysts, we can “sharpen our saw” against their efforts. These are some of the best places to start.

I sincerely hope you find several good take-aways from this post. It’s been simmering a while and I think it will greatly aid me in my own efforts and responses.


--Claus V.


Anonymous said...

Very informative and comprehensive.
But I would add to "On-Line Scanners and Virus/Malware Analysis Tools".

Keep doing a good job!

Claus said...

@ Anonymous - Thanks for the suggestion.

Quttera provides online URL/website-scanning services.

I included it previously under this URL Scanner roundup GSD blog post that focused on web/URL scanning tools.

This post was more focused on scanning malware binaries that have already been detected and are local to the system so I didn't include URL-scan services in this list.

I'll also probably do a final follow-up post that deals with system-wide "cloud-based" scanners which can scan your system looking for malware...rather than an installed (local) AV/AM application.


--Claus V.

Laks said...

Very Nice Collection! Here is a new tool for Malware Similarity, Search and Retrieval:

SARVAM: Search and Retrieval of Malware

ange said...

good stuff!

my 2c: such lists become unreachable pretty easily (people tend not to visit older blog posts, or at least are not convinced that they are the most up-to-date), so I suggest creating an empty Google Code project and pasting this into a wiki page (you can edit them directly from the web interface).

Anonymous said...

Nice post. I'd like to add

great source for learning

Claus said...

@ Anonymous. Too Right!

I've got it listed on my watch list blog-roll but inclusion here is a great suggestion.

I follow it daily on my RSS feed reader, both online and on my smartphone.

SANS Computer Forensic Investigations and Incident Response

We probably could mention ISC Diary as well, even though it isn't quite as for/sec focused as the SANS CFI-IR blog.

It might be a good idea for me to do a RSS feed list dump as well since I follow more than a few security blogs that post in greater detail about specific malware trends and analysis.

In related linkage, Matt Simmons of the "Standalone Sysadmin" blog has an amazing collection of shared links and an even more updated OPML file to pull: Subscribed Feeds

Lots of goodies there.


--Claus V.