This is meant to be a complementary post to the URL Scanner roundup post back in January.
Let me be the first to say I am not a malware reverse-engineering analyst.
On the other hand, when I am responding to an incident involving a system compromise and trying both to clean the system and to understand the potential impact of what happened, being able to analyze a suspect file is critical.
It can give me not only a better understanding of how to clean it, but possibly how it got there in the first place. That lesson learned may help strengthen our security perimeter.
So having a collection of resources that can help analyze a malware (or potential malware) file is important to me.
The following resources are a collection of online file scanners, automated analysis-report services, and tools for building a local sandbox to aid in that process.
There are a number of similar “list-of-lists” like this one; I’ve just tried to collect them for my own personal reference. Major hat-tip and credit goes to the following sources, which have already paved the way before me. You may find some more resources there that I haven’t linked to, as well as additional descriptions and feedback.
- Malware Sandbox Services and Software - Andre’ M. DiMino - SemperSecurus blog
- Information Security Blog » Online Malware Analysis Scanners - Coresec.org
- Mantra's (Anti)-Malware Link Gallery - OWASP Mantra
- Malware Analysis - SecurityXploit
- Malware online scanners | Security on steroids - CleanBytes.net
- When You Only Have 10 Minutes... - Sketchymoose’s Blog
And as Sketchymoose points out in the close of that post, before you start uploading files to any of these resources (a practical first step is to compute the file’s MD5/SHA1/SHA256 hash and search for that hash on a service such as VirusTotal, since a hash lookup tells you whether the file is already known without disclosing the file itself):
So now, keep in mind-- your submitted file is now out on the internet and is now on some database. Some of these may be owned by AV companies which look for new juicy malware to add to their signatures. So, if you are really worried about that:
(A) read documentation on their website to see what happens with collected data
(B) do your own analysis
(C) Ask customer/boss what their position is about submitting files to these sites -- make sure you know the answer for choice 'A' too for this one
Remember collaboration is one of the biggest deciding factors in incident response, but use common sense and discretion.
On-Line Scanners and Virus/Malware Analysis Tools
- GFI Public Sandbox - Formerly known as CWSandbox
- :: mwanalysis :: CWSandbox :: - Separate CWSandbox service maintained by the Chair for Practical Informatics 1 at the University of Mannheim
- SandBox Information Center - Norman
- VirusTotal - Free Online Virus, Malware and URL Scanner
- Jotti's malware scan
- Metascan Online - Free online file scanning with multiple antivirus engines
- ASafaWeb - Automated Security Analyser for ASP.NET Websites (scans a live site’s configuration rather than an uploaded file)
- Virus Lab - F-Prot Antivirus Virus Information
- Anubis: Analyzing Unknown Binaries - Really neat and detailed reports.
- ThreatExpert - Online File Scanner or try their ThreatExpert - Submission Applet
- ThreatExpert - Submit Your Sample Online - same folks, different submission interface.
- Submit a sample - Microsoft Malware Protection Center
- Eureka Malware Analysis Page - Automated malware binary analysis service
- Comodo Instant Malware Analysis
- File Verdict Service - Automated analysis system also from Comodo.
- F-Secure - Sample Analysis System
- Xandora - Your Online Binary Analyser - Analysis of malware PE files
- VirusChief - Online Virus Scan - scans a file using a number of scan engines.
- VirSCAN.org - Free Multi-Engine Online Virus Scanner - supported by 36 AntiVirus Engines
- NoVirusThanks.org - Multi-Engine Antivirus Scanner - Service
- avast! Online Scanner
- malwr.com - free malware analysis service built on Cuckoo Sandbox
- Online Malware Tool for Malware Analysis
- Autovin » Malware Submission - Panda Security’s Automated Tool for Virus Incidents
- Ether: Malware Analysis via Hardware Virtualization Extensions - testing/beta mode still.
- SuspectFile - upload analysis service.
- SARVAM: Search and Retrieval of Malware - Added 4-16-12 per tip from Laks
PDF File Analysis Tools
- pdf examiner - Malware Tracker - upload and scan PDF files for a slew of exploits.
- PDF X-RAY - upload and scan a suspicious PDF file to detect malicious behavior.
- PDF Stream Dumper - super-awesome locally installed (freeware) tool for analysis of malicious PDF documents. Really amazing and a must-have in any incident responder’s and analyst’s toolkit.
- PDF Tools « Didier Stevens - Didier has a great collection of local tools to keep handy when parsing out PDF files.
- 6 Free Local Tools for Analyzing Malicious PDF Files - great list of PDF tools from Lenny Zeltser
- Analyzing Suspicious PDF Files With Peepdf - how-to post from Lenny Zeltser on using the peepdf tool
- peepdf - PDF Analysis Tool - eternal-todo.com - free Python tool from Jose Miguel Esparza to pick apart PDF files.
- malware tracker blog - Blog home page for Malware Tracker team which contains great analysis write ups and reports. Cool.
Not a PDF tool, but Malware Tracker’s Cryptam service can scan Office documents for malicious content as well.
Sandbox Tools for Malware Analysis
- Minibis - CERT.at - “Software and tips to easily build up an automated malware analysis station based on a concept introduced in the paper "Mass Malware Analysis: A Do-It-Yourself Kit”.” from Christian Wojner.
- Zero Wine: Malware Behavior Analysis - QEMU virtual machine image with Debian OS installed, loaded with tools to upload and analyze malware and generate reports.
- Buster Sandbox Analyzer - project based on Sandboxie
- Cuckoo Sandbox - a malware analysis system addressing Windows PE files, DLL files, PDF documents, Office documents, PHP scripts, Python scripts, Internet URLs, etc.
- Cuckoo for Cuckoo Box - SpiderLabs Anterior post on getting it to run on Mac OS X.
- Analyzing Malware with Cuckoo Sandbox V3.0 - securitybananas.com post on using it.
- Cuckoo Sandbox 101 - Andrew Waite of Infosanity’s Blog addresses some gotchas he encountered.
- Capture-BAT Page - The Honeynet Project - behavioral analysis tool for Win32 applications that records the file system, registry and process changes a sample makes on the system (the impact of the malware) rather than picking the executable itself apart: change analysis rather than binary analysis.
- Malware analysis tool, Capture-Bat - Great tutorial written by Travis Altman on installing and analyzing results of Capture-Bat.
- Sometimes Trouble Finds You.... - interesting recent post from Sketchymoose at his blog on using Capture-BAT on a URL-redirection malware vector.
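The change-analysis idea behind Capture-BAT, reduced to its simplest form, is a before/after snapshot diff: record what is on disk, let the sample run, record again, and report what was created, deleted or modified. The script below is an added example written for this post, not Capture-BAT’s code; it works on a throwaway directory with a constructed stand-in for “running the sample” (the file names it drops, such as a fake svchost.exe and a modified hosts file, are invented), so it runs offline. Capture-BAT itself watches the live system from the kernel, which is the part this snapshot approach cannot see (transient files that are written and deleted between snapshots).

```python
"""Before/after change analysis of a directory tree (added example; not Capture-BAT's code)."""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict:
    """Map each file path (relative to root, POSIX form) to (size, sha256) so two runs can be diffed."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = Path(dirpath) / fname
            data = full.read_bytes()
            state[full.relative_to(root).as_posix()] = (len(data), hashlib.sha256(data).hexdigest())
    return state


def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify every path as created, deleted or modified between two snapshots.
    Hashing (not just size/mtime) catches same-size overwrites such as a patched hosts file."""
    common = set(before) & set(after)
    return {
        "created": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def simulate_sample_run(root: str) -> None:
    """Constructed stand-in for 'run the sample': drops a file, overwrites one, removes one.
    A real sample would touch system locations; a plain directory keeps the example offline."""
    Path(root, "Temp", "svchost.exe").write_bytes(b"MZ" + b"\x90" * 64)  # invented dropped file
    Path(root, "hosts").write_text("127.0.0.1 localhost\n0.0.0.0 update.example\n")  # invented edit
    Path(root, "readme.txt").unlink()


def demo() -> dict:
    """Build a tiny fake file system, snapshot it, 'run' the sample, snapshot again, and diff."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "Temp").mkdir()
        Path(root, "hosts").write_text("127.0.0.1 localhost\n")
        Path(root, "readme.txt").write_text("untouched\n")
        Path(root, "app.dll").write_bytes(b"\x00" * 16)   # unchanged file: must not be reported
        before = snapshot(root)
        simulate_sample_run(root)
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9} {paths}")
```

On a real analysis VM you would point `snapshot()` at the drive root (and at an exported registry hive) rather than a temp directory, and still run something like Capture-BAT or Process Monitor alongside it to catch what happens between the two snapshots.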
Adobe Shockwave/Flash Analysis Tools
- Introducing Adobe SWF Investigator - Adobe Labs tool to totally pick apart SWF files. Uses Adobe AIR platform.
- Adobe SWF Investigator | Flash security - Adobe Labs - download link
- HP Communities - SWFScan - FREE Flash decompiler - Enterprise Business Community - decompiles Adobe Flash files and does some basic security scanning.
- Decompile Flash files with HP SwfScan - program review by Mike Williams at BetaNews
Mandiant - When One Word will do…
- MANDIANT - Red Curtain - From their product description: “MRC examines executable files (e.g., .exe, .dll, and so on) to determine how suspicious they are based on a set of criteria. It examines multiple aspects of an executable, looking at things such as the entropy (in other words, randomness), indications of packing, compiler and packing signatures, the presence of digital signatures, and other characteristics to generate a threat "score." This score can be used to identify whether a set of files is worthy of further investigation.”
- MANDIANT Find Evil - tool that uses disassembly to detect packed executables.
- Be sure to check out all Mandiant’s Free Software offerings as many other tools here may aid in a malware response investigation.
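To make the Red Curtain criteria concrete, here is an added example (my own illustration for this post, not Mandiant’s code or scoring) that walks a PE file’s section table and scores three of the indicators the product description mentions: per-section Shannon entropy, section names that common packers leave behind, and sections that are both writable and executable. The 7.0 bits-per-byte threshold and the packer-name list are assumptions for the demo, and the two sample files are built in the script (a plain layout and a UPX-like layout), so nothing real is needed on disk.

```python
"""PE entropy and packing triage, after the Red Curtain criteria (added example, not Mandiant's code)."""
import hashlib
import math
import struct
from collections import Counter

# Assumed heuristic threshold in bits per byte: ordinary compiled code usually sits
# around 5 to 6.5; compressed or encrypted payloads approach the 8.0 maximum.
HIGH_ENTROPY = 7.0
# Assumed list of section names that common packers leave behind.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite",
                        ".nsp0", ".nsp1", "MPRESS1", "MPRESS2", ".vmp0", ".vmp1"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000   # section characteristics bits from the PE spec
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Minimal PE section-table parser: MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> sections.
    Returns [(name, raw_bytes, characteristics)]; raises ValueError on malformed or lying headers."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER follows the signature
    if coff + 20 > len(pe):
        raise ValueError("truncated COFF header")
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size              # section headers follow the optional header
    if table + 40 * num_sections > len(pe):
        raise ValueError("section table runs past end of file")
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        flags = struct.unpack_from("<I", pe, off + 36)[0]
        name = name.rstrip(b"\0").decode("ascii", "replace")
        if raw_ptr + raw_size > len(pe):      # a header pointing outside the file is itself a red flag
            raise ValueError(f"section {name!r} points outside the file")
        sections.append((name, pe[raw_ptr:raw_ptr + raw_size], flags))
    return sections


def triage(pe: bytes) -> dict:
    """Score a PE on three packing indicators; score = number of distinct indicator kinds hit (0-3)."""
    indicators, kinds = [], set()
    for name, raw, flags in parse_sections(pe):
        ent = shannon_entropy(raw)
        if raw and ent >= HIGH_ENTROPY:
            kinds.add("entropy")
            indicators.append(f"high entropy ({ent:.2f}) in {name}")
        if name in PACKER_SECTION_NAMES:
            kinds.add("packer-name")
            indicators.append(f"packer section name {name}")
        if flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE:
            kinds.add("wx")
            indicators.append(f"writable and executable section {name}")
    return {"score": len(kinds), "indicators": indicators,
            "file_entropy": round(shannon_entropy(pe), 2)}


def build_pe(sections) -> bytes:
    """Construct a minimal PE (no optional header, unaligned sections) for offline testing only."""
    e_lfanew = 0x40
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew))
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    raw_ptr = len(hdr) + 40 * len(sections)
    blobs = b""
    for name, data, flags in sections:
        hdr += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), raw_ptr,
                           len(data), raw_ptr, 0, 0, 0, 0, flags)
        blobs += data
        raw_ptr += len(data)
    return bytes(hdr) + blobs


# Constructed sample inputs (not real binaries): a plain layout and a UPX-like packed layout.
CODE_BLOB = b"\x55\x8b\xec\x83\xec\x10\x33\xc0\x5d\xc3" * 100                  # low entropy
NOISE_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))  # 2 KiB, near 8 bits/byte
SAMPLE_CLEAN = build_pe([
    (".text", CODE_BLOB, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", b"Hello, world\0" * 40, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])
SAMPLE_PACKED = build_pe([
    ("UPX0", b"", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ("UPX1", NOISE_BLOB, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    for label, blob in (("clean", SAMPLE_CLEAN), ("packed", SAMPLE_PACKED)):
        print(label, triage(blob))
```

A high score here only means “worth a closer look”: legitimate installers and signed binaries are packed too, which is why Red Curtain weighs digital signatures and compiler signatures alongside entropy, and why you would pair this with one of the online multi-engine scanners above before deciding anything.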
Lessons Learned and Wisdom Shared by the Malware Analysis Pros
Thanks to the hard work and community-spirit of malware analysts, we can “sharpen-our-saw” against their efforts. These are some of the best places to start.
- Malware Analysis Blog | quis custodiet ipsos custodes - This blog is just getting started but the posts so far have been very insightful. The post Malware Analysis as a function of intelligence and counterintelligence operations is a quite well thought out review of the issues a malware analyst must be familiar with.
- Hexacorn | Blog has a lot of great detailed posts and a few challenges as well to test your brain-cells. Check out this Malware Analysis post-tag list as well as this Extracting Strings from PE sections post for some great material. On my RSS feed list.
- Analyzing Malicious Documents Cheat Sheet by Lenny Zeltser - Lenny Zeltser shares an amazing collection of tools, resources, and techniques in a “cheat-sheet” format. Check the sidebar for PDF/DOCX versions of this page. The bottom of the page is heavy with PDF tool linkage as well as white-papers and security presentations.
- Introduction to Malware Analysis - (PDF Link) - This presentation by Lenny Zeltser outlines a lot of the important foundations the investigator should be aware of. One of many good Presentations, Webcasts, and Speaking Engagements by Lenny Zeltser on that page.
- Also related, Lenny Zeltser’s posts: Reverse-Engineering Malware Cheat Sheet and REMnux Usage Tips for Malware Analysis on Linux. Mr. Zeltser also teaches SANS Institute training, so if you think you are ready to take things to the next professional level, SANS Institute classes would be a fantastic place to start. See this Reverse-Engineering Malware: Malware Analysis Tools and Techniques Course - Malware Analysis Training by Lenny Zeltser link for more info.
- System Forensics - A blog new to me, well written by Patrick Olsen. Love the Blogger theme! Great and detailed analysis posts. On my RSS feed list. For some sample posts check out: Zeus v2 Malware Analysis - Part I and Zeus v2 Malware Analysis - Part II.
- Advanced Malware Cleaning - online video (~13 min) presented by Sysinternals’ Mark Russinovich showing tools and techniques to manually clean a system of malware. Still good after all these years.
- Zero Day Malware Cleaning with the Sysinternals Tools - (PDF link) - “Slides from Mark’s highly-rated Blackhat US 2011 presentation on how to use the Sysinternals tools to hunt down and eliminate malware.” Excellent slide set IMHO.
- Windows Incident Response: Malware Analysis - Harlan Carvey shares some thoughts and perspectives on the malware response and analysis field from a digital forensics perspective.
- Is Anti-Virus Really Dead? A Real-World Simulation Created for Forensic Data Yields Surprising Results - SANS Computer Forensics and Incident Response blog post by robtlee that shows the value of malware incident response and protection in an enterprise environment.
- WEBCAST: Manually Removing Viruses & Malware - Kurt Shintaku's Blog - Mike Halsey, Microsoft MVP presentation on pulling malware off a Windows system. Registration is required and accessible until July 5th, 2012.
I sincerely hope you find several good take-aways from this post. It’s been simmering a while and I think it will greatly aid me in my own efforts and responses.