Malware Analysis Resources

This is meant to be a complementary post to the URL Scanner roundup post back in January.

Let me be the first to say I am not a malware reverse-engineering analyst.

On the other hand, when I am responding to an incident involving a system compromise, trying both to clean the system and to understand the potential impact of what happened, being able to analyze a suspect file is critical.

It can not only give me a better understanding of how to clean it, but possibly how it got there in the first place. That lesson learned may help strengthen our security perimeter.

So having a collection of resources that can help analyze a malware (or potential malware) file is important to me.

The following resources are a collection of on-line file scanners, analysis-report generators, and local sandbox-building tools to aid in that process.

There are a number of similar “list-of-lists” like this one. I’ve just tried to collect them for my own personal reference. Major hat-tip and credit go to the following sources, which have already paved the way before me. You may find some more resources there that I haven’t linked to, as well as additional descriptions and feedback.

And as Sketchymoose points out in the close of that post, before you start uploading files to any of these resources:

So now, keep in mind: your submitted file is now out on the internet and is now on some database. Some of these may be owned by AV companies which look for new juicy malware to add to their signatures. So, if you are really worried about that:
(A) read documentation on their website to see what happens with collected data
(B) do your own analysis
(C) Ask customer/boss what their position is about submitting files to these sites — make sure you know the answer for choice ‘A’ too for this one.
Remember collaboration is one of the biggest deciding factors in incident response, but use common sense and discretion.

On-Line Scanners and Virus/Malware Analysis Tools

PDF File Analysis Tools

Not PDF-specific, but Malware Tracker’s Cryptam service can scan Office documents for malicious content as well.

Sandbox Tools for Malware Analysis 

Adobe Shockwave/Flash Analysis Tools

Mandiant – When One Word will do…

  • MANDIANT – Red Curtain – From their product description: “MRC examines executable files (e.g., .exe, .dll, and so on) to determine how suspicious they are based on a set of criteria. It examines multiple aspects of an executable, looking at things such as the entropy (in other words, randomness), indications of packing, compiler and packing signatures, the presence of digital signatures, and other characteristics to generate a threat “score.” This score can be used to identify whether a set of files is worthy of further investigation.”
  • MANDIANT Find Evil – a tool that uses disassembly to detect packed executables.
  • Be sure to check out all Mandiant’s Free Software offerings as many other tools here may aid in a malware response investigation.
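
To make the Red Curtain criteria above (and the “do your own analysis” advice from Sketchymoose) concrete, here is a small Python script I put together as an added example; it is my own code, not Mandiant’s and not from any of the tools linked in this post. It hashes the file (so you can search a scanner by hash instead of uploading the sample), walks the PE section table with nothing but the standard library, computes Shannon entropy per section, and adds up a crude “threat score.” The packer section-name list, the 7.0 bits/byte threshold and the point weights are my assumptions, not MRC’s actual scoring, and the two PE images it analyzes are constructed in the script (minimal, non-loadable headers) rather than real binaries.

```python
"""Entropy/packing triage of a PE file, stdlib only.

Per-section Shannon entropy, packer-style section names and file hashes,
so you can search a scanner by hash before deciding whether to upload."""
import hashlib
import math
import struct
from collections import Counter

# Section names commonly left behind by packers (illustrative list, an assumption).
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata", b".petite",
                        b".nsp0", b".nsp1", b".MPRESS1", b".MPRESS2", b".vmp0", b".vmp1"}
HIGH_ENTROPY = 7.0   # bits per byte; compressed/encrypted data sits near 8.0 (assumed threshold)
POINTS_PACKER_NAME, POINTS_HIGH_ENTROPY = 3, 2   # weights are assumptions, not MRC's scoring


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> section table.
    Returns (name, raw_offset, raw_size) per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ)")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsect, _ts, _symtab, _nsyms, opt_size, _flags = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size           # section table follows the optional header
    sections = []
    for i in range(nsect):
        name, _vsize, _vaddr, raw_size, raw_ptr, *_rest = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        sections.append((name.rstrip(b"\0"), raw_ptr, raw_size))
    return sections


def triage(pe: bytes) -> dict:
    """Hash the file and score it on packing indicators; findings are (reason, points)."""
    report = {"sha256": hashlib.sha256(pe).hexdigest(),
              "md5": hashlib.md5(pe).hexdigest(),
              "sections": [], "findings": []}
    for name, off, size in parse_sections(pe):
        ent = shannon_entropy(pe[off:off + size])
        report["sections"].append((name.decode("latin-1"), size, round(ent, 2)))
        if name in PACKER_SECTION_NAMES:
            report["findings"].append((f"packer section name {name!r}", POINTS_PACKER_NAME))
        if size and ent >= HIGH_ENTROPY:
            report["findings"].append((f"entropy {ent:.2f} in {name!r}", POINTS_HIGH_ENTROPY))
    report["score"] = sum(p for _, p in report["findings"])
    return report


def build_toy_pe(sections) -> bytes:
    """Constructed test input: a minimal, non-loadable PE (no optional header)
    whose section table points at the given (name, data) blobs."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    data_off = (e_lfanew + 24 + 40 * len(sections) + 0x1FF) & ~0x1FF   # 512-byte aligned
    table, blob, cursor = b"", b"", data_off
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), cursor,
                             len(data), cursor, 0, 0, 0, 0, 0x60000020)
        blob += data
        cursor += len(data)
    return (dos + b"PE\0\0" + coff + table).ljust(data_off, b"\0") + blob


# Constructed samples: repetitive text vs. pseudo-random bytes (SHA-256 chain, deterministic).
LOW_ENTROPY_DATA = b"Hello, world!\0" * 100
HIGH_ENTROPY_DATA = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
CLEAN_SAMPLE = build_toy_pe([(b".text", LOW_ENTROPY_DATA), (b".data", b"\0" * 512)])
PACKED_SAMPLE = build_toy_pe([(b".text", LOW_ENTROPY_DATA), (b"UPX1", HIGH_ENTROPY_DATA)])

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("packed", PACKED_SAMPLE)):
        r = triage(sample)
        print(f"{label}: sha256={r['sha256']} score={r['score']}")
        for name, size, ent in r["sections"]:
            print(f"  {name:<8} {size:6d} bytes  entropy {ent:.2f}")
        for reason, pts in r["findings"]:
            print(f"  +{pts} {reason}")
```

Run it as-is and the “clean” image scores 0 while the one with a UPX1 section full of random-looking bytes scores 5 (packer name plus high entropy). To triage a real suspect file, read it with `open(path, "rb").read()` and hand the bytes to `triage()`; a high score is a reason to look harder, not a verdict, which is exactly how the Red Curtain description frames its own score.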

Lessons Learned and Wisdom Shared by the Malware Analysis Pros

Thanks to the hard work and community spirit of malware analysts, we can “sharpen our saw” against their efforts. These are some of the best places to start.

I sincerely hope you find several good takeaways from this post. It’s been simmering for a while, and I think it will greatly aid me in my own efforts and responses.

Cheers.

–Claus V.
