Mahesh's Blog

" It's hard to beat a person who believes in his or her own strength. And I believe in mine."

Thursday, June 08, 2017

Malware Analysis Resources



quyendoattt
This is meant to be a complementary post to the URL Scanner roundup post back in January.
Let me be the first to say I am not a malware reverse-engineering analyst.
On the other hand, when I am responding to an incident involving a system compromise, and/or am trying to both clean the system as well as understand the potential impact of what happened, being able to analyze a suspect file is critical.
It can not only give me a better understanding of how to clean it, but possibly how it got there in the first place. This lesson learned may help strengthen our security perimeter.
So having a collection of resources that can help analyze a malware (or potential malware) file is important to me.
The following resources are a collection of on-line file scanners, analysis-report-generating, and local sandbox creating tools to aid in that process.
There are a number of similar “list-of-lists” like this one. I’ve just tried to collect them for my own personal reference. Major hat-tip and credit goes to the following sources which have already paved the way before me. You may find some more resources there that I haven’t linked to, as well as additional descriptions and feedback.
And as Sketchymoose points out in the close of that post, before you start uploading files to any of these resources:
So now, keep in mind– your submitted file is now out on the internet and is now on some database. Some of these may be owned by AV companies which look for new juicy malware to add to their signatures. So, if you are really worried about that:
(A) read documentation on their website to see what happens with collected data
(B) do your own analysis
(C) Ask customer/boss what their position is about submitting files to these sites — make sure you know the answer for choice ‘A’ too for this one
Remember collaboration is one of the biggest deciding factors in incident response, but use common sense and discretion.
On-Line Scanners and Virus/Malware Analysis Tools
PDF File Analysis Tools
Not a PDF tool, but Malware Tracker’s Cryptam service can scan Office documents for malicious content as well.
Sandbox Tools for Malware Analysis
Adobe Shockwave/Flash Analysis Tools
Mandiant – When One Word will do…
  • MANDIANT – Red Curtain – From their product description: “MRC examines executable files (e.g., .exe, .dll, and so on) to determine how suspicious they are based on a set of criteria. It examines multiple aspects of an executable, looking at things such as the entropy (in other words, randomness), indications of packing, compiler and packing signatures, the presence of digital signatures, and other characteristics to generate a threat “score.” This score can be used to identify whether a set of files is worthy of further investigation.”
  • MANDIANT Find Evil – a tool that uses disassembly to detect packed executables.
  • Be sure to check out all Mandiant’s Free Software offerings as many other tools here may aid in a malware response investigation.
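As an added illustration of the entropy criterion in the Red Curtain description above (example code written for this page, not Mandiant’s tool): the script computes Shannon entropy over a whole buffer and over fixed-size windows and turns the result into a coarse verdict. The two thresholds (7.0 and 6.5 bits per byte), the 1024-byte window and the three sample buffers are assumptions chosen for illustration; real packers, compilers and resource sections all shift these numbers, so treat the verdict as a triage hint, exactly as MRC’s score is meant to be used.

```python
"""Entropy-based packing heuristic, in the spirit of the 'entropy' criterion
Red Curtain describes. Added example for this page, not Mandiant's code.
Thresholds, window size and sample buffers are assumptions for illustration."""
import math
import random
import sys
from collections import Counter

# Assumed thresholds (bits of entropy per byte, maximum 8.0): compressed or
# encrypted code sits near the top of the scale; plain x86 code and text sit well below.
PACKED_THRESHOLD = 7.0
SUSPECT_THRESHOLD = 6.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def windowed_entropy(data: bytes, window: int = 1024) -> list:
    """Entropy of each non-overlapping window, so a small packed or encrypted blob
    inside an otherwise plain file still shows up."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def packing_score(data: bytes, window: int = 1024) -> dict:
    """Overall entropy, number of high-entropy windows, and a coarse verdict."""
    overall = shannon_entropy(data)
    windows = windowed_entropy(data, window)
    high = sum(1 for e in windows if e >= PACKED_THRESHOLD)
    fraction = high / len(windows) if windows else 0.0
    if overall >= PACKED_THRESHOLD or fraction >= 0.5:
        verdict = "likely packed/encrypted"
    elif overall >= SUSPECT_THRESHOLD or high > 0:
        verdict = "suspicious region(s)"
    else:
        verdict = "plain"
    return {"entropy": round(overall, 3), "high_entropy_windows": high,
            "windows": len(windows), "verdict": verdict}


# Constructed sample inputs (not real malware): repetitive text stands in for
# plain code/data, a seeded PRNG stream stands in for a packed or encrypted section.
_rng = random.Random(1234)
PLAIN = b"The quick brown fox jumps over the lazy dog. " * 200      # 9000 bytes of low-entropy data
PACKED = bytes(_rng.getrandbits(8) for _ in range(8192))           # 8192 bytes of high-entropy data
MIXED = PLAIN + bytes(_rng.getrandbits(8) for _ in range(2048))    # plain file with one high-entropy blob

if __name__ == "__main__":
    # Usage: python entropy_triage.py suspect.exe other.dll ...  (no argument: run on the samples)
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, packing_score(fh.read()))
    if len(sys.argv) == 1:
        for name, buf in (("PLAIN", PLAIN), ("PACKED", PACKED), ("MIXED", MIXED)):
            print(name, packing_score(buf))
```

On a real PE file, run the score per section rather than over the whole image: a high-entropy .rsrc holding a compressed installer payload is common, while a .text section that scores above 7.0 is the classic sign of a packer stub waiting to unpack the real code at run time.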
Lessons Learned and Wisdom Shared by the Malware Analysis Pros
Thanks to the hard work and community spirit of malware analysts, we can “sharpen our saw” against their efforts. These are some of the best places to start.
I sincerely hope you find several good take-aways from this post. It’s been simmering a while and I think it will greatly aid me in my own efforts and responses.
Cheers.
–Claus V.
from: ananlysismalware.wordpress.com/2014/04/09/malware-analysis-resources/

Online scanners for Malware

Here is a list of online malware analysis services, updated as needed. Every time a file seems suspicious, or you receive a file from an untrusted source, scan it with one of these online services before opening it. Bear in mind that even a friend’s computer can be an untrusted source, since it may itself be infected, and file sharing is a common way for malware to spread.
The main advantage of these online scanners is that the submitted file is scanned with many antivirus engines (multi-engine scanning), which reduces the chance that a virus goes unrecognized and is therefore labeled harmless. If one antivirus fails to detect an infected file, another may recognize the infected code inside it.
There are also online services that provide detailed information about the actions a malware sample takes on an infected operating system, and services able to scan a given URL for possible threats.
Here you go:
Maximum file size: 32MB
Suspicious files or URLs can be submitted.
Jotti’s malware scan http://virusscan.jotti.org/en
Maximum file size: 20MB
Maximum file size: 8MB
This service provides a detailed report about the actions an executable performs on an operating system. If a URL is submitted, the report covers the Internet Explorer process while it visits the submitted URL.
Maximum file size: 5MB
Files scanner
Maximum file size: 20MB
This scanning service supports RAR/ZIP compressed files.
Advanced analysis system providing detailed reports about submitted executables, PDF or DOC(Microsoft Word) files.
Maximum file size: 12288 KB
The results of the file analysis are sent to the provided email address.
Maximum file size: 10MB
Files can be submitted RAR- or ZIP-compressed.
Eureka Malware Analysis http://eureka.cyber-ta.org/
It is an automated malware binary analysis service. For each uploaded binary, Eureka attempts to unpack and disassemble it, and produces an annotated call graph, a subroutine/data index page, a strings summary, and a list of embedded DNS entries.
Comodo Instant Malware Analysis http://camas.comodo.com/cgi-bin/submit
A very simple file scanner to use.
It is a service for analyzing web-based malware, so the supported file formats are Flash, JavaScript and PDF. Both files and URLs can be submitted.
F-SECURE SAMPLE ANALYSIS SYSTEM https://analysis.f-secure.com/portal/login.html
Files or URLs can be submitted for analysis. Registration is required to obtain the scanning results.
Maximum file size: 20MB
Online binary analyzer; an MD5 hash of a file, an IP or a domain can be submitted for analysis. Files can be uploaded by drag and drop (max size 10MB), and after analysis (15 to 30 minutes) the file’s MD5 hash is used to search for and view the report.
novirusthanks Multi-Engine Antivirus Scanner http://vscan.novirusthanks.org/
Maximum file size: 20MB
A suspicious file or a web address can be scanned.
Votiro – Cloud Sanitization Service analyzes suspicious files and facilitates the quick neutralization of trojans, viruses, worms and zero-day attacks.
Maximum file size: 64MB (Supported File Types:pdf,jpg,jpeg,png,bmp,tif,tiff,gif,wmf,emf)
avast! Online scanner http://onlinescan.avast.com/
Maximum file size: 16MB
Kaspersky file online scanner http://www.kaspersky.com/virusscanner
Maximum file size: 1MB
Anti-virus scan service IrishCreamService http://icreamservice.com/
Maximum file size: 20MB
It tests files, URLs, domains or IPs with 14 antivirus engines.
Joe DD – Joe Document Dissector http://joedd.joesecurity.org/
Joe DD is an automated malware analysis platform for detecting malicious documents. Very good for analyzing suspicious email attachments.
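Sketchymoose’s caution earlier on this page (your submitted file ends up in somebody’s database) and the entries above that accept an MD5 hash instead of an upload point to a cheap first step: hash and string the file locally, search the multi-engine scanners by hash, and only upload if you must. The script below is an added example written for this page, not code from any of the listed services; it reproduces locally the two cheapest parts of what Eureka’s report gives you (a strings summary and the embedded DNS entries). The SAMPLE buffer is a constructed stand-in for a suspicious binary, and the NOT_A_TLD filter (file extensions that a naive hostname regex would otherwise report as domains) is my own heuristic.

```python
"""Local static triage before uploading a sample anywhere: hashes (to search the
multi-engine scanners by hash instead of submitting the file), printable strings,
and the URLs/hostnames embedded in them. Added example for this page, not code
from any listed service. SAMPLE and NOT_A_TLD are assumptions for illustration."""
import hashlib
import re
import sys

URL_RE = re.compile(r"https?://[^\s\x00\"'<>]+", re.IGNORECASE)
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
# Assumption: a hostname regex also matches file names such as kernel32.dll,
# so drop candidates whose last label is a common Windows file extension.
NOT_A_TLD = {"dll", "exe", "sys", "bin", "dat", "tmp", "ocx", "drv", "cpl"}


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of the buffer; most online scanners accept a hash lookup."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def extract_strings(data: bytes, min_len: int = 4):
    """Printable ASCII runs and UTF-16LE ('wide') runs, like `strings` and `strings -el`.
    Wide strings matter on Windows binaries, where command lines and paths are often UTF-16."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    ascii_strs = [m.group().decode("ascii") for m in ascii_run.finditer(data)]
    wide_strs = [m.group().decode("utf-16le") for m in wide_run.finditer(data)]
    return ascii_strs, wide_strs


def extract_network_iocs(strings):
    """URLs and hostnames found in the extracted strings (the 'embedded DNS entries' idea)."""
    urls, hosts = set(), set()
    for s in strings:
        urls.update(URL_RE.findall(s))
        for host in HOST_RE.findall(s):
            if host.rsplit(".", 1)[-1].lower() not in NOT_A_TLD:
                hosts.add(host.lower())
    return sorted(urls), sorted(hosts)


def triage(data: bytes) -> dict:
    """Everything you can learn without letting the file leave your machine."""
    ascii_strs, wide_strs = extract_strings(data)
    urls, hosts = extract_network_iocs(ascii_strs + wide_strs)
    return {"hashes": file_hashes(data), "ascii_strings": ascii_strs,
            "wide_strings": wide_strs, "urls": urls, "hosts": hosts}


# Constructed stand-in for a suspicious binary (not a real sample): a fake DOS header,
# an imported DLL name, a download URL, a wide-string command line and a C2 hostname,
# separated by non-printable filler bytes.
SAMPLE = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
          + b"kernel32.dll\x00\x01\x02\x03"
          + b"http://update.example-cdn.test/payload.bin\x00\x7f\x8e"
          + "cmd.exe /c whoami".encode("utf-16le") + b"\x00\x00\x00\x11\x02"
          + b"c2.bad-domain.test\x00ab\x00")

if __name__ == "__main__":
    # Usage: python static_triage.py suspect.exe   (no argument: run on SAMPLE)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for key, value in triage(data).items():
        print(key, value)
```

Search each scanner for the SHA-256 first; a hit gives you the multi-engine verdict and often a sandbox report without the sample ever leaving your network, which is the answer to Sketchymoose’s point (A) for most of the services on this list.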
*
System scanning services that work through your browser (ActiveX plugin based). The majority of these services are provided by security vendors.
TrojanScan is licensed from Emsi Software GmbH . Old now.
Internet vulnerability scanner / firewall test https://www.grc.com/x/ne.dll?bh0bkyd2
Bitdefender—60-Second QuickScan http://quickscan.bitdefender.com/
It works with Internet Explorer, Mozilla Firefox and Chrome, using a browser plugin. The system scan is performed very quickly, in under 60 seconds.
Accessible from your browser, it scans and automatically cleans the system memory, in addition to all files and the drives’ boot sectors.
Emsisoft Web Malware Scan http://www.emsisoft.com/en/software/ax/
HouseCall – Free Online Virus Scan http://housecall.trendmicro.com/us/
Support for 64-bit, Windows 7, and Windows 7 SP1
ActiveScan 2.0 is an advanced online scanner based on Collective Intelligence (in-the-cloud scanning).
*
Websites scanning services:
desenmascara.me  http://desenmascara.me/
A scanning service for websites, able to detect malicious code injected into hacked websites, such as malicious iframes, redirections, scripts etc. It also detects whether the software used by a website is up to date. Because it’s new, I tested it on a few websites vulnerable to SQL injection, and it performed very well, detecting the weaknesses.
It is a service for scanning domains (websites) in order to identify possible exploits, malware and malicious threats.
It is a generic JavaScript unpacker; URLs, PDF, HTML or JavaScript files can be submitted for analysis and malware detection.
urlQuery.net  http://urlquery.net/
It is a service for detecting and analyzing web-based malware. It provides detailed information about the activity a browser performs while visiting a site and presents it for further analysis.

Program: Network Protocol Analyzer
Eset Online Scanner
Panda Online Scanner
HouseCall Online Scanner
Sunbelt Online Scanner
Symantec Online Scanner
BitDefender Online Scanner
Mcafee Online Scanner
F-Secure Online Scanner
CA Threat Online Scanner
Webroot Online Scanner

Signatures
VirusChief online Scanner.
Dr. Web online Scanner.
Jotti online Scanner.
VirusTotal online Scanner.
Virscan online Scanner.
Avast online Scanner.
No Virus Thanks.

Sandbox
Anubis online Scanner.
FortiGuard online Scanner.
Norman online Scanner.
ThreatExpert online Scanner.
CW Sandbox online Scanner.
GFI Threat Track.
JS Unpack.
Comodo I.M.A.
Wepawet.
MalBox.
ViCheck.
Xandora.
Panda autovin.
Eureka.
Malwr.
XecScan

from: cleanbytes.net/malware-online-scanners