Quick Malware Analysis

Eradicating a malware infection without first understanding it can be a grave mistake. Formatting or re-imaging a computer without knowing how it was infected and what the malware did often leads to the same computer being reinfected, and leaves other computers on your network exposed to the same threat. Even a small amount of analysis effort can dramatically improve your organization's protection against further infection or targeting.

If you use a corporate AV product, send your vendor samples of any malware it is not detecting. They will often come back with a signature update for your organization that can be pushed out to every install on your network. Analyze firewall and system logs to see where the malware came from and what it is connecting to. Those destinations can be fed into your firewall to block further connections, and searching the same logs for other hosts that contacted them can turn up computers you did not yet know were infected.

A number of tools are now available to quickly analyze malware samples and give you the most information for little effort. Below are a few tools which I have found useful in analyzing different malware samples:

  • Basic AV Data – VirusTotal
    • Super fast way to scan a file or URL against 40+ different AV engines. It tells you whether your AV vendor already detects the file and, from the names the other engines give it, points you toward further details about the malware family. It also reports extended details and metadata about the file, which can help determine where it came from without having to set up a test environment. You can also search by a file's hash before uploading it, which is worth doing when a sample may contain sensitive data, since uploaded files are shared with the participating AV vendors.
    • Sample report of an EICAR test file http://bit.ly/h4zl0f
    • Can forward samples from email to [email protected] with subject SCAN.
  • In-depth Analysis – Xandora & Anubis
    • More advanced tools that run the sample in a VM and record what it does. Panda offers Xandora as a free service: upload a binary and it reports the file and registry changes the malware made and the network connections it opened, which is extremely valuable for blocking emerging threats. Keep in mind that some malware detects a VM or sandbox and behaves differently, so an empty report does not prove a file is harmless.
    • Sample report from Xandora of a Palevo sample http://bit.ly/h1WRdy
    • Anubis is another free service similar to Xandora; beyond listing network connections it also gives you a pcap file of the traffic, which you can search for indicators or load into other tools.
    • Example report from Anubis http://bit.ly/g6aOsz
  • Network Data Analysis – Cloudshark
    • By now you may have network captures collected while analyzing your samples. Cloudshark is a quick way to view a capture in the browser without firing up Wireshark (not a replacement, but quick). Remember that uploading a capture shares its contents with a third party, so it is best suited to sandbox traffic rather than captures of your production network.
    • Sample report from Cloudshark, http://bit.ly/ksLsaU
  • Javascript/PDF/Flash – Wepawet
    • A lot of malware uses one of these vectors. Wepawet lets you upload a file or provide a URL and analyzes all three.
    • Really valuable for extracting the embedded code from PDFs and making sense of obfuscated JavaScript.
    • Sample Report http://bit.ly/lsrn2N
  • Malware Trackers – Zeus Tracker, SANS, MalwareGroup, Clean MX
    • Several blacklists run by security professionals can tell you whether a computer is connecting out to a known malware server. Zeus Tracker provides multiple malware lists, and its creator actively works with service providers to blackhole or disconnect C&C networks. SANS also provides a list, built from multiple sources including Zeus Tracker, with several sensitivity levels.
    • MalwareGroup and Clean MX are correlation sites that automatically analyze a server's contents, using a number of the services listed in this post, and decide its reputation. They can be really useful in determining whether a site is the source of an infection; both offer reports on downloadable files and run them through services such as VirusTotal.
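The workflow the post describes, written out as an added example (this is not code from the original post or from any of the services named above): the pcap a sandbox hands back is parsed for the destinations the sample contacted, those destinations are checked against a tracker list, the firewall log is searched for other internal hosts that talked to the same servers, and block rules are emitted. The pcap, the tracker list and the log lines are all constructed inline using documentation IP ranges; the iptables syntax is one assumed way a block might look and should be adapted to your own firewall.

```python
import re
import struct
from ipaddress import ip_address, ip_network

# ---- Constructed sandbox output: a pcap of the kind a sandbox hands back ----
def _frame(src, dst, proto, sport, dport):
    """Build one Ethernet/IPv4/(TCP|UDP) frame. Checksums are left at zero; the
    parser below never looks at them."""
    if proto == 6:   # TCP: 20-byte header, SYN flag set
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    else:            # UDP: 8-byte header
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, 64, proto, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + l4   # zero MACs, EtherType IPv4

def build_sample_pcap():
    """Constructed capture: sandbox VM 10.0.0.5 resolves a name, checks in with a
    C&C on 198.51.100.23:8080 and fetches a second stage from 203.0.113.9:80."""
    frames = [
        _frame("10.0.0.5", "10.0.0.1", 17, 5353, 53),
        _frame("10.0.0.5", "198.51.100.23", 6, 49152, 8080),
        _frame("10.0.0.5", "203.0.113.9", 6, 49153, 80),
        _frame("10.0.0.5", "203.0.113.9", 6, 49154, 80),   # repeat, must be deduplicated
    ]
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header, Ethernet
    for i, f in enumerate(frames):
        pcap += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return pcap

# ---- Step 1: pull the destinations out of the sandbox pcap ----
def extract_endpoints(pcap):
    """Return the set of (proto, dst_ip, dst_port) tuples in a little-endian pcap.
    Only Ethernet/IPv4 with TCP or UDP is decoded; other frames are skipped."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap with microsecond timestamps")
    endpoints, offset = set(), 24
    while offset + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, offset)
        frame = pcap[offset + 16: offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        proto, dst, l4 = frame[23], str(ip_address(frame[30:34])), frame[14 + ihl:]
        if proto in (6, 17) and len(l4) >= 4:
            dport, = struct.unpack_from("!H", l4, 2)
            endpoints.add(("tcp" if proto == 6 else "udp", dst, dport))
    return endpoints

# ---- Step 2: check those destinations against a tracker list ----
# Constructed stand-in for a Zeus Tracker / SANS feed (documentation IPs only).
TRACKER_BLOCKLIST = {"198.51.100.23", "192.0.2.77"}

def suspicious_destinations(pcap, tracker, local_net="10.0.0.0/8"):
    """Sandbox destinations outside the lab network, tagged with whether a
    tracker already knows them. Unlisted ones are still indicators: trackers lag
    behind new C&C servers."""
    local = ip_network(local_net)
    return {dst: ("tracker-listed" if dst in tracker else "seen-in-sandbox-only")
            for _, dst, _ in extract_endpoints(pcap) if ip_address(dst) not in local}

# ---- Step 3: hunt for other infected hosts in the firewall log, then block ----
# Constructed iptables-style log lines (normally: grep your firewall syslog).
FIREWALL_LOG = """\
Mar  3 09:12:01 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.23 PROTO=TCP SPT=49152 DPT=8080
Mar  3 09:12:07 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.42 DST=198.51.100.23 PROTO=TCP SPT=51000 DPT=8080
Mar  3 09:12:09 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.17 DST=192.0.2.10 PROTO=TCP SPT=52222 DPT=443
Mar  3 09:13:30 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.42 DST=203.0.113.9 PROTO=TCP SPT=51001 DPT=80
Mar  3 09:14:02 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.99 DST=192.0.2.77 PROTO=UDP SPT=40000 DPT=53
"""
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dport>\d+)")

def find_infected_hosts(log_text, bad_ips):
    """Map each internal source that contacted a bad IP to the bad IPs it reached."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m["dst"] in bad_ips:
            hits.setdefault(m["src"], set()).add(m["dst"])
    return hits

def block_rules(bad_ips):
    """Outbound drop rules for the indicators (iptables syntax; adapt to your firewall)."""
    return [f"iptables -I FORWARD -d {ip} -j DROP" for ip in sorted(bad_ips)]

if __name__ == "__main__":
    pcap = build_sample_pcap()
    dests = suspicious_destinations(pcap, TRACKER_BLOCKLIST)
    bad = set(dests) | TRACKER_BLOCKLIST          # sandbox indicators plus the tracker feed
    for ip, why in sorted(dests.items()):
        print(f"{ip}: {why}")
    for host, ips in sorted(find_infected_hosts(FIREWALL_LOG, bad).items()):
        print(f"check host {host}: talked to {', '.join(sorted(ips))}")
    print("\n".join(block_rules(bad)))
```

Run as-is, the script flags 10.0.0.42 and 10.0.0.99 as hosts that were never submitted to a sandbox but talked to the same servers, which is exactly the kind of lead the firewall logs give you for free. The local resolver is excluded so DNS traffic to your own infrastructure does not end up in a block rule; in a real environment you would also want to exclude any legitimate shared services the sample happened to touch.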

This is not an exhaustive list by any means, but these are the tools I have found useful, and they have saved me a lot of time and pain.