Re: Analyze Virus

From: Jason Ross (algorythm@gmail.com)
Date: Wed Aug 01 2007 - 00:03:42 EDT


On 7/31/07, Rafa Richart <Rafa@ontinet.com> wrote:
>
> we're looking for some tools to analyze the malware behavior, we've
> a lab under construction but we need some advice on what tools we've
> to use. tools to see what has been changing the registry, stat
> connections etc...

I've found VMware Server (the free version) to be especially useful
for this purpose.

I use "What Changed" (which is available from [among other places]
http://majorgeeks.com/What_Changed_d5018.html ) to compare files and
registry hives which have changed, and have had decent results with it.

I have heard good things about the "Reg Shot" app
( http://majorgeeks.com/RegShot_d965.html ) but haven't used it myself.

Of course, Wireshark is essential (in my opinion), as are the various
utilities previously offered from Sysinternals (now Microsoft) ...
in particular I find PsTools and TCPView to be very handy.
The collection of these is at the TechNet site:
http://www.microsoft.com/technet/sysinternals/default.mspx

You also may find it useful to have some form of disassembler/debugger.
I am fond of OllyDbg for this purpose, which is available at
http://www.ollydbg.de

It's probably worth noting that the craftier malware authors are
beginning to check to see if they are running in a VMware environment.
Accordingly it may be useful to take some countermeasures to that if
possible. See http://isc.sans.org/diary.html?storyid=1871 for some
information on this.

Regards,

--
Jason Ross
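The snapshot-and-compare approach behind "What Changed" and "Reg Shot" is simple enough to reproduce, which is handy when a lab VM needs a scripted, repeatable record of what a sample touched. The following is an added example, not code from the original post or from either tool: it hashes every file under a directory before and after a run and reports what was added, removed or modified, and on Windows the same diff can be fed a registry walk via `winreg`. The filesystem, file names and "sample activity" in `demo()` are constructed for the example; `snapshot_registry` assumes the caller can read the subtree it is pointed at.

```python
"""Snapshot-and-diff of a filesystem tree (and, on Windows, a registry subtree),
the technique used by tools such as What Changed and RegShot: record state
before running a sample, record it again afterwards, and list the differences."""
import hashlib
import os
import sys
import tempfile
from typing import Dict, List


def hash_file(path: str) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_tree(root: str) -> Dict[str, str]:
    """Map each file path (relative to root, '/'-separated) to its content hash."""
    snap: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = hash_file(full)
    return snap


def snapshot_registry(root_key, subkey: str) -> Dict[str, str]:
    """Windows only: map 'key\\value' to repr(data) for every value under subkey.
    Assumes the running user has read access; unreadable keys are skipped."""
    import winreg  # only importable on Windows

    snap: Dict[str, str] = {}

    def walk(key_path: str) -> None:
        try:
            with winreg.OpenKey(root_key, key_path) as k:
                n_sub, n_val, _ = winreg.QueryInfoKey(k)
                for i in range(n_val):
                    name, data, _typ = winreg.EnumValue(k, i)
                    snap[f"{key_path}\\{name}"] = repr(data)
                for i in range(n_sub):
                    walk(f"{key_path}\\{winreg.EnumKey(k, i)}")
        except OSError:
            pass  # access denied or key vanished between enumeration and open

    walk(subkey)
    return snap


def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every key as added, removed or modified between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(k for k in set(before) & set(after) if before[k] != after[k])
    return {"added": added, "removed": removed, "modified": modified}


def _write(root: str, rel: str, text: str) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as f:
        f.write(text)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a 'sample' drops one file, edits one and deletes one."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/hosts", "127.0.0.1 localhost\n")
        _write(root, "app/config.ini", "autorun=0\n")
        _write(root, "tmp/scratch.tmp", "scratch")
        before = snapshot_tree(root)
        # simulated sample activity (constructed for the example)
        _write(root, "app/dropper.bin", "constructed payload")          # added
        _write(root, "etc/hosts", "127.0.0.1 localhost\n0.0.0.0 updates.example\n")  # modified
        os.remove(os.path.join(root, "tmp", "scratch.tmp"))              # removed
        after = snapshot_tree(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
    if sys.platform == "win32":
        import winreg
        run_keys = snapshot_registry(winreg.HKEY_CURRENT_USER,
                                     r"Software\Microsoft\Windows\CurrentVersion\Run")
        print(f"{len(run_keys)} Run values recorded; take a second snapshot after the sample runs")
```

In a real lab the two `snapshot_tree` / `snapshot_registry` calls are separated by the sample execution, and both snapshots are saved outside the VM (or the VM is reverted to a clean snapshot between runs) so the baseline itself cannot be tampered with.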