All good suggestions so far. Just adding a few more tools to the list. The most important one is that freeware between your ears of course. ;)
Rapier - http://code.google.com/p/rapier/
Gmer - www.gmer.net
oSpy - http://code.google.com/p/ospy/
helios - http://helios.miel-labs.com

On Fri, 2009-05-15 at 13:45 -0400, Chris Hague wrote:
> So a few things that I usually do as part of my forensic
> investigations that involve malware.
>
> I guess if you are analyzing malware as opposed to is my system
> infected with it, then I would suggest using a range of tools and
> resources.
>
> For instance, if you have come across an unknown binary you could
> upload it to a "sandbox" like Norman Sandbox
> (http://www.norman.com/microsites/nsic/), or Virus Total
> (http://www.virustotal.com/) - both are automated. If you prefer the
> more manual approach, then I would recommend a VM like environment so
> you don't tank your machine. Use tools such as SysAnalyzer
> (http://labs.idefense.com/software/malcode.php) [somewhat dated], but
> still work. Another option is to use a debugger to see exactly what
> the file is doing.
>
> As suggested in earlier threads, use filemon, regmon, process monitor
> and explorer, and Wireshark. However, if you have the time, set up a
> 2nd VM as a gateway basically becoming the man in the middle.
>
> For the infected systems several of the incident response companies
> offer free tools to help detect malcode
> (http://www.mandiant.com/software.htm) is one of them.
>
> I think Shaun's last point is spot on. When in doubt, reload.
>
> Hope this helps,
>
> Chris
>
> ______________________________________________________________________
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Shaun Curry
> Sent: Friday, May 15, 2009 11:08 AM
> To: PaulDotCom Security Weekly Mailing List
> Subject: Re: [Pauldotcom] Malware analyzing tools?
>
> I'm not a forensics expert, but I work on this stuff on a daily basis
> for our customers. I follow a pretty basic plan of attack for stuff
> like this:
>
> 1. Turn off system restore
> 2. Install, Update, and run Malwarebyte's (usually a quickscan in
>    normal windows)
> 3. Run TrendMicro's housecall from their website.
> 4. Check IE for BHO's
>
> If there is still a problem I will move to autoruns to disable
> anything odd starting up with the system and run process explorer to
> research svchost.exe.
>
> And, when all else fails - Nuke and Pave buddy... nuke and pave :P
>
> Good Luck!
>
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
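Chris suggests watching an unknown binary with Process Monitor in a VM, and Shaun's checklist ends with autoruns and a look at IE BHOs. The script below is an added example that ties the two together; it is not code from this thread or from any tool mentioned in it. It reads a Process Monitor CSV export (it assumes the column layout Procmon writes with File > Save as CSV: "Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail") and flags successful writes to the locations autoruns would later show you: Run/RunOnce keys, the Browser Helper Objects key, the Startup folder and service ImagePath values. The sample rows, the process name "unknown.exe" and the BHO CLSID are constructed for the example, not captured from a real infection.

```python
"""
Triage a Process Monitor CSV export for persistence-related writes.

Added example (not from the mailing-list thread or from Process Monitor
itself). Assumes the CSV column layout Procmon produces with
File > Save as CSV. All sample data below is constructed.
"""
import csv
import io
import re
from typing import Dict, List

# Constructed sample export: one benign browser cache write, then a Run-key
# write, a BHO registration and a Startup-folder drop by "unknown.exe",
# followed by a read-only registry query that should not be flagged.
# The CLSID is a placeholder, not a real BHO identifier.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","firefox.exe","1204","WriteFile","C:\\Users\\bob\\AppData\\Local\\Mozilla\\cache\\x.tmp","SUCCESS","Offset: 0, Length: 4096"
"10:01:03.5","unknown.exe","2288","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Data: C:\\Users\\bob\\AppData\\Roaming\\svc.exe"
"10:01:03.9","unknown.exe","2288","RegCreateKey","HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{DEADBEEF-0000-0000-0000-000000000000}","SUCCESS","Desired Access: Write"
"10:01:04.2","unknown.exe","2288","WriteFile","C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svc.lnk","SUCCESS","Offset: 0, Length: 812"
"10:01:05.0","unknown.exe","2288","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive","SUCCESS","Type: REG_SZ"
"""

# Locations a persistence mechanism commonly touches, matched against the
# Path column. Case-insensitive because Windows paths and key names are.
PERSISTENCE_PATTERNS = {
    "run-key": re.compile(r"\\CurrentVersion\\Run(Once|Services)?\\", re.I),
    "bho": re.compile(r"\\Explorer\\Browser Helper Objects\\", re.I),
    "startup-folder": re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I),
    "service-image": re.compile(r"\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$", re.I),
}


def is_write(operation: str, detail: str) -> bool:
    """True for operations that modify the file system or registry."""
    if operation in {"RegSetValue", "RegCreateKey", "WriteFile",
                     "SetRenameInformationFile"}:
        return True
    # CreateFile is also how Procmon records opens for reading, so only
    # count it when the requested access includes write.
    return operation == "CreateFile" and "Write" in detail


def triage(csv_text: str) -> List[Dict[str, str]]:
    """Return one finding per successful write into a persistence location."""
    findings: List[Dict[str, str]] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Result"] != "SUCCESS":
            continue
        if not is_write(row["Operation"], row["Detail"]):
            continue
        for category, pattern in PERSISTENCE_PATTERNS.items():
            if pattern.search(row["Path"]):
                findings.append({
                    "category": category,
                    "process": row["Process Name"],
                    "pid": row["PID"],
                    "operation": row["Operation"],
                    "path": row["Path"],
                    "detail": row["Detail"],
                })
                break
    return findings


def suspicious_processes(findings: List[Dict[str, str]]) -> List[str]:
    """Process names that produced at least one persistence finding."""
    return sorted({f["process"] for f in findings})


if __name__ == "__main__":
    results = triage(SAMPLE_CSV)
    for f in results:
        print(f"[{f['category']}] {f['process']} (PID {f['pid']}) "
              f"{f['operation']} {f['path']}  {f['detail']}")
    print("Processes to look at in Process Explorer / autoruns:",
          ", ".join(suspicious_processes(results)))
```

Run it against a real export by replacing SAMPLE_CSV with the file contents; the RegQueryValue row shows why the filter keys on the operation rather than on the path alone, since a normal process reading the Run key is not persistence. Anything the script lists is a starting point for autoruns and Process Explorer, not a verdict.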
