Saturday, May 17, 2008

List of Malware Analysis Tools

Update: There is an updated version of this list of tools posted to my blog here.

If you're a company that's big enough to have a security team, then you already know that client-side vulnerabilities are your biggest external attack surface. And the most common form of exploit is a drive-by download attack that drops a bot or other malware on your client. While we wait for the necessary paradigm shift in malware prevention to come along and replace ineffective AV scanners, we're stuck investigating suspicious web sites and binaries to determine their intent and impact. Part of being able to do these investigations is putting together an environment in which to analyze these web sites and binaries safely. Here's what I have done.

The first step is to build a virtual machine with VMware, VirtualPC, or whatever you prefer. It should be as similar to your corporate image as you can make it, but it should not be on your domain. Also, if you select VMware Server, do not install VMware Tools into the VM. Sure it makes things easier, but it can also make it easy for malware to determine that it's in a VM and prevent it from running. I would also recommend installing your company's AV scanner, but disable real-time scanning by default.

Once you've created your VM, you need add some tools to make analysis possible. Here's the list of stuff in my VM.

- Didier Stevens' SpiderMonkey
- pefile
- Jim Clausing's
- My
- Mozilla rhino debugger


Mandiant Red Curtain

OSAM Autorun Manager
Mike Lin's Startup Control Panel
HiJackThis / StartupList / ADSSpy


HHD Free Hex Editor

OllyDBG (also: Immunity Debugger)
- AnalyzeThis
- FindCrypt
- Hide Debugger
- OllyDump
- OllyFlow
- OllyDbg PE Dumper


- SysAnalyzer
- HookExplorer
- SniffHit
- PEiD


- AccessEnum
- autoruns
- Filemon
- procexp
- psexec
- psfile
- psgetsid
- Psinfo
- pskill
- pslist
- psloggedon
- psloglist
- pspasswd
- psservice
- psshutdown
- pssuspend
- Regmon
- RootkitRevealer
- tcpvcon
- Tcpview

Firefox (JavaScript Console mod)

Also, having links to VirusTotal and CWSandbox in your VM is a good idea.


Anonymous said...

It isn't a tool but it could be useful :

.:: MaliciousBrains ::. said...

You can take a look at this one:


AMIR or Advance Malware Identification & Removal is an application that will help you to quickly identify any unwanted process running in your system. Also it will also give you the option to remove them easily. Once AMIR runs in the system, it will highlight the possible suspect programs and also give you a lot of other relevant information about the process. It also give you an opportunity to analyze them and their activities at the click of a button. It shows you PE Details, actual Memory Dumps of the running process and also the various Resources used by the binary. It even has a Heuristic Scanner that can sniff out Malicious code from .vbs, .inf, .bat files. AMIR can also enable Regedit, Task Manager & Folder Option that has been locked by Malware activity. Armed with numerous state of art options, it becomes very easy to detect any kind of Malware running in the system.

Anonymous said...
This comment has been removed by a blog administrator.
Rick said...

Hi Paul
Does the software you mentioned in your blog operate separately or as a form complete system?


PaulM said...

Each of these tools can operate independently, though some are bundled as part of a suite of tools, and some require others in order to function (i.e. requires pefile, which requires Python, which on Win32 requires Cygwin).

That said, I have all of these tools in a VM for performing analysis, so they are part of a single toolbox environment. I've updated and added to the tools I use several times since this original post and could probably post an updated list.