Update: There is an updated version of this list of tools posted to my blog here.
If you're a company that's big enough to have a security team, then you already know that client-side vulnerabilities are your biggest external attack surface. And the most common form of exploit is a drive-by download attack that drops a bot or other malware on your client. While we wait for the necessary paradigm shift in malware prevention to come along and replace ineffective AV scanners, we're stuck investigating suspicious web sites and binaries to determine their intent and impact. Part of being able to do these investigations is putting together an environment in which to analyze these web sites and binaries safely. Here's what I have done.
The first step is to build a virtual machine with VMware, VirtualPC, or whatever you prefer. It should be as similar to your corporate image as you can make it, but it should not be joined to your domain. Also, if you select VMware Server, do not install VMware Tools into the VM. Sure, it makes things easier, but it also makes it easy for malware to detect that it is running in a VM and refuse to run. I would also recommend installing your company's AV scanner, but leave real-time scanning disabled by default.
Once you've created your VM, you need to add some tools to make analysis possible. Here's the list of stuff in my VM.
- Didier Stevens' SpiderMonkey
- Jim Clausing's packerid.py
- My ieget.sh
- Mozilla Rhino debugger
- Mandiant Red Curtain
- OSAM Autorun Manager
- Mike Lin's Startup Control Panel
- HiJackThis / StartupList / ADSSpy
- HHD Free Hex Editor
- OllyDBG (also: Immunity Debugger)
  - Hide Debugger
  - OllyDbg PE Dumper
Also, having links to VirusTotal and CWSandbox in your VM is a good idea.
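As an added example (not code from the original post, and not any of the tools listed above), the following Python script shows the kind of first-pass triage those tools are used for: it computes the MD5/SHA-1/SHA-256 hashes you would paste into VirusTotal, measures overall entropy, walks the PE section table, and flags section names or raw/virtual size combinations that packer identifiers like packerid.py key on. The `KNOWN_SECTIONS` set and the packed-looking sample file are constructed for this example; the sample is a minimal hand-built PE header, not a real binary.

```python
import hashlib
import math
import struct
from collections import Counter

# Section names a stock compiler/linker emits; anything else is worth a closer look.
# (Constructed allow-list for this example, not exhaustive.)
KNOWN_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                  ".rsrc", ".reloc", ".tls", ".pdata", ".CRT"}


def file_hashes(data: bytes) -> dict:
    """Hashes in the forms VirusTotal accepts for lookup."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed/encrypted payloads push this toward 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum((c / len(data)) * math.log2(c / len(data)) for c in counts.values())


def pe_sections(data: bytes):
    """Return [(name, virtual_size, raw_size), ...] or None if data is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                       # COFF file header starts after the signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size              # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40                  # each IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, rsize, _rptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, vsize, rsize))
    return sections


def triage(data: bytes) -> dict:
    """Summarise a sample: hashes, entropy, and packer-style section heuristics."""
    report = {"hashes": file_hashes(data), "entropy": round(shannon_entropy(data), 3)}
    sections = pe_sections(data)
    report["is_pe"] = sections is not None
    if sections is not None:
        report["sections"] = sections
        # Unknown section names, or sections that occupy memory but no file bytes
        # (a classic unpacking-stub layout), are the packer tells.
        report["suspicious_sections"] = [
            name for name, vsize, rsize in sections
            if name not in KNOWN_SECTIONS or (rsize == 0 and vsize > 0)
        ]
    return report


def build_packed_sample() -> bytes:
    """Constructed minimal PE with a UPX-style section layout (not a real executable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew -> PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # 2 sections, PE32 opt header
    optional = bytes(0xE0)

    def section(name, vsize, rsize):
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, 0x1000, rsize, 0, 0, 0, 0, 0, 0xE0000080)

    return bytes(dos) + b"PE\0\0" + coff + optional + \
        section(b"UPX0", 0x10000, 0) + section(b"UPX1", 0x5000, 0x4000)


if __name__ == "__main__":
    for label, blob in (("constructed packed PE", build_packed_sample()),
                        ("plain text", b"<html><script>...</script></html>")):
        print(label, triage(blob))
```

Run it on a real sample by replacing the constructed blobs with `open(path, "rb").read()`; the hashes go to VirusTotal, and any non-empty `suspicious_sections` list is a cue to reach for the hex editor and OllyDbg's PE dumper rather than trusting the file's static imports.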