Malware Analysis Tools - SANS Computer Forensics

computer.forensics.sans.org

07.10.2012

Christian Wojner, CERT.at


License

ISC License

Copyright (c) Year(s), Company or Person's Name

Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

Crossplatform

Our tools are available for ...

Windows 32 Bit
Windows 64 Bit
Linux 32 Bit
Linux 64 Bit

(Mac OS, not yet - when it's done)

Bytehist

Generates byte-usage histograms (distribution)
For all types of files
With a special focus on binary executables in PE format (Windows).

Bytehist

PE-Sections!
Densityscout

Mathematically based on Bytehist
Computes (all) files under a filesystem location
Result is a list sorted in descending order
Reveals potentially unwanted software

(0.03763) | c:\Windows\System32\bootres.dll
(0.05214) | c:\Windows\System32\WdfCoinstaller01009.dll
(0.05963) | c:\Windows\System32\VAIO S Series - Summer 2011.scr
(0.11521) | c:\Windows\System32\LkmdfCoInst.dll
(0.12726) | c:\Windows\System32\mcupdate_GenuineIntel.dll
(0.20664) | c:\Windows\System32\iglhsip64.dll
(0.27113) | c:\Windows\System32\pegibbfc.rs
(0.27516) | c:\Windows\System32\usk.rs
(0.27633) | c:\Windows\System32\cero.rs
(0.28895) | c:\Windows\System32\pegi.rs
(0.30524) | c:\Windows\System32\AuthFWGP.dll
(0.30681) | c:\Windows\System32\iscsicpl.exe
(0.32147) | c:\Windows\System32\msshavmsg.dll
(0.32388) | c:\Windows\System32\SrpUxNativeSnapIn.dll
(0.32859) | c:\Windows\System32\qedwipes.dll
(0.34056) | c:\Windows\System32\imagesp1.dll
(0.34697) | c:\Windows\System32\oflc.rs
(0.36592) | c:\Windows\System32\auditpolmsg.dll
(0.36870) | c:\Windows\System32\onexui.dll
(0.38369) | c:\Windows\System32\resmon.exe
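As an added example covering both the Bytehist slides (byte-usage histogram, per-PE-section view) and the DensityScout slide (score every file under a location, ranked list), here is Python that is not CERT.at's code: it builds the byte histogram, scores it with normalized Shannon entropy, splits a PE image into its sections and ranks all files below a directory. The entropy score, its direction (higher = denser, so the ranking is densest first), the function names and the constructed sample PE image are all assumptions of this example; the slides do not give DensityScout's actual formula.

```python
import math
import struct
from collections import Counter
from pathlib import Path

def density(data: bytes) -> float:
    """Counter(data) is the byte-usage histogram Bytehist plots; its normalized Shannon
    entropy (0.0 .. 1.0) is an assumed stand-in score, not DensityScout's own formula."""
    n = len(data)
    if n == 0:
        return 0.0
    h = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return max(0.0, h / 8.0)   # 1.0 = all 256 byte values equally frequent (packed/encrypted)

def pe_sections(data: bytes):
    """Yield (name, raw bytes) per section of a PE image; yields nothing for non-PE input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return
    nsec = struct.unpack_from("<H", data, pe + 6)[0]             # NumberOfSections
    start = pe + 24 + struct.unpack_from("<H", data, pe + 20)[0]  # skip optional header
    for off in range(start, min(start + nsec * 40, len(data) - 39), 40):
        name, _vsz, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        yield name.rstrip(b"\0").decode("ascii", "replace"), data[raw_ptr:raw_ptr + raw_size]

def section_densities(data: bytes) -> list:
    """Per-section scores: one packed section stands out even when the whole file looks bland."""
    return [(name, density(raw)) for name, raw in pe_sections(data)]

def build_sample_pe() -> bytes:
    """Constructed minimal PE image (not a real binary): sparse .text plus high-entropy .packed."""
    secs = [(b".text", b"\x90" * 240 + b"\xc3" * 16), (b".packed", bytes(range(256)))]
    img = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", img, 0x3C, 0x40)                      # e_lfanew -> PE signature
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(secs), 0, 0, 0, 0, 0)  # opt hdr size 0
    ptr, body = len(img) + 40 * len(secs), b""                    # raw data follows section table
    for name, raw in secs:
        img += struct.pack("<8sIIII", name, len(raw), 0, len(raw), ptr + len(body)) + b"\0" * 16
        body += raw
    return bytes(img) + body

def scan(root: str) -> list:
    """DensityScout-style listing of every file below root, densest first."""
    paths = [p for p in Path(root).rglob("*") if p.is_file()]
    return sorted(((density(p.read_bytes()), str(p)) for p in paths), reverse=True)
```

Printing each row of scan() as "(score) | path" gives a listing in the same shape as the slide above; section_densities() is the per-section view the Bytehist slide highlights.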

Minibis

Automation framework based on virtual machines (since 2009!!)
Highly flexible and configurable
Easy automation of behavioral analysis tasks
It does what YOU want
Can be used in any kind of scenario
Used in CERT.at's production processes
Too complex to summarize
An update is coming soon

ProcDOT

NEW! (Early alpha, but already stable)
Visualizes Procmon and PCAP (Windump, Tcpdump) logfiles in one graph using Graphviz
Even highly complicated situations are easy to understand
Standalone tool based on a Minibis sub-module
Interactive

ProcDOT

Searching for strings (here: "explorer.exe") ...

ProcDOT

Searching for strings (here: "inject") ...
