How to study malware

A short article with 3 links to tools that help automate the study of malware such as viruses or worms. It is interesting to note that analysis work no longer has to be done entirely by hand...

Playing With Malware
John H. Sawyer, Evil Bits

Malware, whether it's a bot, Trojan or Web-based JavaScript, is one of my favorite topics. It's sort of a hobby for me -- whenever I come across a new sample, I download it to my collection and do some basic analysis to get an understanding of what's going on. Using a tool like Strings or BinText, I look for ASCII and Unicode text that give me a quick feel for what the sample does. Are there URLs, IP addresses, file names, or registry entries that are recognizable? (Unfortunately, string analysis is futile for most malware that uses packers and crypters to compress and encrypt the code.)

Next, I send my sample to Virus Total to see if any of the current antivirus solutions will detect it. Virus Total scans the sample with over 30 different antivirus engines. Given that I'm part of a university, with students browsing sites of varying legitimacy, you can imagine that I get plenty of samples that aren't detected. The main benefit of using Virus Total is that I don't need to have all of these AV products in my own lab -- and Virus Total submits the samples to antivirus companies so they can build appropriate signatures.

If the malware sample is not an isolated case and affects several hosts, I take a greater interest in finding out more about it. I'll submit it to a few other online resources for behavioral analysis. CWSandbox and Anubis do a great job of providing enough information that I can then pass on to system administrators so that they can be on the lookout for certain behaviors on their hosts that would indicate an infection. Both online tools provide registry, file, process, Windows service, and network analysis to determine exactly what the malware is doing on a Windows system.

For obvious reasons, all of the online behavioral analysis tools are for Windows malware. (Virus Total is a bit different: It's not behavioral-based and it scans all files, no matter what system they came from.) Maybe as Mac OS X and Linux gain a better foothold in the desktop market, more analysis tools for those types of malware will surface.
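As an added illustration of the first-pass string triage Sawyer describes (this is not code from his article, nor from Strings, BinText or any of the online services he names), the Python script below pulls printable ASCII and UTF-16LE strings out of a byte buffer standing in for a sample, sorts them into the categories he scans for (URLs, IP addresses, file paths, registry keys), records the SHA-256 that an online scanner lookup would key on, and applies a byte-entropy heuristic as a rough flag for the packed or encrypted samples he notes defeat string analysis. The sample bytes, the example.invalid host, the 192.0.2.10 address, the svchost32.dll path and the 7.0 entropy threshold are all constructed for this example; the threshold is a common rule of thumb, not a published constant.

```python
import hashlib
import math
import re
from collections import Counter

MIN_LEN = 5  # shortest run of printable characters reported as a string

# Constructed stand-in for a sample read from disk: a fake DOS header, a few
# ASCII strings, one UTF-16LE string, and a run too short to report.
# Segments are separated by nulls so the two extractors never overlap.
SAMPLE = b"\x00\x00\x00\x00".join([
    b"MZ\x90\x00" + b"\x00" * 12,
    b"http://example.invalid/update.php",      # constructed URL
    b"192.0.2.10",                             # constructed (TEST-NET-1) address
    b"C:\\Windows\\System32\\svchost32.dll",   # constructed file path
    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le"),
    b"ab",                                     # shorter than MIN_LEN, ignored
])

# ASCII: runs of printable bytes; UTF-16LE: printable byte followed by a null.
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
IPV4_RE = re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")
REG_RE = re.compile(r"^(?:HKEY_[A-Z_]+|HKLM|HKCU|SOFTWARE|SYSTEM)\\", re.IGNORECASE)
PATH_RE = re.compile(r"^[A-Za-z]:\\|\.(?:exe|dll|sys|bat|vbs|scr)$", re.IGNORECASE)


def extract_strings(data):
    """Return printable ASCII and UTF-16LE strings in order of file offset."""
    hits = [(m.start(), m.group().decode("ascii")) for m in ASCII_RE.finditer(data)]
    hits += [(m.start(), m.group().decode("utf-16-le")) for m in UTF16_RE.finditer(data)]
    return [s for _, s in sorted(hits)]


def classify(s):
    """Bucket a string the way an analyst eyeballs Strings output."""
    if URL_RE.search(s):
        return "url"
    m = IPV4_RE.search(s)
    if m and all(int(octet) <= 255 for octet in m.group().split(".")):
        return "ip"
    if REG_RE.search(s):
        return "registry"
    if PATH_RE.search(s):
        return "path"
    return "other"


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(data, packed_threshold=7.0):
    """Strings by category, the hash to look up, and a crude packed-sample flag."""
    report = {"url": [], "ip": [], "registry": [], "path": [], "other": []}
    for s in extract_strings(data):
        report[classify(s)].append(s)
    report["sha256"] = hashlib.sha256(data).hexdigest()
    entropy = shannon_entropy(data)
    report["entropy"] = round(entropy, 2)
    # Near-uniform bytes suggest a packer or crypter; strings output will be thin.
    report["possibly_packed"] = entropy >= packed_threshold
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it as a script to see the report for the constructed buffer, or call `triage(open(path, "rb").read())` on a real file in an isolated lab. The entropy flag is only a hint: a sample that scores high will usually need unpacking or a sandbox run before its strings say anything useful, which is the point of the behavioral services described above.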


Source and full article: Evil Bits