BLACK BURN HACKER. Powered by Blogger.

Showing posts with label Malware. Show all posts

Monday, July 16, 2012

Online Malware Analysis Scanners

Anubis is a service for analyzing malware.
http://anubis.iseclab.org
Eureka is a binary static analysis preparation framework. It implements a novel binary unpacking strategy based on statistical bigram analysis and coarse-grained execution tracing. Eureka incorporates advanced API deobfuscation capabilities to facilitate the structural analysis of the underlying malware logic. For each uploaded binary, the Eureka service will attempt to unpack and (for Eureka I, disassemble; for Eureka II (not yet available), decompile) the binary, and will produce an annotated callgraph, subroutine/data index page, strings summary, and a list of embedded DNS entries.
http://eureka.cyber-ta.org
Comodo’s online file analysis tool.
http://camas.comodo.com
McAfee SiteAdvisor tests websites for spyware, spam and scams so you can search, surf and shop more safely.
http://www.siteadvisor.com
Ether provides Malware Analysis via Hardware Virtualization Extensions.
http://ether.gtisc.gatech.edu/web_unpack/
ThreatExpert is an advanced automated threat analysis system designed to analyze and report the behavior of computer viruses, worms, trojans, adware, spyware, and other security-related risks in a fully automated mode.
http://www.threatexpert.com/submit.aspx
IPVoid allows users to scan an IP Address with multiple scanning services to facilitate the detection of IP Addresses that have committed malicious activity and to check if a website is hosted in a compromised server, used for spam, phishing or to host malicious content.
http://www.ipvoid.com
Netscty’s malware analysis sandbox tool performs cutting edge analysis of the potentially malicious file in our controlled environment. Our free online malicious software (malware) analysis tool provides a fast comprehensive evaluation of a variety of malware such as botnet software, viruses, spyware, trojans, and keyloggers.
http://netscty.com/malware-tool
JSUnpack Online – Online version of the stand-alone tool jsunpack.
http://jsunpack.jeek.org/dec/go
CWSandbox is an online service that runs files you submit through automated sandbox analysis.
http://www.rarst.net/web/cwsandbox/
Upload files that you suspect are malicious or infected by malicious components for instant analysis by Norman SandBox.
http://www.norman.com/security_center/security_tools/submit_file
PDF Analyzer lets you view PDF objects as hex/text, and also provides PDF dissector and inspector engines and scanning for known exploits.
http://www.malwaretracker.com/pdf.php
Sunbelt Sandbox is an approach to automatically analyze malware which is based on behavior analysis. Malware samples are executed for a finite time in a simulated environment, where all system calls are closely monitored.
http://mwanalysis.org
GFI’s sunbelt online sandbox engine.
http://www.sunbeltsecurity.com/sandbox/
URLVoid allows users to scan a website address with multiple scanning engines such as Google Diagnostic, McAfee SiteAdvisor, Norton SafeWeb, MyWOT to facilitate the detection of possible dangerous websites.
http://www.urlvoid.com
Symantec’s reputation service Norton Safe Web.
http://safeweb.norton.com
The AVG LinkScanner Drop Zone lets you check the safety of individual web pages you are about to visit, also will examine the web page in real time to see whether it’s hiding any suspicious downloads.
http://www.avg.com.au/resources/web-page-scanner/
Wepawet is a service for detecting and analyzing web-based malware. It currently handles Flash, JavaScript, and PDF files.
http://wepawet.iseclab.org
Upload a file to VirusTotal to see which AV vendors detect it.
http://www.virustotal.com
Novirusthanks is a free service that allows users to upload and scan a file with multiple antivirus engines. Users can also analyze a website URL or a remote file with the Scan Web Address option.
http://www.novirusthanks.org/service/multi-engine-antivirus-scanner/
Jotti’s malware scan is a free online service that enables you to scan suspicious files with several anti-virus programs. Scanners used are Linux versions; detection differences with Windows versions of the same scanners may occur due to implementation differences. There is a 20MB limit per file. Keep in mind that no security solution offers 100% protection, not even when it uses several anti-virus engines (for example, this scan service).
http://virusscan.jotti.org/en
Feel free to propose other engines…

©2012, copyright BLACK BURN

Useful malware analysis tools

Tools:
Regshot: This tool, as its name says, takes a snapshot of the registry. It basically gives you a baseline of what the registry looks like at that point in time. Given that baseline, you can then execute the suspicious executable, then take another registry snapshot. You are then able to compare both snapshots using Regshot's compare feature to find out what keys have been added, modified or deleted. It has the option of outputting its results as a text file or a nicely formatted HTML file.
Regmon: Like Regshot, Regmon is a registry utility, but it operates in a slightly different manner. It gives real-time analysis of what keys (and their locations) currently running processes are accessing, and lets you know whether the process is querying information, creating new keys, setting values, etc. Just before you execute the malware, you can have Regmon running in the background capturing its information. When the program has been executed, you can stop Regmon's capture and perform your analysis. You will notice that while Regmon was capturing data, it not only captured information for the malware process you are investigating, but also for other processes that were accessing the registry at the time. Thankfully, there is a nice filter feature that allows you to filter the captured data based on the process name. Although the filter is very limited, it is still beneficial to have. You can also look into another tool called Procmon, which is the current successor of Regmon and Filemon. It has the same capabilities as Regmon and many more options. However, Regmon still has its place and is simple to use and learn.
Filemon: This tool works in a similar fashion to Regmon, but with files. It monitors processes that access files on disk and logs their actions (read, write, query, delete, etc.) and whether they were successful or not. Like Regmon, just before you execute the malware, you can have Filemon running in the background capturing its information. When the target program has been executed, you can stop Filemon's capture and perform your analysis.
Wireshark and Netcat: It is known that some malware tends to replicate itself over the network. Some may try to covertly download software or log onto an IRC channel to query for commands (google: botnet). These tools are coded to work covertly, so while you're sitting at your desktop you would not see any indication that anything is going on. Wireshark can help us answer the why, where, what, when and who questions: why is the malware connecting out to port 4444; where is the malware trying to connect to; when, or at what intervals, does the malware initiate any type of network traffic; what is the malware trying to do or accomplish; who is involved (source IPs, MAC addresses, domains, etc.). Netcat can be set up to intercept this traffic in a proxy mode and can also be used to interact with or respond to the services and requests.
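The where/when/who questions are easiest to answer once the captured connections are grouped per destination. The following is an added example and not code from the original post: a small Python script over a few constructed connection records (a simplified "timestamp src -> dst" line format that I made up for the example, not a real Wireshark or tshark export) that counts connections per destination host and port, records first/last seen, and flags destinations contacted at a near-constant interval, the beaconing pattern that is worth a closer look in Wireshark. Every IP address, port and timestamp in the sample is constructed.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not a real capture): one host talking to two
# destinations, one of them every 60 seconds on port 4444.
SAMPLE_LOG = """\
2012-07-16 10:00:00 192.168.1.20:49152 -> 203.0.113.7:4444
2012-07-16 10:00:03 192.168.1.20:49153 -> 198.51.100.5:80
2012-07-16 10:01:00 192.168.1.20:49154 -> 203.0.113.7:4444
2012-07-16 10:02:00 192.168.1.20:49155 -> 203.0.113.7:4444
2012-07-16 10:03:00 192.168.1.20:49156 -> 203.0.113.7:4444
2012-07-16 10:07:41 192.168.1.20:49157 -> 198.51.100.5:80
"""

# One record per line: "<date> <time> <src ip>:<port> -> <dst ip>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Return a list of (timestamp, src_ip, dst_ip, dst_port) tuples,
    silently skipping lines that do not look like a record."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        records.append((ts, m["src"], m["dst"], int(m["dport"])))
    return records


def summarize(records, max_jitter=0.2):
    """Group connections by (dst_ip, dst_port) and answer the where / when /
    how-often questions for each destination. 'regular' is set when the gaps
    between connections vary by no more than max_jitter of their mean."""
    by_dst = defaultdict(list)
    for ts, _src, dst, dport in records:
        by_dst[(dst, dport)].append(ts)

    report = {}
    for key, times in by_dst.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        regular = False
        if len(gaps) >= 2:
            mean = statistics.mean(gaps)
            # A near-constant gap between connections is the classic
            # check-in / beaconing pattern.
            regular = mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter
        report[key] = {
            "count": len(times),
            "first_seen": times[0],
            "last_seen": times[-1],
            "mean_interval": statistics.mean(gaps) if gaps else None,
            "regular": regular,
        }
    return report


if __name__ == "__main__":
    for (dst, port), info in summarize(parse_log(SAMPLE_LOG)).items():
        flag = "REGULAR INTERVAL" if info["regular"] else ""
        print(f"{dst}:{port:<5} count={info['count']} "
              f"first={info['first_seen']} last={info['last_seen']} "
              f"mean_gap={info['mean_interval']}s {flag}")
```

On the constructed sample the port 4444 destination is reported with four connections exactly 60 seconds apart and flagged as regular, while the port 80 destination is seen twice with no pattern. To use it on a real capture, export the conversation list from Wireshark and adapt `LINE_RE` to that column layout; the grouping logic does not change.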
Netstat and tasklist: Before analyzing any piece of malware, having a baseline is vital. You are going to need an idea of what the system looked like before and after the malware was run. Running netstat before running the executable gives us a baseline of what network sessions are open, which ports are listening, etc., while the tasklist command utility gives us a list of currently running processes. Tools that you can use as well are Sysinternals' Process Explorer and TCPView.
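The same before/after comparison underlies both the Regshot workflow described above and the netstat/tasklist baseline in this section. As an added example (my own code, not part of the original post or of any of the tools named), the Python below parses constructed `netstat -ano` and `tasklist /FO CSV` output into snapshots, diffs two snapshots Regshot-style (added / removed / modified), and then joins the two diffs so that a newly listening socket is reported together with the process that owns it. The netstat and tasklist text, the PIDs, the file names and the registry entries are all constructed for the example.

```python
import csv
import io
import re

# `netstat -ano` rows: proto, local, foreign, [state], pid. UDP rows have no
# state column, which the optional group absorbs.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Parse `netstat -ano` output into {(proto, local_address): pid}."""
    sockets = {}
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, _remote, _state, pid = m.groups()
            sockets[(proto, local)] = int(pid)
    return sockets


def parse_tasklist_csv(text):
    """Parse `tasklist /FO CSV` output into {pid: image_name}."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def diff_snapshots(before, after):
    """Regshot-style comparison of two snapshots given as dicts key -> value."""
    added = {k: after[k] for k in after if k not in before}
    removed = {k: before[k] for k in before if k not in after}
    modified = {k: (before[k], after[k])
                for k in before if k in after and before[k] != after[k]}
    return {"added": added, "removed": removed, "modified": modified}


def new_listeners_with_owner(netstat_before, netstat_after, tasklist_after):
    """Join the socket diff with the process list: {socket: owning image name}."""
    sockets = diff_snapshots(parse_netstat(netstat_before),
                             parse_netstat(netstat_after))["added"]
    procs = parse_tasklist_csv(tasklist_after)
    return {sock: procs.get(pid, f"pid {pid} (not in tasklist)")
            for sock, pid in sockets.items()}


# Constructed baselines (not real output from a machine).
NETSTAT_BEFORE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:123            *:*                                    1044
"""
NETSTAT_AFTER = NETSTAT_BEFORE + \
    "  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       3120\n"

TASKLIST_BEFORE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","1,234 K"
"svchost.exe","876","Services","0","12,345 K"
"explorer.exe","2044","Console","1","45,678 K"
'''
TASKLIST_AFTER = TASKLIST_BEFORE + '"sample.exe","3120","Console","1","8,765 K"\n'

# Constructed registry snapshots in the shape Regshot compares: value path -> data.
REG_BEFORE = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater": r"C:\Program Files\Updater\upd.exe",
}
REG_AFTER = dict(REG_BEFORE)
REG_AFTER[r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sample"] = r"C:\Users\lab\sample.exe"


if __name__ == "__main__":
    print("new processes:", diff_snapshots(parse_tasklist_csv(TASKLIST_BEFORE),
                                           parse_tasklist_csv(TASKLIST_AFTER))["added"])
    print("new listeners:", new_listeners_with_owner(NETSTAT_BEFORE, NETSTAT_AFTER, TASKLIST_AFTER))
    print("registry diff:", diff_snapshots(REG_BEFORE, REG_AFTER))
```

Capture the real baselines with `netstat -ano > before.txt` and `tasklist /FO CSV > before.csv`, run the sample, capture again, and feed the four files to the parsers; `diff_snapshots` is the same function whether the keys are sockets, PIDs or registry value paths.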
Debugger, OllyDbg: To really get in depth with exactly what the executable is doing, you will have to use a debugger to step through the opcodes and system calls. Using a debugger is not easy for most and can take a bit of getting used to. However, to be good at malware analysis, you cannot escape learning how to use a debugger like IDA Pro or, in my case, OllyDbg.
Virtual environment: To avoid potentially infecting your main system and possibly breaking your Windows OS, you will definitely want to perform most, if not all, of your analysis in a virtual environment. Virtual machines also provide us with a mechanism to roll back a host to a snapshot of the system taken at an earlier time. This allows us to restore the state of a system to a point just before an event occurred (say the malware caused the OS to no longer start up) within minutes. There are quite a few options available for virtualization, but I myself use VirtualBox. Remember to check the system requirements of these technologies before installing them on your old Pentium III laptop with 256 MB of RAM.
PE tools: Sometimes malware may be packed by common packer tools like UPX. The benefit of using a packer on an EXE file is that it compresses the executable. However, by doing so, the original EXE's form is changed: what you get is an EXE within an EXE. The outer layer is the packer's decompression code, which decompresses the internal EXE in memory and then executes it. The additional benefit, from the malware author's point of view, is that it makes debugging the packed executable a pain in the butt. In order to properly debug the functionality of the packed executable, it must first be decompressed before it can be analyzed. Tools like PEiD can help us identify a packed executable's packer. By knowing this, we can in some cases use the same packer to unpack the executable back to its original form. Another PE tool that I use is LordPE, which allows for modifying the PE headers of binary executables.
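What PEiD does with signatures can be approximated by looking at the section table: packers leave recognisable section names (UPX0/UPX1 for UPX), a first section that is empty on disk but large in memory (where the unpacked image is written), and sections whose bytes are near-random because they hold compressed or encrypted data. The following is an added example, my own code and not PEiD, LordPE or anything from the original post: a minimal PE section-table parser (DOS header, PE signature, COFF header, section headers, using only the standard library) plus a Shannon-entropy check, run on two constructed PE skeletons. The skeletons are built by `build_fake_pe`, have no optional header or imports and are not loadable; they exist only so the parser can be exercised offline. The packer name list is a small hand-picked set, not PEiD's database.

```python
import math
import struct
import sys
from collections import Counter


def entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe):
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return one dict per section with its name, sizes and raw-data entropy."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    sections = []
    for i in range(n_sections):
        off = table + 40 * i                  # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": round(entropy(raw), 2),
        })
    return sections


# Hand-picked section names left behind by common packers (not PEiD's database).
PACKER_SECTION_PREFIXES = ("UPX", ".aspack", ".petite", "MPRESS", ".vmp")


def packer_hints(sections, high=7.0):
    """Heuristic packer indicators in the spirit of PEiD."""
    hints = []
    for s in sections:
        if s["name"].startswith(PACKER_SECTION_PREFIXES):
            hints.append(f"{s['name']}: packer section name")
        if s["entropy"] >= high:
            hints.append(f"{s['name']}: entropy {s['entropy']} looks compressed/encrypted")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hints.append(f"{s['name']}: no raw data but {s['virtual_size']:#x} bytes reserved in memory")
    return hints


def build_fake_pe(sections):
    """Constructed, NOT loadable PE skeleton for exercising the parser:
    DOS stub, PE signature, COFF header with no optional header, then the
    section table and each section's raw bytes. sections = [(name, data, vsize)]."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    data_off = 64 + 4 + 20 + 40 * len(sections)
    headers, blobs = b"", b""
    for name, data, vsize in sections:
        raw_ptr = data_off + len(blobs) if data else 0
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, 0x1000,
                               len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += data
    return bytes(dos) + b"PE\0\0" + coff + headers + blobs


# Constructed samples: a UPX-style layout and a plain one.
PACKED = build_fake_pe([
    (b"UPX0", b"", 0x8000),                       # empty on disk, large in memory
    (b"UPX1", bytes(range(256)) * 4, 0x400),      # uniform byte distribution -> 8.0 bits
])
PLAIN = build_fake_pe([
    (b".text", b"\x55\x8b\xec" * 40 + b"\xc3", 0x100),   # repetitive, low entropy
    (b".data", b"\0" * 64, 0x40),
])


if __name__ == "__main__":
    images = [("constructed packed", PACKED), ("constructed plain", PLAIN)]
    images += [(p, open(p, "rb").read()) for p in sys.argv[1:]]
    for label, pe in images:
        print(label, packer_hints(parse_sections(pe)) or "no packer hints")
```

A real UPX-packed file shows the same three signs (UPX0 with zero raw size, UPX1 at entropy close to 8, the packer names); as the post says, knowing the packer is what lets you restore the original, which for UPX is simply `upx -d sample.exe` on a copy. Entropy alone is not proof: installers, compressed resources and signed certificates also raise it.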
These are just some of the tools that can be utilized in the malware analysis process. I encourage you to do your own research and look up the malware analysis articles on the hakin9.org website. The articles are available in PDF format and are a little bit difficult to link to directly :(
Resources/Good Reading:
hakin9

Friday, June 29, 2012

[Medre] AutoCAD worm (malware) samples

After Flamer, Medre, another worm aimed at stealing industrial blueprints, especially from the nuclear industry, has been discovered.
Below are the samples:


Code:
File: 2dda8e76f8488e8cd44dd25167e91642a0b27e245848be96ef0bea2797feb40e
MD5:  ea04c29bc814af6d96157c1113b3806d
Size: 22105

File: 7c489147ce4238ba0f9f992a7dbe7afc9e1b2ef9afd4d25e3b182d69e90e18c9
MD5:  916744d1e7064a5522092f310a7c4ab0
Size: 22052

File: 79baf616d2701cc26ef328cd9c13682db317932aa47efb8eb079d8af4a49e0a3
MD5:  7b563740f41e495a68b70cbb22980b20
Size: 12334

File: b886a58c6be03d75bf0a84ea3dc18c46aa98f6a9a5905f37661a23fd48d10232
MD5:  25c7e10bb537b4265f6144f2cd7f6d95
Size: 22602

File: e8e1148f7497aa546e46a45f35704ed6d9f9cb8d83d04a825aaa5ae6335d979
MD5:  73dd85951ea154fbb40c26cd259ee0b7
Size: 12334

Download Link : http://115.com/file/dpc6h6jx

Flame aka Skywiper (malware) samples

Description :: http://en.wikipedia.org/wiki/Flame_(malware)

Code:
0A17040C18A6646D485BDE9CE899789F    mssecmgr2.dll
20732C97EF66DD97389E219FC0182CB5    comspol32.ocx
296E04ABB00EA5F18BA021C34E486746    soapr32.ocx
296e04abb00ea5f18ba021c34e486746    soapr32.ocx
37c97c908706969b2e3addf70b68dc13    name?
581F2EF2E3BA164281B562E435882EB5    noname.dll
5AD73D2E4E33BB84155EE4B35FBEFC2B    ccalc32.sys
5B03ED3894D88ADE1C72BA4A700A193F    mscrypt.dat
646FE96ABF038834F8FEAEED8FFBD334    boot32.ocx
75DE82289AC8C816E27F3215A4613698    noname.dll
8ED3846D189C51C6A0D69BDC4E66C1A5    advnetcfg2.ocx
96E04ABB00EA5F18BA021C34E486746    soapr32.ocx
b604c68cd46f8839979da49bb2818c36    00006411.dl
BB4BF0681A582245BD379E4ACE30274B    nteps32.ocx
BB5441AF1E1741FCA600E9C433CB1550    advnetcfg.ocx
BDC9E04388BDA8527B398A8C34667E18    mssecmgr.ocx
BDDBC6974EB8279613B833804EDA12F9    noname.dll
c09306141c326ce96d39532c9388d764    name?
C4D1CA8DD6ADA3EB1C5EB507516F7C84    mscrypt.dat
C81D037B723ADC43E3EE17B1EEE9D6CC    boot32drv.sys
C9E00C9D94D1A790D5923B050B0BD741    nteps32.ocx
D53B39FB50841FF163F6E9CFD8B52C2E    msglu32.ocx
ec992e35e794947a17804451f2a8857e    00004784.dl
ee4b589a7b5d56ada10d9a15f81dada9    
F0A654F7C485AE195CCF81A72FE083A2    advnetcfg.ocx
F47BD1AF6F6FBC2559D6AB5069D394EB
etc...
Download ::
http://www.kuaipan.com.cn/file/id_11112673827618867.htm
passwd: infected

Decrypted sample mscrypt: 
http://115.com/file/e78qmz8z#mscrypt-decrypted.rar
Password, if needed: malware
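The hashes in this post and in the Medre post above are only useful if you can check a file against them, and the listing above carries the usual copy-paste hazards (one SHA-256 in the Medre list is a character short, one Flame MD5 is a character short, some entries have no file name). As an added example, not code from the original posts, the Python below builds a lookup index from a subset of the listed hashes, hashes a file (streaming, so large samples are fine), and on a hit cross-checks the entry's other fields so that a size or sibling-hash mismatch is reported as a warning instead of a silent match. The `family` labels, the choice of which entries to copy, and the test blob are mine; the hash values and sizes are taken from the two posts.

```python
import hashlib
import sys

# Subset of the IoCs listed in the two posts above. Medre entries carry
# SHA-256, MD5 and size; Flame entries carry MD5 and the on-disk file name.
KNOWN_SAMPLES = [
    {"family": "Medre", "size": 22105,
     "sha256": "2dda8e76f8488e8cd44dd25167e91642a0b27e245848be96ef0bea2797feb40e",
     "md5": "ea04c29bc814af6d96157c1113b3806d"},
    {"family": "Medre", "size": 22052,
     "sha256": "7c489147ce4238ba0f9f992a7dbe7afc9e1b2ef9afd4d25e3b182d69e90e18c9",
     "md5": "916744d1e7064a5522092f310a7c4ab0"},
    {"family": "Medre", "size": 12334,
     "sha256": "79baf616d2701cc26ef328cd9c13682db317932aa47efb8eb079d8af4a49e0a3",
     "md5": "7b563740f41e495a68b70cbb22980b20"},
    {"family": "Medre", "size": 22602,
     "sha256": "b886a58c6be03d75bf0a84ea3dc18c46aa98f6a9a5905f37661a23fd48d10232",
     "md5": "25c7e10bb537b4265f6144f2cd7f6d95"},
    {"family": "Flame", "md5": "0a17040c18a6646d485bde9ce899789f", "name": "mssecmgr2.dll"},
    {"family": "Flame", "md5": "bdc9e04388bda8527b398a8c34667e18", "name": "mssecmgr.ocx"},
    {"family": "Flame", "md5": "5ad73d2e4e33bb84155ee4b35fbefc2b", "name": "ccalc32.sys"},
    {"family": "Flame", "md5": "c81d037b723adc43e3ee17b1eee9d6cc", "name": "boot32drv.sys"},
    {"family": "Flame", "md5": "bb5441af1e1741fca600e9c433cb1550", "name": "advnetcfg.ocx"},
]


def build_index(samples):
    """Map every known hash (lower-cased) to its sample entry for O(1) lookup."""
    index = {}
    for entry in samples:
        for algo in ("md5", "sha256"):
            if algo in entry:
                index[entry[algo].lower()] = entry
    return index


def hash_report(data):
    """MD5, SHA-256 and size of an in-memory blob (the fields the posts list)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "size": len(data)}


def hash_file(path, chunk=1 << 20):
    """Streaming equivalent of hash_report for files on disk."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha256.update(block)
            size += len(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest(), "size": size}


def match_iocs(report, index):
    """Return (family, entry, warnings) on a hit, else None. SHA-256 is tried
    first; a hit is cross-checked against the entry's size and other hash so a
    typo in the IoC list or an MD5-only coincidence surfaces as a warning."""
    for algo in ("sha256", "md5"):
        entry = index.get(report[algo])
        if entry is None:
            continue
        warnings = []
        if "size" in entry and entry["size"] != report["size"]:
            warnings.append("size mismatch")
        other = "md5" if algo == "sha256" else "sha256"
        if other in entry and entry[other].lower() != report[other]:
            warnings.append(f"{other} mismatch")
        return entry["family"], entry, warnings
    return None


if __name__ == "__main__":
    index = build_index(KNOWN_SAMPLES)
    for path in sys.argv[1:]:
        hit = match_iocs(hash_file(path), index)
        print(path, "->", f"{hit[0]} {hit[1].get('name', '')} {hit[2]}" if hit else "no match")
```

Run it as `python iocs.py sample1 sample2 ...` over the extracted archive to label each file; extend `KNOWN_SAMPLES` with the rest of the listed hashes as needed. The test below uses the MD5 and SHA-256 of the three-byte string `abc`, which are the published test vectors for both algorithms.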


Created by NSA CIA ...