quick and dirty malware analysis

There are a number of web based tools that allow you to safely analyze the behavior of potentially malicious files. My personal favorite is Malwr.com, which provides a detailed analysis of just what a piece of malware tries to do when run in a sandboxed environment. Malwr presents its findings as a detailed report explaining what processes are spawned, what files and registry keys are written, and what network activity happens when the malware runs. This is a great tool for those of us whose budgets don't include funds for maintaining our own malware analysis labs. For those with more resources, you can run the same software that malwr.com uses (the open source Cuckoo malware analysis suite) on your own site.

I recently saw a video from Security BSides DC 2014 in which Craig Fields, a malware/forensics analyst from DefensePoint, demonstrated a new tool to make reading reports generated by malwr.com easier. MalwareViz takes the URL of a malwr.com report and uses the data in the report to create a more visually oriented diagram of just what a particular piece of malware is doing, which can be really useful in explaining things to non-security-focused folks.

It is important to remember that malware authors are getting smarter and smarter – in some cases, malware will check to see if it is being run in a sandboxed virtual machine. If so, the malware stops executing and the analysis never sees the bad behavior that would occur during a real infection. So, a negative result from the sandbox is just one (albeit generally strong) indicator of whether a particular file is malicious.
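As an added example (not code from malwr.com, Cuckoo or MalwareViz), here is a small Python triage helper that pulls the facts the post lists out of a sandbox report (spawned processes, files and registry keys written, hosts contacted) and flags a "quiet" run, since a sample that did nothing observable may simply have detected the sandbox. The report structure is only loosely modelled on Cuckoo's JSON output and the sample data is constructed; field names are assumptions.

```python
import json
from typing import Any, Dict

# Constructed sample report, loosely shaped like a Cuckoo/Malwr JSON report.
# Process names, paths, registry keys and hosts are made up for illustration.
SAMPLE_REPORT = json.dumps({
    "info": {"duration": 31},
    "behavior": {
        "processes": [
            {"pid": 1200, "parent_id": 800, "process_name": "sample.exe"},
            {"pid": 1340, "parent_id": 1200, "process_name": "cmd.exe"},
        ],
        "summary": {
            "files": ["C:\\Users\\user\\AppData\\Roaming\\updater.exe"],
            "keys": ["HKEY_CURRENT_USER\\Software\\Microsoft\\Windows"
                     "\\CurrentVersion\\Run\\updater"],
        },
    },
    "network": {
        "domains": [{"domain": "example.invalid", "ip": "203.0.113.10"}],
        "http": [{"host": "example.invalid", "uri": "/gate.php"}],
    },
})


def summarize(report_json: str) -> Dict[str, Any]:
    """Reduce a sandbox report to the facts a triage note needs."""
    r = json.loads(report_json)
    behavior = r.get("behavior", {})
    procs = behavior.get("processes", [])
    summary = behavior.get("summary", {})
    net = r.get("network", {})
    # Persistence hint: any registry write under a Run key.
    run_keys = [k for k in summary.get("keys", []) if "\\CurrentVersion\\Run" in k]
    contacted = sorted({d["domain"] for d in net.get("domains", [])}
                       | {h["host"] for h in net.get("http", [])})
    result = {
        "processes": [p["process_name"] for p in procs],
        "files_written": summary.get("files", []),
        "run_keys": run_keys,
        "contacted_hosts": contacted,
    }
    # The caveat from the post: a quiet run is not a clean bill of health.
    # Count observable actions beyond the sample's own process; zero means
    # the analyst should suspect sandbox detection rather than a benign file.
    activity = (max(len(procs) - 1, 0) + len(result["files_written"])
                + len(run_keys) + len(contacted))
    result["quiet_run"] = activity == 0
    return result
```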
