Penetration Testing mailing list archives

Re: [PEN-TEST] Suspect .EXE Trojan


From: Ryan Russell <ryan () SECURITYFOCUS COM>
Date: Thu, 14 Dec 2000 11:59:20 -0800

I might suggest this is more suited to the incidents or forensics list,
but briefly:

When I want to analyze a piece of malware, short of disassembling it, I
just run it on a specially prepared box.  I get regmon and filemon from
sysinternals.com, and shut down all unneeded programs, disable sounds in
explorer, and run a sniffer.  (If anyone has a "quieter" shell than
explorer they like for this sort of thing, let me know.)

Obviously, run this on a scratch box, in case the software does something
unrecoverable.  Those combinations of monitoring tools will tell you just
about anything interesting the malware does, short of delayed actions.

                                        Ryan
On Thu, 14 Dec 2000, Ruso, Anthony wrote:

> I have a suspect executable that I think may be a Trojan. A search on the
> .exe doesn't return any result with any virus vendor. Are there any tools
> that would allow me to execute the file in isolation and actually see what's
> going on.


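The "run it on a scratch box and watch what changes" approach above can be reduced to a small harness: snapshot the filesystem, run the sample with a hard timeout, snapshot again and diff. The script below is an added example and is not from the original post or its author; it assumes Python 3 on any OS, records only file changes (so on Windows you would still want regmon for the registry and a sniffer for the network, exactly as the post says), and, like the post warns, only sees what happens during the run window, not delayed actions. The `demo()` run uses a constructed scratch directory and a harmless Python one-liner standing in for the suspect .EXE.

```python
"""Snapshot/diff harness for detonating a suspect binary on a scratch box.

Added example, not part of the original mailing-list thread. Assumptions:
Python 3.8+, any OS; only filesystem changes are recorded; the sample is
launched as a direct child with a timeout. Anything the sample spawns and
detaches is NOT killed by the timeout, so run this on a throwaway machine.
"""
import hashlib
import os
import subprocess
import sys
import tempfile
from typing import Dict, List, Tuple

Snapshot = Dict[str, str]


def snapshot(roots: List[str]) -> Snapshot:
    """Map every regular file under the given roots to its SHA-256."""
    state: Snapshot = {}
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as fh:
                        state[path] = hashlib.sha256(fh.read()).hexdigest()
                except OSError:
                    # Locked, transient or special files are skipped rather
                    # than aborting the whole snapshot.
                    continue
    return state


def diff_snapshots(before: Snapshot, after: Snapshot) -> Tuple[List[str], List[str], List[str]]:
    """Return (created, modified, deleted) paths between two snapshots."""
    created = sorted(p for p in after if p not in before)
    deleted = sorted(p for p in before if p not in after)
    modified = sorted(p for p in after if p in before and after[p] != before[p])
    return created, modified, deleted


def run_sample(argv: List[str], timeout: float = 30.0) -> int:
    """Run the suspect program with no stdin and a hard timeout.

    Returns its exit status, or -1 if it was killed for exceeding the timeout.
    """
    try:
        proc = subprocess.run(argv, timeout=timeout, stdin=subprocess.DEVNULL,
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return proc.returncode
    except subprocess.TimeoutExpired:
        return -1


def detonate(argv: List[str], roots: List[str], timeout: float = 30.0) -> dict:
    """Snapshot, run, snapshot again; report the net filesystem effect."""
    before = snapshot(roots)
    status = run_sample(argv, timeout)
    after = snapshot(roots)
    created, modified, deleted = diff_snapshots(before, after)
    return {"exit_status": status, "created": created,
            "modified": modified, "deleted": deleted}


def demo() -> dict:
    """Constructed scratch run: a harmless Python one-liner stands in for the
    suspect .EXE and drops one file, rewrites another and removes a third."""
    scratch = tempfile.mkdtemp(prefix="scratch_")
    for name, data in (("keep.txt", b"unchanged"), ("config.ini", b"old"),
                       ("victim.dat", b"gone")):
        with open(os.path.join(scratch, name), "wb") as fh:
            fh.write(data)
    stand_in = (
        "import os,sys; d=sys.argv[1];"
        "open(os.path.join(d,'dropper.exe'),'wb').write(b'MZ');"
        "open(os.path.join(d,'config.ini'),'wb').write(b'new');"
        "os.remove(os.path.join(d,'victim.dat'))"
    )
    report = detonate([sys.executable, "-c", stand_in, scratch], [scratch], timeout=10)
    report["scratch"] = scratch
    return report


if __name__ == "__main__":
    # Real use: python harness.py C:\scratch\suspect.exe C:\ (on the scratch box)
    if len(sys.argv) >= 3:
        result = detonate([sys.argv[1]], sys.argv[2:])
    else:
        result = demo()
    for key in ("exit_status", "created", "modified", "deleted"):
        print(key, result[key])
```

The diff only shows the net effect at the end of the run; a file the sample writes and then wipes, or a registry key it touches, will not appear, which is why the post pairs a per-call monitor (filemon/regmon) and a sniffer with the scratch box rather than relying on any one view.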