Malware analyzing tools?

[daniel at virturity.com (Daniel [Virturity.com])]

All good suggestions so far. Just adding a few more tools to the list.
The most important one is that freeware between your ear of course. ;)

Rapier - http://code.google.com/p/rapier/
Gmer - www.gmer.net
oSpy - http://code.google.com/p/ospy/
helios - http://helios.miel-labs.com


On Fri, 2009-05-15 at 13:45 -0400, Chris Hague wrote:
> So a few things that I usually do as part of my forensic
> investigations that involve malware.
>
>  
>
> I guess if you are analyzing malware as opposed to is my system
> infected with it, then I would suggest using a range of tools and
> resources. 
>
>  
>
> For instance, if you have come across an unknown binary you could
> upload it to a ?sandbox? like Norman Sandbox
> (http://www.norman.com/microsites/nsic/), or Virus Total
> (http://www.virustotal.com/) ? both are automated. If you prefer the
> more manual approach, then I would recommend a VM like environment so
> you don?t tank your machine. Use tools such as SysAnalyzer
> (http://labs.idefense.com/software/malcode.php) [somewhat dated], but
> still work. Another option is to use a debugger to see exactly what
> the file is doing.
>
>  
>
> As suggested in earlier threads, use filemon, regmon, process monitor
> and explorer, and Wireshark. However, if you have the time, set up a
> 2nd VM as a gateway basically becoming the man in the middle. 
>
>  
>
> For the infected systems several of the incident response companies
> offer free tools to help detect malcode
> (http://www.mandiant.com/software.htm) is one of them.
>
>  
>
> I think Shaun?s last point is spot on. When in doubt, reload.
>
>  
>
> Hope this helps,
>
>  
>
> Chris
>
>  
>
>                                    
> ______________________________________________________________________
> From:pauldotcom-bounces at mail.pauldotcom.com
> [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Shaun
> Curry
> Sent: Friday, May 15, 2009 11:08 AM
> To: PaulDotCom Security Weekly Mailing List
> Subject: Re: [Pauldotcom] Malware analyzing tools?
>
>
>  
>
> I'm not a forensics expert, but I work on this stuff on a daily basis
> for our customers.  I follow a pretty basic plan of attack for stuff
> like this:
>
> 1. Turn off system restore
> 2. Install, Update, and run Malwarebyte's (usually a quickscan in
> normal windows)
> 3. Run TrendMicro's housecall from their website.
> 4. Check IE for BHO's
>
> If there is still a problem I will move to autoruns to disable
> anything odd starting up with the system and run process explorer to
> research svchost.exe.
>
> And, when all else fails - Nuke and Pave buddy... nuke and pave :P
>
> Good Luck!
>
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com