Penetration Testing mailing list archives
RE: Exploit package analysis
From: "Lars Troen" <Lars.Troen () sit no>
Date: Fri, 29 Jul 2005 19:57:04 +0200
Anyhow, the site at http://virusscan.jotti.org/ will probably be of use. In the event that the previous site was not able to classify the suspected malware, I recommended running it on a separate box (or VM) and following its execution with SoftICE, strace
Another free service that can be used is Norman sandbox (http://sandbox.norman.com/). It's running the provided application inside a Windows VM and reporting its actions regarding the registry, file system and network, and its actions against many common applications. I've used it many times when I'm in possession of a suspicious file, and most of the time it can tell me what it does. It will also report if this is a known virus. But don't trust it blindly. I had an .exe file that I found to contact a Russian IRC server, register itself in Windows startup etc., but Norman didn't find anything, so it might be possible to fool Norman sandbox too. But this service is still very useful for finding out what an application does.
Lars
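A small triage script, added here as an example and not part of Lars's post or of any sandbox service: it parses a constructed behaviour report in a hypothetical `[Kind] action detail` line format and flags the behaviours the post describes (autostart registry entry, connection to an IRC port, dropped file in system32) independently of the "known virus" verdict, so a clean AV result does not hide the behavioural evidence.

```python
"""Triage a sandbox-style behaviour report for persistence and
network indicators, independent of the AV name-lookup verdict."""
import re

# Constructed sample in a hypothetical report format (not real
# sandbox output): one AV verdict line plus file/registry/network events.
SAMPLE_REPORT = """\
[AV] verdict no known virus detected
[File] create C:\\WINDOWS\\system32\\svch0st.exe
[Registry] set HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc = C:\\WINDOWS\\system32\\svch0st.exe
[Network] connect 198.51.100.7:6667 (irc.example.net)
[Network] dns irc.example.net
"""

LINE_RE = re.compile(r"^\[(?P<kind>\w+)\]\s+(?P<action>\w+)\s+(?P<detail>.*)$")
AUTOSTART_KEYS = (r"\currentversion\run", r"\currentversion\runonce")
IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697, 7000}  # common IRC ports


def parse_report(text):
    """Return (kind, action, detail) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["kind"].lower(), m["action"].lower(), m["detail"]))
    return events


def triage(text):
    """Behaviour-based findings plus the AV verdict, kept separate so a
    clean AV lookup never suppresses what the sample actually did."""
    events = parse_report(text)
    av_clean = any(k == "av" and "no known" in d.lower() for k, _, d in events)
    findings = []
    for kind, action, detail in events:
        low = detail.lower()
        if kind == "registry" and action == "set" and any(k in low for k in AUTOSTART_KEYS):
            findings.append("persistence: autostart registry key written")
        elif kind == "network" and action == "connect":
            port = re.search(r":(\d+)\b", detail.split()[0])
            if port and int(port.group(1)) in IRC_PORTS:
                findings.append(f"network: IRC-port connection to {detail.split()[0]}")
        elif kind == "file" and action == "create" and low.startswith("c:\\windows\\system32\\"):
            findings.append(f"filesystem: dropped file in system32 ({detail})")
    return {"av_clean": av_clean, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("\n".join(result["findings"]))
    if result["av_clean"] and result["suspicious"]:
        print("suspicious behaviour despite a clean AV verdict")
```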