Penetration Testing mailing list archives

RE: Exploit package analysis


From: "Lars Troen" <Lars.Troen () sit no>
Date: Fri, 29 Jul 2005 19:57:04 +0200


Anyhow, the site at http://virusscan.jotti.org/ will probably 
be of use.
In the event that the previous site was not able to classify 
the suspected malware, I recommended running it on a separate 
box (or VM) and following its execution with softice, strace 

Another free service that can be used is Norman sandbox
(http://sandbox.norman.com/). It's running the provided application
inside a Windows VM and reporting its actions regarding registry, file
system, network and its actions against many common applications. I've
used it many times where I'm in possession of a suspicious file and most
of the time it can tell me what it does. It will also report if this is
a known virus. But don't trust it blindly. I had an .exe file that I
found to contact a Russian IRC server, registering itself in Windows
startup etc, but Norman didn't find anything so it might be possible to
fool Norman sandbox too. But this service is still very useful for
finding out what an application does.

Lars
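The post above describes reading a sandbox report for registry, file system and network behaviour, and notes that the sandbox's own verdict can miss things (a sample that registered itself in Windows startup and contacted an IRC server went unflagged). The following is an added example, not code from the original thread or from Norman: a small triage script that applies an analyst's own rules to behaviour lines so that a "known virus: none" verdict is not the only signal. The report format (`[Category] Action detail`), the sample lines, the Run-key and IRC-port rules, and the function names are all constructed assumptions for illustration; a real Norman sandbox report does not use this layout.

```python
import re
from dataclasses import dataclass

# Constructed sample behaviour lines in a hypothetical "[Category] Action detail"
# layout. This is NOT the real Norman sandbox report format; it mirrors the kind
# of activity the post describes (file drop, startup persistence, IRC contact).
SAMPLE_REPORT = r"""
[File] Create C:\WINDOWS\system32\svchost32.exe
[Registry] SetValue HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater = C:\WINDOWS\system32\svchost32.exe
[Registry] SetValue HKCU\Software\Example\LastRun = 20050729
[Network] DNS irc.example.invalid
[Network] Connect 192.0.2.10:6667
[Network] Connect 192.0.2.20:80
"""

LINE_RE = re.compile(r"^\[(?P<cat>\w+)\]\s+(?P<action>\w+)\s+(?P<detail>.+)$")

# Autostart locations an analyst would watch for (assumed rule, not exhaustive).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices)\\", re.I)
# Commonly used IRC ports (assumed rule for this example).
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 7000}
# Writes directly into the Windows directory tree.
SYSTEM_DIR_RE = re.compile(r"^[A-Z]:\\WINDOWS\\", re.I)


@dataclass
class Event:
    category: str
    action: str
    detail: str


def parse_report(text):
    """Turn report lines into Event records; lines that do not fit are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(m["cat"], m["action"], m["detail"]))
    return events


def triage(events):
    """Apply analyst rules to events and return (tag, evidence) findings in order."""
    findings = []
    dropped = set()  # lower-cased paths the sample created during the run
    for e in events:
        if e.category == "File" and e.action == "Create":
            if SYSTEM_DIR_RE.match(e.detail):
                findings.append(("drops_file_in_system_dir", e.detail))
            dropped.add(e.detail.lower())
        elif e.category == "Registry" and e.action == "SetValue":
            key, _, value = e.detail.partition(" = ")
            if RUN_KEY_RE.search(key):
                # Persistence that points at a file the sample itself dropped
                # is stronger evidence than an arbitrary Run-key write.
                tag = "startup_persistence"
                if value.strip().lower() in dropped:
                    tag = "startup_persistence_of_dropped_file"
                findings.append((tag, key))
        elif e.category == "Network" and e.action == "Connect":
            _, _, port = e.detail.rpartition(":")
            if port.isdigit() and int(port) in IRC_PORTS:
                findings.append(("irc_connection", e.detail))
    return findings


def verdict(findings):
    """Summarise findings independently of whatever the sandbox's AV verdict said."""
    tags = {tag for tag, _ in findings}
    persists = any(t.startswith("startup_persistence") for t in tags)
    if persists and "irc_connection" in tags:
        return "likely-malicious"
    if tags:
        return "suspicious"
    return "no-findings"


if __name__ == "__main__":
    found = triage(parse_report(SAMPLE_REPORT))
    for tag, evidence in found:
        print(f"{tag}: {evidence}")
    print("verdict:", verdict(found))
```

The point of the rules is to surface the combination the post describes (self-copy, autostart entry, IRC contact) even when the sandbox reports no known virus; a result of "no-findings" here still only means none of these particular rules fired.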

