Playing With Malware

3:10 PM -- Malware, whether it's a bot, Trojan or Web-based JavaScript, is one of my favorite topics. It's sort of a hobby for me -- whenever I come across a new sample, I download it to my collection and do some basic analysis to get an understanding of what's going on. Using a tool like Strings or BinText, I look for ASCII and Unicode text that give me a quick feel for what the sample does. Are there URLs, IP addresses, file names, or registry entries that are recognizable? (Unfortunately, string analysis is futile for most malware that uses packers and crypters to compress and encrypt the code.)

Next, I send my sample to Virus Total to see if any of the current antivirus solutions will detect it. Virus Total scans the sample with over 30 different antivirus engines. Given that I'm part of a university, with students browsing sites of varying legitimacy, you can imagine that I get plenty of samples that aren't detected. The main benefit of using Virus Total is that I don't need to have all of these AV products in my own lab -- and Virus Total submits the samples to antivirus companies so they can build appropriate signatures.

If the malware sample is not an isolated case and affects several hosts, I take a greater interest in finding out more about it. I'll submit it to a few other online resources for behavioral analysis. CWSandbox and Anubis do a great job of providing enough information that I can then pass on to system administrators so that they can be on the lookout for certain behaviors on their hosts that would indicate an infection. Both online tools provide analysis of registry, file, process, Windows service, and network analysis to determine exactly what the malware is doing on a Windows system.

For obvious reasons, all of the online behavioral analysis tools are for Windows malware. (Virus Total is a bit different: It's not behavioral-based and it scans all files, no matter what system they came from.) Maybe as Mac OS X and Linux gain a better foothold in the desktop market, more analysis tools for those types of malware will surface.

So next time you have a machine acting strangely, and have some unknown binaries that need analysis, send them to the sites above. It's a lot easier than building your own lab to do the analysis yourself, although it does take a little fun out of it.

If you've got questions about malware analysis, let us know.

— John H. Sawyer is a security geek on the IT Security Team at the University of Florida. He enjoys taking long war walks on the beach and riding pwnies. When he's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading