
Malware Analysis Tools Explained

When it comes to malware infections you can never feel comfortable with your own system, and paranoia is your best friend, as we can observe in the second episode of the third season of Mr. Robot, when Elliot runs rkhunter to check whether malware has been installed on his computer. In this article we'll see that it is possible to build a virtual environment in which to run and debug a malicious file, trying to understand how it spreads, what actions it performs on the infected computer and what network communications it makes. A range of free and open source tools is readily available for this purpose; we will download and install some of them to understand how they work.

The lab



You'll be surprised by how many tools exist for malware analysis, many of them free, so you are literally spoiled for choice. While you look through some interesting lists, like this one for malware analysis or this other one for malicious site analysis, let's clarify a little what these tools do and which skills you need to use them.

1) A process monitor, superficially similar to the Windows Task Manager but focused on malware activity

2) A network analyzer like Wireshark, to study the way the malware connects back to its creator

3) A code analyzer. It is really hard to deobfuscate the code of a malware sample, but if you succeed you'll have plenty of information to work on.

4) Free online malware analyzers like the ones listed here, to automate these time-consuming activities

At this point you should have a clear idea of your weapons against a virus, so let's go more in depth with a couple of interesting tools from our lists.
ProcDOT

I decided to cite this one because ProcDOT is unique in its genre: it joins the two main functions of a process monitor and a network analyzer. Usually you find these two things separated, and having the results of the process monitor not linked to those of the network analyzer means a lot of effort trying to understand how a process exchanges information. ProcDOT solves this problem by being an all-in-one tool, and for this reason I think it's essential in a malware analysis lab. The features of ProcDOT are:

1) Correlation of Procmon and PCAP data
2) Visualization as an interactive graph
3) Animation mode to easily understand timing aspects
4) Smart following algorithms to focus only on relevant stuff
5) Detection and visualization of thread injection
6) Correlation of network activities and the causing processes
7) Activity timeline
8) Full text search of graph content, with hits also showing up in the activity timeline
9) Filters to clean up noise (global and session-wise)
10) Support for various matching modes

And many, many others…

To download ProcDOT go to this link if you use Linux, or to this other one if you use Windows.
Process Monitor v3.40

Process Monitor v3.40, as you can guess from its name, is focused on a single task and is produced by Microsoft. It is designed to work exclusively with Windows and is an advanced task manager capable of checking system activity in real time and capturing process details such as user, session ID, command line and so on. Process Monitor v3.40 also allows boot-time logging of all operations, cancellable searches and non-destructive filters that keep your data when you set another search. Process Monitor v3.40 combines the features of two Sysinternals utilities that are no longer used, Filemon and Regmon: Filemon provided a useful display of file system activity, while Regmon provided forensics on the use of the Windows registry.

All these features make Process Monitor v3.40 a useful tool for system administration, computer forensics and application debugging, and all of this is, incredibly, for free.
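The ProcDOT and Process Monitor sections above describe the data these tools work on: a Procmon event log (which Process Monitor can export as CSV) and a packet capture. The following Python script is an added example, not part of the original article and not code from either tool, that does in miniature what the text describes: it parses a constructed Procmon CSV export, applies a non-destructive filter, rebuilds parent/child process relationships from "Process Create" events, flags registry writes to autostart keys, and attributes constructed PCAP-style flow records to the process that opened the local port, which is the correlation ProcDOT performs. Every row, IP address, PID and flow in it is made up; the column names follow Procmon's CSV export, while the "host:port -> ip:port" endpoint format and the flow tuples are simplified assumptions.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed Procmon CSV export: same column names as a real "Save as CSV",
# but every row is invented for this example. Endpoint paths are simplified
# to "host:port -> ip:port" (an assumption, real exports may resolve names).
PROCMON_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.1","explorer.exe","1200","Process Create","C:\\Users\\lab\\invoice.exe","SUCCESS","PID: 4321, Command line: invoice.exe"
"10:00:01.5","invoice.exe","4321","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd","SUCCESS","Type: REG_SZ, Data: C:\\Users\\lab\\invoice.exe"
"10:00:02.0","invoice.exe","4321","TCP Connect","lab-pc:49210 -> 203.0.113.7:443","SUCCESS","Length: 0"
"10:00:02.3","svchost.exe","900","RegQueryValue","HKLM\\SYSTEM\\Setup","SUCCESS","Type: REG_DWORD"
"10:00:03.0","invoice.exe","4321","TCP Send","lab-pc:49210 -> 203.0.113.7:443","SUCCESS","Length: 512"
"10:00:04.0","chrome.exe","2222","TCP Connect","lab-pc:49211 -> 198.51.100.20:443","SUCCESS","Length: 0"
'''

# Constructed flow summaries as you might derive from a PCAP's conversations:
# (src_ip, src_port, dst_ip, dst_port, bytes). The last one has no Procmon
# event, so it cannot be attributed to a process.
FLOWS = [
    ("10.0.0.5", 49210, "203.0.113.7", 443, 512),
    ("10.0.0.5", 49211, "198.51.100.20", 443, 2048),
    ("10.0.0.5", 49299, "192.0.2.9", 8080, 64),
]

ENDPOINT = re.compile(r"^[^:]+:(\d+) -> ([^:]+):(\d+)$")
RUN_KEYS = ("\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\")


def parse_procmon(text):
    """Parse a Procmon CSV export into a list of event dicts (PID as int)."""
    events = list(csv.DictReader(io.StringIO(text)))
    for event in events:
        event["PID"] = int(event["PID"])
    return events


def apply_filter(events, exclude=("svchost.exe",)):
    """Non-destructive filter, like Procmon's: returns a new view and leaves
    the original event list untouched so another filter can be applied."""
    return [e for e in events if e["Process Name"] not in exclude]


def process_tree(events):
    """Map child PID -> parent PID using the 'PID: n' detail of Process Create."""
    tree = {}
    for e in events:
        if e["Operation"] == "Process Create":
            match = re.search(r"PID:\s*(\d+)", e["Detail"])
            if match:
                tree[int(match.group(1))] = e["PID"]
    return tree


def persistence_writes(events):
    """Registry writes under autostart keys, a common persistence indicator."""
    return [(e["PID"], e["Process Name"], e["Path"]) for e in events
            if e["Operation"] == "RegSetValue"
            and any(key in e["Path"] for key in RUN_KEYS)]


def correlate(events, flows):
    """Attribute PCAP flows to the process that opened the local port.
    Procmon knows the endpoints and the owning process; the PCAP knows the
    traffic volume. Returns (attributed totals, unattributed flows)."""
    owner = {}  # local port -> (pid, process name)
    for e in events:
        if e["Operation"] in ("TCP Connect", "UDP Send"):
            match = ENDPOINT.match(e["Path"])
            if match:
                owner[int(match.group(1))] = (e["PID"], e["Process Name"])
    attributed, unattributed = defaultdict(int), []
    for src_ip, src_port, dst_ip, dst_port, nbytes in flows:
        if src_port in owner:
            pid, name = owner[src_port]
            attributed[(pid, name, dst_ip, dst_port)] += nbytes
        else:
            unattributed.append((src_ip, src_port, dst_ip, dst_port, nbytes))
    return dict(attributed), unattributed


def timeline(events, pid):
    """Ordered activity timeline for one process: (time, operation, path)."""
    return [(e["Time of Day"], e["Operation"], e["Path"])
            for e in events if e["PID"] == pid]


if __name__ == "__main__":
    events = parse_procmon(PROCMON_CSV)
    view = apply_filter(events)  # hide noisy system processes, keep the raw log
    attributed, stray = correlate(view, FLOWS)
    for (pid, name, ip, port), nbytes in attributed.items():
        print(f"{name} (PID {pid}) -> {ip}:{port}: {nbytes} bytes")
    print("unattributed flows:", stray)
    print("process tree (child -> parent):", process_tree(view))
    print("autostart writes:", persistence_writes(view))
    for entry in timeline(view, 4321):
        print(*entry)
```

Running it on the constructed data attributes the 512-byte flow to invoice.exe (PID 4321, spawned by explorer.exe) and the 2048-byte flow to chrome.exe, reports the flow to 192.0.2.9 as unattributed, and lists the Run-key write, which is the kind of process-to-network link ProcDOT draws as a graph edge.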