Malware Domain List

Malware Related => Malware Analysis => Topic started by: shinzou87 on April 12, 2011, 09:53:12 am

Title: Tell-tale signs of Malware capabilities
Post by: shinzou87 on April 12, 2011, 09:53:12 am
Hi there, I'm thinking of using YARA (http://code.google.com/p/yara-project/) as a first action when provided with a whole folder of samples.
My concept is to use the ability of YARA's rules to search binary or ASCII strings in files in order to determine what anti-malware capability it has, i.e. anti-debugging, anti-VM, or even NET USE or reverse shell, so that it would help to speed up the analysis process.

So far I have rules from HBGary's Fingerprint tool and from the Malware Analyst's Cookbook, as well as others that I have researched that will come in handy for finding embedded files in PDFs.
Such strings include simple ones like "/EmbeddedFiles", "/OpenAction", etc. for PDF files, or "SetWindowsHookEx" and "GetAsyncKeyState" for keylogging detection.

Are there any suggestions on other strings I could look for in files that are assumed to be already deobfuscated?
Or are there better tools out there to recommend?
Thanks a lot guys! =D
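A small capability tagger built on the same idea, added here as an example (it is not code from the thread or from YARA): it tags each file with the capabilities its strings suggest, matching every string as ASCII or UTF-16LE the way YARA's `ascii wide` modifier does, and requires both keylogging strings before tagging because SetWindowsHookEx alone is common in benign software. The capability names, the hit threshold and the sample bytes are constructed for this example.

```python
import re
from pathlib import Path

# Indicator strings per capability, matched as bytes so PE files and PDFs are
# scanned alike. The second tuple element plays the role of YARA's "N of them"
# condition. The PDF and keylogging strings are the ones named in the thread;
# the capability names and thresholds are an assumption of this example.
CAPABILITIES = {
    "pdf_embedded_files": ([b"/EmbeddedFiles"], 1),
    "pdf_open_action":    ([b"/OpenAction"], 1),
    # SetWindowsHookEx is used by plenty of legitimate software, so require
    # both strings before tagging, like YARA's "all of them".
    "keylogging":         ([b"SetWindowsHookEx", b"GetAsyncKeyState"], 2),
}

def _pattern(s: bytes) -> re.Pattern:
    """Match the string either as ASCII or as UTF-16LE (YARA 'ascii wide')."""
    wide = s.decode("ascii").encode("utf-16-le")
    return re.compile(re.escape(s) + b"|" + re.escape(wide))

COMPILED = {
    name: ([(s, _pattern(s)) for s in strings], min_hits)
    for name, (strings, min_hits) in CAPABILITIES.items()
}

def scan_bytes(data: bytes) -> dict:
    """Return {capability: [matched strings]} for every capability whose
    number of distinct matched strings reaches its threshold."""
    found = {}
    for name, (pairs, min_hits) in COMPILED.items():
        hits = [s.decode("ascii") for s, pat in pairs if pat.search(data)]
        if len(hits) >= min_hits:
            found[name] = hits
    return found

def scan_folder(folder: str) -> dict:
    """Scan every regular file in a folder: {filename: capabilities}."""
    return {p.name: scan_bytes(p.read_bytes())
            for p in sorted(Path(folder).iterdir()) if p.is_file()}

# Constructed samples standing in for a folder of deobfuscated files.
SAMPLES = {
    "dropper.pdf": b"%PDF-1.4\n1 0 obj<</OpenAction 2 0 R /Names<</EmbeddedFiles 3 0 R>>>>endobj\n",
    "agent.exe": b"MZ\x90\x00" + "SetWindowsHookEx".encode("utf-16-le") + b"\x00\x00GetAsyncKeyState\x00",
    "tool.exe": b"MZ\x90\x00SetWindowsHookEx\x00",  # one keylogging string only: not tagged
}

if __name__ == "__main__":
    for fname, data in SAMPLES.items():
        print(fname, scan_bytes(data))
```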
Title: Re: Tell-tale signs of Malware capabilities
Post by: shinzou87 on April 15, 2011, 03:47:15 am
Currently I can detect the following capabilities of malware with a fast scan:
1) Writing MSR
2) Embedded EXEs
3) VM Detection
4) Encoding (Encryption/Compression)
5) IRC usage
6) Network Sniffing
7) Spam
8) URL Callback
9) IP Callback
10) PDF Embedded Files
11) PDF JavaScript Execution
12) Keylogging
13) Anti Debugging

I'm still unable to search thoroughly for Reverse Shell and NET USE capabilities...