Author Topic: Tell-tale signs of Malware capabilities  (Read 3292 times)


April 12, 2011, 09:53:12 am

shinzou87

Hi there, I'm thinking of using YARA (http://code.google.com/p/yara-project/) as a first action when provided with a whole folder of samples.
My concept is to use the ability of YARA's rules to search binary or ASCII strings in files in order to determine what anti-malware capability it has, i.e. anti-debugging, anti-VM, or even NET USE or reverse shell, so that it would help to speed up the analysis process.

So far I have rules from HBGary's Fingerprint tool as well as those from the Malware Analyst's Cookbook, as well as others that I have researched that will come in handy in finding embedded files in PDFs.
Such strings include simple ones like "/EmbeddedFiles", "/OpenAction", etc. for PDF files or "SetWindowsHookEx" and "GetAsyncKeyState" for keylogging detection.

Are there any suggestions on other strings I could look for in files that are assumed to be already deobfuscated?
Or are there better tools out there to recommend?
Thanks a lot guys! =D
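As an added illustration of the triage idea in the post above (this is example code written for this page, not the poster's rules and not part of YARA itself), the script below does what a small YARA rule set does: each "rule" is a list of indicator strings plus a threshold for how many must be present. The indicators are the ones named in the post ("/EmbeddedFiles", "/OpenAction", "SetWindowsHookEx", "GetAsyncKeyState") plus the well-known PDF "/JavaScript" and "/JS" keys and the Win32 IsDebuggerPresent / CheckRemoteDebuggerPresent imports; the rule names, thresholds and the sample byte strings are constructed for the example. It also matches the UTF-16LE ("wide") form of every string, which is the detail a plain ASCII grep of Windows binaries most often gets wrong, and which YARA handles with its `wide` modifier.

```python
"""Minimal string-based capability triage in the spirit of a YARA rule set.

Each rule maps to (indicator strings, minimum distinct indicators required).
Strings are matched in both ASCII and UTF-16LE ("wide") encodings, because
many Windows imports and registry/PDF keywords appear only in wide form.
"""
from pathlib import Path

# Constructed rule set for the example (names and thresholds are assumptions).
RULES = {
    "pdf_embedded_files": (["/EmbeddedFiles", "/OpenAction"], 1),
    "pdf_javascript":     (["/JavaScript", "/JS"], 1),
    # Require both APIs: either one alone is common in benign GUI code.
    "keylogging":         (["SetWindowsHookEx", "GetAsyncKeyState"], 2),
    "anti_debugging":     (["IsDebuggerPresent", "CheckRemoteDebuggerPresent"], 1),
}


def encodings(indicator):
    """ASCII and UTF-16LE byte forms of one indicator string."""
    return [indicator.encode("ascii"), indicator.encode("utf-16-le")]


def matched_indicators(data, indicators):
    """Return the indicators (in rule order) found in data in either encoding."""
    return [ind for ind in indicators
            if any(enc in data for enc in encodings(ind))]


def scan_bytes(data):
    """Return {rule_name: [matched indicators]} for every rule whose threshold is met."""
    results = {}
    for name, (indicators, minimum) in RULES.items():
        hits = matched_indicators(data, indicators)
        if len(hits) >= minimum:
            results[name] = hits
    return results


def scan_folder(folder):
    """Scan every regular file in a folder; returns {filename: scan_bytes result}."""
    return {p.name: scan_bytes(p.read_bytes())
            for p in Path(folder).iterdir() if p.is_file()}


# Constructed sample inputs (not real malware): a PDF catalog fragment, a fake
# PE import table in ASCII, and a fake binary carrying only the wide-string form.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R "
              b"/Names << /EmbeddedFiles 3 0 R >> >> endobj")
SAMPLE_EXE_ASCII = (b"MZ\x90\x00" + b"\x00" * 16 +
                    b"user32.dll\x00SetWindowsHookExA\x00GetAsyncKeyState\x00")
SAMPLE_EXE_WIDE = b"MZ\x90\x00" + "IsDebuggerPresent".encode("utf-16-le")

if __name__ == "__main__":
    for label, blob in [("pdf", SAMPLE_PDF), ("exe_ascii", SAMPLE_EXE_ASCII),
                        ("exe_wide", SAMPLE_EXE_WIDE)]:
        print(label, scan_bytes(blob))
```

The threshold per rule is where most of the signal quality lives: a single import such as GetAsyncKeyState is present in plenty of legitimate software, so requiring the pair cuts noise, while PDF keys like "/EmbeddedFiles" are rare enough that one hit is worth flagging. As the post notes, this only works on samples that are already deobfuscated or unpacked; packed or encrypted strings will not be visible to any string-based rule.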

April 15, 2011, 03:47:15 am
Reply #1

shinzou87

Currently I can detect the following capabilities of malware with a fast scan:
1) Writing MSR
2) Embedded EXEs
3) VM Detection
4) Encoding (Encryption/Compression)
5) IRC usage
6) Network Sniffing
7) Spam
8) URL Callback
9) IP Callback
10) PDF Embedded Files
11) PDF JavaScript Execution
12) Keylogging
13) Anti-Debugging

I'm still unable to search thoroughly for Reverse Shell and NET USE capabilities...