Showing posts with label Malware. Show all posts

Tuesday, September 6, 2011

FireEye Advanced Threat Report 1H2011

FireEye malware trend analysis report for Q1–Q2 2011

http://www.fireeye.com/resources/pdfs/FireEye_Advanced_Threat_Report_1H2011.pdf

Thursday, August 4, 2011

YARA v1.6!

“YARA is a malware identification and classification tool. It is aimed at helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families based on textual or binary patterns contained on samples of those families. Each description consists of a set of strings and a Boolean expression which determines its logic.
It is multi-platform, running on Windows, Linux and Mac OS X, and can be used through its command-line interface or from your own Python scripts with the yara-python extension.”

This is the official change log:
  • Added support for bitwise operators
  • Added support for multi-line hex strings
  • Scan speed improvement for regular expressions (with PCRE)
  • Yara-python ported to Python 3.x
  • Yara-python support for 64-bits Python under Windows
  • BUGFIX: Buffer overflow in error printing
Download YARA v1.6 (yara-1.6-win32.zip/yara-1.6.tar.gz) here.

Thursday, June 23, 2011

Malicious document analysis tools and methods

From classic executable malware through to today's APT attacks delivered by social-engineering e-mail, intrusions are carried out with malicious documents (PDF, Office and similar files). These documents hide malicious instructions (a payload) that download malware from outside onto the computer and run it (implanting a trojan), so stay alert, folks.

This post collects the resources available for malicious document analysis:

Malicious document analysis guide:
Analyzing Malicious Documents Cheat Sheet

Free online analysis tools:
1. Jsunpack
2. PDF Examiner
3. Wepawet
4. Gallus
5. Multi-engine antivirus scanners: VirusTotal, Jotti's Malware Scan, Filterbit and VirSCAN

Free local (offline) analysis tools:
1. PDF Tools
2. PDF Stream Dumper
3. Jsunpack-n
4. Peepdf
5. Origami
6. MalObjClass
7. pdf-parser_V0_3_7.zip
8. make-pdf_V0_1_1.zip
9. pdfid_v0_0_11.zip
10. PDFTemplate.zip


Related papers on malicious document analysis:
obfuscation_detection_pdf_files_peepdf
malicious-pdf-analysis-ebook
Getting Owned By Malicious PDF - Analysis
Reverse engineering a malicious PDF Part 1
Reverse engineering a malicious PDF Part 2
Reverse engineering a malicious PDF Part 3
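As an added example (not code from pdfid, peepdf or any tool listed above), here is a pdfid-style triage pass in Python: it counts the structural tokens and the name objects that most often mark a malicious PDF (scripting, auto-run actions, program launch, embedded files), and it first undoes the `#xx` hex escapes that the peepdf obfuscation paper describes, so that a name written as `/Java#53cript` is still counted as `/JavaScript`. The sample PDFs, the keyword list and the `triage` function are all constructed for this illustration.

```python
import re

# Keywords a pdfid-style triage counts. Name objects may hide keywords behind
# #xx hex escapes (/Java#53cript), so names are normalized before counting.
STRUCTURE = ("obj", "endobj", "stream", "endstream")
SUSPICIOUS = ("/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch",
              "/EmbeddedFile", "/RichMedia", "/ObjStm")
REASONS = (("/JS", "contains JavaScript"), ("/JavaScript", "contains JavaScript"),
           ("/OpenAction", "runs an action on open"), ("/AA", "runs an action on open"),
           ("/Launch", "launches an external program"),
           ("/EmbeddedFile", "carries an embedded file"),
           ("obfuscated_names", "uses #xx-escaped names"))

def normalize_names(data: bytes) -> bytes:
    # Replace each #xx escape with the byte it encodes (0x53 -> "S").
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def count_keywords(data: bytes) -> dict:
    plain = normalize_names(data)
    counts = {}
    for kw in STRUCTURE:          # whole-word match, so "obj" does not hit "endobj"
        pat = rb"(?<![A-Za-z])" + re.escape(kw.encode()) + rb"(?![A-Za-z])"
        counts[kw] = len(re.findall(pat, plain))
    for kw in SUSPICIOUS:         # a name ends at whitespace or a delimiter
        pat = re.escape(kw.encode()) + rb"(?![A-Za-z0-9])"
        counts[kw] = len(re.findall(pat, plain))
    # How many names in the raw file used hex escapes at all (itself a signal).
    counts["obfuscated_names"] = len(re.findall(rb"/[A-Za-z]*#[0-9A-Fa-f]{2}", data))
    return counts

def triage(data: bytes):
    c = count_keywords(data)
    reasons = []
    for key, why in REASONS:
        if c[key] and why not in reasons:
            reasons.append(why)
    return bool(reasons), reasons, c

# Constructed sample: a minimal PDF whose /OpenAction points at a JavaScript
# action, with /JavaScript and /JS disguised as /Java#53cript and /J#53.
SAMPLE_PDF = (b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /Java#53cript /J#53 (app.alert('hello')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n")
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
```

`triage(SAMPLE_PDF)` flags the file for JavaScript, an auto-run action and escaped names, while `triage(BENIGN_PDF)` returns no reasons; a plain byte search for `/JavaScript` would have missed the first one.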

Wednesday, June 22, 2011

Simple malware analysis with a tool

Today's tool is Malware Analyser 3.1 - Download from Here
This is a free malware analysis tool that performs static and dynamic analysis, supports the Windows platform, and is very easy to pick up.

Malware Analyser 3.1 features:

1. String-based analysis for registry keys, API calls, IRC commands, DLLs called and VM-aware checks.
2. Displays detailed PE headers with all section details, import and export symbols, etc.
3. On Linux distros, can perform an ASCII dump of the PE along with other options (check the --help argument).
4. On Windows, it can generate the various sections of a PE: DOS Header, DOS Stub, PE File Header, Image Optional Header, Section Table, Data Directories, Sections.
5. ASCII dump on Windows machines.
6. Code analysis (disassembling).
7. Online malware checking (www.virustotal.com) - it automatically submits the MD5 to VirusTotal for comparison.
8. Checks for packers against its database.
9. Tracer functionality: can be used to identify anti-debugging call tricks, file system manipulation calls, rootkit hooks, keyboard hooks, DEP setting changes, and network identification traces.
10. Signature creation: allows creating a signature for the malware.
11. Batch mode scan to scan all DLLs and EXEs in directories and sub-directories.

Usage:
command:
run sample.exe
run gh0st.exe

run sample.exe > malware.txt  (saving the analysis log to a file makes it easier to read)

Note: the tool is only an aid, not a 100% detection rate. For special samples crafted to evade signature matching and dynamic analysis (FUD, "fully undetectable"), common analysis tools basically cannot detect them!