pen-test

Re: Analize Virus

To: "Rafa Richart" <rafa@ontinet.com>
Subject: Re: Analize Virus
From: "Andre' - SemperSecurus" <sempersecurus@gmail.com>
Date: Thu, 2 Aug 2007 11:39:38 -0400
Cc: pen-test@securityfocus.com
In-reply-to: <1862113696.20070731192813@ontinet.com>
References: <1862113696.20070731192813@ontinet.com>
My $.02

For static or code analysis, I use IDAPro or Ollydbg as well as good
old 'strings' and 'objdump'. I've also been starting to play with PE
Explorer lately.

For dynamic studies, I'll run wireshark on my host system and use a
combo of Winalysis, Process Explorer, filemon, and fport. Lately, I've
been kicking SysAnalyzer around a bit.

Keep in mind, more and more malware is becoming VMWare aware, so a
hardware solution such as a CoreRestore card might be a good
investment.

In general:

Behavioral Analysis:
Wireshark
Process Monitor
Process Explorer
FileMon
RegMon
TCPView
Winalysis
SysAnalyzer
Snort
tcpdump

Static Analysis:
AV Scanners
IDA Pro
Ollydbg
strings
Various unpackers
PE Explorer
LordPE
Google

HTH



On 7/31/07, Rafa Richart <Rafa@ontinet.com> wrote:
>
> Hi Pals,
>
> we're looking for some tools to analyze malware behavior. We have a lab
> under construction, but we need some advice on what tools we should use: tools
> to see what has been changing the registry, connection status, etc...
>
> Any help is welcome.
>
> Thanks in advance
>
> Rafa
>


-- 
Andre' M. Di Mino - SemperSecurus
The Shadowserver Foundation
http://www.shadowserver.org