Automatically Analyzing Malware

Friday, January 13, 2006
With the help of tools like mwcollect, nepenthes, and Multipot it is very easy to collect binary samples of spreading worms, bots, and other malware. These samples are often not yet recognized by current anti-virus engines, so the binaries have to be analyzed by hand, which is a time-consuming and error-prone task.

A quick and dirty analysis of a captured binary can be performed with the help of the Norman Sandbox (technical whitepaper). This tool executes the binary in an emulated environment and records what the sample does at runtime. A sample report and more live data are available at the website. You will also notice that binaries captured with the help of nepenthes can be submitted to the sandbox automatically.

While this is a nice tool, it would be more interesting to be able to carry out such an analysis at home, without having to submit the binary to a central server. In the diploma thesis entitled "Automatic Behaviour Analysis of Malware", Carsten Willems will implement such a tool. More information can be found in the description of the thesis, and I will regularly publish updates here.
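To make concrete what "extracting information during runtime" buys you, here is an added example (my own code, not the Norman Sandbox, not the tool from the thesis) that turns a hooked-API-call trace into the kind of behaviour report a sandbox produces. The trace format, the function names and the sample lines are constructed for this example; the point is the reduction step from raw calls to "dropped an executable, registered it under the Run key, joined an IRC server", which is what makes a report useful when the anti-virus engine has no signature yet.

```python
"""Reduce a runtime API-call trace to a behaviour summary.

Added example: not code from the original post, from the Norman Sandbox,
or from the "Automatic Behaviour Analysis of Malware" thesis. The trace
format ("pid api(args)") and the sample lines are constructed here.
"""
import re

# Constructed trace of a typical IRC bot: one hooked API call per line.
SAMPLE_TRACE = """\
1234 CreateFileW("C:\\WINDOWS\\system32\\msupdate.exe", GENERIC_WRITE)
1234 WriteFile("C:\\WINDOWS\\system32\\msupdate.exe", 31744)
1234 RegSetValueExA("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "MS Update", "C:\\WINDOWS\\system32\\msupdate.exe")
1234 CreateProcessA("C:\\WINDOWS\\system32\\msupdate.exe")
1234 CreateMutexA("xxSySt3mUpdatexx")
1235 gethostbyname("irc.example.net")
1235 connect("192.0.2.10", 6667)
1235 send("NICK [DE|XP]4711\\r\\n")
1235 CreateFileW("C:\\WINDOWS\\Temp\\log.txt", GENERIC_READ)
this line is garbage and must be skipped
"""

LINE_RE = re.compile(r'^(?P<pid>\d+)\s+(?P<api>\w+)\((?P<args>.*)\)\s*$')
# Either a double-quoted string (backslash escapes allowed) or a bare token.
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|([A-Za-z0-9_.:]+)')
# Registry paths that make a value an autostart entry (lower-cased substrings).
AUTOSTART_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")


def parse_trace(text):
    """Yield (pid, api, [args]) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [bare or quoted for quoted, bare in ARG_RE.findall(m.group("args"))]
        yield int(m.group("pid")), m.group("api"), args


def summarize(text):
    """Group the calls by behaviour category and cross-reference persistence."""
    files_written, files_read = set(), set()
    processes, mutexes, dns, connections = set(), set(), set(), set()
    autostart = []
    for _pid, api, args in parse_trace(text):
        # Fold ANSI/wide variants: CreateFileW and CreateFileA -> CreateFile.
        base = api.rstrip("AW")
        if base == "CreateFile" and len(args) >= 2:
            (files_written if "WRITE" in args[1] else files_read).add(args[0])
        elif base == "WriteFile" and args:
            files_written.add(args[0])
        elif base == "RegSetValueEx" and len(args) >= 3:
            if any(k in args[0].lower() for k in AUTOSTART_KEYS):
                autostart.append((args[0], args[1], args[2]))
        elif base == "CreateProcess" and args:
            processes.add(args[0])
        elif base == "CreateMutex" and args:
            mutexes.add(args[0])
        elif base == "gethostbyname" and args:
            dns.add(args[0])
        elif base == "connect" and len(args) >= 2:
            connections.add((args[0], int(args[1])))
    # An executable the sample wrote itself and then registered for autostart
    # is the classic "install and persist" pattern worth flagging on its own.
    persistent = sorted(v for _, _, v in autostart if v in files_written)
    return {
        "files_written": sorted(files_written),
        "files_read": sorted(files_read),
        "autostart": autostart,
        "processes": sorted(processes),
        "mutexes": sorted(mutexes),
        "dns": sorted(dns),
        "connections": sorted(connections),
        "persistent_executables": persistent,
    }


if __name__ == "__main__":
    for category, entries in summarize(SAMPLE_TRACE).items():
        print(f"{category}:")
        for e in entries:
            print(f"  {e}")
```

The folding of `...A`/`...W` suffixes is a deliberate shortcut: real traces need a table of the hooked APIs, since a few names legitimately end in A or W. Everything the report says is traceable to a line in the trace, which is what you want when deciding whether an unknown binary from nepenthes is worth a full manual analysis.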

EUSecWest: Security Masters Dojo on Honeynets

Friday, January 13, 2006
An announcement from me: Maximillian Dornseif and I will teach a Security Masters Dojo entitled Advanced Honeypot Tactics at EUSecWest in February. In this one-day seminar we will focus on low-interaction honeynets: Maximillian will talk about honeyd and its uses, and I will teach you how to use nepenthes / mwcollect. Moreover, we will show how honeypots can be used to protect the infrastructure of a company, along with several other applied techniques. The seminar will be a hands-on course with lots of exercises.
