Automatically Analyzing Malware

With the help of tools like mwcollect, nepenthes, and Multipot it is very easy to collect binary samples of spreading worms, bots, and other malware. These samples are often not recognized by current anti-virus engines, so it is frequently necessary to analyze the binaries by hand. This is a time-consuming and error-prone task.

A quick and dirty analysis of a captured binary can be performed with the help of the Norman Sandbox (technical whitepaper). This tool executes the binary in an emulated environment and extracts information during runtime. A sample report and more live data are available at the website. You will notice that it is possible to automatically submit binaries captured with the help of nepenthes to the sandbox.

While this is a nice tool, it would be more interesting to be able to carry out such an analysis at home, without the need to submit the binary to a central server. In the diploma thesis entitled "Automatic Behaviour Analysis of Malware" Carsten Willems will implement such a tool. More information can be found in the description of the thesis and I will regularly publish updates here.

Trackbacks

  1. CWSandbox: First Results

    Some time ago I blogged about the diploma thesis on "Automatic Behaviour Analysis of Malware" by Carsten Willems that I supervise. Preliminary results are now available and we will start a beta test soon. Below you find the (rather detailed) results of an

Comments

    No comments