I have developed a Safari 6 extension in order to search virustotal.com (e.g. by MD5 hash or keywords).
All the details and download links can be found here: http://www.simonganiere.ch/tools/
For any comments or bug reports, contact me on Twitter: @sganiere
Malware analysis usually involves the use of virtual machines (VMs) such as VMware, VirtualBox and plenty of other virtualisation solutions. Those are the main virtualisation products, but virtualisation is also used in sandboxes and other testing environments such as Virustotal, Anubis, etc. There are many reasons for using a virtual environment for such analysis. In particular, it gives the ability to run malicious code in a controlled manner. You can customize your VM to meet your needs, install vulnerable software, change the configuration, etc. Not to mention the ability to start from scratch and restore a previous snapshot. You can do it the “old” way by running the malicious executable directly on your operating system, but you will take a little more risk, not to mention the time you will lose restoring your system.
Continue reading “Malware anti-VM technics”
You can find the latest honeypot results at the following URL: http://honeypot.simonganiere.ch (or use the above link in the menu).
This page is updated on a daily basis with the latest stats from the honeypot. You will find the stats for the last 30 days for various protocols and other useful information such as Virustotal.com links, etc.
Enjoy and stay tuned for other news!
After the (very) high-level introduction of part I, we are going to go a little bit deeper into the subject. Let’s start by having a closer look at the memory (RAM) and the related registers (e.g. general purpose registers, segment registers, EFLAGS and EIP). The goal is not to make a complete overview of how RAM works, but to keep in mind the overall objective: malware analysis. Therefore we won’t review everything, and we will reduce the scope to the x86 (32-bit) architecture (as it’s the most common architecture).
Continue reading “Introduction to x86 Assembly Language – Part II”
Under OS X, if you are interested in finding out which processes are using the internet, you can use the following command:
lsof -i -P -n
This command normally lists all the open files on the system, but with the -i option it lists only the “internet” (network) files. The -P and -n options keep ports and addresses numeric instead of resolving them to names, so the output is faster and does not trigger DNS lookups. Continue reading “[OS X] List processes using internet”
This article is an attempt to introduce some of the key concepts of x86 Assembly Language. It will focus on how the language is used by malware analysts to understand what a malicious software is doing and how it has been programmed by its author. Before going into more detail, this article will explain some of the general concepts and why assembly code is used to do malware analysis.
Continue reading “Introduction to x86 Assembly Language – Part I”
Here are the latest graphs of my honeypot. Overall “normal traffic”, with the exception of several attempts to download a file named “h.exe” from a particular IP address. However, it seems that this host has been cleaned in the meantime, as all attempts result in a “404 Not Found”.
[Update] I have done a bit more research regarding this particular IP address. It seems that this host has been used for other pieces of malware based on the Malc0de database:
Continue reading “[Update] Honeypot results June 2012”