  1. osfijwoei390WEFw23sf on Mon 19 Oct 2009, 06:56:47 AM UTC

    What tools/methods do you use to look at malware sites?

    I'm wondering what tools/methods you guys use to analyze suspicious links to websites that are posted here and on malware lists. Do you guys actually visit them on your home computer's browser or do you use a virtual machine? If you use a virtual machine, are you still not concerned about the security risk of drive-by exploits that may be able to compromise the virtual machine and move out into your host system? Example: the VMware exploits that can let programs in a virtual machine move out into a Windows host.

    When I see the links to the malware sites on the forums or on Google, I never visit them because I know that is asking for trouble even if I use a virtual machine. Hence, it is kind of tough to rate or comment on a list of malware sites without risking infection.

Comments:

  1. Warxas on Mon 19 Oct 2009, 07:35:57 AM UTC


    Hi osfijwoei390WEFw23sf!
    This was discussed a little while ago, check out MysteryFCM's post.

    I think it is pretty close to what you are asking. Welcome to WOT!

  2. Delan Azabani on Mon 19 Oct 2009, 08:01:09 AM UTC

    Wow...hard to type

    Wow...hard to type username... :P

    • Warxas on Mon 19 Oct 2009, 08:04:35 AM UTC

      I

      Copied and pasted, haha.
      But I can tell you this, it's original!! :D

  3. LiVeRpUdLiAn932 on Mon 19 Oct 2009, 09:16:29 AM UTC

    ...

    Did somebody just encrypt his username? :P
    You'll Never Walk Alone

  4. g7w on Mon 19 Oct 2009, 08:31:47 PM UTC

    re: What tools/methods do you use to look at malware sites?

    WOT Wiki::Tools
    That's what I use... ;-)

    Welcome to WOT Forum.
    -------
    WOT Services Ltd. - gives us safety through Web of Trust.
    WOT Community - gives us security through unity.
    Thank you all
    - G7W

  5. amishrabbit on Mon 19 Oct 2009, 08:35:29 PM UTC

    VMWare Workstation and Network Miner

    Got a research VM image, clean snapshot. I open it up, launch IE, and browse the site in question. Meanwhile, on the host OS, I'm running Network Miner, pointing it at the virtual NIC, and capturing files/images/scripts/PE files off the wire.

    edit: http://networkminer.sourceforge.net/

    • g7w on Mon 19 Oct 2009, 08:54:53 PM UTC

      Thanks

      Added the link to the Miscellaneous section of Tools on the Wiki.
      -------
      WOT Services Ltd. - gives us safety through Web of Trust.
      WOT Community - gives us security through unity.
      Thank you all
      - G7W
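The workflow amishrabbit describes above, a VM browsing the site while the host captures files off the virtual NIC, can be reproduced in miniature with a small carver over a pcap. The following is an added example, not code from the thread or from NetworkMiner; the helper names (build_frame, build_pcap, tcp_streams, carve_http_bodies) and the single-segment capture it constructs in memory are assumptions, and it records only the content type, size and SHA-256 of each HTTP response body so the hash can be checked against a scanner or a clean snapshot without executing anything.

```python
import hashlib
import struct

# Constructed sample: one TCP segment carrying an HTTP response with a fake MZ file
FAKE_FILE = b"MZ" + b"\x90" * 30
HTTP_RESP = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
             b"Content-Length: %d\r\n\r\n" % len(FAKE_FILE)) + FAKE_FILE

def build_frame(payload, src=b"\x0a\x00\x00\x02", dst=b"\x0a\x00\x00\x01"):
    # Ethernet/IPv4/TCP headers; checksums left zero, which an offline parser ignores
    tcp = struct.pack("!HHIIBBHHH", 80, 49152, 1, 1, 0x50, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src, dst) + tcp
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # libpcap global header
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f  # per-record header
    return out

SAMPLE_PCAP = build_pcap([build_frame(HTTP_RESP)])  # constructed capture, not real traffic

def tcp_streams(pcap):
    """Concatenate TCP payloads per (src, dst, sport, dport); assumes in-order segments."""
    streams, off = {}, 24
    while off + 16 <= len(pcap):
        incl = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00" or frame[14 + 9] != 6:  # IPv4 over Ethernet, TCP only
            continue
        ip = frame[14:]
        tcp = ip[(ip[0] & 0xF) * 4:struct.unpack("!H", ip[2:4])[0]]  # IHL .. total length
        key = (ip[12:16], ip[16:20]) + struct.unpack("!HH", tcp[:4])
        streams[key] = streams.get(key, b"") + tcp[(tcp[12] >> 4) * 4:]  # skip data offset
    return streams

def carve_http_bodies(pcap):
    """One record per HTTP response body: content type, size, SHA-256 and an MZ-header flag."""
    found = []
    for data in tcp_streams(pcap).values():
        while data.startswith(b"HTTP/1."):  # several responses may share one connection
            head, _, rest = data.partition(b"\r\n\r\n")
            hdrs = {k.strip().lower(): v.strip() for k, _, v in
                    (l.decode("latin-1").partition(":") for l in head.split(b"\r\n")[1:])}
            n = int(hdrs.get("content-length", len(rest)))
            body, data = rest[:n], rest[n:]
            found.append({"type": hdrs.get("content-type", "?"), "size": len(body),
                          "sha256": hashlib.sha256(body).hexdigest(), "pe": body[:2] == b"MZ"})
    return found
```

Chunked transfer encoding, retransmissions and out-of-order segments are not handled here; a real capture from the VM's NIC needs a full reassembler such as NetworkMiner for those.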

  6. jpvip on Mon 19 Oct 2009, 10:56:33 PM UTC

    A few of my Misc. tools...

    iDefense Malcode Analysis Tools
    It contains SysAnalyzer, which "is an automated malcode run time analysis application that monitors various aspects of system and process states.

    SysAnalyzer was designed to enable analysts to quickly build a comprehensive report as to the actions a binary takes on a system. "

    It also contains a Malcode Analyst Pack: "The Malcode Analyst Pack contains a series of utilities that were found to be necessary tools while doing rapid malcode analysis."

    It also contains HookExplorer: "HookExplorer is a small utility designed to scan a target process and identify any user land hooks that may be installed by unknown code. "

    You will also see: "Multipot is an emulation based honeypot designed to capture malicious code which spreads through various exploits across the net. Design specifications for this project mandated that the captures be done in such a way so that the host machine would require only minimal supervision and would not itself risk getting infected. Multipot was designed to emulate exploitable services to safely collect malicious code."

    More info and link: http://labs.idefense.com/software/malcode.php

    CurrPorts by NirSoft
    "CurrPorts is network monitoring software that displays the list of all currently opened TCP/IP and UDP ports on your local computer. For each port in the list, information about the process that opened the port is also displayed, including the process name, full path of the process, version information of the process (product name, file description, and so on), the time that the process was created, and the user that created it. "

    More info and link: http://www.nirsoft.net/utils/cports.html

    HashTab
    "HashTab provides OS extensions to calculate file hashes. HashTab supports many hash algorithms such as MD5, SHA1, SHA2, RipeMD, HAVAL and Whirlpool. Hashtab is supported as a Windows shell extension and a Mac Finder plugin. HashTab provides an easy way to verify file integrity and authenticity."

    More info and link: http://beeblebrox.org/hashtab/

    PXServer WinAudit
    "PC audit and inventory of software, licenses, security configuration, hardware, network settings..."

    More info and link: http://www.pxserver.com/WinAudit.htm

    ~DragonMaster Jay, malware researcher,
    Admin, helpmyos.com

    • g7w on Tue 20 Oct 2009, 12:33:34 AM UTC

      a bit off topic ...

      Check out www.bullzip.com
      -------
      WOT Services Ltd. - gives us safety through Web of Trust.
      WOT Community - gives us security through unity.
      Thank you all
      - G7W