Getting to Know Malware IX - Malware CookBook + Tools


Hey, here we go with the ninth installment of Getting to Know Malware, this time with a contribution to our knowledge: the excellent book Malware Analyst's Cookbook, which comes with practical advice the authors have put together for understanding and fighting malware. Worth noting: this book is not, let's say, a cumbersome catalogue of every malware analysis technique, but it does contain very practical tools and approaches, along with everything related to commands and tools; you will draw your own summary and takeaways from it. It is a book I read on my Kindle whenever I have some time or get bored with my own stuff; my aspiration is to end up working as a malware analyst, since this world really fascinates me.

To learn more about the book, you can visit its official page, where the tools were released on Google Code (Source Malware Cookbook), and of course there is also the
Malware CookBook PDF direct download.

A list of the tools, taken from the official page (several entries on the page have lost their file names; the descriptions are kept as they appear):

* Multi-platform TOR-enabled URL
* wwwhoney.tgz: CGI scripts to accept submissions from nepenthes and dionaea honeypots
* Convert ClamAV antivirus signatures to YARA rules
* Convert PEiD packer signatures to YARA rules
* Script to implement your own antivirus multi-scanner
* Detect malicious PE file attributes
* Detect self-mutating code on live Windows systems using ssdeep
* Command-line interface to VirusTotal, ThreatExpert, Jotti, and NoVirusThanks
* Malware artifacts database manager
* Application to scan live Windows systems for artifacts (files, Registry keys, mutexes) left by malware
* Create static PNG images of IP addresses plotted on a map using GeoIP
* Create dynamic/interactive geographical maps of IP addresses using Google charts
* Script to produce disassemblies (via DiStorm) of shellcode and optionally apply an XOR mask
* Python class for automating malware execution in VirtualBox and VMware guests
* Sample automation script for VirtualBox based on that class
* Sample automation script for VMware based on that class
* Python class for building sandboxes with support for analyzing network traffic, packet captures, and memory
* RegFsNotify.exe: Tool to detect changes to the Registry and file system in real time (from user mode, without API hooks)
* HandleDiff.exe: Tool to detect changes to the handle tables of all processes on a system (useful to analyze the side effects of code-injecting malware)
* Kernel driver for monitoring notification routines, preventing processes from terminating, preventing files from being deleted, and preventing other drivers from loading
* cmd.exe: Custom command shell (cmd.exe) for logging malware activity and backdoor activity
* tsk-xview.exe: Cross-view based rootkit detection tool built on The Sleuth Kit API and Microsoft's Offline Registry API
* HTMLInjection Detector.exe: Detect HTML injection attacks on banking and financial websites
* RegRipper plug-in for printing a computer's routing table
* RegRipper plug-in for printing files that are pending deletion
* RegRipper plug-in for printing processes that malware prevents from running
* RegRipper plug-in for printing ShellExecute hooks (a method of DLL injection)
* Parse::Win32Registry module to extract and examine cryptography certificates stored in Registry hives
* Parse::Win32Registry module for finding hidden binary data in the Registry
* scloader.exe: Executable wrapper for launching shellcode in a debugger
* Immunity Debugger PyCommand for finding shellcode in arbitrary binary files
* Immunity Debugger PyCommand for finding inline-style user-mode API hooks
* WinAppDbg plug-in for monitoring API calls, alerting on suspicious flags/parameters and producing an HTML report
* Python library for encoding/decoding XOR, including brute-force methods and automated YARA signature generation
* Immunity Debugger PyCommand for assistance when rebuilding import tables with Import REconstructor
* Immunity Debugger PyCommand for cracking Kraken's Domain Generation Algorithm (DGA)
* Immunity Debugger PyCommand for decrypting Silent Banker strings
* rundll32ex.exe: Extended version of rundll32.exe that allows you to run DLLs in other processes, call exported functions, and pass parameters
* install_svc.bat: Batch script for installing a service DLL (for dynamic analysis of the DLL)
* Python script for installing a service DLL and supplying optional arguments to the service
* Python script for converting a DLL into a standalone executable
* DriverEntryFinder: Kernel driver to find the correct address in kernel memory to set breakpoints for catching new drivers as they load
* Python script to convert WinDbg output into data that can be imported into IDA
* WinDbgNotify.txt: WinDbg script for identifying malicious notification routines
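The list above mentions a Python library for XOR encoding/decoding with brute-force methods and automated YARA signature generation. To show what that technique looks like in practice, here is an added example of my own; it is not the book's library nor any code from the Cookbook's DVD. It brute-forces a single-byte XOR key against a constructed sample blob using a known-plaintext marker, cross-checks the key with the "most frequent byte is padding" heuristic, and emits a YARA rule that covers all 255 non-trivial single-byte XOR encodings of the marker. The blob, the URL inside it and the key 0x5A are all made up for the demonstration.

```python
"""Single-byte XOR brute force and YARA rule generation (added example)."""

# Constructed sample: a fake config blob (null padding around a made-up URL),
# encoded with the single-byte key 0x5A. Nothing here comes from a real sample.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = b"\x00" * 16 + b"http://c2.example.test/gate.php" + b"\x00" * 16


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key (encode and decode are the same)."""
    return bytes(b ^ key for b in data)


SAMPLE_ENCODED = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)


def brute_force_single_byte_xor(data: bytes, marker: bytes) -> list[tuple[int, int]]:
    """Try all 256 keys; return (key, offset) for each decoding that contains marker.

    Key 0 is tried on purpose: a hit there means the marker is already in the
    clear, which you want to know before declaring the blob "encoded".
    """
    hits = []
    for key in range(256):
        offset = xor_bytes(data, key).find(marker)
        if offset != -1:
            hits.append((key, offset))
    return hits


def guess_key_from_padding(data: bytes) -> int:
    """Heuristic: the most frequent byte in an encoded blob is usually
    0x00 XOR key, because PE files and configs carry long runs of nulls.
    Confirm the guess with a known-plaintext marker before trusting it."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return max(range(256), key=counts.__getitem__)


def yara_rule_for_xor_variants(name: str, plaintext: bytes, include_plain: bool = False) -> str:
    """Emit a YARA rule with one hex string per single-byte XOR key.

    Older YARA releases have no `xor` string modifier, so the classic approach
    is to precompute every variant. Key 0 (the plaintext itself) is skipped
    unless include_plain is set, because it would also match benign files that
    merely contain the string in the clear.
    """
    lines = [f"rule {name}", "{", "    strings:"]
    first = 0 if include_plain else 1
    for key in range(first, 256):
        hex_bytes = " ".join(f"{b ^ key:02x}" for b in plaintext)
        lines.append(f"        $k{key:02x} = {{ {hex_bytes} }}")
    lines += ["    condition:", "        any of them", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    hits = brute_force_single_byte_xor(SAMPLE_ENCODED, b"http://")
    print("brute-force hits (key, offset):", [(hex(k), o) for k, o in hits])
    print("padding heuristic key:", hex(guess_key_from_padding(SAMPLE_ENCODED)))
    key = hits[0][0]
    print("decoded:", xor_bytes(SAMPLE_ENCODED, key).strip(b"\x00").decode())
    print(yara_rule_for_xor_variants("xor_http_marker", b"http://"))
```

Two caveats when using this on real samples: the padding heuristic fails on blobs with no null runs (compressed or multi-byte-keyed data), so always confirm with the marker search; and a marker like `http://` is short enough that a 256-variant rule can fire on unrelated binary data, so add a second string or a file-size condition before deploying it as a detection.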

I hope you like it, and let's keep digging deeper into this little world of malware.


4 comments

  1. Good post, friend, I'll take the book, thanks

  2. Very good list of scripts and programs, thanks for the contribution (:

  3. You're welcome, both of you, the pleasure is mine to be able to share!


  4. A professor told me that if you have a dream and want to make it real, you have to give it shape.
    If you want to be a malware analyst, give it shape :)