In the past weeks I published several posts describing malware analysis tools and approaches at other blogs:
- Installing the REMnux Virtual Appliance for Malware Analysis: Starting with version 4, the REMnux virtual appliance is available as the Open Virtualization Format (OVF/OVA) file, which can be imported into most virtualization tools, such as VMware and VirtualBox. Extra: Explore other updates in the Announcement of the REMnux v4 Release.
- Automating Static Malware Analysis With MASTIFF: MASTIFF is an open source framework for automating static malware analysis. This tool, created by Tyler Hudak, determines the type of file that is being analyzed and then applies only the static analysis techniques that are appropriate for that file type. MASTIFF offers a useful way for performing triage on a large set of suspicious files. Extra: See my MASTIFF demo as part of the recorded What’s New in REMnux v4 for Malware Analysis webcast.
- Extracting Digital Signatures from Signed Malware: Sometimes attackers digitally sign their malicious software. Examining properties of the signature helps malware analysts understand the context of the incident. Moreover, analysts could use the signature as an indicator of compromise. Here are some tips and tools for determining whether a suspicious Windows executable has been signed and for extracting the embedded signature in a Linux environment. Extra: Check out steps to extract signatures from Apple .app files and Didier Steven’s AnalyzePESig tool.
- Tools for Examining XOR Obfuscation for Malware Analysis: There are numerous ways of concealing sensitive data and code within malicious files and programs. Fortunately, attackers use one particular XOR-based technique very frequently, because offers sufficient protection and is simple to implement. Here’s a look at several tools for deobfuscating XOR-encoded data during static malware analysis. Extra: Experiment with Thomas Chopitea’s unXOR tool.
Also, on my own blog I took a look at Cylance’s Accelerify tool for speeding up the lab system’s clock for malware analysis.
Updated May 18, 2013