RE: Exploit package analysis

From: Lars Troen (Lars.Troen_at_sit.no)
Date: 07/29/05

  • Next message: Mattias Ahnberg: "Re: Exploit package analysis"

Date: Fri, 29 Jul 2005 19:57:04 +0200
To: <pen-test@securityfocus.com>

>
> Anyhow, the site at http://virusscan.jotti.org/ will probably
> be of use.
> In the event that the previous site was not able to classify
> the suspected malware, I recommended running it on a separate
> box (or VM) and following its execution with softice, strace

Another free service that can be used is Norman sandbox
(http://sandbox.norman.com/). It's running the provided application
inside a Windows VM and reporting its actions regarding registry, file
system, network and its actions against many common applications. I've
used it many times where I'm in possession of a suspicious file and most
of the time it can tell me what it does. It will also report if this is
a known virus. But don't trust it blindly. I had an .exe file that I
found to contact a Russian IRC server, registering itself in Windows
startup etc, but Norman didn't find anything so it might be possible to
fool Norman sandbox too. But this service is still very useful for
finding out what an application does.

Lars
