Malware Scanner

Test against a sample to see if it's a malware.

Intro

This is a toy tool so please don't use it for commercial purposes. It uses existing engines to scan a file or a string and tells you whether or not it's a virus. It's small and extensible.

There are currently two versions but I'm focused on the online version. My desktop version is retired for now. Useful for quick look up on what's already out there.

As this is mostly static analysis, you could automate this into your analysis workflow. Typical workflow work like this, in short:
triage -> static analysis -> dynamic analysis -> report

The way static malware analysis usually works is you analyze the malware without running it. Your first step is to try to find the signature of a binary file.

Most major OS have some way of calculating the cryptographic hash of a file. You can also write one too as I did for the desktop version.

Following that, you can reverse engineer the sample by loading the binary file into a decompiler or disassembler such as IDA Pro.

Lab Setup

I recommend setting up an isolated lab. A poor man's working lab is a separate computer devoted to this task. It's more of an art than science. There are pre-existing tools you can use out there if you look it up. I recommend this setup because this was the setup I used:

  1. Setup Remnux (Default password: malware)
  2. Ensure there is enough space to clone
  3. When the terminal appears, run this:
    
                    update-remnux
                    sudo apt-get update
                    sudo apt-get upgrade
                    sudo apt-get install virtualbox-guest-utils virtualbox-guest-x11 virtualbox-guest-dkms
                  
  4. Clone this by selecting "Full clone"
  5. If you absolutely need a shared folder (a temporary one if you must): sudo adduser remnux vboxsf
  6. You will need to log out and back in for the effect to take place

Other techniques include verifying the filetype, using public databases and exploring the PE (portable executable, largely a Windows object).

Example Sample

Using "Bombermania.exe" as an example, start by checking the filetype. On most *nix boxes, you could just do this: file Bombermanmania.exe

This should yield: Bombermania.exe: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

You can also use Python's magic (pip install --user python-magic) but there are some inconsistencies with the results.

If you are able to find a way to get the hash of the file as I have, putting it into the Malware Scanner should yield some stuff like this:

  • MD5: 471d39a51a79f342033c5b0636c244dc
  • SHA-1: b0324ddd99677d9b0458c7328879f8fde268effc
  • SHA-256: 1154535130d546eaa33bbc9051a9cb91e2b0e3a3991286c3d5b0a708110c9aa7
  • File Type: Win32 EXE
  • Magic literal: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Additional detail includes when it was first submitted, creation date, etc. This one was (at the time of writing in 2017) created in 2005, first submitted in 2009.

You can dig into the PE. Often, you can determine whether or not the file is good based on the PE header alone. You can use PE-Header-Parser or Icon-Extractor.

Ultimately what you do depends on you or your organization's goal but your report should probably include the following at least:

  1. Title
  2. Date
  3. Author (contact information, etc.)
  4. Abstract (summary, etc.)
  5. Files
  6. Traits (hashes, size, other names, etc.)
  7. Analysis (figures, statistics, etc.)