Catching Windows Malware

Asphyxia

Owner
Administrator
Apr 25, 2015
I get pissed off when my Windows system gets infected (rarely), even more when a freaking server has been pwned (even more rarely).

Catching malware in a butterfly net is a secret hobby of mine.

Analyze files using densityscout to see if they are packed/encrypted executables. A great place to check could be around Windows files where an attacker may try hiding them.

pescan is another great piece of software for checking information like the file type, CPU (32 or 64 bit), and notes like "Debug section not present". This can highlight malware files, and it has a rating system. An unknown publisher can be worthy of checking into.

Analyzing executables with sigcheck can give you an idea whether something is suspicious also. There is a VT (Virus Total) scan option for files.

Running 10 tools and seeing the same file show up in 3, for example, can help narrow down a specific anomalous file. You do not have to run 10 tools on files; just keep in mind that multiple tools detecting a file can mark it more strongly as suspicious.

Finding an anomaly does not mean something is malware, but it gives you an initial point of interest to start scouting. It's like a face on a missing persons poster: look around for it and use discretion.

Similar to separating oil from water, using densityscout, pescan, and sigcheck can separate Windows (OS) from malware.

...

There is a lot more to come ;)
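The cross-tool correlation the post describes, as an added example rather than Asphyxia's own code: Shannon entropy stands in for densityscout's density score (an assumption, not its real formula), the pescan and sigcheck verdicts are constructed literals rather than parsed tool output, and the file contents are constructed stand-ins, not real binaries.

```python
import math
from collections import Counter, defaultdict

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, 8.0 for a uniform spread."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def flag_packed(files: dict, threshold: float = 7.0) -> set:
    """Density-style check (stand-in for densityscout's own score): a file whose
    byte distribution is close to the 8-bit maximum is likely packed or encrypted."""
    return {path for path, data in files.items() if shannon_entropy(data) >= threshold}

def rank_by_agreement(findings: dict) -> list:
    """findings maps tool name -> set of paths it flagged. Returns
    (path, number_of_tools, sorted_tool_names), most agreement first."""
    hits = defaultdict(set)
    for tool, paths in findings.items():
        for path in paths:
            hits[path].add(tool)
    ranked = [(path, len(tools), sorted(tools)) for path, tools in hits.items()]
    return sorted(ranked, key=lambda r: (-r[1], r[0]))

# Constructed stand-ins for files found under the Windows tree (not real binaries).
SAMPLE_FILES = {
    r"C:\Windows\System32\notepad.exe": b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 20,
    r"C:\Windows\Temp\svchost.exe": bytes(range(256)) * 8,  # every byte value equally often: looks packed
    r"C:\Windows\Temp\update.tmp": b"\x00" * 512,           # padding only, low density
}

def triage() -> list:
    # Constructed verdicts for the other two tools: pescan noting "Debug section not
    # present" on both Temp files, sigcheck reporting svchost.exe as unsigned.
    # A real run would parse each tool's output instead of using these literals.
    findings = {
        "densityscout": flag_packed(SAMPLE_FILES),
        "pescan": {r"C:\Windows\Temp\svchost.exe", r"C:\Windows\Temp\update.tmp"},
        "sigcheck": {r"C:\Windows\Temp\svchost.exe"},
    }
    return rank_by_agreement(findings)

if __name__ == "__main__":
    # Files flagged by one tool are still leads (a point of interest), just weaker ones.
    for path, count, tools in triage():
        print(f"{count} tool(s): {path}  <- {', '.join(tools)}")
```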