Antivirus Scanning: A Useful First Step

When first analyzing prospective malware, a good first step is to run it

through multiple antivirus programs, which may already have identified it.
But antivirus tools are certainly not perfect. They rely mainly on a database
of identifiable pieces of known suspicious code ( file signatures), as well as
behavioral and pattern-matching analysis (heuristics) to identify suspect
files. One problem is that malware writers can easily modify their code,
thereby changing their programs signature and evading virus scanners.
Also, rare malware often goes undetected by antivirus software because its
simply not in the database. Finally, heuristics, while often successful in
identifying unknown malicious code, can be bypassed by new and unique
malware.
Because the various antivirus programs use different signatures and
heuristics, its useful to run several different antivirus programs against the
same piece of suspected malware. Websites such as VirusTotal (http://www
.virustotal.com/) allow you to upload a file for scanning by multiple antivirus
engines. VirusTotal generates a report that provides the total number of
engines that marked the file as malicious, the malware name, and, if available, additional information about the malware.

Hashing: A Fingerprint for Malware

Hashing is a common method used to uniquely identify malware. The malicious software is run through a hashing program that produces a unique
hash that identifies that malware (a sort of fingerprint). The Message-Digest
Algorithm 5 (MD5) hash function is the one most commonly used for
malware analysis, though the Secure Hash Algorithm 1 (SHA-1) is also
popular.
For example, using the freely available md5deep program to calculate the
hash of the Solitaire program that comes with Windows would generate the
following output:
C:\>md5deep c:\WINDOWS\system32\sol.exe
373e7a863a1a345c60edb9e20ec3231 c:\WINDOWS\system32\sol.exe

The hash is 373e7a863a1a345c60edb9e20ec3231.

The GUI-based WinMD5 calculator, shown in Figure 1-1, can calculate
and display hashes for several files at a time.
Once you have a unique hash for a piece of malware, you can use it as
follows:

10

Use the hash as a label.

Share that hash with other analysts to help them to identify malware.

Search for that hash online to see if the file has already been identified.

Chapter 1

www.it-ebooks.info