Practical Malware Analysis 1.0043-0043 PDF

Running suspected malware through multiple antivirus programs is a good first step in analysis, as some may have already identified it based on signatures of known malicious code or behavioral analysis. However, antivirus tools are not perfect, as malware can evade detection by modifying code signatures or being new and unique. It is useful to upload files to sites like VirusTotal for scanning by multiple antivirus engines to generate a report of detections. Hashing malware using MD5 or SHA-1 generates a unique fingerprint that can be used to uniquely identify malware, share with other analysts, and search online to see if it has been identified.


Antivirus Scanning: A Useful First Step

When first analyzing prospective malware, a good first step is to run it through multiple antivirus programs, which may already have identified it. But antivirus tools are certainly not perfect. They rely mainly on a database of identifiable pieces of known suspicious code (file signatures), as well as behavioral and pattern-matching analysis (heuristics), to identify suspect files. One problem is that malware writers can easily modify their code, thereby changing their program's signature and evading virus scanners. Also, rare malware often goes undetected by antivirus software because it's simply not in the database. Finally, heuristics, while often successful in identifying unknown malicious code, can be bypassed by new and unique malware.
Because the various antivirus programs use different signatures and heuristics, it's useful to run several different antivirus programs against the same piece of suspected malware. Websites such as VirusTotal (http://www.virustotal.com/) allow you to upload a file for scanning by multiple antivirus engines. VirusTotal generates a report that provides the total number of engines that marked the file as malicious, the malware name, and, if available, additional information about the malware. Keep in mind that an uploaded file becomes available to VirusTotal's partner vendors, so when a sample may be sensitive or targeted, search by its hash first and upload only if nobody has seen it.

Hashing: A Fingerprint for Malware


Hashing is a common method used to uniquely identify malware. The malicious software is run through a hashing program that produces a fixed-length hash which, for practical purposes, is unique to that exact file (a sort of fingerprint); changing even a single byte of the file yields a completely different hash. The Message-Digest Algorithm 5 (MD5) hash function is the one most commonly used for malware analysis, though the Secure Hash Algorithm 1 (SHA-1) is also popular. Both have since been shown to be vulnerable to collision attacks, so current practice is to record a SHA-256 hash alongside MD5 and SHA-1; this does not change how a hash is used as a lookup key.
For example, using the freely available md5deep program to calculate the
hash of the Solitaire program that comes with Windows would generate the
following output:
C:\>md5deep c:\WINDOWS\system32\sol.exe
373e7a863a1a345c60edb9e20ec3231 c:\WINDOWS\system32\sol.exe

The hash is 373e7a863a1a345c60edb9e20ec3231.


The GUI-based WinMD5 calculator, shown in Figure 1-1, can calculate
and display hashes for several files at a time.
Once you have a unique hash for a piece of malware, you can use it as follows:

- Use the hash as a label.
- Share that hash with other analysts to help them to identify malware.
- Search for that hash online to see if the file has already been identified.
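The hashing workflow above, as an added example (this is not code from the book, from md5deep or from WinMD5): a Python script that hashes a file in one pass with MD5, SHA-1 and SHA-256, prints results in md5deep's output format, and demonstrates the point made in the antivirus section, that a one-byte change to a file yields an entirely different fingerprint, so a hash identifies one exact file and never a malware family. The sample bytes are constructed (they are not malware), and the VirusTotal hash-lookup URL format is an assumption not given on this page.

```python
"""Fingerprinting a sample by hash.

Added example for this page; not code from Practical Malware Analysis, md5deep or
WinMD5. Assumptions not in the original text: the SAMPLE bytes are constructed
(they are not malware), and the VirusTotal URL scheme in vt_lookup_url() is the
current web form, which the book does not give.
"""
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK = 1 << 20  # read 1 MiB at a time so a large sample never has to fit in memory


def hash_file(path, algorithms=ALGORITHMS):
    """Return {algorithm: hexdigest} for one file, all digests computed in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithm="md5"):
    """Digest of an in-memory buffer, used to cross-check hash_file()."""
    return hashlib.new(algorithm, data).hexdigest()


def md5deep_line(path):
    """One result in md5deep's output format: '<md5>  <path>'."""
    return f"{hash_file(path, ('md5',))['md5']}  {path}"


def differing_hex_digits(a, b):
    """Number of positions at which two equal-length hex digests differ."""
    if len(a) != len(b):
        raise ValueError("digests must come from the same algorithm")
    return sum(x != y for x, y in zip(a, b))


def vt_lookup_url(digest):
    """URL to search VirusTotal by hash instead of uploading (assumed current GUI scheme)."""
    return f"https://www.virustotal.com/gui/file/{digest}"


# Constructed stand-in for a sample: a DOS-stub-like header plus zero padding, NOT real malware.
SAMPLE = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 4096

# The same bytes with one padding byte flipped: the kind of trivial edit a malware author
# makes to defeat hash- and signature-based detection without changing behaviour.
PATCHED = bytearray(SAMPLE)
PATCHED[200] ^= 0x01
PATCHED = bytes(PATCHED)


def demo():
    """Write both versions to disk, hash them, and show how little the digests have in common."""
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for name, data in (("sample.bin", SAMPLE), ("sample_patched.bin", PATCHED)):
            paths[name] = os.path.join(d, name)
            with open(paths[name], "wb") as f:
                f.write(data)
        results = {name: hash_file(p) for name, p in paths.items()}
        for p in paths.values():
            print(md5deep_line(p))
        for alg in ALGORITHMS:
            a, b = results["sample.bin"][alg], results["sample_patched.bin"][alg]
            print(f"{alg}: {differing_hex_digits(a, b)}/{len(a)} hex digits differ after a 1-byte patch")
        print("search before uploading:", vt_lookup_url(results["sample.bin"]["sha256"]))
    return results


if __name__ == "__main__":
    demo()
```

Run it as a script to see the md5deep-style lines for the two files; the digests differ in nearly every hex digit even though the files differ in one byte, which is exactly why a hash works as an exact-file label but a repacked or patched variant needs its own hash.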

Chapter 1
