First of all, thanks for all the great feedback from everyone about Vera. Keep the feedback coming!
Vera 0.11 is out on the main Vera page. This release fixes a major memory leak for those of you who aren't running video cards with a gig of ram. This should also alleviate problems that were related to running under Windows XP. A future port to a wxWidgets version is underway. This will eventually allow for cross-platform versions, hopefully timed with the IDA QT release.
As always, please report bugs to dquist at this domain.
God's Unpacking tool for automated unpacking.
A generic unpacking tool works well against almost all the packers, except few.
Buster Sandbox Analyzer 1.23 has been released.
Actually the tool is being hosted here: http://bsa.isoftware.nl
Version 1.23 introduces the automatic malware analysis mode. This mode allows the analysis of multiple files without any user intervention.
New version also adds other features like the digital signature verification.
The tool can be downloaded directly from: http://bsa.isoftware.nl/bsa.rar
Buster Sandbox Analyzer makes the malware analysis accesible to everybody in a simple and safe manner.
A new version of YARA have been released. This version improves the scanning speed and fix an annoying bug which causes crashes on 64-bits Windows. It also introduces external variables, a feature that allows you to create rules dependent on variables provided from the outside world.
Get the latest documentation here
What is zero wine tryouts?
zero wine tryouts is an open source malware analysis tool.
Just upload your suspicious PE file (Windows executable) through the web interface and let it analyze the behaviour of the process.
zero wine + X = zero wine tryouts
The zero wine tryouts project is a fork of the original zero wine project.
The last modification to the source code of the original project was done back in Jan 2009.
For more information, visit here.
Rule2Alert's goal, is to read in snort rules and generate packets that would make snort produce an alert. It is written entirely in python and utilizes Scapy to craft the packets. It is still under heavy development with myself, Pablo Rincon, and Will Metcalf.
Currently, it is able to generate pcaps based off simple content snort compatible rules. I loaded in the emerging-all.rules file and was able to create a pcap that alerted snort 514 times. The project is not ready to be released yet, but the results look promising so far. This project is currently under the Open Information Security Foundation, as all of the project members are currently working on the new IDS/IPS system Suricata.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Snort alert"; flow:to_server,established; content:"|56 24 5a 63|"; content:"hey"; distance:5; within:12; sid:2000000; rev:1;)
famousjs@youbantoo:~/rule2alert$ sudo python r2a.py -vt -c /etc/snort/snort.conf -f rules/test.rule -w test.pcap
Ether / IP / TCP 192.168.0.1:9001 > 220.127.116.11:www S
Ether / IP / TCP 18.104.22.168:www > 192.168.0.1:9001 SA
Ether / IP / TCP 192.168.0.1:9001 > 22.214.171.124:www A
Ether / IP / TCP 192.168.0.1:9001 > 126.96.36.199:www PA / Raw
-------- Hex Payload Start ----------
56 24 5a 63 20 20 20 20
20 68 65 79
--------- Hex Payload End -----------
Loaded 1 rules successfully!
Writing packets to pcap...
Successfully alerted on all loaded rules
OSAM: Autorun Manager v5.0 - against rookits that hide their files!
As mentioned before, a few weeks ago we recommenced the works on our first public product, namely OSAM: Online Solutions Autorun Manager.
Releasing this, fifth, version of the product has turned hard for our company. For a number of reasons of different nature the release data had to be moved several times. However, we managed to brace up and - thanks to join efforts - finally released the new version of the product.
Now, greet OSAM: Online Solutions Autorun Manager v5.0!
The 5th version provides a unique possibility to detect and remove rootkits that hide their files on the hard disk. Hiding registry keys and files rootkit techniques are spreading wider and wider, so our company had nothing to do but invent and implement a solution for detecting and removing such malware. And we did it! OSAM applies algorithms that parse and the structure of file systems on hard disks without involving any mechanisms of the operating system and thus detects and removes almost all the known viruses and other types of malware.
Presently OSAM detects hidden files, in addition to detecting hidden registry entries, which allows for using it in detecting and removing newest and up-to-date viruses.
I released Buster Sandbox Analyzer 1.0.
Buster Sandbox Analyzer is a malware analyzer using Sandboxie as environment to run programs.
You can follow the development of the tool here:
And you can download the tool from here:
Reading the manual before using the tool is necessary.
Do you want to analyze malware and you are tired of complicated environments where you almost must be a computer engineer to get it working and the hardware requirements are too exigent for the computer you have? Then the solution is Buster Sandbox Analyzer.
Buster Sandbox Analyzer runs under Windows using Sandboxie (www.sandboxie.com) as environment to run the malwares.
A default installation of Sandboxie, which takes less than 1 minute to install, will be enough to start working with Buster Sandbox Analyzer.
Ether Bunny is a script that I use to automatically startup and run Xen domains, copy files, and then execute them with Ether. It is a quick hack I put together. Most of the variables at the top of the file will need to be changed to match your configuration. This script is made available as-is. If it doesn't work you'll need to debug it on your own. That being said if you find it useful and modify it let me know and I'll be happy to update the public version.
You'll need to get a copy of Winexe as well to remotely run the files. There are some setup instructions at the Winexe page that will help you to configure your host machine.
Here's how I use it:
snoosnoo:/xen# ./eb.py 192.168.0.2 malware.exe Ether Bunny v0.1 by Danny Quist Analyzing malware.exe to on VM 192.168.0.50 Destroying old vm image /xen/winxp-sp2-malware-instance/ Restoring vm image... Starting vm from /etc/xen/ramdisk-winxp-sp2.cfg Copying malware.exe to VM 1166 at 192.168.0.50 Attempt: 1 Running malware.exe on VM winxp-sp2-ramdisk (1166) 192.168.0.50 Letting program run... dos charset 'CP850' unavailable - using ASCII EPOLL_CTL_ADD failed (Operation not permitted) - falling back to select() Killing ether. Destroying VM ID: 1166 Aborting...
Download Ether Bunny here.
Edit Jan 18 2011: The Winexe site seems to have disappeared, so I have linked to my local compiled copy.