Identifying suspicious executable files
Last year, the folks at Panda found that "79% of new malware is using some type of packing technique". Here are two apps to help you identify such suspicious executables:
- Red Curtain "examines multiple aspects of an executable, looking at things such as the entropy (in other words, randomness), indications of packing, compiler and packing signatures, the presence of digital signatures, and other characteristics to generate a threat 'score.'" (via Grand Stream Dreams)
- PEiD "detects most common packers, cryptors and compilers for PE files. It can currently detect more than 600 different signatures in PE files." Features include: heuristic scanning options, disassembler, hex viewer, and many more.
UPDATE: James kindly informs us of findssv, an app his professor built to "statically analyze an executable file for its administrative content, its layout and various security vulnerabilities". Further details can be found in this research paper (PDF) or this PowerPoint slideshow. For those who prefer plain text, here's the gist (quoted from the PPT):
- It quickly pares down a group of executable files to the ones in which secure programming was not an objective of the software developers
- It can do in seconds what could take a security analyst days or weeks to do using hex editors and file dump utilities
- It knows what to look for and where to look for it in the PE format
- It knows when to stop looking when specific security vulnerability indicators are not present
- Determine the compiler and linker used to build an executable file
- Establish the relationship between DLL function use and program purpose
- Provide more details on unknown regions
- Reveal the names of files stored in compressed file regions
- Detect the use of standard C functions by way of function call signatures searched for in the code sections of a PE file
/windows | May 11, 2008