Friday, October 20, 2006

Online Malware Scanners and Sandboxes

I spend some time everyday looking at botnet traffic, collecting binaries and either analyzing the binaries myself or submitting them to an online scanner/sandbox. It surprises me how many people I talk to that don't realize these resources are freely available out there.

Why are they free? Ever heard of Nepenthes? It is a sweet malware collection tool that emulates vulnerable services, lets attackers/bots/worms/etc attack it and push their payloads onto it. So, what's my point besides asking too many questions in one post? These sites use people like me as a distributed Nepenthes. Make sense? Good!

On to the good stuff...

VirusTotal is the most comprehensive scanning site I've seen. It uses around 25 different virus/malware scanners to scan submitted files. The downside is that the site has become quite popular and it sometimes takes 5-20 minutes to get a file scanned. One highlight of using this site is that submitted files are passed along to AV companies so signatures are produced quicker (hopefully!).
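Before pushing a collected binary to a multi-engine scanner it helps to hash it (most scanners key their cached reports on the hash, which saves the 5-20 minute wait when the file was already seen) and to reduce the per-engine verdicts to a detection ratio for the triage queue. The script below is an added example, not code from the original post or from VirusTotal; it assumes a JSON report shaped like VirusTotal's current API v3 file object (`data.attributes.last_analysis_results`), which did not exist when this post was written, and the embedded report is a constructed sample rather than real scan output.

```python
"""Triage helper for files collected from a honeypot before they go to an
online multi-engine scanner (example code, not from the original post).

Assumptions (not from the page): the scanner returns a JSON report shaped
like VirusTotal's API v3 file object, i.e. data.attributes.last_analysis_results
mapping engine name -> {"category": ..., "result": ...}. SAMPLE_REPORT is a
constructed sample, not real scan output.
"""
import hashlib
import json

# Constructed sample report in VirusTotal API v3 shape (assumption, not real data).
SAMPLE_REPORT = json.dumps({
    "data": {
        "id": "0" * 64,
        "attributes": {
            "last_analysis_results": {
                "Kaspersky": {"category": "malicious", "result": "Backdoor.Win32.Example.a"},
                "EngineB": {"category": "malicious", "result": "Trojan.Generic"},
                "EngineC": {"category": "undetected", "result": None},
                "EngineD": {"category": "type-unsupported", "result": None},
            }
        }
    }
})


def hash_bytes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of a collected binary. Scanners cache reports by hash,
    so look these up before uploading the file itself."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def summarize_report(report_json: str) -> dict:
    """Reduce a multi-engine report to what a triage queue needs: how many
    engines actually gave a verdict, how many flagged the file, and the labels."""
    results = json.loads(report_json)["data"]["attributes"]["last_analysis_results"]
    # Engines that could not scan the file (unsupported type, timeout, failure)
    # must not count against the detection ratio.
    voting = {name: r for name, r in results.items()
              if r["category"] not in ("type-unsupported", "timeout", "failure")}
    flagged = {name: r["result"] for name, r in voting.items()
               if r["category"] in ("malicious", "suspicious")}
    return {
        "engines": len(voting),
        "detections": len(flagged),
        "ratio": f"{len(flagged)}/{len(voting)}",
        "labels": flagged,
    }


def triage(data: bytes, report_json: str) -> dict:
    """Combine the file hashes with the scan summary for one collected sample."""
    out = hash_bytes(data)
    out.update(summarize_report(report_json))
    return out


if __name__ == "__main__":
    sample = b"MZ" + b"\x00" * 62  # constructed stand-in for a collected binary
    print(json.dumps(triage(sample, SAMPLE_REPORT), indent=2))
```

The only design point worth noting is the `voting` filter: an engine that could not process the file is not a clean verdict, so a 2/4 ratio would understate what the scanners that did run actually said.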

Jotti's Virus Scan site doesn't use nearly as many scanners as VirusTotal, but you usually don't have to wait as long to get a file scanned.

Kaspersky is, in my opinion, the best virus scanning engine out. When you look at the stats for VirusTotal, they consistently identify more malware than any other tool. We've seen this based on internal testing, also. I've mostly left this link up here as a reminder that Kaspersky used to show what file packers were used. This was an awesome feature of their web scanner but it no longer shows this information. :-(

Online sandbox tools are HOT! The two I use are Norman's Sandbox and the recently released CWSandbox. I recommend you test out both tools to see how they compare. Norman gives a more "user-friendly" output while CWSandbox e-mails an XML results file. Additionally, Norman is based on a commercial product and CWSandbox is the result of a graduate student's research.

That's it for today. If you know of any other sites that provide functionality similar to VirusTotal or the sandboxes, let me know.

1 comment:

-->j said...

Looks like you're not the only one sponsoring Kaspersky:

http://news.yahoo.com/s/zd/20061020/tc_zd/191975

The new site looks good!

-->jason