From the mailbag, December 3rd edition

Several months ago, I wrote about Mandiant releasing Mandiant Red Curtain (MRC), a tool that attempts to characterize files to point an investigator at files that might require more careful investigation.  Earlier this week, Russ McRee sent us info on a nice little presentation he gave on malcode analysis techniques for incident handling.  In it, he shows use of MRC and a couple of other tools that I'm quite fond of for malware analysis.  His presentation can be found here.

Speaking of incident response data gathering, I'm finally starting to read a book that has been on my list since before it was published.  That book is Harlan Carvey's execellent, Windows Forensic Analysis Including DVD Toolkit.  Lots of excellent tools.

One of the things that MRC does is look at entropy in the files.  Ero Carrerra's pefile (which I've mentioned previously I use in my own little script for packer identification) also calculates the entropy for each section of a PE file.  One of the other things that I've been looking at is hashing sections (or even individual functions) in an executable to see if that was useful in establishing relationships between malware variants.  Since Ero was already calculating entropy of each section, I asked if he'd be willing to hash the sections as well.  He graciously agreed and put the feature in version 1.2.8 of pefile which he released the following day.  Thanx, Ero.

I also discovered another new tool that hashes the sections of an executable.  Chris Rohlf has released a useful little tool called binhash.

 Finally, this morning, Thorsten Holz pointed out that the Chinese Honeynet Project has released 2 new technical reports.  The first entitled Characterizing the IRC-based Botnet Phenomenon, and the second, Studying Malicious Websites and the Underground Ecomony on the Chinese Web.

I will be teaching next: Reverse-Engineering Malware: Malware Analysis Tools and Techniques - SANS Tokyo Autumn 2022


423 Posts
ISC Handler
Dec 4th 2007

Sign Up for Free or Log In to start participating in the conversation!