Saturday, October 31, 2009

Unknown Binary Files?

What to do if an unknown executable file is running on your system?

1. Upload it to VirusTotal, then read the report carefully to see whether it is identified as malicious software (check the links for extra info about the executable, e.g. ThreatExpert)

2. Upload it to a sandbox to get a report on the system-level behaviour of the malicious software
- I strongly recommend the free sandboxes listed below
* Anubis -
* Sunbelt CWSandbox -
* Norman Sandbox -

3. Use Sysinternals tools (now acquired by Microsoft) like TCPView, Process Monitor and Process Explorer

4. If you have a sacrificial PC or a virtual PC, run the binary on it and monitor changes with file integrity tools. Also use Wireshark to monitor and capture network-level activity
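A minimal file-integrity check for step 4 above, as an added example (not code from the original post): snapshot a directory tree with SHA-256 before running the sample on the sacrificial machine, snapshot it again afterwards, and diff the two to list added, removed and modified files. The demo() function builds a throwaway directory and simulates the kind of changes a sample might make, so it runs without any real sample.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under root (POSIX-style relative path) to (sha256, size)."""
    root = Path(root)
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():  # skip links, devices, sockets
                continue
            h = hashlib.sha256()
            with open(p, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):  # stream large files
                    h.update(chunk)
            state[p.relative_to(root).as_posix()] = (h.hexdigest(), p.stat().st_size)
    return state


def diff_snapshots(before, after):
    """Compare two snapshots; a file is 'modified' when its hash or size changed."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline, 'run' a sample that drops/patches/deletes files, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        (tmp / "bin").mkdir()
        (tmp / "bin" / "app.exe").write_bytes(b"MZ original")
        (tmp / "config.ini").write_text("debug=0\n")
        (tmp / "readme.txt").write_text("hello\n")
        before = snapshot(tmp)
        # Simulated sample activity: patch a binary, drop a new file, delete a file.
        (tmp / "bin" / "app.exe").write_bytes(b"MZ patched!!")
        (tmp / "bin" / "dropped.dll").write_bytes(b"constructed payload bytes")
        (tmp / "readme.txt").unlink()
        after = snapshot(tmp)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run snapshot() once before and once after the sample on the real machine, and save the baseline to disk before executing anything.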

PCAP Analysis Tools

I found these tools extremely easy to operate and useful in network-level forensic investigation of Wireshark capture files (*.pcap)

1. NetworkMiner -
2. Netwitness Investigator -
3. Xplico -

Yes, they are free ;)

Additional details on Xplico for Ubuntu 9.x
- run apt-get install apache2
- run apt-get install xplico
- edit /etc/php5/apache2/php.ini to increase the maximum size of uploaded files:
* post_max_size = 100M
* upload_max_filesize = 100M
- restart Apache2
- sudo sh /opt/xplico/script/
- open http://localhost:9876 in a browser
- create a new case in Xplico
- create a new session, then upload your pcap file