Saturday, October 31, 2009

Unknown Binary Files?

What to do if an unknown executable file is running on your system?

1. Upload it to VirusTotal - http://www.virustotal.com/ - then read the report carefully to see whether it is identified as malicious software (check the links for extra info about the executable, e.g. ThreatExpert). If the file might contain confidential data, search VirusTotal for its MD5/SHA1/SHA256 hash first: uploaded samples are shared with the antivirus vendors.

2. Upload it to an online sandbox to get a report on the system-level behaviour of the suspect binary (files written, registry keys changed, processes started, network connections made)
- I strongly recommend the free sandboxes listed below
* Anubis - http://anubis.iseclab.org/
* Sunbelt CWSandbox - www.sunbeltsecurity.com
* Norman Sandbox - www.norman.com/technology/norman_sandbox/
Keep in mind that a clean sandbox report is not proof the file is harmless: some malware checks whether it is running in a virtual machine, or waits for user activity, before doing anything.

3. Use the Sysinternals tools (now owned by Microsoft) such as TCPView, Process Monitor and Process Explorer to see which process the file is running as, where its image lives on disk, whether it is digitally signed, which files and registry keys it touches and which network connections it opens

4. If you have a sacrificial PC or a virtual PC, run the binary on it and monitor the changes using file integrity tools (take a baseline before running it and compare afterwards). Also use Wireshark to monitor and capture the network-level activity. Keep the machine off the production network, and if it is a VM take a snapshot first so you can roll it back when you are done.
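As an added example (not code from the original post), here is a small Python script that covers the two do-it-yourself parts of the steps above: hashing the suspect file so you can search VirusTotal by MD5/SHA1/SHA256 before uploading it (step 1), and a minimal file integrity tool that takes a baseline of a directory tree, lets you run the binary, and then reports which files were added, removed or modified (step 4). The `demo()` function only simulates the sacrificial-PC run on a throwaway directory; the file names and contents in it (`hosts`, `notepad.exe`, `evil.dll`, `suspect.exe`) are constructed for the example and nothing is actually executed. On a real sacrificial machine you would point `snapshot()` at the drive, run the binary, and call `snapshot()` again.

```python
#!/usr/bin/env python3
"""Added example: hash a suspect binary for a VirusTotal hash search and
take a file-integrity baseline before/after running it on a sacrificial PC."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read files in 1 MiB pieces so large binaries do not need to fit in memory


def file_hashes(path):
    """MD5 / SHA-1 / SHA-256 of a file. Any of these can be searched on
    VirusTotal before deciding whether to upload the sample itself."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def snapshot(root):
    """Integrity baseline: relative path -> SHA-256 for every file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                baseline[rel] = file_hashes(full)["sha256"]
            except OSError:
                continue  # vanished or unreadable while we were walking
    return baseline


def diff_snapshots(before, after):
    """Classify what changed between two baselines."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def demo():
    """Simulate the sacrificial-PC workflow on a throwaway directory tree.
    File names and contents below are constructed for this example."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)

        # 1. Build the "clean" system and take the baseline.
        write("windows/system32/drivers/etc/hosts", b"127.0.0.1 localhost\n")
        write("windows/notepad.exe", b"MZ original notepad")
        write("suspect.exe", b"MZ unknown binary")
        before = snapshot(root)

        # 2. Stand-in for running the suspect: it edits hosts, drops a DLL
        #    and deletes a program (nothing is really executed here).
        write("windows/system32/drivers/etc/hosts",
              b"127.0.0.1 localhost\n127.0.0.1 www.virustotal.com\n")
        write("windows/system32/evil.dll", b"MZ dropped payload")
        os.remove(os.path.join(root, "windows/notepad.exe"))

        # 3. Re-snapshot and compare; also report the suspect's hash for step 1.
        after = snapshot(root)
        changes = diff_snapshots(before, after)
        changes["suspect_sha256"] = before["suspect.exe"]
        return changes


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A hash-based baseline like this only catches changes that are still on disk when you take the second snapshot; a dropper that writes a payload, runs it and deletes itself leaves no trace here, which is why it complements rather than replaces Process Monitor and the sandbox report.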
