Did you find a suspicious file? Your instinct says that it could be malware but your anti-virus software says it isn’t and now you’re in doubt? In this article I’ll give some basic tools that you can use to identify malicious binaries.
The first thing you can do is to upload the suspicious file to virustotal.com. This registration-free online tool scans your file with more than 40 virus scanners and gives you a clear overview. Is your file not detected by any of them? That is no reason to believe it’s not malware: it can simply be a variant of existing malware, or new malware that no scanner has a signature for yet.
This is where malwr.com comes in. It is a website built upon the open source malware analysis system Cuckoo sandbox. Just calculate the MD5 checksum of the file and search for it. If you can’t find it by searching the hash, you can always upload your file, and the site can optionally send you a mail when the analysis of the binary is done. This mail contains a link to the analysis report, which contains the following information:
- Behavior analysis
- Network analysis
- Static analysis
- Dropped files
Of course, it is also possible to run your own Cuckoo sandbox (http://www.cuckoosandbox.org/).
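Searching a sandbox or scanner by hash only works if you compute the hash the same way the service does: over the raw bytes of the file, not over a renamed or re-archived copy. The script below is an added example written for this article (it is not code from the post, from VirusTotal, malwr.com or the Cuckoo project). It reads a file in fixed-size chunks so that large binaries do not have to fit in memory, and it reports SHA-1 and SHA-256 alongside MD5, because MD5 is no longer collision resistant and most services today index samples primarily by SHA-256. The `demo()` helper writes a constructed sample file to a temporary directory so the script runs offline.

```python
#!/usr/bin/env python3
"""Compute MD5 / SHA-1 / SHA-256 of a suspicious file for hash lookups.

Added example for this article; not part of any scanner's or sandbox's code.
"""
import hashlib
import os
import sys
import tempfile

# Digests most online scanners and sandboxes let you search by.
ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK_SIZE = 1024 * 1024  # 1 MiB: keeps memory flat even for large binaries


def hash_stream(fileobj):
    """Hash an open binary file-like object chunk by chunk.

    Returns a dict mapping algorithm name to its lowercase hex digest,
    which is the form you paste into a hash search box.
    """
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    while True:
        chunk = fileobj.read(CHUNK_SIZE)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes):
    """Convenience wrapper for data already held in memory."""
    hashers = {name: hashlib.new(name, data) for name in ALGORITHMS}
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path: str):
    """Open the file in binary mode so line-ending translation cannot
    alter the bytes (and therefore the hash) on Windows."""
    with open(path, "rb") as fileobj:
        return hash_stream(fileobj)


def demo():
    """Write a constructed sample file and return its digests.

    The content is the three bytes b"abc", chosen because its digests are
    published test vectors, so the result can be checked by hand.
    """
    with tempfile.TemporaryDirectory() as tmpdir:
        sample = os.path.join(tmpdir, "suspicious.bin")  # constructed sample
        with open(sample, "wb") as out:
            out.write(b"abc")
        return hash_file(sample)


if __name__ == "__main__":
    # Usage: python hash_sample.py <file> ...   (no argument runs the demo)
    targets = sys.argv[1:]
    results = [(p, hash_file(p)) for p in targets] if targets else [("demo", demo())]
    for name, digests in results:
        print(name)
        for algo in ALGORITHMS:
            print(f"  {algo:<7}{digests[algo]}")
```

Paste the SHA-256 (or the MD5, as the article suggests) into the search box of malwr.com or VirusTotal; if the hash is unknown, only then upload the file itself, since uploading discloses the sample to the service and to other researchers.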
If the suspicious file turns out to be malicious, submit it to malware.lu (a malware repository). This way you provide security researchers with samples.