A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #4885  by EP_X0FF
 Fri Feb 04, 2011 6:14 pm
Kinda useless and cannot be taken seriously.

Uses database from PEiD. So I will use PEiD instead to get the same packer verdict (in most cases for malware will be no verdict or fake verdict because of cryptor/obfuscation etc).
Gives section information. Use PETools or Hiew instead. Gives tons of false alarms on real malware, because this is static analyzer. So it think that all garbage in import table has sense. From this following numerous false alarms in "keyboard"/"antidebug" etc parts.

Signatures for malware in PEiD database format? When malware recrypts/repacks/morphs every day and chances to get the same sample is less then 50%?
Some sort of humor must be :)

In attach result with TDL4 dropper. Yes scary keyboards hooks in place, etc :)
http://www.virustotal.com/file-scan/rep ... 1296842389
Attachments
(6.75 KiB) Downloaded 35 times
 #4895  by Meriadoc
 Sat Feb 05, 2011 4:41 pm
I was sent a link to this on another forum and asked what I thought. Posting here for opinion I thought it would get a fair crack (thanks EP, always straight to the point :) )

Agree, as a static tool I couldn't see why to use this over what I already use but then it feels like a small project with 'what shall I add' without really thinking about malware.

As a 'malware analyzer' I would want to see more runtime analysis.
 #4897  by Meriadoc
 Sat Feb 05, 2011 5:53 pm
Thanks, looks good I will try this (cool name :) )
 #4903  by Buster_BSA
 Sun Feb 06, 2011 8:14 am
Cuckoo is another Windows malware analyzer running under Linux.

Image

That´s the main reason why I coded Buster Sandbox Analyzer.
 #4906  by nex
 Sun Feb 06, 2011 8:50 am
No need to be harsh, I'm just trying to have a conversation and understand your point.
As long as you want to motivate it.