Tools

Tools deployed:

Surf-IDS

Current Distributed Intrusion Detection Systems (D-IDS) are most often based on a client-server approach in which the client is called a sensor. These sensors often contain a honeypot and/or a passive analysis tool such as Snort.

SMTP-HP

The SMTP honeypot is a stand-alone honeypot developed to analyze malicious e-mails as a vector for spreading malware, and to feed this data into the Surfnetids system.

Kippo

Kippo is a medium-interaction SSH honeypot designed to log brute-force attacks and, most importantly, the entire shell interaction performed by the attacker. Kippo is inspired by, but not based on, Kojoney.

Dionaea

Dionaea is meant to be a Nepenthes successor, embedding Python as its scripting language, using libemu to detect shellcode, and supporting IPv6 and TLS.

Glastopf

Glastopf is a honeypot which emulates thousands of vulnerabilities to gather data from attacks targeting web applications. The principle behind it is very simple: reply with the correct response to the attacker exploiting the web application.

Honeynet Webviz

A 3D Earth visualization that shows malware/attack analysis on a timeline basis, using heat map tiles and a mesh structure.

Old tools deployed

Honeywall

Honeywall is a proof of concept of a network security hardware device capable of translating and forwarding packets. Designed for high availability, Honeywall is able to provide load balancing and anti-flooding. Unlike a firewall, it does not block packets.

Honeyd

Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems. Honeyd enables a single host to claim multiple addresses.

Honeytrap

Honeytrap is a low-interaction honeypot daemon for observing attacks against network services. In contrast to other honeypots, which often focus on malware collection, honeytrap aims at catching the initial exploit: it collects and further processes attack traces.

Nepenthes

Nepenthes is a versatile tool to collect malware. It acts passively by emulating known vulnerabilities and downloading the malware that tries to exploit them.

Argos

An emulator for capturing zero-day attacks: Argos is a full and secure system emulator designed for use in honeypots. It is based on Qemu, an open source emulator that uses dynamic translation to achieve a fairly good emulation speed.

Kojoney

Kojoney is a low-interaction honeypot that emulates an SSH server. The daemon is written in Python using the Twisted Conch libraries.


Malware Sandbox Web Services

http://sempersecurus.blogspot.com/2011/06/malware-sandbox-services-and-software.html

ViCheck.ca (https://vicheck.ca/)

“We can accept any type of file including executables, documents, spreadsheets, presentations, compiled help files, database packages, PDF, images, emails, or archives. You can also submit a file from a remote web address.”

Malware Tracker

View PDF objects as hex/text, PDF dissector and inspector, scan for known exploits

Joe Sandbox (formerly JoeBox)

Joe Sandbox is a fully automated analysis system for trojans, viruses and rootkits (malware). It takes malicious executables such as PE, PDF (Acrobat Reader) or DOC (Microsoft Word) files as input and returns highly detailed reports describing the behavior of the executables as they are executed.

Note: Joe Sandbox has an online service with three account types. It is described more fully here: http://www.joesecurity.org/service.php

Anubis

Anubis is a service for analyzing malware. Submit your Windows executable and receive an analysis report telling you what it does. Alternatively, submit a suspicious URL and receive a report that shows you all the activities of the Internet Explorer process when visiting this URL.

Wepawet

"Wepawet is a service for detecting and analyzing web-based malware. It currently handles Flash, JavaScript, and PDF files."

Norman Sandbox

Submit a Suspicious File for a FREE Malware Analysis

GFI SandBox (formerly Sunbelt CWSandbox)

Due to heavy load, the public site does not support: URL or BHO analysis, zipped files or analysis of infected documents

ThreatExpert

ThreatExpert is an advanced automated threat analysis system designed to analyze and report the behavior of computer viruses, worms, trojans, adware, spyware, and other security-related risks in a fully automated mode.

Comodo Instant Malware Analysis

Automated Analysis System:

If you have a suspicious file, please submit it online by using the form below. Once the file is submitted, COMODO Automated Analysis System will scan it and report back its findings.

Panda Security Autovin Automated Tools for Virus Incidents

Accepts:
- Windows executable (exe, dll)
- Adobe PDF (beta testing)
- Zip file (with password "panda")
- RAR compressed file (without password)
- 7zip compressed file (without password)
- Autovin File Extractor compressed file

MalBox Program Behavior Analysis System

"Submit your Windows executable(*.exe) and receive an analysis report telling you what it does,
or submit a suspicious URL and receive a report that shows you all the activities of the Internet Explorer process when visiting this URL."

Eureka Malware Analysis Internet Service

"Eureka is a binary static analysis preparation framework. It implements a novel binary unpacking strategy based on statistical bigram analysis and coarse-grained execution tracing. Eureka incorporates advanced API deobfuscation capabilities to facilitate the structural analysis of the underlying malware logic."

Xandora Online Binary Analyzer

"xandora.net is a tool for analyzing the behavior of Windows PE-executables with special focus on the analysis of malware. Execution of xandora.net results in the generation of a report file that contains enough information to give a human user a very good impression about the purpose and the actions of the analyzed binary.
The generated report includes detailed data about modifications made to the Windows registry or the file system or other processes and of course it logs all generated network traffic. The analysis is based on running the binary in an emulated environment and watching."

BitBlaze Malware Analysis Service

Currently Offline

jsunpack

Currently Offline

Standalone Malware Sandboxing Software

Cuckoo Sandbox

An open-source dynamic malware analysis system which allows you to get information on suspicious files in a completely automated fashion.
Such results include:
    * Tracing of relevant Windows API calls of all recursively spawned processes.
    * Network traffic dump generated during malware execution.
    * Files being downloaded and deleted during execution.
    * Screenshots taken during the whole malware analysis process.

Minibis from CERT.at

Software and tips to easily build up an automated malware analysis station based on a concept introduced in the paper Mass Malware Analysis: A Do-It-Yourself Kit.

Zero Wine Malware Behavior Analysis

Zero Wine is an open source (GPL v2) research project to dynamically analyze the behavior of malware. Zero Wine simply runs the malware using WINE in a safe virtual sandbox (an isolated environment), collecting information about the APIs called by the program.

Buster Sandbox Analyzer

Buster Sandbox Analyzer is a tool designed to analyze the behaviour of processes and the changes made to the system, and then evaluate whether they are suspicious of being malware.
The changes made to the system can be of several types: file system changes, registry changes and port changes.

PDF Stream Dumper

This is a free tool for the analysis of malicious PDF documents. It has specialized tools for dealing with obfuscated JavaScript, low-level PDF headers and objects, and shellcode.

jsunpack-n

jsunpack-n emulates browser functionality when visiting a URL. Its purpose is to detect exploits that target browser and browser plug-in vulnerabilities. It accepts many different types of input:
- PDF files (samples/sample-pdf.file)
- Packet captures (samples/sample-http-exploit.pcap)
- HTML files
- JavaScript files
- SWF files
This project contains the source code which runs at the website http://jsunpack.jeek.org/.