Okay, so let's talk now about some of the open source tools for intelligence gathering that are freely available on the Internet.
There's a lot of good variety out there, and some of you may already be familiar with these sites.
VirusTotal in particular is pretty good. And as you can see, it has a very simple interface. I can upload a file if I've perhaps captured some malware, or suspected malware, I should say, a file that I think is infected, and have a multitude of scanners do some checking. I can also submit a URL or do a search for something like a hash or domain or IP address.
So for URL we can type in something that should probably come up clean. I would hope it comes up clean.
All right, so it tells me this was already analyzed, but I could look at the most recent.
And as you'll see on the left here, I've got all these different URL scanners. How many is that? It looks like over 30 or so.
This is amazing that it's free, and you can look at this any time you need to do a quick check to see what all the major scanners think about a website or file or something else.
I can also look at information here: show me an IP address, people that want to vote yes or no on these different results, and so on. It's pretty handy.
I don't have a file that I can upload, but you get the basic idea. In any case, there's also MetaDefender, another threat intelligence platform, so file hashes or IP addresses.
I could go back to here and get my IP address and do a quick scan.
And this is not a bad idea in a general best practices manner, because I'm using one tool to do some checking and using another tool. And this one doesn't have as many scanning engines for the IP address, but it's still a good way to corroborate your results with another secondary tool.
And then, lastly, we have VirScan, a virus scanner, so similar, very similar simple interface, uploading files, and it gives you the information on all the different scanners here. There's probably a decent amount of overlap between VirScan and
It's still very useful, and free. Can't beat it when it's free.
All right. Another thing to consider, especially since we're talking about malware, is some of the tools that can be used to do deeper analysis.
Sure, you can upload a file, as we just saw, to let you know that you do have a sample of malware. But what if you want to actually get into the lower-level functionality of the malware and you want to know: how does it actually work? How did it get into the environment? How does it operate? What is its behavior? What kinds of resources does it try to use on the infected system, such as memory or network connections, new files and folders, or moving things around on the file system?
These are all questions that malware reverse engineering
As we can see here, we've got IDA Pro and OllyDbg screenshots. These are both very popular tools for doing this kind of work.
It's obviously work that is not for the faint of heart. What you're looking at here is assembler language, or assembly language, and this is the lowest-level instruction set that you can use to program a computer.
Obviously, anyone who's writing malware is going to be interested in assembler because it gives you the most complete control over the processor of the machine that you're trying to infect.
So what these tools allow you to do, then, is to step through the program and monitor memory registers that we see here, as well as looking at other data that's in the system's temporary storage, the instruction pointer, and all kinds of other aspects.
So as the code is executed line by line, the output can be examined, and the engineer can now get a better understanding of how this malware actually functions. The ultimate goal here would be to figure out, okay, well, if we understand the malware completely enough, now the engineer can have a decent chance of defending against it, by perhaps blocking any kind of ports that were open that might have been taken advantage of. Whatever the vulnerability was that allowed the malware to propagate should be identified and remediated.
You always want to think about threats and vulnerabilities being paired up together for that reason. So if you're so inclined, there are plenty of videos online, YouTube perhaps, to look at OllyDbg and IDA Pro, great tools to add to your arsenal once you get to a more advanced stage, where you really want to dig into the malware and see what's going on.
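As an added example (not part of this lecture), here is the hash-search and cross-tool corroboration workflow from the first half in Python: it hashes a constructed sample, builds the VirusTotal v3 file-report URL for a search by hash, pulls the flagged engines out of a VirusTotal-shaped report, and compares them against a second platform's verdicts. The report contents, engine names and the second tool's verdict map are constructed for the demo, not real scanner output.

```python
import hashlib
import json

# Constructed bytes standing in for a suspected file (not real malware).
SAMPLE = b"constructed sample content for the hashing demo\n"

def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the sample; any of them works as a hash search term."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}

def vt_lookup_url(sha256: str) -> str:
    """VirusTotal v3 file-report URL: a lookup by hash never uploads the sample itself."""
    return f"https://www.virustotal.com/api/v3/files/{sha256}"

def flagged_engines(report: dict) -> list:
    """Engines that said 'malicious' or 'suspicious' in a VirusTotal-shaped report
    (attributes.last_analysis_results maps engine name -> {category, result, ...})."""
    results = report["data"]["attributes"]["last_analysis_results"]
    return sorted(e for e, r in results.items() if r["category"] in ("malicious", "suspicious"))

def corroborate(primary: dict, secondary: dict) -> dict:
    """Compare engine -> flagged(bool) verdicts from two platforms: how many engines
    both platforms ran, how many agree, and which ones disagree (worth a closer look)."""
    common = sorted(set(primary) & set(secondary))
    disagree = [e for e in common if primary[e] != secondary[e]]
    return {"common": len(common), "agree": len(common) - len(disagree), "disagree": disagree}

# Constructed VirusTotal-shaped report; engine names and verdicts are made up.
VT_REPORT = json.loads("""{"data": {"attributes": {
  "last_analysis_results": {
    "EngineA": {"category": "malicious",  "result": "Trojan.Generic"},
    "EngineB": {"category": "undetected", "result": null},
    "EngineC": {"category": "suspicious", "result": "Heur.Suspicious"},
    "EngineD": {"category": "malicious",  "result": "Trojan.Agent"},
    "EngineE": {"category": "undetected", "result": null}}}}}""")

# Constructed verdicts from a second platform, already reduced to engine -> flagged.
SECOND_TOOL = {"EngineA": True, "EngineB": False, "EngineC": False,
               "EngineD": True, "EngineF": True}

def primary_verdicts(report: dict) -> dict:
    """Reduce the VirusTotal-shaped report to engine -> flagged(bool)."""
    flagged = set(flagged_engines(report))
    return {e: e in flagged for e in report["data"]["attributes"]["last_analysis_results"]}

if __name__ == "__main__":
    hashes = file_hashes(SAMPLE)
    print("search by hash:", vt_lookup_url(hashes["sha256"]))
    print("flagged by:", flagged_engines(VT_REPORT))
    print("corroboration:", corroborate(primary_verdicts(VT_REPORT), SECOND_TOOL))
```

Engines listed under "disagree" are the ones to look at by hand, since one platform flagged the sample and the other did not.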