Comments on: My Virus lab part 1: downloading a malicious file

By: Didier Stevens

Didier Stevens — Wed, 28 Nov 2007 22:44:54 +0000

I don’t want to install malware on my computer.

By: freebsd

freebsd — Mon, 26 Nov 2007 20:44:44 +0000

Why exactly would you wan’t to install malware on your computer ?

By: insecure

insecure — Tue, 30 Jan 2007 14:57:14 +0000

sysinternals’ procmon also monitors windoze activity very well

yet another honeypot tool is honeynet
http://www.honeynet.org/

hope this helps

By: Luke

Luke — Tue, 23 Jan 2007 16:02:33 +0000

Thanks for the tip – afik and regshot sound extremely useful.

By: jim

jim — Thu, 04 Jan 2007 21:36:44 +0000

regshot & afick huh? cool i’ll have to check that out! thanks for the info! i’ll be checking back for your blog
thanks!,
jim b

By: Didier Stevens

Didier Stevens — Thu, 28 Dec 2006 13:41:52 +0000

I will blog about this, but in a nutshell:
- use Rootkitrevealer by Sysinternals (now MS) to detect rootkits
- you can export the registry before installation and after, and then check for differences
- a tool to automate this is regshot
- afick allows you to detect changes to the filesystem
- and then you have process monitor (also by Sysinternals)

By: jim

jim — Wed, 27 Dec 2006 15:15:20 +0000

hi didier,
i’ve been curious about how some of the malware works (and it was going to do to my system) that was sent to me by means of spam so i’ve created a testing lab as well. i’m interested so read how you set up your testing environment; here’s what i’ve been using:
i’m running vmware on my linux box and have multiple instances of windoze set up so that they can communicate & wreck havok on each other, but not reach the outside network nor the parent OS. then i can simply copy & paste a new instance of the OS when it’s been wrecked.
what i haven’t found is a program that can monitor for all changes on the win OS and report what registry changes have been made, root kit installed, etc.. have you found anything of this sort?
thank,
jim