A comparison of tools for malware analysis
Presentation Transcript

  • A COMPARISON OF TOOLS FOR MALWARE ANALYSIS Tiziana Spata tizianaspata@yahoo.it Università degli Studi di Catania Dipartimento di Matematica e Informatica
  • Malware is everywhere...
  • Malware Analysis: program understanding, in order to prevent malware attacks. Two approaches: Static Analysis and Dynamic Analysis
  • Static Analysis It’s performed without executing the program: • Disassemble the malware • Control-flow or data-flow analysis: provides a great deal of information on how the malware functions
  • IDA Pro The Interactive Disassembler Professional is a product of Hex-Rays. It’s a recursive descent disassembler: each decoded instruction is classified, and the class decides where decoding continues: • Sequential Flow Instructions • Conditional Branching Instructions • Unconditional Branching Instructions • Function Call Instructions • Return Instructions
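To make the recursive descent idea concrete, here is an added example (not IDA Pro's code, and not from the presentation) that implements the five instruction classes on a constructed toy instruction set and compares the result with a plain linear sweep. The opcodes, the sample byte string and the single junk byte hidden behind an unconditional jump are all constructed for illustration.

```python
"""Toy recursive descent disassembler (added example; not IDA Pro's code).

The instruction set is constructed. Each opcode belongs to one of the five
classes a recursive descent disassembler distinguishes (sequential,
conditional branch, unconditional branch, call, return); the class decides
which addresses are queued for decoding next.
"""
from collections import deque

# opcode -> (mnemonic, total length in bytes, class)
ISA = {
    0x00: ("NOP", 1, "sequential"),
    0x01: ("MOV", 2, "sequential"),     # MOV imm8
    0x02: ("JMP", 2, "unconditional"),  # JMP rel8 (relative to next instruction)
    0x03: ("JZ", 2, "conditional"),     # JZ rel8
    0x04: ("CALL", 2, "call"),          # CALL rel8
    0x05: ("RET", 1, "return"),
}


def decode(code: bytes, addr: int):
    """Decode one instruction at addr -> (mnemonic, length, operand, class).
    Unknown opcodes (or a truncated instruction) are reported as a data byte."""
    op = code[addr]
    if op not in ISA or addr + ISA[op][1] > len(code):
        return ("db", 1, op, "data")
    mnem, length, cls = ISA[op]
    operand = code[addr + 1] if length == 2 else None
    return (mnem, length, operand, cls)


def rel_target(addr: int, length: int, operand: int) -> int:
    """rel8 is signed and relative to the address of the following instruction."""
    disp = operand - 256 if operand >= 128 else operand
    return addr + length + disp


def recursive_descent(code: bytes, entry: int = 0) -> dict:
    """Disassemble only what is reachable from entry by following control flow."""
    listing = {}
    work = deque([entry])
    while work:
        addr = work.popleft()
        if addr in listing or not (0 <= addr < len(code)):
            continue
        mnem, length, operand, cls = decode(code, addr)
        listing[addr] = (mnem, operand)
        nxt = addr + length
        if cls == "sequential":
            work.append(nxt)                                 # only the fall-through
        elif cls == "unconditional":
            work.append(rel_target(addr, length, operand))   # fall-through is NOT code
        elif cls == "conditional":
            work.append(rel_target(addr, length, operand))   # both paths are code
            work.append(nxt)
        elif cls == "call":
            work.append(rel_target(addr, length, operand))   # callee ...
            work.append(nxt)                                 # ... and the return site
        # "return" and "data": nothing is queued, this path ends here
    return dict(sorted(listing.items()))


def linear_sweep(code: bytes) -> dict:
    """Decode every byte in address order, ignoring reachability."""
    listing, addr = {}, 0
    while addr < len(code):
        mnem, length, operand, _ = decode(code, addr)
        listing[addr] = (mnem, operand)
        addr += length
    return listing


# Constructed sample: one junk byte (0x01, which looks like a MOV opcode)
# sits at 0x04, right after an unconditional jump that skips over it.
SAMPLE = bytes([
    0x01, 0x41,   # 0x00: MOV 0x41
    0x02, 0x01,   # 0x02: JMP +1  -> 0x05
    0x01,         # 0x04: junk byte, never executed
    0x03, 0x02,   # 0x05: JZ +2   -> 0x09, or fall through to 0x07
    0x01, 0x07,   # 0x07: MOV 0x07
    0x04, 0x01,   # 0x09: CALL +1 -> 0x0C, returns to 0x0B
    0x05,         # 0x0B: RET
    0x00,         # 0x0C: NOP     (callee)
    0x05,         # 0x0D: RET
])


def format_listing(listing: dict) -> list:
    """Render a listing as 'addr: MNEM 0xNN' lines."""
    return [f"{a:04x}: {m}" + (f" 0x{o:02x}" if o is not None else "")
            for a, (m, o) in listing.items()]


if __name__ == "__main__":
    print("recursive descent:\n" + "\n".join(format_listing(recursive_descent(SAMPLE))))
    print("\nlinear sweep:\n" + "\n".join(format_listing(linear_sweep(SAMPLE))))
```

Running it shows the point of the classification: the recursive descent listing never touches the junk byte at 0x04, while the linear sweep decodes it as a bogus `MOV 0x03`, loses alignment, and invents a `JMP` and a `db 0x07` in place of the real `JZ` and `MOV` before re-synchronising at 0x09.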
  • Dynamic Analysis It’s performed by executing the program in a real or virtual environment. • Black Box Analysis: "what you see is all you get" • White Box Analysis: it’s different from Static Analysis!
  • Wireshark It’s a free and open-source packet analyzer. Most network interfaces can be put in “promiscuous mode”, in which they supply to the host all network packets they see.
  • oSpy It’s a packet sniffing tool which aids in reverse-engineering software running on the Windows platform. The sniffing is done on the API level which allows a much more fine-grained view of what’s going on.
  • Process Monitor It’s an advanced monitoring tool for Windows that shows real-time file system, registry and process/thread activity. Process Monitor includes powerful monitoring and filtering capabilities: • File System • Registry • Process • Network • Profiling
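Process Monitor's value in malware analysis comes from its filter rules, so here is an added example (not Sysinternals code, and not from the presentation) that applies the same kind of filtering to a Procmon CSV export offline: rows are classified into the File System, Registry, Process, Network and Profiling categories listed above, narrowed to the process under analysis, and summarised into the artifacts a triage analyst looks for first. The CSV rows, the process name `dropper.exe`, the paths and the peer address are all constructed; the column layout is assumed to mirror Procmon's default CSV export.

```python
"""Filter a Process Monitor CSV export the way Procmon's own filter rules do
(added example; not Sysinternals code). Sample rows are constructed and the
column layout is assumed to mirror Procmon's default CSV export."""
import csv
import io

# Constructed export for a hypothetical sample "dropper.exe" (PID 4120).
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","dropper.exe","4120","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\svc.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.2","dropper.exe","4120","WriteFile","C:\\Users\\lab\\AppData\\Roaming\\svc.exe","SUCCESS","Offset: 0, Length: 65536"
"10:01:02.3","dropper.exe","4120","RegOpenKey","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","SUCCESS","Desired Access: Set Value"
"10:01:02.4","dropper.exe","4120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc","SUCCESS","Type: REG_SZ, Data: C:\\Users\\lab\\AppData\\Roaming\\svc.exe"
"10:01:02.5","dropper.exe","4120","Process Create","C:\\Users\\lab\\AppData\\Roaming\\svc.exe","SUCCESS","PID: 4188"
"10:01:02.6","dropper.exe","4120","TCP Connect","lab-pc:49712 -> 203.0.113.7:443","SUCCESS","Length: 0"
"10:01:02.7","explorer.exe","1520","RegQueryValue","HKCU\\Software\\Classes\\Local Settings","SUCCESS","Type: REG_DWORD"
"10:01:02.8","dropper.exe","4120","Thread Profiling","","SUCCESS","User Time: 0.0"
"10:01:02.9","dropper.exe","4120","CreateFile","C:\\Users\\lab\\config.ini","NAME NOT FOUND","Desired Access: Read"
"""

# Operation names Procmon uses for the two categories that do not carry a prefix.
FILE_OPS = {"CreateFile", "ReadFile", "WriteFile", "CloseFile", "CreateFileMapping",
            "QueryDirectory", "SetDispositionInformationFile", "SetRenameInformationFile"}
PROCESS_OPS = {"Process Create", "Process Start", "Process Exit",
               "Thread Create", "Thread Exit", "Load Image"}


def event_class(operation: str) -> str:
    """Map a Procmon operation name onto the five monitoring categories."""
    if operation.startswith("Reg"):
        return "Registry"
    if operation in FILE_OPS:
        return "File System"
    if operation in PROCESS_OPS:
        return "Process"
    if operation.startswith(("TCP ", "UDP ")):
        return "Network"
    if operation.endswith("Profiling"):
        return "Profiling"
    return "Other"


def parse_procmon_csv(text: str) -> list:
    """Read an export into a list of dicts keyed by the header columns."""
    return list(csv.DictReader(io.StringIO(text)))


def filter_events(rows, process_name=None, classes=None, result=None) -> list:
    """Equivalent of stacking Procmon 'Include' rules on Process Name,
    event category and Result; a None argument leaves that rule out."""
    out = []
    for r in rows:
        if process_name and r["Process Name"].lower() != process_name.lower():
            continue
        if classes and event_class(r["Operation"]) not in classes:
            continue
        if result and r["Result"] != result:
            continue
        out.append(r)
    return out


def summarize(rows) -> dict:
    """Per-category counts plus the artifacts triage wants first:
    files written, registry values set, processes created, network peers."""
    s = {"counts": {}, "files_written": [], "registry_set": [],
         "processes_created": [], "network": []}
    for r in rows:
        cls = event_class(r["Operation"])
        s["counts"][cls] = s["counts"].get(cls, 0) + 1
        op, path = r["Operation"], r["Path"]
        if op == "WriteFile" and path not in s["files_written"]:
            s["files_written"].append(path)
        elif op == "RegSetValue":
            s["registry_set"].append(path)
        elif op == "Process Create":
            s["processes_created"].append(path)
        elif cls == "Network":
            s["network"].append(path)
    return s


def persistence_hits(rows) -> list:
    """Successful value writes under a Run key: the classic autostart indicator."""
    return [r["Path"] for r in rows
            if r["Operation"] == "RegSetValue" and r["Result"] == "SUCCESS"
            and "\\currentversion\\run" in r["Path"].lower()]


if __name__ == "__main__":
    rows = parse_procmon_csv(SAMPLE_CSV)
    mine = filter_events(rows, process_name="dropper.exe")
    for key, value in summarize(mine).items():
        print(f"{key}: {value}")
    print("persistence:", persistence_hits(mine))
```

The same three rules (process name, category, result) are what an analyst typically sets in the Procmon GUI before a detonation, so a trace exported from the tool can be re-checked with this script after the fact.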
  • OllyDbg It’s a debugger that traces registers, recognizes procedures, API calls… It has a friendly interface, and its functionality can be extended by third-party plugins.
  • Conclusions A good analysis of malware can be made thanks to the combination of several tools that implement techniques of static and dynamic analysis. Thanks for your attention!