
Network security projects in java with source code




Editor's note: This article, originally published in April 2016, has been updated to include tools that are currently in popular use.

Whether you are a sysadmin, a threat intel analyst, a malware researcher, forensics expert, or even a software developer looking to build secure software, these 15 free tools from GitHub or GitLab can easily fit into your day-to-day work activities and provide added advantages.

Many virtualized malware analysis and sandboxing solutions exist to peek into Windows malware, but analyzing suspicious macOS or Linux binaries becomes slightly more challenging with limited tools available to study the behavior of these native executables. I experienced this challenge when ascertaining the behavior of a hard-to-detect macOS and Linux malware packed in an ELF executable. This is where ELF Parser, combined with traffic analysis tools like Wireshark and static analysis tools like hexdump, made the research a tad easier.

ELF Parser neatly breaks down strings found inside an ELF executable by URLs, strings, IP addresses, calls and network functions. The tool also highlights signs of suspicious activities such as information gathering, reconnaissance (e.g., retrieving environment variables), process manipulation and other such tasks being performed by a binary. The higher the number of suspicious tasks or function calls within a binary, the higher the "score" calculated by the tool.

Security researchers can often be seen posting "YARA rules" on Twitter or VirusTotal's community section for malware samples. Originally developed by Victor Alvarez of VirusTotal, YARA has become a must for malware researchers and SOC analysts alike. "With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a. rule, consists of a set of strings and a Boolean expression which determine its logic," reads YARA's official documentation.