Malware Hunting – Reviewing the Best Scanners

Identifying Malware

I am interested in computer security issues and have often had to investigate infections with a variety of different systems. As I mentioned in a previous article, relying on a single antivirus solution to handle an infection can be a lesson in futility.

If you are investigating a machine, then you will need to know how to differentiate good files from malware files. In the article below I will review the various options available for determining how safe a file really is. The tools I am reviewing are specific to Microsoft Windows. I have categorized the tools into online MD5/SHA-1 hash scanners, file upload scanners, and downloadable scanning applications.

MD5/SHA-1 Hash Scanners

The National Software Reference Library

This site hosts a large collection of digital signatures of known software (MD5 and SHA-1 hashes). If you are tracking down the safety of a file it is a good idea to use this database to first rule out known legitimate files.

The downside of using the NSRL database is the sheer volume of data. Their download is several GB in size and keeps growing. Furthermore, there are no viable online search options for anyone looking to validate a file or two.

http://www.nsrl.nist.gov/

To gain access to the NSRL library there are several options, including the ISC online search tool. However, the ISC database is too old, and the Hashsets.com database is impossibly slow.

However, if you are willing to download the database and write your own lookup function, then the NSRL whitelist library could be of use.
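As an added example (not code from the article or from NIST), here is the kind of local lookup function the paragraph above alludes to: it indexes a downloaded NSRL hash set by SHA-1 and MD5 and rules a file in as known-good, out as unlisted, or flags a mismatch. It assumes the legacy NSRLFile.txt CSV layout (SHA-1, MD5, CRC32, FileName, ...) and uses a constructed two-line sample instead of the real multi-GB download.

```python
import csv
import hashlib
import io

# Constructed sample rows in the legacy NSRL RDS "NSRLFile.txt" CSV layout
# (the layout is an assumption of this example, not data from the article).
# The digests are those of b"hello world", so the lookup runs offline.
SAMPLE_NSRL = (
    '"SHA-1","MD5","CRC32","FileName","FileSize",'
    '"ProductCode","OpSystemCode","SpecialCode"\n'
    '"2AAE6C35C94FCFB415DBE95F408B9CE91EE846ED",'
    '"5EB63BBBE01EEED093CB22BB8F5ACDC3","0D4A1185",'
    '"hello.txt","11","1","358",""\n'
)

def load_whitelist(csv_text):
    """Index an NSRL-style CSV: upper-case SHA-1 or MD5 -> set of file names."""
    index = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        for column in ("SHA-1", "MD5"):
            index.setdefault(row[column].upper(), set()).add(row["FileName"])
    return index

def hash_bytes(data):
    """Return (MD5, SHA-1) hex digests, upper-case as in the NSRL files.
    For large files, feed hashlib in chunks instead of reading everything."""
    return (hashlib.md5(data).hexdigest().upper(),
            hashlib.sha1(data).hexdigest().upper())

def classify(index, data):
    """Rule a file in or out of the whitelist.
    'known'    both digests point at the same NSRL entry: a known-good file.
    'unknown'  absent from the set: not proof of malware, just not whitelisted.
    'mismatch' only one digest is listed (corrupt row or hash collision), so
               the file must not be treated as trusted.
    """
    md5, sha1 = hash_bytes(data)
    by_md5, by_sha1 = index.get(md5, set()), index.get(sha1, set())
    if by_md5 & by_sha1:
        return "known", sorted(by_md5 & by_sha1)
    if by_md5 or by_sha1:
        return "mismatch", sorted(by_md5 | by_sha1)
    return "unknown", []

if __name__ == "__main__":
    whitelist = load_whitelist(SAMPLE_NSRL)
    print(classify(whitelist, b"hello world"))   # known
    print(classify(whitelist, b"hello world!"))  # unknown
```

Against the real hash set, point `load_whitelist` at the contents of the downloaded NSRLFile.txt; an "unknown" result only means the file is not in the whitelist and still needs the malware-side checks reviewed below.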

ISC Tools Searchable WhiteList Hash Db.

This site lets you search online for a hash or filename in the NIST National Software Reference Library. The downside is that they are running their search against an old version of the database (version 2.27, December 2009). Since new files are constantly appearing, it is very likely that you will not find the hash you are searching for using this tool.

http://isc.sans.edu/tools/hashsearch.html

Another option to search the NSRL database online is the NSRL Search Engine provided by:

Whitehat Computer Forensics, LLC

I tried a search with their online engine for McAfee’s mcshield.exe and the search lasted several minutes and afterwards the site would no longer load for me. I can’t claim that this is a fast tool to use. Supposedly it scans hashes and returns a safe/not-safe result.

http://nsrl.hashsets.com/MD5/output/nsrl_search.php

Team Cymru’s MD5/SHA-1 Online Hash Lookup (MHR)

http://hash.cymru.com/

This is a good resource for checking your files online. Note that only malware will return a positive; whitelisted files will not be found. I confirmed this by submitting the MD5 for mcshield.exe.

MHR is a nonprofit organization, free for non-commercial use.

ViCheck

https://vicheck.ca/

The ViCheck online service allows you to either check a file’s MD5 signature for known malware, or you can upload the file directly.

Their MD5 hash scanner is located at:

https://vicheck.ca/md5query.php

The nice thing about ViCheck’s hash scan is that it checks some of the other hash scanners I have reviewed, so in this regard ViCheck is a meta-scanner based on other meta-scanners.

You can upload multiple files to scan on the ViCheck.ca home page, but must provide your email address for them to get back to you with the results. The file checking utility is useful for extracting and analyzing executables from common document format files.

Bit9 Online FileAdvisor

https://fileadvisor.bit9.com/services/search.aspx

Bit9 offers an online search function as well as an application. They seem to be pushing users towards their paid solution by requiring a login and limiting their lookups to just 10 files/day. I am not convinced their service is better than the freely available ones I have tried out.

As I mentioned, the online search will let you look up a maximum of just 10 files/day. You search by the file name or hash in their search tool. Be aware that you must create an account with a somewhat long form before you can start searching. Interestingly the Bit9 site also lets you browse by virus publisher, or by infection source (URL).

You can also download and run their FileAdvisor software. I was not able to get this service to work properly on Win 7 so I would suggest going with their online search tool.

Online File Scanners

VirusTotal:

One of the most well known meta-scanners today, VirusTotal analyzes files by sending the file to the scan engines of several antivirus labs. Your file is uploaded, analyzed, and shared. You can also choose to search by MD5, SHA-1, or SHA-256, or enter a suspicious URL to check.

The VirusTotal online file scanner supports file sizes of 64MB on the web site and 32MB through their API. This should be more than enough in most cases.

https://www.virustotal.com/en/#file

VirusTotal supports user-built apps using their Public API v2.0

https://www.virustotal.com/en/documentation/public-api/

You can also download and run the VirusTotal Uploader (VTUploader) application to automatically upload multiple files for scanning.

Here is the Wikipedia entry for VirusTotal:

http://en.wikipedia.org/wiki/VirusTotal

System Explorer

http://systemexplorer.net/file-database

The System Explorer online tool allows you to look up files by name. They claim to have one of the biggest online databases of file information available, which I certainly believe given the popularity of their free scanning tool (System Explorer).

Unfortunately, on the online site I did not see a place to look up a file by name or by hash. One needs to browse their convoluted directory to try to track down files. It would be nice if they had search functionality.

However, if you are using the System Explorer application to check your system, then you will find it very easy and intuitive to use and to look up files with. I highly recommend this tool if you are checking your local machine.

http://systemexplorer.net/download.php

Meta Scan

https://www.metascan-online.com/

The Meta Scan online scanning engine is freely available and checks your files with 43 AntiVirus providers. As the name indicates, it is a meta scanner that aggregates the scan results for you to check. As with other scanners, once your file has been uploaded, it will be shared with the AntiVirus labs for analysis, so don’t upload confidential files, or files you don’t want publicly available.

Meta Scan offers a public API that you need to contact their sales department to use:

https://www.metascan-online.com/en/public-api

Anubis

http://anubis.iseclab.org/

Anubis supports Windows and Android. Its service is somewhat different from others. You can submit your executable file and the Anubis services will attempt to tell you what it does. Alternately, you can give Anubis a URL and it will check the site for attacks such as drive-by downloads.

The analysis done by Anubis is quite thorough and problems with the uploaded executable are pinpointed in detail. The average analysis time, though, can easily be 10 minutes for a single file.

Useful information reported includes processes spawned by the executable, files created, registry values modified, and run-time DLLs. This is definitely an invaluable tool for tracking the footprint of a virus or of malware.

Threat Expert

http://www.threatexpert.com/

Their Web site has a lot of useful information including the geographic distribution of threats, and lists of the top malware and adware currently in circulation. They have a number of tools available including a free online file scanner.

Their site also offers a threat browser where you can look through an A-Z directory of threats, the threat magnitude, and threat description.

They also offer a so-called side effect scanner, which lets you enter unknown registry keys or CLSIDs for analysis. You can also use their memory scanner to check your running memory for malware.

I find that their site is prone to slowness. Often the scanning options freeze or become unavailable.

Jotti: VirusScan.jotti.org

http://virusscan.jotti.org/en (File submission/analysis URL)

You can submit files to be checked online with Jotti’s malware scanner. Jotti is an aggregator similar to VirusTotal that will show the results of multiple scans of your file from various AntiVirus providers. Note that any file that you upload will be freely shared with the anti-virus companies that check your file.

In addition to its file scan, Jotti also offers an MD5/SHA-1 hash search function. Here is the URL for the hash search:

http://virusscan.jotti.org/hashsearch.php

Downloadable Scanning Applications

Here I will review some of the system scanning applications I found. Note that I have already covered some above such as the System Explorer application which ties in very closely with the System Explorer online service.

Overall I was not impressed with the file scanning tools that I found. I would definitely stick with the online file checking services. The only file scanning application that I like and actually use is System Explorer.

RunScanner

http://www.runscanner.net/

This is a freeware scanner for Windows that scans your system for malware and hijack points. The scanner works well on my Win 7 machine and the report that the tool generated was somewhat useful.

You can submit your results for anonymous online analysis, but the database was not able to identify many common files, which makes me doubt the extent of their database. I do not feel that this is particularly impressive software, but it does seem like it could be useful.

WINMHR Scanning Application:

http://www.team-cymru.org/Services/MHR/WinMHR

I like the MHR’s online file scanner. I do not, however, like their application.

Specifically, here are my findings: the MHR scanner is offered as freeware that does not share your files, but is intended as a freely available virus detector to complement your Anti-Virus software. It can also monitor running programs for malicious activity. It is based on Team Cymru’s Malware Hash Registry which I reviewed earlier. Team Cymru is a nonprofit organization. The current version of their software cannot scan 64-bit processes, which makes it virtually useless for anyone with a modern computer. In the end I did not find this tool useful for that reason. Team Cymru’s Malware Hash Registry, on the other hand, is quite useful.
