Various 'must have' Online Tools for Sec, pt 1

There are two updates to this post (marked UPDATE below)...

UPDATE: another good online static malware analysis tool we all know and love, is back up and running. Based on the Cuckoo Sandbox: ~] Malwr.com [~

There are many tricks and trade secrets that we (or anyone within cybersec) just don't share. But we have decided that some online tools are just too good to keep secret. If they stay secret, they aren't around for long; a kind of respect thing. I have another shortlist of very handy online tools at the bottom of our most recent reversing and analysis post, ~] decoding a malicious webshell [~. These play a big part in our processes and are used several times daily.

Some of the tools below you may already be familiar with, or even use. If not, you should commit them to memory. Trust us, they will always come in handy. This is only a shortlist; we will add more and update as appropriate.

The first you hopefully are quite familiar with; if you are not using it religiously, (please) start. It's automatically installed with the Chrome browser but is also available as an add-on for other browsers. The other 'versions' that need installing are similar, but the Chrome version is by far the most powerful, IMO only, and that is why I put it first on our "Must Have" list. The power is incredible and the capabilities are vast. You only need to start playing with it to realize its worthiness in an analyst sense. I am talking, of course, about Developer Tools: a wealth of tools is just a right-click away. It's far too expansive to discuss here, and if you are reading this, we shouldn't have to teach you how to use it (haha). Once you start navigating through everything, your mind will auto-populate with all its functional applications and the wealth of info it can provide. I have it open every session, on all sites visited. You would be surprised what's lurking behind the scenes of the displayed page.

Next up, for those that are awake (or in our case, leaning more towards the paranoid side) ;). A great site to check the HTTP request/response info and view the page source statically, without rendering it in your own browser. Check out:
~] Web-Sniffer [~

A newly remodeled site with a wealth of network related tools and lookups:
~] MXToolbox [~

A great tool that dynamically visits a page, gives JavaScript totals, graphically displays all HTTP connections (or as I like to call them, drive-by DLs) and lists all request and response headers. I had someone tell me to check out this cool stats page, but obviously before I went I ran it through this site. My hunch was right. The single page had almost 100 JS evals and over 150 HTTP connects. Everything from trackers, resource skimmers, malicious fonts, you name it, it had it. That being said...use it! ;) You can even emulate specific browsers and referrers to see how the returned data is modified:
~] URLQuery [~
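The "look before you visit" workflow behind Web-Sniffer and URLQuery can also be done locally on a saved copy of a page. The script below is an added example, not code from the original post or from either service: it statically inventories raw HTML for script tags, inline eval() calls and every external host the page would contact when rendered, without executing anything. The sample HTML and the hostnames in it are constructed for this example; the browser/referrer emulation the post mentions is not part of this script.

```python
"""Offline, no-execution triage of a page's HTML source.

Added example (not from the original post, Web-Sniffer or URLQuery). Feed it
raw HTML and it reports what the page would pull in if rendered: number of
<script> tags, eval() calls in inline scripts, and the third-party hosts
referenced by src/href/data/action attributes. The sample below is constructed.
"""
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one tracker script, a third-party font, an inline
# eval chain, a tracking pixel, an ad iframe and one internal link.
SAMPLE_HTML = b"""<html><head>
<script src="https://cdn.example-tracker.test/t.js"></script>
<link rel="stylesheet" href="//fonts.example-fonts.test/f.css">
<script>var p = eval(atob("YWxlcnQoMSk=")); eval(p);</script>
</head><body>
<img src="http://stats.example-skimmer.test/pixel.gif">
<iframe src="https://ads.example-ads.test/frame"></iframe>
<a href="/local/page">internal link</a>
</body></html>"""

EVAL_RE = re.compile(r"\beval\s*\(")


class ResourceInventory(HTMLParser):
    """Collect script tags and external resource hosts from raw HTML."""

    # attributes through which a page pulls in or posts to other hosts
    SRC_ATTRS = {"src", "href", "data", "action"}

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.script_tags = 0
        self.inline_js = []            # bodies of <script> blocks without src
        self.external_hosts = Counter()
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self.script_tags += 1
            self._in_inline_script = "src" not in attrs
        for name, value in attrs.items():
            if name in self.SRC_ATTRS and value:
                # scheme-relative '//host/x' URLs get a scheme so netloc parses
                host = urlparse(value, scheme="https").netloc
                if host and host != self.page_host:
                    self.external_hosts[host] += 1

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies over as raw data (CDATA mode)
        if self._in_inline_script:
            self.inline_js.append(data)


def triage(html_bytes, page_host):
    """Return a summary of what the page would do if rendered in a browser."""
    parser = ResourceInventory(page_host)
    parser.feed(html_bytes.decode("utf-8", errors="replace"))
    parser.close()
    evals = sum(len(EVAL_RE.findall(js)) for js in parser.inline_js)
    return {
        "script_tags": parser.script_tags,
        "inline_evals": evals,
        "external_hosts": dict(parser.external_hosts),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_HTML, "www.example-stats.test")
    print(f"script tags: {report['script_tags']}, eval() calls: {report['inline_evals']}")
    for host, n in sorted(report["external_hosts"].items()):
        print(f"  would contact {host} ({n} resource(s))")
```

The counts are a triage signal, not a verdict: a page with dozens of external hosts and eval() chains deserves the sandboxed, dynamic look that URLQuery gives before it is opened in a browser you care about. Scripts loaded from other hosts are only counted here, not fetched, so nothing leaves the machine.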

Check up on the latest blacklists and other caution data:
~] URLVoid [~

I will list some other more task-specific tools in pt 2, very handy sites to have bookmarked. But I will leave you with three gems for file/site malware and behavioral analysis (especially the last two). The first is PDFs only, and is really best for more advanced analysis and those with more experience reading raw dumps. It does a great job of picking out malware and effectively identifying any YARA rules triggered, taking apart and analyzing the hidden areas of the PDF:
~] Malware Tracker [~ (aka PDF-Examiner). The same authors have sister services for document types other than PDF:
~] Quicksand [~, focused on phishing using most M$ Office docs, or:
~] Cryptam [~, focusing on hidden executables or payloads.
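To show what "taking apart the hidden areas of the PDF" means at the raw-dump level, here is an added example (not code from the original post or from Malware Tracker/PDF-Examiner) that counts the PDF name objects which give a document active behaviour, in the spirit of a pdfid-style first pass. It normalises the #xx hex escapes PDF allows inside names, because `/Java#53cript` is the same name as `/JavaScript` and a plain grep misses it. The PDF bytes are constructed for the example.

```python
"""pdfid-style triage counts over raw PDF bytes.

Added example; not from the original post or Malware Tracker. Counts the
name objects that mark active content (/JavaScript, /Launch, ...) and the
auto-triggers (/OpenAction, /AA) that fire them, after undoing #xx name
escapes. The sample document below is constructed.
"""
import re

# Name objects an analyst wants counted before opening a PDF anywhere
RISKY_NAMES = [
    b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
    b"/EmbeddedFile", b"/RichMedia", b"/ObjStm", b"/XFA", b"/URI",
]

HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed sample: a catalog whose /OpenAction runs a JavaScript action,
# with the action's name obfuscated as /Java#53cript.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /S /Java#53cript /JS (app.alert('constructed sample')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def normalize_names(data):
    """Decode #xx escapes so /Java#53cript is counted as /JavaScript.

    PDF only defines the escape inside names; applying it to the whole file
    is a deliberate triage shortcut and can touch '#' bytes in stream data.
    """
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_risky_names(data):
    """Return {name: occurrences} for every name in RISKY_NAMES."""
    normalized = normalize_names(data)
    counts = {}
    for name in RISKY_NAMES:
        # a name ends at whitespace or a delimiter, so /JS must not match /JSX
        pattern = re.escape(name) + rb"(?![0-9A-Za-z])"
        counts[name.decode()] = len(re.findall(pattern, normalized))
    return counts


def structure_counts(data):
    """obj/endobj and stream/endstream totals; mismatches hint at truncation."""
    return {
        "obj": len(re.findall(rb"\bobj\b", data)),
        "endobj": len(re.findall(rb"\bendobj\b", data)),
        "stream": len(re.findall(rb"\bstream\b", data)),
        "endstream": len(re.findall(rb"\bendstream\b", data)),
    }


def is_suspicious(counts):
    """Active content plus an automatic trigger is the classic malicious shape."""
    active = counts["/JavaScript"] + counts["/JS"] + counts["/Launch"]
    trigger = counts["/OpenAction"] + counts["/AA"]
    return active > 0 and trigger > 0


if __name__ == "__main__":
    counts = count_risky_names(SAMPLE_PDF)
    for name, n in counts.items():
        if n:
            print(f"{name:14} {n}")
    print("structure:", structure_counts(SAMPLE_PDF))
    print("suspicious:", is_suspicious(counts))
```

Treat the result as a reason to submit the file to a service like PDF-Examiner, not as a verdict on its own: plenty of legitimate forms carry JavaScript, and a count of zero says nothing about content hidden inside compressed object streams, which need to be inflated before this kind of scan sees their names.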

These two put most of the well-known malware analyzers to shame. Don't have any suspicious files? They have many freshly analyzed samples, even categorized by threat:
~] Hybrid-Analysis [~ or sister site, ~] ReverseIt [~

And IMO, I've saved the best and most intelligent for last: it digs up more detail, reveals more hard-coded data and has powerful, custom de-obfuscation capabilities. However, even though it provides you with a list of all the strings within the object, it does not 'translate' them, sorry. Amazing amount of detail though. Similar to the vast data from other submissions on Hybrid-Analysis' site, you have a wealth of categorized malware at < https://intel.deepviz.com/recap_samples.php >. Reviewing these samples can really give you an idea of how complex the new malz have become.
DeepViz UPDATE: this site has moved to requiring a free account signup. However, both the new member signup and the password reset request are throwing invalid domain error codes. The app is in a degraded state.

That's all for now, check back for updates and get the most done...online. We only provide quality sites, tools and links and are never compensated for any mentions. Please let us know if you have trouble with any links. There are many good tools and services out there. It doesn't always need to be your sandbox (or 'lab') that gets destroyed with malware analysis and reversing. It's OK to let the online resources take the hits when applicable. Save your own sandbox and/or Linux machine from fresh image rebuilds. Malware can leave a BIG mess on local, especially the new breeds! Cheerz All !

 respects,

       .. D_c0 ..
