Malware Investigation Tools and Notes

Investigating possible malware involves both detection and identification phases. Here are some notes regarding the tools I commonly use for these two phases .. note this is intended to be a living document so may change as I learn of new resources or as older resources become stale or no longer very useful.

WARNING: Links shown below may lead to sites with active malware. Do not navigate to any site or link unless you know what you are doing.

Detection

Tools like HP TippingPoint IPS do a good job of detecting vulnerabilities (versus exploits) and also use vulnerability research and lighthouse sensors across the world to confirm infected systems (by IP) and sites (by domain).

Research

Both Google and Scumware have good domain and URL status reporting data.  URL shortening services are notorious for masking domains that have become infected, although there may be a large percentage of legitimate sites to which they refer. An example is the WordPress site wp.me:

http://www.google.com/safebrowsing/diagnostic?site=wp.me

http://www.scumware.org/report/wp.me

 Broad industry trends and general knowledge of attacks, outbreaks and other relevant news can be found on various blog sites:

hp.com/go/hpsrblog