
CalamityJane
Premium,MVM
join:2002-08-27
Eustis, FL
kudos:8

1 edit

3 recommendations

Seeking new Malware Analyzer Tool (A.D.E.M.A)

Version 1.2
Michael, can we get a copy of this somewhere?

Written by: Gladiator_AV

said by Gladiator_AV:
But it is not a "scanner" like an AV scanner; it is a tool
for classifying malware (new and unknown malware).

You have to "Drag'n'Drop" Malware into it and if it detects something it alerts you.

Probably you should start a thread in the public DSLR security forum, because if I send it only to you I will get requests from other people as well.

And maybe the users (who suspect a file to be a virus or something) can scan it with ADEMA beforehand, so that we know what type of malware we are speaking about.

I improve this little program all the time, because it is a great help for me here at work.

It is even able to analyse polymorphic viruses (such as parite.b and Mimail.Q or Dumaru) and so on.
I think this would be very useful for some of us who have suspicious files to submit
--
It takes a disaster to make a woman out of a female

Gladiator Security Forum

psloss
Premium
join:2002-02-24
Lebanon, KS

2 recommendations

said by CalamityJane:
I think this would be very useful for some of us who have suspicious files to submit
Absolutely -- if it has a general Portable Executable (Windows 32-bit executable) unpacking engine, then I could use it every day for stuff that's packed with things like ExeStealth or double-packed or packed and then altered and so on.

Rather than purely just for submitting though, I want to be able to at least dump embedded strings from the unpacked file and also dump the different headers to get a better idea about what a particular nasty does...

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org


Gladiator_AV
Premium
join:2002-10-20

3 recommendations

reply to CalamityJane
Screenshot: Collector Dialog
Screenshot: Adema detects a Porn Dialer
Screenshot: Polymorphic Virus Detected
I am just working (updating) on version 1.3 now - it will then be able to collect malware from a whole PC into one single directory (called MALWARE-FOLDER) - all you have to do then is zip this folder and send it.

It includes an ADEMA analysis for each sample, so that an AV vendor knows what it is (for instance a dialer, a worm, a polymorphic virus and so on).

I will provide some screenshots here first.

Here is the first screenshot: The Malware-Collector-Dialog (new since Version 1.3)
--
Live Video Stream from home!
Here you can watch me at home in realtime.


John2g
Qui Tacet Consentit
Premium
join:2001-08-10
England
kudos:1
reply to CalamityJane
That looks good Michael.


Gladiator_AV
Premium
join:2002-10-20

6 recommendations

reply to CalamityJane
Attachment: setup.zip (623,333 bytes) - Setup Version 1.3 (setup.exe)
SETUP-DOWNLOAD for Version 1.3

Please Note: This is NOT a virus scanner. It does NOT protect you. It is a Malware Analyser which is able to deal with new, unknown malware.

This means you can scan your PC and it will "collect" suspicious files into one folder called "MALWARE" (a subfolder of your installation folder).

It does NOT unpack ZIP or RAR files. But it is very, very fast and detects a lot of brand new malware and even polymorphic viruses / worms.

It can even create signatures (for some types of malware) fully automatically.

You can scan single files via Drag'n'Drop or whole Drives / Folders via the "Collector Mode".

This program does NOT delete any files. The Collector only copies a suspicious file into the MALWARE FOLDER.

And... it is still under development. There is no daily update because it works completely without signatures.

Have fun,
Michael
--
Live Video Stream from home!
Here you can watch me at home in realtime.


Martinus
Premium
join:2001-08-06
EU
said by Gladiator_AV:
SETUP-DOWNLOAD for Version 1.3
Thanks for your work, Michael.

Regards
Martin
--
From the GSV "Dubious Existence"

Tablet
Premium
join:2003-01-15
Czech
reply to Gladiator_AV
Thanks for this excellent tool. So far I got only one FP, with a file ConfigWizard.exe in the Kazaa Lite installation. No other suspicious files on my system drive.


CalamityJane
Premium,MVM
join:2002-08-27
Eustis, FL
kudos:8

1 edit

1 recommendation

reply to CalamityJane
Very Cool Beans! THANK YOU MICHAEL (and just in time for my birthday)

Now if I can just figure out how to work it LOL....I'm slow but I'll get there

A question: Is this just for worms and trojans, viruses, etc. (not for spyware/hijackers?)

P.S. It Talks! (Maybe we can have some of your infamous cool music at the start in the next version?)
--
It takes a disaster to make a woman out of a female

Gladiator Security Forum


dp
Premium,MVM
join:2000-12-08
Greensburg, PA
kudos:7
reply to Gladiator_AV
said by Gladiator_AV:
SETUP-DOWNLOAD for Version 1.3

Thank you very much!!
--
Write your questions down on the back of a $20 dollar bill and send them to me


Martinus
Premium
join:2001-08-06
EU

1 edit
reply to Gladiator_AV
I checked the Enable Polymorphic Analysing option and it doesn't look slow to me. That's on a spare PIII 700 MHz box, so it must be pretty tightly coded.

Edited for this observation:

It would be even faster if the scan skipped some files, either user chosen or standard *.inf, *.txt, *.gif, etc

--
From the GSV "Dubious Existence"


markwp2001
Spreadhead
Premium
join:2002-05-25
Long Beach, MS

2 recommendations

reply to CalamityJane
Things that cause people to be excited:

Sports fans: March Madness and the start of baseball season

Nature lovers: Beginning of spring

Geeky computer security fanatics: A new security app

Thanks, Michael
--
Widespread Panic - when only the best will do ...


Gladiator_AV
Premium
join:2002-10-20
reply to Martinus
said by Martinus:
I checked the Enable Polymorphic Analysing option and it doesn't look slow to me. That's on a spare PIII 700 MHz box, so it must be pretty tightly coded.

Edited for this observation:

It would be even faster if the scan skipped some files, either user chosen or standard *.inf, *.txt, *.gif, etc


It does not do polymorphic analysis on "all" files; only on directly infectable files such as executables.

It has a filetype engine, so it does not analyse "useless" files.
--
Live Video Stream from home!
Here you can watch me at home in realtime.


Martinus
Premium
join:2001-08-06
EU
said by Gladiator_AV:
It does not do polymorphic analysis on "all" files; only on directly infectable files such as executables.

It has a filetype engine, so it does not analyse "useless" files.

Sorry. I saw in the scanning status some references to ini and inf files. It probably displays all the files, not only those processed.
--
From the GSV "Dubious Existence"


Gladiator_AV
Premium
join:2002-10-20
reply to CalamityJane
said by CalamityJane:


A question: Is this just for worms and trojans, viruses, etc. (not for spyware/hijackers?)

Most spyware contains some sort of "Downloader-Trojan" - many of them are detected in advance.
However, it does not (yet) analyse browser helper objects (such as Explorer DLLs), but if I am in the mood to do that I will try it.
--
Live Video Stream from home!
Here you can watch me at home in realtime.


Gladiator_AV
Premium
join:2002-10-20
reply to Martinus
said by Martinus:
Sorry. I saw in the scanning status some references to ini and inf files. It probably displays all the files, not only those processed.

Well, it must scan *.INI files because of IRC Worms
--
Live Video Stream from home!
Here you can watch me at home in realtime.


Martinus
Premium
join:2001-08-06
EU
said by Gladiator_AV:
Well, it must scan *.INI files because of IRC Worms
Well done, lad !
--
From the GSV "Dubious Existence"


CalamityJane
Premium,MVM
join:2002-08-27
Eustis, FL
kudos:8
reply to CalamityJane
Woooo Hoooo, even I figured out how to work it ....(life is good!)


Martinus
Premium
join:2001-08-06
EU

3 recommendations

said by CalamityJane:
Woooo Hoooo, even I figured out how to work it ...
Great!!

Michael, you won't need to make a chick version after all. :) Cut development time by 2.
--
From the GSV "Dubious Existence"


spy1
Welcome to Amerika
Premium
join:2002-06-24
Charlotte, NC
reply to CalamityJane
Looks good, Michael. Great job. Pete


Gladiator_AV
Premium
join:2002-10-20

4 recommendations

reply to CalamityJane
Screenshot of Logfile
Attachment: setup.zip (623,765 bytes) - Setup Version 1.4 (setup.exe)
  
And here is version 1.4, now with log support for the Collector Mode (see screenshot).
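As an added illustration (not ADEMA's code; the thread shows screenshots and feature descriptions, not internals), here is a toy Python "collector mode" of the kind Michael describes above and in his version 1.3 post: it types files by content rather than extension (the "filetype engine"), scans text such as *.ini as well as executables (the IRC-worm case raised later in the thread), dumps the embedded strings and section headers that psloss asked for, and copies, never deletes, anything flagged into a MALWARE folder while appending a log line. The indicator strings, the entropy threshold and the verdict labels are assumptions chosen for the example, and the sample inputs are constructed, harmless PE skeletons and text, not real malware.

```python
"""Added example (not ADEMA's code): a toy 'collector mode' that types files by
content, parses PE section headers, dumps strings, applies a few ASSUMED
heuristics, and COPIES (never deletes) flagged files into a MALWARE folder."""
import math
import re
import shutil
import struct
import tempfile
from collections import Counter
from pathlib import Path

PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")             # ASCII runs of 6+ chars
PE_SUSPECT = (b"URLDownloadToFile", b"WinExec", b"ShellExecute")  # assumed downloader APIs
IRC_SUSPECT = re.compile(rb"on\s+\S*:JOIN:.*?dcc\s+send", re.I | re.S)  # assumed mIRC worm hook
PACKED_ENTROPY = 7.0                                     # bits/byte, assumed cut-off


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; close to 8.0 means packed/encrypted."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def file_type(data: bytes) -> str:
    """Type by magic bytes, so a renamed executable is still analysed."""
    if data[:2] == b"MZ" and len(data) > 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe"
    if data and all(b in b"\t\r\n" or 0x20 <= b < 0x7F for b in data[:4096]):
        return "text"
    return "other"


def pe_sections(data: bytes):
    """Return (entry-point RVA, [(name, rva, size, raw bytes), ...]) from the headers."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    nsec = struct.unpack_from("<H", data, pe + 6)[0]            # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]       # SizeOfOptionalHeader
    entry = struct.unpack_from("<I", data, pe + 40)[0]          # AddressOfEntryPoint
    sections, off = [], pe + 24 + opt_size                      # first IMAGE_SECTION_HEADER
    for _ in range(nsec):
        name, vsize, rva, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        sections.append((name.rstrip(b"\0").decode("latin-1"), rva,
                         max(vsize, rsize), data[rptr:rptr + rsize]))
        off += 40
    return entry, sections


def classify(data: bytes):
    """Illustrative verdict label, or None when nothing matched."""
    kind = file_type(data)
    if kind == "pe":
        entry, sections = pe_sections(data)
        for name, rva, size, raw in sections:            # entry point in a packed section?
            if rva <= entry < rva + size and entropy(raw) >= PACKED_ENTROPY:
                return f"packed PE (entry section {name}, entropy {entropy(raw):.2f})"
        hits = [s for s in PRINTABLE.findall(data) if any(i in s for i in PE_SUSPECT)]
        if hits:
            return "possible downloader trojan (" + b", ".join(hits).decode() + ")"
    elif kind == "text" and IRC_SUSPECT.search(data):    # why *.ini files get scanned too
        return "IRC worm script"
    return None


def collect(root: Path, malware_dir: Path):
    """Walk root; copy each flagged file into malware_dir and append to collector.log."""
    malware_dir.mkdir(parents=True, exist_ok=True)
    found = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if malware_dir in path.parents:
            continue                                     # never rescan our own output
        verdict = classify(path.read_bytes())
        if verdict:
            shutil.copy2(path, malware_dir / path.name)  # copy only; the original stays
            with (malware_dir / "collector.log").open("a") as log:
                log.write(f"{path}\t{verdict}\n")
            found.append((path, verdict))
    return found


def build_sample_pe(code: bytes) -> bytes:
    """Constructed, non-runnable PE skeleton with one .text section holding `code`."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)              # entry point RVA inside .text
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, len(code),
                       0x40 + 24 + 0xE0 + 40, 0, 0, 0, 0, 0x60000020)
    return dos + coff + bytes(opt) + sect + code


def demo() -> dict:
    """Run the collector over constructed samples in a temp dir (no real malware)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "tool.exe").write_bytes(
            build_sample_pe(b"\x90" * 64 + b"URLDownloadToFile\0" + b"\x90" * 64))
        (root / "packed.scr").write_bytes(build_sample_pe(bytes(range(256)) * 4))
        (root / "script.ini").write_bytes(
            b"[script]\r\non 1:JOIN:#:{ /dcc send $nick c:\\mirc\\script.ini }\r\n")
        (root / "system.ini").write_bytes(b"[boot]\r\nshell=explorer.exe\r\n")
        found = collect(root, root / "MALWARE")
        return {"verdicts": {p.name: v for p, v in found},
                "originals_kept": all(p.exists() for p, _ in found),
                "log_lines": len((root / "MALWARE" / "collector.log").read_text().splitlines())}
```

Calling `demo()` flags the constructed downloader skeleton, the high-entropy "packed" skeleton and the mIRC script, and leaves system.ini alone. Note the caveat the thread itself runs into a few posts later: string and API heuristics like these will also trip on legitimate remote-administration tools (VNC, WallWatcher) that share behaviour with backdoors, which is exactly why a collector should copy for analysis rather than delete.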



markwp2001
Spreadhead
Premium
join:2002-05-25
Long Beach, MS
said by Gladiator_AV:
And here is version 1.4, now with log support for the Collector Mode (see screenshot).



You're just showing off now ....
--
Widespread Panic - when only the best will do ...


markwp2001
Spreadhead
Premium
join:2002-05-25
Long Beach, MS
reply to Martinus
said by Martinus:
said by CalamityJane:
Woooo Hoooo, even I figured out how to work it ...
Great!!

Michael, you won't need to make a chick version after all. :) Cut development time by 2.

You do realize CalamityJane is armed and dangerous?
--
Widespread Panic - when only the best will do ...


Vampirefo
Premium,MVM
join:2000-12-11
Huntington, WV
kudos:1

1 edit
reply to CalamityJane
Several false positives; one is WallWatcher. This program, WallWatcher, is made by a dslreports member and it's not a VB5 Backdoor.
--
Spam Officially Legal


anthrorules
Premium
join:2003-09-14
Rollinsville, CO
False Positive: LeechGet.exe


Gladiator_AV
Premium
join:2002-10-20
reply to CalamityJane
I am waiting for the "VNC false positive"... (Yes, it is detected as a backdoor...)

Guys, this is not a "normal AV scanner" - it doesn't use signatures. It looks for the behaviour, and if something is similar to a known malware type it tells you so.

However, I can fix the so-called "false positives" with the next update.
--
Live Video Stream from home!
Here you can watch me at home in realtime.


lolaa

@205.166.x.x
The next update? When will that be posted?? 5pm?

Heh. I downloaded v1.3, came back 20 minutes later and v1.4 was posted!

I jest. Nice program. My s-i-l's PC is an excellent candidate for using this program in collector mode.

Cable modem, no firewall, no patches, no SPs, and she is running WinXP. Adaware 6 found somewhere on the order of 360 problems, Spybot found a few more.

She has a file called calsdr that is malware of some type. When I try to delete it her computer reboots itself.

Oh, well... guess I'll RDC into her box and dig around. Install this and see what nasty bugs rear their ugly heads.

They used to call me a geek. I never believed them until just now.


gkweb

join:2003-06-09
Fort Worth, TX
reply to CalamityJane
Good job !

seems a nice program, added to my security program list


MapleLeaf
Premium
join:2001-09-04
Burnaby, BC
reply to Gladiator_AV
Thanks, Michael, you are the best


Gladiator_AV
Premium
join:2002-10-20
reply to CalamityJane
One of the next versions will be able to disassemble code into readable source code and draw graphical flowcharts of the program behaviour.

Maybe I will add a decryption function to decrypt backdoor / Trojan notifier data (so that you can see to which email / ICQ number your data was sent); all is possible.
--
Live Video Stream from home!
Here you can watch me at home in realtime.


Alwill
Lost time is never found again.
Premium,MVM
join:2002-09-25
Sydney, OZ

1 edit
reply to CalamityJane
TVM Michael; now, similar to CJ, will be putting on my Learner tags.

EDIT And thanks CJ for introducing the topic; forgive my initial omission.