Rokop Security


Post 27.09.2012, 18:58
Post #1

Salmei, Dalmei, Adonei

Group: Members
Posts: 4,868
Member since: 28.05.2003
Member no.: 95

Zero Wine: Malware Behavior Analysis, likewise something for the experts here!


Zero wine is an open source (GPL v2) research project to dynamically analyze the behavior of malware. Zero wine just runs the malware using WINE in a safe virtual sandbox (in an isolated environment), collecting information about the APIs called by the program.

The output generated by Wine (using the debug environment variable WINEDEBUG) is the list of API calls made by the malware (and the values used by it, of course). With this information, analyzing the malware's behavior turns out to be very easy.

How does it work?

Zero wine is distributed as one QEMU virtual machine image with a Debian operating system installed. The image contains software to upload and analyze malware and to generate reports based on the information gathered (this software is stored in /home/malware/zerowine).

Running the distributed virtual machine with the correct command line options (use the supplied startup shell script to run the virtual machine) provides a web-based graphical interface (the web server is written in Python) to upload malware to be analyzed (a CGI, also written in Python).

When a new malware sample is uploaded, it is copied to the directory /tmp/vir/MD5_OF_THE_FILE; then the previously created WINE environment (WINEPREFIX, if you prefer) is removed and a backup system is untarred (the backup system is /home/malware/backup/backup.tar.gz). After this operation, the malware is executed using the shell script (the file is stored in the folder /home/malware/bin).

NOTE: The current system is subject to change as it doesn't allow the analysis of more than one malware at a time. In the future, every time you upload a new malware file it will be added to a queue for later analysis and a new WINEPREFIX specific to run this malware will be created.




I don't have a homepage; for those who don't believe it:

Spend most of my time in a state of Dementia wondering where I am.
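Added example, not Zero Wine's own code and not from the post above: what the "analyze" step has to work with once Wine has produced the WINEDEBUG output described in the post, i.e. turning a +relay trace into a list of API calls with their string arguments and return values, plus a rough behaviour summary of the kind a report would show. The line layout assumed here (`tid:Call MOD.func(args) ret=addr` and `tid:Ret MOD.func() retval=value ret=addr`) is Wine's relay channel as I know it; the trace in the block is constructed, not a real capture, and the file/registry/network tags are a hypothetical heuristic, not something the project defines.

```python
"""Turn a WINEDEBUG=+relay trace into an API-call list and a behaviour summary.

Added example, not Zero Wine's code. Line layout assumed (Wine's +relay channel):
  <tid>:Call MOD.func(arg,arg "string",...) ret=<addr>
  <tid>:Ret  MOD.func() retval=<value> ret=<addr>
The trace below is constructed, not a real capture; the behaviour tags are a
hypothetical heuristic, not something the project defines.
"""
import re
from collections import Counter, defaultdict

# Constructed sample trace (not a real capture).
SAMPLE_RELAY_LOG = r"""
0009:Call KERNEL32.GetModuleHandleA(00000000) ret=00401012
0009:Ret  KERNEL32.GetModuleHandleA() retval=00400000 ret=00401012
0009:Call KERNEL32.CreateFileA(0040305c "C:\\windows\\system32\\drop.exe",40000000,00000000,00000000,00000002,00000080,00000000) ret=00401056
0009:Ret  KERNEL32.CreateFileA() retval=00000054 ret=00401056
0009:Call ADVAPI32.RegSetValueExA(00000088,00403080 "Updater",00000000,00000001,0040309c "C:\\windows\\system32\\drop.exe",00000020) ret=004010a3
0009:Ret  ADVAPI32.RegSetValueExA() retval=00000000 ret=004010a3
0009:Call WS2_32.connect(00000058,0033fd40,00000010) ret=004010f0
0009:Ret  WS2_32.connect() retval=ffffffff ret=004010f0
0009:Call KERNEL32.ExitProcess(00000000) ret=00401100
"""

LINE_RE = re.compile(
    r"^(?P<tid>[0-9a-f]+):(?P<kind>Call|Ret)\s+"
    r"(?P<module>[^.\s]+)\.(?P<func>[^(\s]+)\((?P<args>.*)\)"
    r"(?:\s+retval=(?P<retval>[0-9a-f]+))?\s+ret=[0-9a-f]+\s*$"
)
STRING_RE = re.compile(r'L?"((?:[^"\\]|\\.)*)"')   # "..." or L"..." arguments
GENERIC_WRITE = 0x40000000


def parse_relay(text):
    """Return one dict per Call line (module, func, args, strings, retval),
    pairing each Ret with the innermost open call of the same thread/name."""
    pending = defaultdict(list)          # thread id -> stack of open calls
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                     # blank lines, other debug channels
        d = m.groupdict()
        if d["kind"] == "Call":
            rec = {
                "tid": d["tid"], "module": d["module"].upper(), "func": d["func"],
                "args": d["args"],
                # relay escapes backslashes inside quoted strings; undo that
                "strings": [s.replace("\\\\", "\\") for s in STRING_RE.findall(d["args"])],
                "retval": None,          # stays None if the call never returns
            }
            pending[d["tid"]].append(rec)
            calls.append(rec)
        else:
            stack = pending[d["tid"]]
            for i in range(len(stack) - 1, -1, -1):
                if stack[i]["func"] == d["func"]:
                    stack[i]["retval"] = int(d["retval"], 16) if d["retval"] else None
                    del stack[i]
                    break
    return calls


def classify(call):
    """Hypothetical behaviour tags for one call: list of (tag, evidence)."""
    base = re.sub(r"(?<=[a-z])[AW]$", "", call["func"])      # CreateFileA/W -> CreateFile
    # blank out quoted strings before splitting: paths may contain commas
    fields = [f.strip() for f in STRING_RE.sub('""', call["args"]).split(",")]
    strings = call["strings"]
    found = []
    if base == "CreateFile" and len(fields) > 1 and int(fields[1], 16) & GENERIC_WRITE:
        found.append(("file:write", strings[0] if strings else fields[0]))
    if base in ("RegSetValueEx", "RegCreateKeyEx"):
        found.append(("registry:write", " = ".join(strings) if strings else fields[0]))
    if call["module"] == "WS2_32" and base in ("connect", "send", "sendto", "WSAConnect"):
        status = "failed" if call["retval"] == 0xFFFFFFFF else "ok"
        found.append(("network", f'{call["func"]} ({status})'))
    return found


def summarize(calls):
    """Per-API call counts plus behaviour tags with their evidence."""
    counts = Counter(f'{c["module"]}.{c["func"]}' for c in calls)
    behaviour = defaultdict(list)
    for c in calls:
        for tag, evidence in classify(c):
            behaviour[tag].append(evidence)
    return counts, dict(behaviour)


if __name__ == "__main__":
    calls = parse_relay(SAMPLE_RELAY_LOG)
    counts, behaviour = summarize(calls)
    for api, n in counts.most_common():
        print(f"{n:4d}  {api}")
    for tag in sorted(behaviour):
        print(f"{tag}: {behaviour[tag]}")
```

Two details worth keeping in mind when doing this on a real trace: a call that never returns (ExitProcess, or a sample that crashes inside an API) has no Ret line, so the parser leaves its retval as None rather than mis-pairing it with a later return on the same thread, and the `+relay` channel is very noisy (every DLL-internal call is logged too), so in practice you filter by module or by the sample's own return addresses before counting.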


