When investigating an incident that involves malicious software, it helps to understand the context of the infection before starting to reverse the malware specimen. Some of the ways to accomplish this involve:
- Examining the websites that may be associated with the incident, often because they are suspected of hosting the exploits that served as the infection vector
- Obtaining reputational data about the IP addresses of systems involved in the incident, often because they are suspected of hosting malicious files that were dropped onto the system, or of acting as the attacker's command-and-control server
- Looking up the infected organization's own IP addresses in blocklists, to determine whether additional systems have been performing malicious activities and may therefore have been compromised as well
- Performing automated behavioral analysis of the malware involved in the incident, to get a general sense of its characteristics before planning subsequent manual reverse-engineering tasks
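The blocklist lookups described above are easy to script once you have downloaded a list, and scripting them avoids pasting internal addresses into third-party web forms. The following Python example is added here for illustration and is not part of the original post or of any of the tools it links to. The blocklist text, the proxy log lines, and their key=value layout are all constructed for the example; real feeds and logs vary, and the parsing would need to be adapted. The definition of "internal" (the RFC 1918 ranges) is an assumption that should match your own address plan.

```python
import ipaddress
import re

# Constructed sample blocklist (not a real feed) in the one-entry-per-line
# text format that many free lists use: comments, blank lines, bare IPs, CIDRs.
SAMPLE_BLOCKLIST = """\
# constructed blocklist for this illustration
198.51.100.23
203.0.113.0/24
192.0.2.77 ; suspected C2 (trailing comment)

not-an-ip
"""

# Constructed proxy log lines (key=value fields) from the infected network.
# The documentation ranges (192.0.2.0/24 etc.) stand in for external hosts.
SAMPLE_LOG = """\
2024-01-05T10:01:12Z src=10.0.5.17 dst=203.0.113.45 uri=/update.exe status=200
2024-01-05T10:01:40Z src=10.0.5.17 dst=93.184.216.34 uri=/ status=200
2024-01-05T10:02:03Z src=10.0.8.200 dst=192.0.2.77 uri=/gate.php status=200
2024-01-05T10:02:10Z src=10.0.8.200 dst=198.51.100.23 uri=/beacon status=404
2024-01-05T10:02:15Z src=10.0.9.4 dst=198.51.100.23 uri=/beacon status=404
"""

# Assumed definition of "internal": the RFC 1918 ranges. Adjust to your network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_blocklist(text):
    """Turn blocklist text into ip_network objects, tolerating comments and junk."""
    networks = []
    for raw in text.splitlines():
        entry = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop '#'/';' comments
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # malformed line: skip it rather than abort the whole lookup
    return networks


def lookup(ip, networks):
    """Return the blocklist entry (as a string) covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr in net:
            return str(net)
    return None


def parse_log_line(line):
    """Extract (src, dst) from a key=value proxy log line; None if either is missing."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:] if "=" in kv)
    if "src" not in fields or "dst" not in fields:
        return None
    return fields["src"], fields["dst"]


def is_internal(ip):
    """True for addresses in the assumed internal ranges (or unparseable ones)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in INTERNAL_NETS)


def find_hits(log_text, blocklist_text):
    """Map each blocklisted destination to its list entry and the internal hosts that contacted it.

    Internal destinations are never looked up: they do not appear on public
    blocklists, and should not be submitted to external reputation services.
    """
    networks = parse_blocklist(blocklist_text)
    hits = {}
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        src, dst = parsed
        if is_internal(dst):
            continue
        entry = lookup(dst, networks)
        if entry is None:
            continue
        hits.setdefault(dst, {"entry": entry, "sources": set()})["sources"].add(src)
    return hits


def suspected_hosts(hits):
    """Internal hosts that talked to any blocklisted destination: candidates for triage."""
    return sorted({src for h in hits.values() for src in h["sources"]})


if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG, SAMPLE_BLOCKLIST)
    for dst, h in sorted(hits.items()):
        print(f"{dst:16} matched {h['entry']:18} contacted by {', '.join(sorted(h['sources']))}")
    print("hosts to triage:", ", ".join(suspected_hosts(hits)))
```

Two points in the design are worth keeping when adapting this: a CIDR entry in the list must match every address inside it (a plain string comparison against the list would miss `203.0.113.45`), and a malformed line in a downloaded feed should be skipped rather than allowed to abort the whole run. The `suspected_hosts` output is the answer to the third bullet above: internal machines that contacted a listed address are the next ones to examine.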
Each of the following pages lists 10 or so freely-available on-line tools for helping to perform the tasks outlined above:
- On-Line Tools for Malicious Website Lookups
- Blocklists of Suspected Malicious IPs and URLs
- Automated Malware Analysis Services
What other on-line tools help understand the context of the infection? Tell us in the comments below.