Packer Detection for AMIR (Advance Malware Identification & Removal)

    I have recently completed the development of AMIR (Advance Malware Identification & Removal) and have released a beta version of the application on my website: www.malwareinfo.org.


    Download Link: http://www.malwareinfo.org/Utilities/AMIR.zip


    Below is a brief description about AMIR:



    AMIR or Advance Malware Identification & Removal is an application that will help you to quickly identify any Malware, and it will also give you the option to remove them. Once it runs in the system, it will highlight the possible suspect programs. It will also give you an opportunity to analyze them and their activities at the click of a button. It shows you PE Details, actual Memory Hex Dumps of the running programs and also the various Resources used by the executable. It even has a Heuristic Scanner that can sniff out malicious code from .Vbs, .Inf, .Bat files. AMIR can enable Regedit, Task Manager & Folder Options that have been locked by Malware activity. With its numerous options, it becomes very easy to detect any kind of Malware running in the system.



    I would request you to take a look at this application at your convenience and let me know what you feel about it.


    Also, I would like some ideas about detecting packers...

    Does anyone have a DB/List of the Section Names that different packers use?
    UPX0/UPX1 -----> UPX
    .aspack/.adata -----> ASPack
    PEC2 -----> PECompact
    ---- like these?

    Also, what is the best and the fastest way of identifying a packed binary programmatically (with VB6)?

    Can Entropy values of binaries help and what are the chances of false positives?

    Any kind of suggestion/idea from your end will be greatly helpful.



    aka. MaliciousBrains

    Sunday, November 16, 2008 5:26 AM
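An added example (editor's code, not the poster's or AMIR's, and in Python rather than VB6) that combines the two ideas raised in the post: a section-name lookup seeded from the names listed above and a per-section Shannon entropy measure, both read directly from the PE section table, with the two signals reported separately because high entropy alone also fires on compressed resources, certificates and encrypted data. The lookup table, the 7.0 bits/byte cutoff and the minimal synthetic PE image built for testing are all constructed assumptions.

```python
import math
import struct
# Illustrative lookup seeded from the section names in the post: a constructed starting table, not a database.
PACKER_SECTIONS = {
    "UPX0": "UPX", "UPX1": "UPX",
    ".aspack": "ASPack", ".adata": "ASPack",
    "PEC2": "PECompact",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for a uniform byte distribution."""
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c) if n else 0.0

def pe_sections(image: bytes):
    """Walk the PE section table and yield (name, raw bytes of that section)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    # IMAGE_FILE_HEADER: NumberOfSections at +6, SizeOfOptionalHeader at +20
    num_sections, opt_size = struct.unpack_from("<H12xH", image, e_lfanew + 6)
    table = e_lfanew + 24 + opt_size  # first 40-byte IMAGE_SECTION_HEADER
    for i in range(num_sections):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), image[raw_ptr:raw_ptr + raw_size]

def assess_packing(image: bytes, threshold: float = 7.0) -> dict:
    """Name matches are specific but trivially renamed; entropy is generic and also flags
    compressed/encrypted data, so the 7.0 cutoff (an assumption) is a hint, not a verdict."""
    entropy, packers = {}, set()
    for name, data in pe_sections(image):
        entropy[name] = round(shannon_entropy(data), 4)
        if name in PACKER_SECTIONS:
            packers.add(PACKER_SECTIONS[name])
    high = [n for n, e in entropy.items() if e >= threshold]
    return {"packers": packers, "high_entropy": high, "entropy": entropy}

def build_test_pe(sections) -> bytes:
    """Constructed minimal PE image (DOS stub, file header, section table; not runnable)."""
    data_off = 88 + 40 * len(sections)  # 64-byte DOS header + 4-byte signature + 20-byte file header
    headers, body = b"", b""
    for name, data in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), 0x1000,
                               len(data), data_off + len(body), 0, 0, 0, 0, 0)
        body += data
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)  # e_lfanew = 64
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)  # no optional header
    return dos + b"PE\0\0" + file_hdr + headers + body
```

Running `assess_packing` on a real file only needs `open(path, "rb").read()` in place of the synthetic image.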