You can consider PEiD the first step in identifying potential malware. But when you are not sure whether a sample is malicious, you have no option but to run it under a VM or in a sandbox-like environment. That is where Zero Wine comes in handy.
Zero Wine is a QEmu+Wine based malware auto-analysis tool: a sandbox built with Wine and QEmu to (automatically) analyze malware. It is behavior based: just upload your malware to Zero Wine's web server and let it analyze the malware's behavior by running it (in an isolated environment)!
If you are someone like me who has already downloaded the VM image and would like to log in to it, you can do so with these credentials: the root password for the virtual machine is 'zerowine', and there is also a user 'malware' with password 'malware'.
In this updated version, the author has added support for dumping the malware from memory while it is running! These dumps can also be downloaded for later analysis with IDA Pro. This is a really good feature, considering that IDA Pro is another great debugger you can use. Another good feature Zero Wine offers is that it detects both anti-debugging and anti-VM techniques. Anti-debugging detection is done by analyzing the APIs called by the malware, while anti-VM detection is done by looking for patterns in both the packed version of the malware (the original file) and the unpacked (memory dump) version. The author also seems keen to ship signature database updates for the tool: an updated 'userdb' file with 4463 signatures can be found attached to this post here. To use it, you just have to replace the file located (inside the virtual machine's image) in the directory '/home/malware/zerowine/'. If you are familiar with PEiD, you will find the userdb.txt file uses the same format, and you can add a few signatures of your own!
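The userdb.txt format is the one PEiD uses: a bracketed signature name, a `signature` line of hex bytes where `??` is a one-byte wildcard, and an `ep_only` flag saying whether the pattern must sit at the entry point or may appear anywhere in the file. As an added example (not code from Zero Wine or from this post), here is a small Python parser and matcher for that format; the two signatures and the byte image it scans are constructed for the demo, and the entry-point offset is assumed to have been read from the PE header beforehand.

```python
# Constructed sample in PEiD userdb.txt syntax (not a real signature database).
SAMPLE_USERDB = """
[Constructed Packer v1.0 (EP match)]
signature = 60 E8 00 00 00 00 5D 81 ED ?? ?? ?? ??
ep_only = true

[Constructed Stub (anywhere)]
signature = 4D 5A 90 00 03 00 ?? ?? 04
ep_only = false
"""

# Constructed 29-byte image: a fake MZ header, padding, then a pushad/call/pop
# stub at offset 16 that plays the role of the entry point.
SAMPLE_IMAGE = (b"MZ\x90\x00\x03\x00\x00\x00\x04" + b"\x00" * 7
                + bytes.fromhex("60E8000000005D81ED10204000"))
SAMPLE_EP = 16  # assumed entry-point file offset for the constructed image

def parse_userdb(text):
    """Return a list of (name, pattern, ep_only); pattern uses None for '??'."""
    sigs, name, pattern, ep_only = [], None, None, True
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank lines and comments
            continue
        if line.startswith("[") and line.endswith("]"):  # new entry header
            if name and pattern is not None:
                sigs.append((name, pattern, ep_only))
            name, pattern, ep_only = line[1:-1], None, True
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "signature":
            pattern = [None if t == "??" else int(t, 16) for t in value.split()]
        elif key == "ep_only":
            ep_only = value.lower() == "true"
    if name and pattern is not None:  # flush the final entry
        sigs.append((name, pattern, ep_only))
    return sigs

def match_at(data, offset, pattern):
    """True if pattern matches data at offset, wildcards matching any byte."""
    if offset + len(pattern) > len(data):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))

def scan(data, ep_offset, sigs):
    """Names of signatures that hit: ep_only ones at the EP, others anywhere."""
    return [name for name, pattern, ep_only in sigs
            if (match_at(data, ep_offset, pattern) if ep_only
                else any(match_at(data, off, pattern) for off in range(len(data))))]

if __name__ == "__main__":
    print(scan(SAMPLE_IMAGE, SAMPLE_EP, parse_userdb(SAMPLE_USERDB)))
```

Running it against the constructed image reports both signatures; pointing the entry point elsewhere drops the `ep_only` one, which is the behaviour that lets EP-bound packer stubs be told apart from byte patterns found anywhere in the file.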
You can download the latest version of Zero Wine as a prebuilt QEmu virtual machine (you can convert it to a VMware image if you prefer, using the help found in this blog) or in source code form.
A good addition to Malzilla, I should say! It is open source too!
Happy Malwaring!