Sunday, May 18, 2014

Hook Analyser 3.1 : Major release


I'm glad to announce the major release (community version) of Hook Analyser 3.1. In this build, significant changes have been made to the static malware analysis (option #3) and Cyber threat intelligence (option #6) modules, along with the addition of a new module - batch analysis (option #7).

Following are the key changes made -
  1. (Major Improvements) Cyber threat intelligence module -
    1. (Added) : New dashboard - which includes
      1. Global threat-landscape
      2. Keyword based malware intelligence
      3. IP based intelligence
    2. (Added) : IP based intelligence output in XML format
    3. (Reference) : Videos -

  2. (Moderate Improvements) Static malware analysis module -
    1. (Added) : Signed file/malware detection and certificate extraction
    2. (Modified) : Deep detection signatures improved
    3. (Added) : Output in XML format
  3. (Moderate Improvements) Other bug fixes
  4. (Minor Addition) Batch analysis module - Perform static analysis on all files in a directory.
As you may have noticed above, there is an "exclusive" version of the software - with additional features in the Cyber threat intelligence module, which include -

  1. Keyword based search analysis
  2. "Unlimited" IP addresses and keywords analysis (instead of 1 in the community version) - through additional sources on the Internet
  3. Keyword based search intelligence module (in concert with item #2 above) - Demo 1 and Demo 2
Important note - The software shall only be used for "NON-COMMERCIAL" purposes. For commercial usage, written permission from the Author must be obtained prior to use.

If you're interested, feel free to write back on - 

Download the software here

For quick guide or how-to document, click here

Thank you.

Saturday, May 3, 2014

Internet Explorer, Adobe Flash Player, MS Office and Java Vulnerabilities - Used/Leveraged in Malware Attacks / Exploits


As you might be aware, I'm working on Hook Analyser v3.1. As part of the development, I put together / test certain use cases. In this instance, I was interested to understand (and visualise) which (and how many) vulnerabilities have been exploited (by malware) in various client-side applications - MS Internet Explorer, Adobe Flash Player, MS Office and Oracle Java.

Observations -

  1. MS Internet Explorer stands out as the most exploited or targeted software. This can be attributed to its large market share, which makes it an attractive target.
  2. MS applications (Internet Explorer and MS Office) have been exploited more than Adobe Flash Player and Oracle Java.

Saturday, March 22, 2014

Preview - 3 - Hook Analyser 3.1: Cyber Threat Intelligence


Here is an update on Hook Analyser 3.1, specifically on the Cyber Threat Intelligence module -

The IP intelligence component (within the Cyber Threat Intelligence module) has come together well; it can collect, normalise and visualise data sets gathered from open sources to provide actionable information.

Following is a short video (or preview) of the tool -

Tuesday, February 18, 2014

Preview (Part 2) - Hook Analyser 3.1: Cyber Threat Intelligence Module


As you might be aware, with the release of Hook Analyser 3.0 (released last year), Cyber Intelligence has become one of the key focus areas - it can be used to provide strategic and tactical direction on Cyber threats to an organisation.

The following screenshots are taken from the "development" version of Hook Analyser 3.1 -

Homepage -

Menu 1 (option 1): Threat landscape - by country - This module will ingest "user-specified" external (or Internet-facing) IP addresses from internal / external URLs and map them back to countries. This has the potential to surface Cyber risks and to feed controls into the strategic road-map - e.g. enforcing a stringent policy at DLP, or on travel to high-risk countries.

Menu 1 (option 2): Threat landscape - by Geography - This module will ingest external (or Internet-facing) IP addresses from internal / external URLs and map them back to an exact location. This option complements the above - in case an organisation has multiple offices in a geography, they could zoom in and consider controls for a specific location.

Menu 1 (option 3): Vulnerability Feeds - This module will ingest "user-specified" external (or Internet-facing) RSS feeds and generate a table. At the moment, the table is more useful on the tactical side (e.g. a new 0-day has been released) than on the strategic side (e.g. which software or vendors have more issues, timelines, etc.).

Menu 1 (option 4): Top 50 suspicious IPs - This module will reach out to websites (e.g. Stopbadware) and pull information about known blacklisted IPs, along with a rationale - e.g. the number of malware URLs (along with ASN and owner detail) associated with an IP.

Menu 1 (option 5): Suspicious ASN - This module will reach out to websites (e.g. Stopbadware) and pull information about ASNs associated with malware-related activities. The results are then presented as a bubble chart. For reference, a larger bubble means that the ratio of the number of malware URLs to the number of IPs on that ASN is high!
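As an added illustration of what options 1 and 5 do with a fetched page (example code, not Hook Analyser's own): the Python below pulls routable IPv4 addresses out of a constructed blocklist-style export, discards internal and malformed entries, and ranks ASNs by the malware-URLs-per-IP ratio that sizes the bubbles. The IP-to-ASN lookup is a constructed stand-in for the online sources the module queries.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed sample of what the module would fetch from a user-specified URL:
# a blocklist-style export mixing public, internal and malformed addresses.
SAMPLE_PAGE = """203.0.113.10 - 12 malware URLs
203.0.113.77 - 3 malware URLs
198.51.100.5 - 40 malware URLs
192.168.1.20 - internal host, must not be reported
999.1.1.1 - not a valid address
"""
# Constructed IP -> ASN lookup standing in for the ASN/geo sources the dashboard
# queries online; the addresses are documentation ranges (TEST-NET-2/3).
IP_ASN = {"203.0.113.10": "AS64500", "203.0.113.77": "AS64500",
          "198.51.100.5": "AS64501"}
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Spelled out rather than ipaddress.is_global, which would also drop TEST-NET.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "10.0.0.0/8",
                "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]


def extract_public_ips(text):
    """Return (ip, malware_url_count) for every routable IPv4 found in text."""
    found = []
    for line in text.splitlines():
        m = IPV4_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ValueError:
            continue                              # octet out of range, e.g. 999.1.1.1
        if any(ip in net for net in NON_ROUTABLE):
            continue                              # internal host leaked into the feed
        urls = re.search(r"(\d+) malware URLs", line)
        found.append((str(ip), int(urls.group(1)) if urls else 0))
    return found


def asn_ratio_table(records, asn_of=IP_ASN):
    """Suspicious ASN view: rows of (asn, ip_count, malware_urls, urls_per_ip),
    ranked by the ratio that sets the bubble size in the dashboard."""
    ips, urls = defaultdict(set), defaultdict(int)
    for ip, n in records:
        if ip in asn_of:                          # skip IPs the ASN source cannot resolve
            ips[asn_of[ip]].add(ip)
            urls[asn_of[ip]] += n
    rows = [(a, len(ips[a]), urls[a], urls[a] / len(ips[a])) for a in ips]
    return sorted(rows, key=lambda r: r[3], reverse=True)
```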

Menu 1 (Option 6) - Malware Intelligence - This module will reach out to public sources to gather information about certain keywords and generate a "motion timeline" of malware associated with the keywords.

Menu 2 (Option 1) - Keyword based malware intelligence - This module will reach out to public sources to gather information about "user-specified" keywords linked to malware samples.

Menu 2 (Option 2) - Keyword based search intelligence - This module will reach out to Google to extract websites (and IPs) hosting information about the user-specified keyword, and map them back to a geo-location. This module could be useful if an organisation wants to keep a closer eye on phishing websites targeting their customers.

Menu 3 - which is not added to the dashboard yet - is about IP address based intelligence. The module pulls information about a "user-specified" IP list/file from public sources, e.g. DNS records, associated malware URLs, malware files and associated HTTP/TCP/DNS connections, and generates "bird's-eye" and "detailed" information graphs with correlation.

For reference, a blue dot represents an IP address, a purple dot a DNS record, an orange dot a URL associated with malware, and a red rectangle the malware sample associated with an IP address.

Here is the sample video -

Saturday, February 8, 2014

Preview - Hook Analyser 3.1 : Cyber Threat Intelligence Module


It's been some time since I blogged about the upcoming version of Hook Analyser, i.e. v3.1.

To give a quick update, the following improvements / features have been added -

  1. Static malware analysis module has been updated - it now includes a feature to identify digitally signed malware (and extract the certificate)
  2. Threat Intelligence module has been updated, along with a new dashboard (refer to the following video)
  3. Bug fixes.
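The signed-file detection in item 1 above (and the "Signed file/malware detection and certificate extraction" in the 3.1 release notes) comes down to reading the PE security data directory, which points at the embedded Authenticode WIN_CERTIFICATE. Below is an added example of that check in Python, not Hook Analyser's own code; the sample PE it parses is constructed in the block, and finding a signature says nothing about whether it verifies.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # data-directory slot of the Authenticode blob
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002     # WIN_CERTIFICATE.wCertificateType for PKCS#7


def find_authenticode(data: bytes):
    """Return the WIN_CERTIFICATE fields and raw PKCS#7 blob of a signed PE, or
    None for an unsigned file. Presence is not validity: the blob must still be
    verified against the image's Authenticode hash before trusting it."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                     # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                      # PE32: directories start at offset 96
        dirs = opt + 96
    elif magic == 0x20B:                    # PE32+: directories start at offset 112
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if struct.unpack_from("<I", data, dirs - 4)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None                         # NumberOfRvaAndSizes too small: no security slot
    # Unlike other directories the security entry holds a raw file offset, not an RVA.
    off, size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if off == 0 or size == 0:
        return None
    if off + size > len(data):
        raise ValueError("security directory points outside the file")
    length, revision, cert_type = struct.unpack_from("<IHH", data, off)
    return {"revision": revision, "certificate_type": cert_type,
            "is_pkcs7": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
            "pkcs7": data[off + 8:off + length]}   # hand this to a PKCS#7/X.509 parser


def build_sample_pe(cert_blob=None) -> bytes:
    """Constructed minimal PE32 (headers only, not loadable) with an optional
    WIN_CERTIFICATE appended; offline stand-in for a real signed/unsigned file."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                 # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)    # SizeOfOptionalHeader = 224
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)   # 16 directories
    dirs, tail = bytearray(16 * 8), b""
    if cert_blob is not None:
        tail = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
        struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 64 + 24 + 224, len(tail))
    return dos + b"PE\0\0" + coff + opt + bytes(dirs) + tail
```

The same walk works on a real binary read from disk; the extracted blob is DER-encoded PKCS#7 SignedData, from which the signer certificates can be pulled with any ASN.1 parser.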

To give a look & feel of the new (Threat Intelligence) dashboard, I've created a short video -

As always, if you have any specific feedback on the tool or on a particular module, please do not hesitate to contact me.

Thursday, December 19, 2013

Hook Analyser 3.0 (with Cyber Threat Intelligence)


Here is the new release of the Hook Analyser project.

In terms of improvements, a new module has been added - Cyber Threat Intelligence. The Threat Intel module is being created to gather and analyse information related to Cyber threats and vulnerabilities.

The module can be run from HookAnalyser.exe (via Option 6), or can be run directly.

The module presents information in a web browser (as a dashboard-style representation) with the following sections -

  1. Threat Vectors - by (%) Country
  2. Threat Vectors - by Geography 
  3. Malware Intelligence (Beta) 2013 (New! - added on 30/12/2013)
  4. Vulnerability / Threat Feed.
Project documentation - Click Here

Here is a screenshot of the [Updated - 30/12/2013] Cyber Threat Intelligence dashboard -

To download the project - Click Here

Update - 

  • 08/1/2014: Project development status/update
  • 30/12/2013: Fixed a defect in the ThreatIntel module. Added Malware Intelligence (Beta) into the dashboard.
  • 21/12/2013: Fixed a defect in the ThreatIntel module. Thanks to Darren Fitzpatrick for reporting it.

Wednesday, December 18, 2013

Preview - Hook Analyser 3.0


This is probably one of the major releases after a few months. A lot of features have been added, along with an additional "Major" feature update.

As I don't want to steal my own thunder, I will let you play with it once I release it :)