Sunday, September 21, 2014

Preview 1 : Hook Analyser 3.2


It's been a while since I posted any news about the next version (v 3.2) of Hook Analyser, so I decided to give an update on this front.

New (Sub) Module : I am happy to announce that the next release will have the capability to pull information (near real-time) from a social media website (Twitter), and you'd be able to analyse the results efficiently, including your brand promoters etc. This module will be a part of the overarching Cyber Threat Intelligence module.

Thoughts - The module is not only useful for pulling and analysing information related to Cyber security, it can be used for other purposes e.g. brand monitoring, data breach monitoring or 'any' news / feeds etc. There are several use-cases which can be made out of this.

I have prepared a short video of the above; however, this is still in the development stage (so things may look different in the release).

Image -

Tweets categorised by Date

Brand Monitoring


  • Cyber Threat Intelligence : You'd be able to analyse and correlate information of 1 - 3 IP addresses.
    • As you're aware, there is a restricted (or commercial) version of the tool which would allow you to do the following -
      • Analyse and correlate information related to unlimited IP addresses, and / or for "any" keyword (e.g. CryptoLocker)
      • Parse PCAP file format and perform analysis on external IP addresses (with Visualisation)
      • Parse forward proxy logs and perform analysis over external IP addresses and domains (with Visualisation)
  • Hook Analyser : Signatures updated. Ability to export results into XML format.

Sunday, May 18, 2014

Hook Analyser 3.1 : Major release


I'm glad to announce the major release (community version) of Hook Analyser 3.1. In this build, significant changes have been made to the static malware analysis (option #3) and Cyber threat intelligence (option #6) modules, along with the addition of a new module - batch analysis (option #7).

Following are the key changes made -
  1. (Major Improvements) Cyber threat intelligence module -
    1. (Added) : New dashboard - which includes 
      1. Global threat-landscape  
      2. Keyword based malware intelligence 
      3. IP based intelligence.
    2. (Added) : IP based intelligence output in XML format
    3. (Reference) : Videos - 

  2. (Moderate Improvements) Static malware analysis module - 
    1. (Added) : Signed file/malware detection and certificate extraction
    2. (Modified) :  Deep detection signatures improved
    3. (Added) : Output in XML format
  3. (Moderate Improvements) Other bug fixes
  4. (Minor Addition) Batch analysis module - Perform static analysis on all files in a directory.

As you'd have noticed from above, there is an "exclusive" version of the software - with additional features in the Cyber threat intelligence module, which include -

  1. Keyword based search analysis
  2. "Unlimited" IP addresses and keywords analysis (instead of 1 - in community version) - through additional sources on the Internet 
  3. Keywords based search intelligence module (in concert with above item #2)  - Demo 1 and Demo 2

Important note - The software shall only be used for "NON-COMMERCIAL" purposes. For commercial usage, written permission from the Author must be obtained prior to use.

If you're interested, feel free to write back on - 

Download the software here

For quick guide or how-to document, click here

Thank you.

Saturday, May 3, 2014

Internet Explorer , Adobe Flash Player, MS-Office and Java Vulnerabilities - Used/Leveraged on Malware Attacks / Exploits


As you might be aware, I'm working on Hook Analyser v3.1. As part of the development, I put together / test certain test use cases. In this instance, I was interested to understand (and visualise) which (and how many) vulnerabilities have been exploited (by malware) for various client-side applications - MS Internet Explorer, Adobe Flash Player, MS Office and Oracle Java.

Observations -

  1. MS Internet Explorer stands out as the most exploited or targeted software. This can be attributed to its large market share, which makes it an attractive target.
  2. MS applications (Internet Explorer and MS Office) have been exploited more compared to Adobe Flash Player and Oracle Java.

Saturday, March 22, 2014

Preview - 3 - Hook Analyser 3.1 :Cyber Threat Intelligence


Here is an update on Hook Analyser 3.1, specifically on the Cyber Threat Intelligence module -

The IP intelligence component (within the Cyber Threat Intelligence module) has come up well, and it can collect, normalise and visualise data sets collected from open sources to provide actionable information sets.

Following is the short video (or preview) of the tool -

Tuesday, February 18, 2014

Preview (Part 2) - Hook Analyser 3.1: Cyber Threat Intelligence Module


As you might be aware, with the release of Hook Analyser 3.0 (released last year), Cyber Intelligence has become one of the key focus areas - which can be used to provide strategic and tactical directions related to Cyber threats to an organisation.

The following screenshots are taken from the "development" version of Hook Analyser 3.1 -

Homepage -

Menu 1 (option 1): Threat landscape - by country - This module will ingest "user-specified" external (or Internet facing) IP addresses from internal / external URLs and map them back to countries. This has the potential of realising Cyber risks and putting controls on the strategic road-map, e.g. enforcing a stringent policy at DLP or for travel to high-risk countries.

Menu 1 (option 2): Threat landscape - by Geography - This module will ingest external (or Internet facing) IP addresses from internal / external URLs and map them back to their exact location. This option complements the above - in case an organisation has multiple offices in a geography, they could zoom in and consider controls for a specific location.

Menu 1 (option 3): Vulnerability Feeds - This module will ingest "user-specified" external (or Internet facing) RSS feeds and generate a table. At the moment, the table can be used more on the tactical side (e.g. a new 0-day got released), instead of the strategic side (e.g. which software or vendors have got more issues or timeline etc).

Menu 1 (option 4): Top 50 suspicious IPs - This module will reach out to websites (e.g. Stopbadware) and pull information about known blacklisted IPs, along with a rationale - e.g. the number of malware URLs (along with ASN and Owner detail) associated with an IP.

Menu 1 (option 5): Suspicious ASN - This module will reach out to websites (e.g. Stopbadware) and pull information about ASNs associated with malware related activities. The representation is then performed via a bubble chart. For reference, a larger bubble would mean that the ratio of the number of malware URLs to the number of IPs on that ASN is high!
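The ranking behind options 4 and 5 can be sketched as follows. This is an added example, not Hook Analyser's own code; the comma-separated feed layout (ip, asn, owner, malware URL), the sample records and the function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample feed (documentation IP ranges and private-use ASNs, not real data).
SAMPLE_FEED = """\
192.0.2.10,AS64500,ExampleNet,http://a.example/x.exe
192.0.2.10,AS64500,ExampleNet,http://a.example/y.exe
192.0.2.10,AS64500,ExampleNet,http://b.example/z.exe
192.0.2.11,AS64500,ExampleNet,http://c.example/1.exe
198.51.100.7,AS64501,SampleHosting,http://d.example/p.exe
198.51.100.8,AS64501,SampleHosting,http://e.example/q.exe
203.0.113.5,AS64502,DemoISP,http://f.example/a.exe
203.0.113.5,AS64502,DemoISP,http://f.example/a.exe
malformed line without enough fields
"""

def parse_feed(text):
    """Return (ip, asn, owner, url) tuples, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) == 4 and all(parts):
            records.append(tuple(parts))
    return records

def top_suspicious_ips(records, limit=50):
    """Rank IPs by number of distinct malware URLs, keeping ASN and owner."""
    urls, meta = defaultdict(set), {}
    for ip, asn, owner, url in records:
        urls[ip].add(url)          # a set de-duplicates repeated feed entries
        meta[ip] = (asn, owner)
    rows = [(ip, len(u), *meta[ip]) for ip, u in urls.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))[:limit]

def asn_bubbles(records):
    """Per ASN: distinct IPs, distinct malware URLs and the URL-to-IP ratio
    (the bubble size described above), largest ratio first."""
    ips, urls, owners = defaultdict(set), defaultdict(set), {}
    for ip, asn, owner, url in records:
        ips[asn].add(ip)
        urls[asn].add(url)
        owners[asn] = owner
    rows = [{"asn": a, "owner": owners[a], "ips": len(ips[a]),
             "urls": len(urls[a]), "ratio": len(urls[a]) / len(ips[a])}
            for a in ips]
    return sorted(rows, key=lambda r: (-r["ratio"], r["asn"]))

if __name__ == "__main__":
    recs = parse_feed(SAMPLE_FEED)
    for row in asn_bubbles(recs):
        print(row)
    for row in top_suspicious_ips(recs, limit=3):
        print(row)
```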

Menu 1 (Option 6) - Malware Intelligence - The module will reach out to public sources to gather information about certain keywords and generate a "motion timeline" of malware associated with the keywords.

Menu 2 (Option 1) - Keyword based malware intelligence - This module will reach out to public sources to gather information about "user-specified" keywords linked to malware samples.

Menu 2 (Option 2) - Keyword based search intelligence - This module will reach out to Google to extract websites (and IPs) hosting information about the user-specified keyword, and map them back to geo-location. This module could be useful if an organisation wants to keep a closer watch on phishing websites targeting their customers.

Menu (3) - which is not added to the dashboard yet - is about IP address based intelligence. The module basically pulls information about a "user-specified" IP list/file from public sources, e.g. DNS records, associated malware URLs, malware files & associated HTTP/TCP/DNS connections, and generates "bird's-eye" and "detailed" information graphs with correlation.

For reference, a blue dot represents an IP address, a purple dot represents a DNS record, an orange dot represents a URL associated with a malware and a red rectangle represents the malware sample associated with an IP address.

Here is the sample video -

Saturday, February 8, 2014

Preview - Hook Analyser 3.1 : Cyber Threat Intelligence Module


It's been some time since I blogged about the upcoming version of Hook Analyser, i.e. v 3.1.

To give a quick update, the following improvements / features have been added -

  1. Static malware analysis module has been updated - included a feature to identify digitally signed malware (and extract the certificate)
  2. Threat Intelligence module has been updated, along with a new dashboard (refer to the following video)
  3. Bug fixes.

To give a look & feel of the new (Threat Intelligence) dashboard, I've created a short video -

As always, if you have any specific feedback on the tool or on a particular module, please do not hesitate to contact me.