
Zero Wine is a tool for Malware Behavior Analysis. Zero Wine is an open
source (GPL v2) research project to dynamically analyze the behavior of
malware. Zero Wine simply runs the malware using WINE in a safe virtual
sandbox (an isolated environment), collecting information about the
APIs called by the program.
The output generated
by WINE (using the debug environment variable WINEDEBUG) is the list of API
calls made by the malware (together with the argument values it passed, of course). With
this information, analyzing the malware's behavior turns out to be very
easy.
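To show what that WINEDEBUG output looks like and how it becomes a behavior summary, here is an added example (not part of Zero Wine's own code) that parses lines in the shape of WINE's `+relay` channel, pairs each Call with its Ret per thread, and tags the APIs seen; the trace lines and the behavior tag table are constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Shape of a WINEDEBUG=+relay line (the samples below are constructed to match it):
#   tid:Call DLL.Func(arg,arg,...) ret=caller_addr
#   tid:Ret  DLL.Func() retval=value ret=caller_addr
RELAY_LINE = re.compile(
    r"^(?P<tid>[0-9a-f]{4}):(?P<kind>Call|Ret)\s+"
    r"(?P<dll>[^.\s]+)\.(?P<func>[^(\s]+)\((?P<args>.*)\)"
    r"(?:\s+retval=(?P<retval>[0-9a-f]+))?\s+ret=(?P<ret>[0-9a-f]+)\s*$"
)

SAMPLE_TRACE = """\
0009:Call KERNEL32.CreateFileA(0040301c "svchost.exe",40000000,00000000,00000000,00000002,00000080,00000000) ret=00401234
0009:Ret  KERNEL32.CreateFileA() retval=00000044 ret=00401234
0009:Call KERNEL32.WriteFile(00000044,00403000,00001000,0032fe00,00000000) ret=00401250
0009:Ret  KERNEL32.WriteFile() retval=00000001 ret=00401250
0009:Call ADVAPI32.RegSetValueExA(00000080,0040305c "Updater",00000000,00000001,00403100,0000000c) ret=00401300
0009:Ret  ADVAPI32.RegSetValueExA() retval=00000000 ret=00401300
0009:Call WS2_32.connect(00000048,0032fd00,00000010) ret=00401400
0009:Ret  WS2_32.connect() retval=ffffffff ret=00401400
"""

def parse_relay(text):
    """Pair each Call with its Ret per thread and return the completed API calls."""
    pending = defaultdict(list)   # tid -> stack of open Call records (calls can nest)
    calls = []
    for line in text.splitlines():
        m = RELAY_LINE.match(line)
        if not m:
            continue              # other debug channels, noise, truncated lines
        rec = m.groupdict()
        name = f"{rec['dll']}.{rec['func']}"
        if rec["kind"] == "Call":
            pending[rec["tid"]].append({"api": name, "args": rec["args"], "caller": rec["ret"]})
        elif pending[rec["tid"]] and pending[rec["tid"]][-1]["api"] == name:
            call = pending[rec["tid"]].pop()
            call["retval"] = rec["retval"]   # a Ret without a matching Call is dropped
            calls.append(call)
    return calls

def api_histogram(calls):
    """How often each API was used: the quick 'what does it touch?' view."""
    return Counter(c["api"] for c in calls)

def behaviour_summary(calls):
    """Coarse behavior tags per API; this small tag table is an assumption of the example."""
    tags = {"ADVAPI32.RegSetValueExA": "registry-write", "WS2_32.connect": "network",
            "KERNEL32.WriteFile": "file-write"}
    return sorted({tags[c["api"]] for c in calls if c["api"] in tags})
```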
Zero wine is distributed
as one QEMU virtual machine image with a Debian operating system
installed. The image contains software to upload and analyze malware and
to generate reports based on the information gathered (this software is
stored in /home/malware/zerowine).
Running the
distributed virtual machine with the correct command line options (use
the supplied startup shell script to run the virtual machine) provides a
web based graphical interface (the web server is written in Python) to
upload malware to be analyzed (a CGI, also written in Python).
When a new malware sample is
uploaded, it is copied to the directory /tmp/vir/MD5_OF_THE_FILE; then
the previously created WINE environment (WINEPREFIX, if you prefer) is
removed and a backup system is untarred (the backup system is
/home/malware/backup/backup.tar.gz). After this operation, the malware
is executed using the shell script malware_launcher.sh (the file is
stored in the folder /home/malware/bin).
NOTE:
The current system is subject to change as it doesn't allow the
analysis of more than one malware at a time. In the future, every time
you upload a new malware file it will be added to a queue for later
analysis and a new WINEPREFIX specific to run this malware will be
created.
Download Here :: Zero Wine 2.0.0.tar.bz2
Tutorial / Official Website :: http://zerowine.sourceforge.net/