Specialized Tools and Resources
This page is dedicated to specialized tools and resources that are useful for various malware-fighting and security tasks. Most of these tools are not geared towards malware researchers, but towards users who need to remove specific, hard-to-remove parasites. The complete 2-viruses resource directory is available here.
Anti-Rootkit tools
Anti-rootkit tools are specialized programs that detect and remove rootkits. Although a "perfect" rootkit cannot be detected (in theory), because it hides its own processes and files, most rootkits can be detected and removed by one program or another. Some antiviruses offer rootkit detection as well.
Tool | License | Description |
---|---|---|
Rootkit Revealer | Free | Rootkit Revealer is a utility made by Sysinternals, which was later acquired by Microsoft. It is a classic rootkit detection utility; however, it works on 32-bit Windows systems only. |
Gmer | Free | Gmer is an advanced rootkit detection and removal utility. Although you can download it as a zip, it also offers a download of the executable under a randomized name, which is harder for rootkits to block. |
TDSS Killer | Free | TDSS Killer, developed by Kaspersky Lab, targets a specific rootkit known as Tidserv, TDSServ or Alureon. This rootkit is quite widespread, as it causes browser redirection to infected websites. Note: not all browser redirection is caused by rootkits; for other causes, check our redirection guide here. |
Sophos Anti-Rootkit | Free | anti-rootkit |
Avira AntiRootkit Tool | Free | anti-rootkit |
Rootkit Buster | Free | anti-rootkit |
F-Secure BlackLight | Free | anti-rootkit |
McAfee Rootkit Detective | Beta | anti-rootkit |
Panda Anti-Rootkit | Free | anti-rootkit |
RootRepeal | Beta | anti-rootkit |
Vba32 AntiRootkit | Free | anti-rootkit |
Firewalls
Tool | Description |
---|---|
Comodo | Comodo Firewall is one of the most widely used free firewalls around. It is efficient, reliable and hard to beat on price. |
Zone Alarm | ZoneAlarm by Check Point is another very popular free firewall. |
Online Armor | Online Armor is another good firewall with a free version available. Paid versions provide anti-phishing filters, a web shield and virus/malware protection. |
PCTools Firewall Plus | A powerful firewall solution by PCTools, free of charge. |
Lavasoft Personal Firewall | A powerful firewall solution |
Outpost Firewall Pro | A powerful firewall solution |
Norman Personal Firewall | A powerful firewall solution |
Ashampoo FireWall | Free |
Jetico Personal Firewall | A powerful firewall solution |
Junkware / Browser cleaners
These tools detect and clean unnecessary toolbars and other programs from your browser. They are useful in cases of browser hijack as long as no other malware is present.
Tool | Description |
---|---|
Adwcleaner | AdwCleaner is one of the most widely used stand-alone browser extension cleaners. It is a free program developed by Xplode. |
Junkware removal tool | Junkware Removal Tool is a bloatware cleaner made by Thisisu. I faced some problems running it on Windows 8, though it should work perfectly on other versions. |
Security Toolbars and browser extensions
Browser extensions try to make the browser a bit more secure by automatically scanning each website or checking it against databases of infected websites. In many cases this functionality is similar to that provided by Internet Security Suites; however, browser extensions are usually free.
Online file scanners
Online file scanners provide a way to check whether a file is infected or not. A scanner either checks the file against one or more antivirus engines, or unpacks it and analyses what the file does (behavioral analysis).
Service | Engines | Description |
---|---|---|
VirusTotal | 42 Engines | VirusTotal provides one of the most in-depth file scanning services, as it scans each file with 42 detection engines, including the most popular antivirus and antimalware choices. Although the definition updates might sometimes be a day old, this is a very useful website for checking whether a download is infected or not. It accepts files up to 20 MB in size. |
Virscan.org | 36 Engines | Virscan scans files of up to 20 MB against 36 antiviruses. The definition update process might be a bit slower than with VirusTotal, but that is my own impression. |
Novirusthanks | 24 Engines | NoVirusThanks offers scanning with 24 antivirus engines. The upload limit is 20 MB. It also offers a basic website scan for iframes. |
Jotti | 19 Engines | Jotti scans each file with 19 Linux-based antivirus programs and submits infected files to antivirus companies. |
Filterbit | 10 Engines | Filterbit scans files with 10 antivirus engines. What makes this service different is that it is a demo version of Metascan, an SDK for building on-demand multiple-antivirus scanners yourself. |
Anubis | Behavioral | Anubis performs behavioral analysis of Windows executables, that is, it provides information about what the submitted program does. This service is useful for determining whether an executable performs strange, possibly malicious operations, or something it should not do. The results show which registry keys and files the program tries to access, which files are created or accessed, and what devices the application tries to use. The results are provided on-the-fly. |
Sunbelt | Behavioral | Sunbelt Sandbox provides behavioral analysis of an executable sample. You will have to provide a working email address to receive the results. |
ThreatExpert | Behavioral | ThreatExpert provides behavioral analysis for files up to 5 MB. The size limitation is the biggest drawback of this service, as many of the other analyzers accept bigger files. |
Camas | Behavioral | Comodo Instant Malware Analyzer provides web-based results for submitted file samples. Although at first it shows only basic file data such as the MD5 sum, after a minute or so you will get a full report. The service is faster than Anubis. |
Xandora | Behavioral | Xandora is created by Panda Labs. It scans binary files or archives, and supports password-protected Zip archives so that a sample can be uploaded without being intercepted by the antivirus engine on the researcher's PC. |
Joebox | Behavioral | Joebox lets you choose on which OS, and how, the infected binary will be run. It also allows some additional control over how binaries are tested. Archives are supported. |
Websites scanners and blacklists
Service | Description |
---|---|
IPVoid.com | IPVoid checks an IP address against multiple blacklists. It will find out whether the IP address has already been flagged for spamming or malware distribution. |
URLVoid | A URL meta-scan engine. Scans several blacklist databases for a URL. |
Google Safebrowsing | Google site check. Provides information about a URL and its IP address, together with information about malware detected on that particular website. |
Wepawet | A tool for analyzing PDF, Flash or JavaScript samples for malicious actions. |
PhishTank | PhishTank |
Update 06/21/2012. TDSS Remover link removed – no longer works.