Daan Raman from NVISO Labs has published a blog post about their new tool – binsnitch.py. You can use this tool to detect unwanted changes to the file system.
Use binsnitch.py to:
- create a baseline of trusted files for a workstation (a golden image) and compare against it later to automatically generate a list of every modification made to that system (for example, rogue executables installed by users or dropped malware files). The baseline can also serve other detection purposes later on (e.g., as a whitelist);
- automatically generate hashes of executables in a certain directory (and its subdirectories);
- carefully track which files are touched by malware during live malware analysis.