Grabbing fresh evil bits: Maltrieve

Transcript

1. Grabbing fresh evil bits Maltrieve Kyle Maxwell BSidesSATX 2013-05-04 Happy

   Star Wars Day!

2. No Imperial entanglements. All opinions are my own.

3. What it's for github.com/technoskald/maltrieve Retrieves malware directly from the sources

   as listed at a number of sites • Malware Domain List • VX Vault • Malc0de • Sacour.cn

4. Potted history Weekend side project that started as a set

   of patches to mwcrawler by Ricardo Dias. Add'l Contributions: Ben Jackson, Bryan Brannigan GPL software

5. Basic architecture Parallelized Python crawler with proxy support and good

   logging. If we haven't seen it before, get a little metadata and save it off

6. Adding a new feed • RSS feeds - best option!

   ◦ One line of code • HTML tables and delimited text (CSV) just need a regex Several pending feeds. More suggestions welcome!

7. Storing the retrieved malware • filesystem plus logging • Some

   pickled data • malwarehouse soon • VxCage? maybe

8. Cuckoo integration Immediate dynamic analysis (thanks Bryan!) that can extract

   IOCs and other metadata

9. thug integration buffer.github.io/thug/ Low-interaction browser honeyclient • Windows (2K/XP/7) •

   OS X • Android • Linux • IE 6-9 • Chrome 18-26 • Firefox (3,12,19) • Safari Adobe Reader and JRE plugin emulation as well

10. If you just want lots of data... Maltrieve is about

    fresh evil bits. For lots and lots of evil bits, see VirusShare.com

11. Ongoing development and questions