Grabbing fresh evil bits: Maltrieve

Transcript

1. Grabbing fresh evil bits Maltrieve BSidesNOLA 2013-05-25 Happy Geek Pride

   Day! @kylemaxwell technoskald.github.io

2. No Imperial entanglements. All opinions are my own.

3. What it's for technoskald.github.io/maltrieve Retrieves malware directly from the sources

   as listed at a number of sites • Malware Domain List • VX Vault • Malc0de • Sacour.cn

4. Potted history Weekend side project that started as a set

   of patches to mwcrawler by Ricardo Dias. Add'l Contributions: Ben Jackson, Bryan Brannigan GPL software

5. Basic architecture Parallelized Python crawler with proxy support and good

   logging. If we haven't seen it before, get a little metadata and save it off

6. Invoking maltrieve Command line: python maltrieve.py Options: -p : proxy

   specification -l : log file -d : dump directory (def: /tmp/malware) -c : enable Cuckoo analysis

7. Adding a new feed • RSS feeds - best option!

   ◦ One line of code • HTML tables and delimited text (CSV) just need a regex Several pending feeds. More suggestions welcome!

8. Storing the retrieved malware • filesystem plus logging • Some

   pickled data • malwarehouse soon • VxCage? maybe

9. Cuckoo integration Immediate dynamic analysis (thanks Bryan!) that can extract

   IOCs and other metadata

10. Future stuff Bug fixes, duh! Enabling actual research Twitter integration

    Community input...

11. thug integration buffer.github.io/thug/ Low-interaction browser honeyclient • Windows (2K/XP/7) •

    OS X • Android • Linux • IE 6-9 • Chrome 18-26 • Firefox (3,12,19) • Safari Adobe Reader and JRE plugin emulation as well

12. If you just want lots of data... Maltrieve is about

    fresh evil bits. For lots and lots of evil bits, see VirusShare.com

13. Ongoing development and questions @kylemaxwell