Grabbing fresh evil bits: Maltrieve

Slightly updated presentation for BSidesNOLA

Kyle Maxwell

May 25, 2013

Transcript

  1. What it's for
     technoskald.github.io/maltrieve
     Retrieves malware directly from the sources as listed at a number of sites:
     • Malware Domain List
     • VX Vault
     • Malc0de
     • Sacour.cn

  2. Potted history
     Weekend side project that started as a set of patches to mwcrawler by Ricardo Dias.
     Additional contributions: Ben Jackson, Bryan Brannigan.
     GPL software.

  3. Basic architecture
     Parallelized Python crawler with proxy support and good logging.
     If we haven't seen it before, get a little metadata and save it off.

  4. Invoking maltrieve
     Command line: python maltrieve.py
     Options:
     • -p : proxy specification
     • -l : log file
     • -d : dump directory (default: /tmp/malware)
     • -c : enable Cuckoo analysis

  5. Adding a new feed
     • RSS feeds - best option!
       ◦ One line of code
     • HTML tables and delimited text (CSV) just need a regex
     Several pending feeds. More suggestions welcome!

  6. Storing the retrieved malware
     • filesystem plus logging
     • Some pickled data
     • malwarehouse soon
     • VxCage? maybe

  7. thug integration
     buffer.github.io/thug/
     Low-interaction browser honeyclient
     • Windows (2K/XP/7)
     • OS X
     • Android
     • Linux
     • IE 6-9
     • Chrome 18-26
     • Firefox (3, 12, 19)
     • Safari
     Adobe Reader and JRE plugin emulation as well.

  8. If you just want lots of data...
     Maltrieve is about fresh evil bits.
     For lots and lots of evil bits, see VirusShare.com
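The fetch-dedupe-store loop that slides 3, 5 and 6 describe, as an added example that is not Maltrieve's own code: URLs come from a constructed RSS snippet (one line of XML walking) and a constructed CSV (one regex), downloads are replaced by a constructed url-to-bytes table so nothing touches the network, and each distinct sample is written once under its SHA-256 with a JSON metadata sidecar. Feed contents, URLs and payload bytes are all made up.

```python
# Added example, not Maltrieve's own code: feed parsing (slide 5), the
# "haven't seen it before" check (slide 3) and filesystem storage (slide 6).
import hashlib, json, os, re, tempfile
import xml.etree.ElementTree as ET

# Constructed RSS feed: every <item><link> is a candidate URL.
RSS_FEED = """<rss><channel>
<item><link>http://feed.example/a.exe</link></item>
<item><link>http://feed.example/b.exe</link></item>
</channel></rss>"""

# Constructed delimited text: the URL column just needs a regex.
CSV_FEED = """date,url,notes
2013-05-25,http://feed.example/b.exe,listed twice
2013-05-25,http://feed.example/c.exe,new
"""
URL_RE = re.compile(r",(https?://[^,\s]+),")

# Constructed fetch results standing in for the HTTP download (no network).
FAKE_FETCH = {
    "http://feed.example/a.exe": b"payload-one",
    "http://feed.example/b.exe": b"payload-two",
    "http://feed.example/c.exe": b"payload-one",  # re-hosted copy of a.exe
}

def urls_from_rss(xml_text):
    return [link.text for link in ET.fromstring(xml_text).iter("link")]

def urls_from_csv(text):
    return URL_RE.findall(text)

def store_new(urls, fetch, dump_dir):
    """Save each distinct sample once, named by SHA-256; return digests written."""
    written = []
    for url in dict.fromkeys(urls):           # drop duplicate URLs, keep order
        data = fetch[url]
        digest = hashlib.sha256(data).hexdigest()
        path = os.path.join(dump_dir, digest)
        if os.path.exists(path):              # seen before: skip, no re-save
            continue
        with open(path, "wb") as f:
            f.write(data)
        with open(path + ".json", "w") as f:  # a little metadata alongside
            json.dump({"url": url, "sha256": digest, "size": len(data)}, f)
        written.append(digest)
    return written

def run(dump_dir=None):
    dump_dir = dump_dir or tempfile.mkdtemp(prefix="maltrieve-example-")
    return store_new(urls_from_rss(RSS_FEED) + urls_from_csv(CSV_FEED),
                     FAKE_FETCH, dump_dir)
```

Four feed listings collapse to three URLs and then to two files, because the regex drops the CSV header and the hash check catches the re-hosted copy.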