Grabbing fresh evil bits: Maltrieve

BSides San Antonio - May 2013 - retrieving malware from sources

Kyle Maxwell

May 04, 2013
Transcript

  1. What it's for
     github.com/technoskald/maltrieve
     Retrieves malware directly from the sources as listed at a number of sites
     • Malware Domain List
     • VX Vault
     • Malc0de
     • Sacour.cn
  2. Potted history
     Weekend side project that started as a set of patches to mwcrawler by Ricardo Dias.
     Additional contributions: Ben Jackson, Bryan Brannigan
     GPL software
  3. Basic architecture
     Parallelized Python crawler with proxy support and good logging.
     If we haven't seen it before, get a little metadata and save it off
  4. Adding a new feed
     • RSS feeds - best option!
       ◦ One line of code
     • HTML tables and delimited text (CSV) just need a regex
     Several pending feeds. More suggestions welcome!
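The "regex for delimited or HTML feeds" step of slide 4 and the "save it off if unseen, with a little metadata" step of slide 3, as an added Python example that is not Maltrieve's own code: a generic URL pattern run over a constructed feed excerpt, and a filesystem store that keys samples on their SHA-256 and appends metadata to a JSON-lines index so a rerun skips known samples. The regex, the file layout, the `example.invalid` URLs and the blob are assumptions made for the example.

```python
import hashlib, json, re, tempfile, time
from pathlib import Path

# Generic URL pattern for CSV columns or HTML table cells; it stops at
# separators, quotes and tag brackets. Assumption: not a per-feed regex.
URL_RE = re.compile(r'https?://[^\s,"<>]+')

def extract_urls(feed_text):
    """Return the unique URLs found in delimited text or an HTML table."""
    return sorted({m.group(0) for m in URL_RE.finditer(feed_text)})

class SampleStore:
    """Filesystem store keyed by SHA-256, with a JSON-lines metadata index."""

    def __init__(self, root):
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)
        self.index = self.root / "index.jsonl"
        self.seen = set()  # hashes already on disk, so a rerun skips them
        if self.index.exists():
            for line in self.index.read_text().splitlines():
                self.seen.add(json.loads(line)["sha256"])

    def store(self, data, source, url):
        """Write data if unseen and return its metadata, else None."""
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.seen:
            return None
        # The sample is written as-is under its hash and never executed.
        (self.root / digest).write_bytes(data)
        meta = {"sha256": digest, "size": len(data), "source": source,
                "url": url, "retrieved": int(time.time())}
        with self.index.open("a") as fh:
            fh.write(json.dumps(meta) + "\n")
        self.seen.add(digest)
        return meta

# Constructed feed excerpt (not real feed data): one CSV row, one HTML row.
FEED_TEXT = ('2013-05-04,http://example.invalid/drop/a.exe,sample\n'
             '<tr><td>http://example.invalid/drop/b.exe</td></tr>\n')

def run_demo(root=None):
    """Parse FEED_TEXT, then offer one constructed blob to the store twice."""
    store = SampleStore(root or tempfile.mkdtemp())
    urls = extract_urls(FEED_TEXT)
    blob = b"MZ constructed placeholder, not a real sample"
    first = store.store(blob, "Constructed", urls[0])   # new -> metadata
    second = store.store(blob, "Constructed", urls[0])  # duplicate -> None
    third = SampleStore(store.root).store(blob, "Constructed", urls[0])
    return urls, first, second, third
```

The third call builds a fresh store over the same directory, which is the check that the on-disk index, not just in-memory state, is what prevents re-saving.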
  5. Storing the retrieved malware
     • filesystem plus logging
     • Some pickled data
     • malwarehouse soon
     • VxCage? maybe
  6. thug integration
     buffer.github.io/thug/
     Low-interaction browser honeyclient
     • Windows (2K/XP/7)
     • OS X
     • Android
     • Linux
     • IE 6-9
     • Chrome 18-26
     • Firefox (3,12,19)
     • Safari
     Adobe Reader and JRE plugin emulation as well
  7. If you just want lots of data...
     Maltrieve is about fresh evil bits. For lots and lots of evil bits, see VirusShare.com