Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Grabbing fresh evil bits: Maltrieve
Search
Kyle Maxwell
May 25, 2013
Technology
1
150
Grabbing fresh evil bits: Maltrieve
Slightly updated presentation for BSidesNOLA
Kyle Maxwell
May 25, 2013
Tweet
Share
More Decks by Kyle Maxwell
See All by Kyle Maxwell
In the Lair of the Beholder
krmaxwell
0
95
Using Python to Fight Cybercrime
krmaxwell
2
220
Incident Patterns
krmaxwell
0
380
Hackertainment
krmaxwell
1
220
Threat Intelligence for Incident Response
krmaxwell
0
170
From Minion to Engineer
krmaxwell
0
120
Why XOR Crypto Sucks
krmaxwell
0
200
Open Source Threat Intelligence - Shakacon
krmaxwell
1
880
Secure Blogging
krmaxwell
0
140
Other Decks in Technology
See All in Technology
ドメインの本質を掴む / Get the essence of the domain
sinsoku
2
160
DynamoDB でスロットリングが発生したとき_大盛りver/when_throttling_occurs_in_dynamodb_long
emiki
1
440
Zennのパフォーマンスモニタリングでやっていること
ryosukeigarashi
0
170
誰も全体を知らない ~ ロールの垣根を超えて引き上げる開発生産性 / Boosting Development Productivity Across Roles
kakehashi
2
230
Python(PYNQ)がテーマのAMD主催のFPGAコンテストに参加してきた
iotengineer22
0
520
TanStack Routerに移行するのかい しないのかい、どっちなんだい! / Are you going to migrate to TanStack Router or not? Which one is it?
kaminashi
0
600
Introduction to Works of ML Engineer in LY Corporation
lycorp_recruit_jp
0
140
TypeScript、上達の瞬間
sadnessojisan
46
13k
マルチプロダクトな開発組織で 「開発生産性」に向き合うために試みたこと / Improving Multi-Product Dev Productivity
sugamasao
1
310
OCI Security サービス 概要
oracle4engineer
PRO
0
6.5k
EventHub Startup CTO of the year 2024 ピッチ資料
eventhub
0
130
Making your applications cross-environment - OSCG 2024 NA
salaboy
0
200
Featured
See All Featured
4 Signs Your Business is Dying
shpigford
180
21k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
25
1.8k
Mobile First: as difficult as doing things right
swwweet
222
8.9k
How STYLIGHT went responsive
nonsquared
95
5.2k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k
Adopting Sorbet at Scale
ufuk
73
9.1k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.1k
Visualization
eitanlees
145
15k
Large-scale JavaScript Application Architecture
addyosmani
510
110k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
329
21k
The Art of Programming - Codeland 2020
erikaheidi
52
13k
10 Git Anti Patterns You Should be Aware of
lemiorhan
655
59k
Transcript
Grabbing fresh evil bits Maltrieve BSidesNOLA 2013-05-25 Happy Geek Pride
Day! @kylemaxwell technoskald.github.io
No Imperial entanglements. All opinions are my own.
What it's for technoskald.github.io/maltrieve Retrieves malware directly from the sources
as listed at a number of sites • Malware Domain List • VX Vault • Malc0de • Sacour.cn
Potted history Weekend side project that started as a set
of patches to mwcrawler by Ricardo Dias. Add'l Contributions: Ben Jackson, Bryan Brannigan GPL software
Basic architecture Parallelized Python crawler with proxy support and good
logging. If we haven't seen it before, get a little metadata and save it off
Invoking maltrieve Command line: python maltrieve.py Options: -p : proxy
specification -l : log file -d : dump directory (def: /tmp/malware) -c : enable Cuckoo analysis
Adding a new feed • RSS feeds - best option!
◦ One line of code • HTML tables and delimited text (CSV) just need a regex Several pending feeds. More suggestions welcome!
Storing the retrieved malware • filesystem plus logging • Some
pickled data • malwarehouse soon • VxCage? maybe
Cuckoo integration Immediate dynamic analysis (thanks Bryan!) that can extract
IOCs and other metadata
Future stuff Bug fixes, duh! Enabling actual research Twitter integration
Community input...
thug integration buffer.github.io/thug/ Low-interaction browser honeyclient • Windows (2K/XP/7) •
OS X • Android • Linux • IE 6-9 • Chrome 18-26 • Firefox (3,12,19) • Safari Adobe Reader and JRE plugin emulation as well
If you just want lots of data... Maltrieve is about
fresh evil bits. For lots and lots of evil bits, see VirusShare.com
Ongoing development and questions @kylemaxwell