Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Grabbing fresh evil bits: Maltrieve
Search
Kyle Maxwell
May 25, 2013
Technology
170
1
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Grabbing fresh evil bits: Maltrieve
Slightly updated presentation for BSidesNOLA
Kyle Maxwell
May 25, 2013
More Decks by Kyle Maxwell
See All by Kyle Maxwell
In the Lair of the Beholder
krmaxwell
0
120
Using Python to Fight Cybercrime
krmaxwell
2
240
Incident Patterns
krmaxwell
0
460
Hackertainment
krmaxwell
1
240
Threat Intelligence for Incident Response
krmaxwell
0
210
From Minion to Engineer
krmaxwell
0
140
Why XOR Crypto Sucks
krmaxwell
0
220
Open Source Threat Intelligence - Shakacon
krmaxwell
1
910
Secure Blogging
krmaxwell
0
150
Other Decks in Technology
See All in Technology
しくみを学んで使いこなそう GitHub Copilot app
torumakabe
1
180
Claude Code公式skillで 自分の仕事を少しずつ手放そう!(Claude Code開発ノウハウ大公開スペシャル by クラスメソッド)
kaym
0
120
ruby.wasmとPicoRuby.wasmに対応した仮想DOMライブラリを作ってる話 #kaigieffect_kaigi
sue445
PRO
0
120
プロダクトだけじゃない、社内プロセスにおける自動化・省力化ノススメ
kakehashi
PRO
1
3.4k
AIと共生する開発者プラットフォーム:バクラクのモノレポ×マイクロサービス基盤
sakajunquality
2
3.2k
攻撃者がいなくてもAIエージェントはインシデントを起こす
nomizone
0
210
ループエンジニアリングでE2Eテストを実践
noriyukitakei
0
340
SRE Lounge Hiroshimaへの招待
grimoh
0
600
product engineering with qa
nealle
0
160
「ちゃんとやっている」は独りよがりだった ― 不安に寄り添うインシデント対応へ / Towards incident response that addresses anxieties
chmikata
1
4.5k
Oracle Base Database Service 技術詳細
oracle4engineer
PRO
15
110k
LLMやAIエージェントをソフトウェアに組み込むプラクティス
shibuiwilliam
1
270
Featured
See All Featured
Agile Actions for Facilitating Distributed Teams - ADO2019
mkilby
0
220
Odyssey Design
rkendrick25
PRO
2
730
GitHub's CSS Performance
jonrohan
1033
470k
The World Runs on Bad Software
bkeepers
PRO
72
12k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
508
140k
The innovator’s Mindset - Leading Through an Era of Exponential Change - McGill University 2025
jdejongh
PRO
1
220
How STYLIGHT went responsive
nonsquared
100
6.2k
The agentic SEO stack - context over prompts
schlessera
0
840
Optimising Largest Contentful Paint
csswizardry
37
3.8k
Evolving SEO for Evolving Search Engines
ryanjones
0
240
HTML-Aware ERB: The Path to Reactive Rendering @ RubyCon 2026, Rimini, Italy
marcoroth
2
320
Building Experiences: Design Systems, User Experience, and Full Site Editing
marktimemedia
0
550
Transcript
Grabbing fresh evil bits Maltrieve BSidesNOLA 2013-05-25 Happy Geek Pride
Day! @kylemaxwell technoskald.github.io
No Imperial entanglements. All opinions are my own.
What it's for technoskald.github.io/maltrieve Retrieves malware directly from the sources
as listed at a number of sites • Malware Domain List • VX Vault • Malc0de • Sacour.cn
Potted history Weekend side project that started as a set
of patches to mwcrawler by Ricardo Dias. Add'l Contributions: Ben Jackson, Bryan Brannigan GPL software
Basic architecture Parallelized Python crawler with proxy support and good
logging. If we haven't seen it before, get a little metadata and save it off
Invoking maltrieve Command line: python maltrieve.py Options: -p : proxy
specification -l : log file -d : dump directory (def: /tmp/malware) -c : enable Cuckoo analysis
Adding a new feed • RSS feeds - best option!
◦ One line of code • HTML tables and delimited text (CSV) just need a regex Several pending feeds. More suggestions welcome!
Storing the retrieved malware • filesystem plus logging • Some
pickled data • malwarehouse soon • VxCage? maybe
Cuckoo integration Immediate dynamic analysis (thanks Bryan!) that can extract
IOCs and other metadata
Future stuff Bug fixes, duh! Enabling actual research Twitter integration
Community input...
thug integration buffer.github.io/thug/ Low-interaction browser honeyclient • Windows (2K/XP/7) •
OS X • Android • Linux • IE 6-9 • Chrome 18-26 • Firefox (3,12,19) • Safari Adobe Reader and JRE plugin emulation as well
If you just want lots of data... Maltrieve is about
fresh evil bits. For lots and lots of evil bits, see VirusShare.com
Ongoing development and questions @kylemaxwell