In this quick project I decided that the goal would be to automate downloading malware and submitting to VirusTotal any samples it does not already have. To gather the malware, I decided to use Maltrieve.
From the GitHub README: “Maltrieve originated as a fork of mwcrawler. It retrieves malware directly from the sources as listed at a number of sites, including Malc0de, Malware Black List, Malware Domain List, Malware Patrol, Sacour.cn, VX Vault, URLquery, and CleanMX.” I would like to thank technoskald for taking the time to build this out.
To upload samples to VirusTotal, I utilized a script written by @it4sec. It can be found at http://ondailybasis.com/blog/wp-content/uploads/2012/12/yaps.py_.txt. All I had to do was add my API key to the script and tell it what directory my samples were in. From there it checks whether each sample is already in the VirusTotal data set and, if it isn’t, uploads it. It even keeps track of everything in a log file for future reference.
I added a cron job that runs Maltrieve at the top of every hour and another cron job that runs yaps.py 30 minutes after. This essentially allows me to pull down new samples every hour and do my part in uploading new samples to VirusTotal.
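To make the half-past-the-hour step concrete, here is an added illustration of the check-then-upload loop described above. It is not yaps.py or any code from @it4sec; the VirusTotal hash lookup and file submission are assumed to be supplied as callables (`is_known`, `upload`) so the dedup and ledger logic runs offline.

```python
#!/usr/bin/env python3
"""Hash new samples, skip ones VirusTotal already knows, upload the rest.

Added example of the yaps.py workflow, not that script. The two VirusTotal
calls are injected as callables (assumption) so the logic can run offline.
"""
import hashlib
import json
from pathlib import Path
from typing import Callable, Dict


def sha256_of(path: Path) -> str:
    """Stream the file so large samples are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def load_ledger(ledger: Path) -> Dict[str, str]:
    """Ledger maps sha256 -> 'known' | 'uploaded' from earlier cron runs."""
    if not ledger.exists():
        return {}
    return json.loads(ledger.read_text())


def process_samples(sample_dir, ledger_path,
                    is_known: Callable[[str], bool],
                    upload: Callable[[Path], None]) -> Dict[str, str]:
    """Return {sha256: status} for this run and persist the cumulative ledger.

    is_known(sha256) -> bool  stands in for a VirusTotal hash lookup.
    upload(path)             stands in for a VirusTotal file submission.
    """
    sample_dir, ledger_path = Path(sample_dir), Path(ledger_path)
    ledger = load_ledger(ledger_path)
    results: Dict[str, str] = {}
    for path in sorted(p for p in sample_dir.iterdir() if p.is_file()):
        digest = sha256_of(path)
        if digest in ledger:  # handled in a previous hour: no API call needed
            results[digest] = ledger[digest]
            continue
        if is_known(digest):
            status = "known"
        else:
            upload(path)
            status = "uploaded"
        ledger[digest] = results[digest] = status
    ledger_path.write_text(json.dumps(ledger, indent=1))
    return results
```

Scheduled from cron as the `30 * * * *` job, the ledger keeps each sample from being looked up or submitted more than once across hourly runs.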
So far I’ve pulled down 7,424 malware samples using Maltrieve over the last few days. Of those 7,424 samples, ~1400 had never been seen by VirusTotal. I’ve found different variants of malware such as Zeus and Asprox, and lots of malicious iframe injections on web pages. I’m actually surprised at the number of unique samples being uploaded; I was expecting someone to be doing this exact same process and uploading samples sooner than I could.
The next step of the project is to upload the malware automatically to Malwr.com to generate sandbox reports for the samples. I look forward to expanding this out and hopefully receiving some input on what direction this should/could go.
– Max Rogers