Quick & Easy Malware Discovery/Submission

In this quick project the goal was to automate downloading malware and submitting to VirusTotal any samples it does not already have. To gather the malware I decided to use Maltrieve.

From the GitHub README: “Maltrieve originated as a fork of mwcrawler. It retrieves malware directly from the sources as listed at a number of sites, including Malc0de, Malware Black List, Malware Domain List, Malware Patrol, Sacour.cn, VX Vault, URLquery, and CleanMX.” I would like to thank  for taking the time to build this out.

To upload samples to VirusTotal, I utilized a script written by @it4sec. It can be found at http://ondailybasis.com/blog/wp-content/uploads/2012/12/yaps.py_.txt. All I had to do was add my API key to the script and tell it which directory my samples were in. From there it checks whether each sample is already in the VirusTotal data set and, if it isn’t, uploads it. It even keeps track of everything in a log file for future reference.

I added a cron job that runs Maltrieve at the top of every hour and another cron job that runs yaps.py 30 minutes after. This essentially allows me to pull down new samples every hour and do my part in uploading new samples to VirusTotal.
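The check-before-upload step described above, as an added example that is not yaps.py or Maltrieve code: hash every file in the sample directory, skip hashes already recorded in a local log by an earlier cron run, and look up the rest against VirusTotal's v3 file endpoint. Assumptions: the API key comes from the VT_API_KEY environment variable, the log format and the function names are mine, and the upload itself is left out (the script only returns the samples that still need submitting).

```python
import hashlib
import os
import sys
from pathlib import Path
from urllib import error, request

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/"  # v3 lookup by hash


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large samples do not sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def load_seen(log_path: Path) -> set:
    """Hashes handled by earlier runs; log lines are '<sha256> <status> <name>'."""
    if not log_path.exists():
        return set()
    return {line.split()[0] for line in log_path.read_text().splitlines() if line.strip()}


def vt_has_hash(sha256: str, api_key: str) -> bool:
    """True when VirusTotal already knows the file (HTTP 200), False on 404."""
    req = request.Request(VT_FILE_URL + sha256, headers={"x-apikey": api_key})
    try:
        with request.urlopen(req, timeout=30):
            return True
    except error.HTTPError as e:
        if e.code == 404:
            return False
        raise  # quota (429) or auth (401) errors should not be mistaken for "new"


def triage(sample_dir: Path, log_path: Path, known) -> list:
    """Return samples whose hash is neither in the local log nor known to VT.
    `known` is a callable sha256 -> bool so the network lookup can be swapped out."""
    seen = load_seen(log_path)
    new = []
    with log_path.open("a") as log:
        for path in sorted(p for p in sample_dir.iterdir() if p.is_file() and p != log_path):
            digest = sha256_of(path)
            if digest in seen:
                continue  # already handled by an earlier hourly run: no API call
            seen.add(digest)
            status = "known" if known(digest) else "new"
            log.write(f"{digest} {status} {path.name}\n")
            if status == "new":
                new.append(path)
    return new


if __name__ == "__main__":
    key = os.environ["VT_API_KEY"]  # assumption: key supplied via environment
    todo = triage(Path(sys.argv[1]), Path("submission.log"), lambda h: vt_has_hash(h, key))
    print(f"{len(todo)} samples not yet in VirusTotal: {[p.name for p in todo]}")
```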

Analysis:
So far I’ve pulled down 7,424 malware samples with Maltrieve over the last few days. Of those 7,424 samples, ~1400 had never been seen by VirusTotal. I’ve found different variants of malware such as Zeus and Asprox, and lots of malicious iframe injections on web pages. I’m actually surprised by the number of unique samples being uploaded; I was expecting someone to be running this exact same process and uploading samples sooner than I can.

The next step of the project is to have samples uploaded automatically to Malwr.com for sandbox analysis. I look forward to expanding this out and hopefully receiving some input on what direction this should/could go.

– Max Rogers


4 thoughts on “Quick & Easy Malware Discovery/Submission”

  1. Michael says:

    Hey, so where in yaps.py do you specify the malware file directory?

  2. maxrogers5 says:

    Hey Michael, you just specify the malware file directory when you run the python script.

    Example:
    user$ python yaps.py path/to/malware.exe

    or you can use the (*) wildcard to specify multiple files in a directory:

    user$ python yaps.py path/to/* or path/to/*.exe

  3. Michael says:

    Yes, thank you. After reading the script again I saw the instructions.

  4. ben says:

    Have you looked at creating your own Cuckoo sandbox?
