

Automated malware collection (Maltrieve)

  • When you want to collect relatively fresh malware samples, the script below is convenient: it pulls URLs from public malware URL feeds and downloads whatever is still being served at them.

Maltrieve

aptitude install python-bs4

Usage

  • Just run the script, pointing it at a dump directory
  • The retrieved files are live malware: run the script on an isolated host (or through the proxy given with -p), and keep the dump directory on a noexec filesystem that is not shared with anything that could run the files
# python ./maltrieve.py -d /tmp/malware/
2013-03-28 13:22:43 -1221842176 Using /tmp/malware/ as dump directory
2013-03-28 13:22:44 -1221842176 Parsing description Host: www.paypal-servcies.com/server/gate.php, IP address: 69.10.52.162, ASN: 19318, Country: US, Description: Zeus drop zone
2013-03-28 13:22:44 -1221842176 Parsing description Host: www.paypal-servcies.com/server/cp.php?m=login, IP address: 69.10.52.162, ASN: 19318, Country: US, Description: Zeus control panel
2013-03-28 13:22:44 -1221842176 Parsing description Host: adilsondocavacoaulasvianet.com/admin/blood-cell-costume, IP address: 200.58.111.26, ASN: 27823, Country: AR, Description: redirects to exploit kit with Google referrer
2013-03-28 13:22:44 -1221842176 Parsing description Host: heilaiqo.garagesport.ch:7354/cont/reprints.php?space=253&features=378&documents=897&students=843&press=355&pubsphoto=24&release=297, IP address: 192.111.144.12, ASN: 31863, Country: US, Description: Sweet Orange exploit kit
[snip]

  • Options (python ./maltrieve.py -h)
usage: maltrieve.py [-h] [-p PROXY] [-d DUMPDIR] [-l LOGFILE]

optional arguments:
  -h, --help            show this help message and exit
  -p PROXY, --proxy PROXY
                        Define HTTP proxy as address:port
  -d DUMPDIR, --dumpdir DUMPDIR
                        Define dump directory for retrieved files
  -l LOGFILE, --logfile LOGFILE
                        Define file for logging progress
malware/maltrieve.1365485897.txt.gz · Last updated: 2013/04/09 05:38 by kikuzou

Unless otherwise noted, the contents of this wiki are licensed under: CC Attribution-Share Alike 4.0 International