Picking out the interesting Malware from Dionaea
- Dionaea
- Honeypots
- Scripts
- Virustotal
So once you have Dionaea up and running and scanning with Virustotal, you want to pick out the more interesting malware from your ever expanding collection.
I am choosing to define 'interesting' here as 'the least positive hits on virustotal.com'. There are a number of reasons why this may very well not mean 'interesting', but I don't need to go into those here. It is, at least, interesting enough.
We're going to use the sqlite database to poke around; there's already been some SQL magic documented on carnivore.it that you should check out if this interests you.
Top 10 Undetected Malware
SELECT
virustotalscans.virustotal,count(virustotalscans.virustotal) as hits,virustotal_md5_hash,virustotal_permalink
FROM
virustotalscans, virustotals
WHERE
virustotalscans.virustotal = virustotals.virustotal and virustotalscan_result != ''
GROUP BY
virustotalscans.virustotal
ORDER BY
hits asc;
This produces a nice little list, which for me is:
Obviously it's entirely possible that 1 year ago Dionaea submitted a piece of malware that has since been detected by all scanners, but it's still quite a handy list when picking through lots of files.
Update
Similarly, if you want to see the most obscure viruses in the past 7 days, only a little tweak is required:
SELECT
virustotalscans.virustotal,count(virustotalscans.virustotal) as hits,virustotal_md5_hash,virustotal_permalink
FROM
virustotalscans, virustotals
WHERE
virustotalscans.virustotal = virustotals.virustotal and virustotalscan_result != '' and virustotals.virustotal_timestamp >= strftime('%s','now','-7 days')
GROUP BY
virustotalscans.virustotal
ORDER BY
hits asc;
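Both queries above can be run straight from Python against the same sqlite file. The example below is added here and is not part of the original post or of Dionaea; it assumes the column names used in the queries above and that virustotal_timestamp is a Unix epoch integer, and builds a small constructed in-memory copy of the two tables so it runs offline. It goes one step beyond the post's query: hits are counted with conditional aggregation, so samples that no scanner flagged at all still appear with hits = 0 instead of being dropped by the WHERE clause, and the scanner total is returned alongside so you can read off a detection ratio.

```python
import sqlite3
import time

# Constructed subset of Dionaea's logsql schema: only the columns the post's
# queries touch. Column names are assumed to match the real tables.
SCHEMA = """
CREATE TABLE virustotals (
    virustotal INTEGER PRIMARY KEY, virustotal_md5_hash TEXT,
    virustotal_permalink TEXT, virustotal_timestamp INTEGER);
CREATE TABLE virustotalscans (
    virustotalscan INTEGER PRIMARY KEY, virustotal INTEGER,
    virustotalscan_scanner TEXT, virustotalscan_result TEXT);
"""

# Like the post's query, but hits are counted per sample with conditional
# aggregation, so fully undetected samples are kept (hits = 0) rather than
# filtered out before GROUP BY, and the scanner count gives a detection ratio.
QUERY = """
SELECT v.virustotal_md5_hash,
       SUM(COALESCE(s.virustotalscan_result, '') != '') AS hits,
       COUNT(s.virustotalscan) AS scanners,
       v.virustotal_permalink
FROM virustotals v JOIN virustotalscans s ON s.virustotal = v.virustotal
WHERE v.virustotal_timestamp >= ?
GROUP BY v.virustotal
ORDER BY hits ASC, v.virustotal_md5_hash ASC
LIMIT ?;
"""

def least_detected(conn, days=None, limit=10):
    """Rows of (md5, hits, scanners, permalink), fewest detections first,
    optionally restricted to samples submitted within the last `days` days."""
    cutoff = 0 if days is None else int(time.time()) - days * 86400
    return conn.execute(QUERY, (cutoff, limit)).fetchall()

def build_sample_db():
    """In-memory database with constructed samples (placeholder hashes and links)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    now = int(time.time())
    samples = [  # (id, md5, permalink, age in days, one result per scanner)
        (1, "md5-A", "https://example.invalid/A", 1, ["", "Trojan.Gen", ""]),
        (2, "md5-B", "https://example.invalid/B", 3, ["W32.Foo"] * 3),
        (3, "md5-C", "https://example.invalid/C", 30, ["", "", ""]),   # undetected, old
        (4, "md5-D", "https://example.invalid/D", 2, ["", "", None]),  # undetected, recent
    ]
    for vt_id, md5, link, age, results in samples:
        conn.execute("INSERT INTO virustotals VALUES (?, ?, ?, ?)", (vt_id, md5, link, now - age * 86400))
        conn.executemany("INSERT INTO virustotalscans (virustotal, virustotalscan_scanner, "
                         "virustotalscan_result) VALUES (?, ?, ?)",
                         [(vt_id, f"scanner{i}", r) for i, r in enumerate(results)])
    return conn
```

Point `sqlite3.connect` at Dionaea's logsql database instead of `build_sample_db()` and `least_detected(conn, days=7)` gives the 7-day list from the second query above, with the undetected samples included.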