Andy Smith's Blog

Picking out the interesting Malware from Dionaea

  • Dionaea
  • Honeypots
  • Scripts
  • Virustotal

So once you have Dionaea up and running and submitting samples to VirusTotal, you will want to pick out the more interesting malware from your ever-expanding collection.

I am choosing to define 'interesting' here as 'the fewest positive hits on virustotal.com'. There are a number of reasons why this may very well not mean 'interesting', but I don't need to go into those here. It is, at least, interesting enough.

We're going to use the sqlite database to poke around; there's already been some SQL magic documented on carnivore.it that you should check out if this interests you.

Top 10 Undetected Malware

SELECT
    virustotalscans.virustotal,count(virustotalscans.virustotal) as hits,virustotal_md5_hash,virustotal_permalink
FROM
    virustotalscans, virustotals
WHERE
    virustotalscans.virustotal = virustotals.virustotal and virustotalscan_result != ''
GROUP BY
    virustotalscans.virustotal
ORDER BY
    hits asc;

This produces a nice little list, of which the top 10 for me is:

  1. 18798b6904059c9408888fa05da02fe0
  2. 0e19ae7fb3f3c70f81e321d4b2824d48
  3. 022c02f4104a157fb8c04ec11f4b3ce3
  4. 061a289056139e77388ad93bbab42d07
  5. 3773d1e9d976659d1e18f390cec6d85a
  6. 524305279349c3e0ce187384fe87ca13
  7. 6170cd45f1e0cd5d22c7a80d3b4d23f7
  8. 77296904b96d0905960a5ff23e5935db
  9. 4535c1f0ac6749a3c452a9bd4b3df655
  10. 2894c4e7df8fc9eb7d87a22255def354

Obviously it's entirely possible that a year ago Dionaea submitted a piece of malware that has since become detected by all of the scanners, but it's still quite a handy list when picking through lots of files.

Update

Similarly, if you want to see the most obscure viruses from the past 7 days, only a little tweak is required: an extra condition on `virustotal_timestamp` against the Unix time of 7 days ago.

SELECT
    virustotalscans.virustotal,count(virustotalscans.virustotal) as hits,virustotal_md5_hash,virustotal_permalink
FROM
    virustotalscans, virustotals
WHERE
    virustotalscans.virustotal = virustotals.virustotal and virustotalscan_result != '' and virustotals.virustotal_timestamp >= strftime('%s','now','-7 days')
GROUP BY
    virustotalscans.virustotal
ORDER BY
    hits asc;
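To show both queries above working end to end, here is an added Python example (not from the original post or from the Dionaea project) that builds an in-memory sqlite database with constructed sample and scan rows, runs the post's query and its 7-day variant, and alongside them a LEFT JOIN variant that also surfaces samples with zero positive results. That last point is a caveat worth knowing: because the post's query filters on `virustotalscan_result != ''` in the WHERE clause before grouping, a sample that no scanner flagged at all contributes no rows and so never appears in the "least detected" list. The table and column names follow Dionaea's logsql schema as I recall it; the columns not used in the post's query, the scanner names, hashes and permalinks are all assumptions or constructed values. The age cut-off is computed in Python as a bound parameter rather than with `strftime('%s','now','-7 days')` so the result is reproducible; the two are equivalent.

```python
import hashlib
import sqlite3
import time

# Assumed schema (Dionaea's logsql module); only the columns used by the
# post's query are relied on.
SCHEMA = """
CREATE TABLE virustotals (
    virustotal INTEGER PRIMARY KEY,
    virustotal_md5_hash TEXT NOT NULL,
    virustotal_timestamp INTEGER NOT NULL,
    virustotal_permalink TEXT NOT NULL
);
CREATE TABLE virustotalscans (
    virustotalscan INTEGER PRIMARY KEY,
    virustotal INTEGER NOT NULL,
    virustotalscan_scanner TEXT NOT NULL,
    virustotalscan_result TEXT
);
"""

# The post's query, with the timestamp condition as a bound parameter so the
# same statement serves the "all time" and "past N days" cases.
PAGE_QUERY = """
SELECT virustotals.virustotal_md5_hash, count(virustotalscans.virustotal) AS hits
FROM virustotalscans, virustotals
WHERE virustotalscans.virustotal = virustotals.virustotal
  AND virustotalscan_result != ''
  AND virustotals.virustotal_timestamp >= ?
GROUP BY virustotalscans.virustotal
ORDER BY hits ASC
"""

# Variant that keeps samples with zero positive results: the join is a LEFT
# JOIN and the detection test moves into a conditional SUM, so a sample whose
# scan results are all empty (or missing) still yields a row with hits = 0.
ZERO_SAFE_QUERY = """
SELECT virustotals.virustotal_md5_hash,
       SUM(CASE WHEN virustotalscan_result IS NOT NULL
                 AND virustotalscan_result != '' THEN 1 ELSE 0 END) AS hits
FROM virustotals
LEFT JOIN virustotalscans
       ON virustotalscans.virustotal = virustotals.virustotal
WHERE virustotals.virustotal_timestamp >= ?
GROUP BY virustotals.virustotal
ORDER BY hits ASC
"""

NOW = int(time.time())


def sample_md5(label):
    """Constructed MD5 for a labelled fake sample (not a real malware hash)."""
    return hashlib.md5(f"constructed sample {label}".encode()).hexdigest()


def build_sample_db(now=NOW):
    """Create an in-memory database with constructed submissions and scans."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    scanners = [f"scanner{i}" for i in range(1, 6)]  # five fictitious engines
    # (label, positive results out of 5, age of the submission in days)
    samples = [("A", 3, 1), ("B", 1, 2), ("C", 0, 3), ("D", 2, 30)]
    for label, detections, age_days in samples:
        md5 = sample_md5(label)
        cur = conn.execute(
            "INSERT INTO virustotals (virustotal_md5_hash, virustotal_timestamp,"
            " virustotal_permalink) VALUES (?, ?, ?)",
            (md5, now - age_days * 86400, f"https://example.invalid/vt/{md5}"),
        )
        vt_id = cur.lastrowid
        for i, scanner in enumerate(scanners):
            # Dionaea stores an empty result for engines that flagged nothing.
            result = f"Constructed.Detection.{label}" if i < detections else ""
            conn.execute(
                "INSERT INTO virustotalscans (virustotal, virustotalscan_scanner,"
                " virustotalscan_result) VALUES (?, ?, ?)",
                (vt_id, scanner, result),
            )
    conn.commit()
    return conn


def least_detected(conn, query=PAGE_QUERY, days=None, now=NOW):
    """Return [(md5, hits), ...], least detected first.

    days=None means no age cut-off; otherwise only submissions from the past
    `days` days are considered (the post's strftime('%s','now','-7 days')).
    """
    cutoff = 0 if days is None else now - days * 86400
    return conn.execute(query, (cutoff,)).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print("post's query, all time:     ", least_detected(db))
    print("zero-safe query, all time:  ", least_detected(db, ZERO_SAFE_QUERY))
    print("post's query, past 7 days:  ", least_detected(db, days=7))
    print("zero-safe query, past 7 days:", least_detected(db, ZERO_SAFE_QUERY, days=7))
```

Against the constructed data, the post's query returns B, D and A with 1, 2 and 3 hits and silently omits C, which no engine flagged; the LEFT JOIN form lists C first with 0 hits, which is exactly the kind of sample the post is hunting for. The 7-day filter drops the 30-day-old D from both.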
