	def analyze(self, line):
		"""Pull the first URL out of one line of a feed.

		Comment lines (starting with ``#``) and lines that start with a
		newline are ignored. NOTE(review): this example is cut short on this
		page -- ``url`` is bound but never used in the lines shown, so what
		happens to it afterwards cannot be seen here.
		"""
		if line.startswith('#') or line.startswith('\n'):
			return

		try:
			url = toolbox.find_urls(line)[0]

		except Exception, e:
			# find_urls() returns something indexable; [0] on an empty
			# result raises IndexError, which here means "no URL in this
			# line", so we return. The broad except also swallows any other
			# failure inside find_urls() -- nothing is logged.
			return
	def analyze(self, dict):
		"""Build a Url element from one parsed MDLTracker feed entry.

		``dict`` is the parsed feed entry (the name shadows the builtin but is
		kept for callers); only its ``description`` key is read here.
		NOTE(review): this example is cut short on this page -- ``mdl`` is
		populated but the lines shown never save it.
		"""
			
		# We create a Url object (not an Evil object, despite what the
		# shared comment in the other examples says) to hold the URL this
		# feed reports. Remember that you can create your own datatypes,
		# if need be.

		mdl = Url()

		# We start populating the Url() object's attributes with
		# information from the dict we parsed earlier

		mdl['feed'] = "MDLTracker"
		try: 
			mdl['value'] = toolbox.find_urls(dict['description'])[0]
		except Exception,e:
			# [0] on an empty find_urls() result raises IndexError (no URL
			# in the description); a missing 'description' key raises
			# KeyError. Both are swallowed silently and the entry is skipped.
			return
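    def analyze(self, dict):
        """Turn one parsed SpyEyeConfigs feed entry into Evil and Url elements.

        ``dict`` is the parsed feed entry; its ``description``, ``link`` and
        ``guid`` keys are read (the parameter name shadows the builtin but is
        kept for callers that pass it by keyword).

        Side effects: saves an Evil element and a Url element through
        ``self.analytics.save_element``, links them with a ``hosting`` edge
        via ``self.analytics.data.connect``, and increments
        ``self.elements_fetched`` once per element that did not already exist
        in the database.

        Raises:
            IndexError: if ``toolbox.find_urls`` finds no URL in the
                description (the ``[0]`` index on an empty result). Feed
                content is untrusted input, so a caller iterating a feed
                should expect this per entry rather than per feed.
            KeyError: if ``description``, ``link`` or ``guid`` is missing.
        """
        # Evil objects are what Malcom uses to store anything it considers
        # evil: malware, spam sources, etc.
        evil = Evil()
        description = dict["description"]

        # Populate the Evil() object from the parsed feed entry.
        evil["feed"] = "SpyEyeConfigs"
        evil["url"] = toolbox.find_urls(description)[0]
        evil["description"] = dict["link"] + " " + description

        # status: the feed marks dead configs with the word "offline".
        if "offline" in description:
            evil["status"] = "offline"
        else:
            evil["status"] = "online"

        # md5: the feed embeds it as "MD5 hash: <32 lowercase hex chars>".
        # An uppercase digest does not match and is recorded as "No MD5".
        md5 = re.search(r"MD5 hash: (?P<md5>[0-9a-f]{32})", description)

        # Values have to be unique: Malcom uses them to identify elements in
        # the database. Prefer the MD5 when present, else fall back to the URL.
        if md5 is not None:
            evil["md5"] = md5.group("md5")
            evil["value"] = "SpyEye Config (MD5: %s)" % evil["md5"]
        else:
            evil["md5"] = "No MD5"
            evil["value"] = "SpyEye Config (URL: %s)" % evil["url"]

        # linkback to the feed item
        evil["source"] = dict["guid"]
        evil["type"] = "evil"
        # NOTE(review): assumes Evil() initialises "tags" to a list -- confirm.
        evil["tags"] += ["spyeye", "malware", "SpyEyeConfigs"]
        evil["date_retreived"] = datetime.datetime.utcnow()

        # Save to the DB. The returned status says whether the element already
        # existed; only brand-new elements count as fetched.
        evil, status = self.analytics.save_element(evil, with_status=True)
        if not status["updatedExisting"]:
            self.elements_fetched += 1

        # Create the URL element, save it, and connect it to the Evil element.
        url = Url(evil["url"], ["evil", "SpyEyeConfigs"])
        url, status = self.analytics.save_element(url, with_status=True)
        if not status["updatedExisting"]:
            self.elements_fetched += 1

        self.analytics.data.connect(url, evil, ["hosting"])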
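	def analyze(self, dict):
		"""Turn one parsed SpyEyeDropzones feed entry into Evil and Url elements.

		``dict`` is the parsed feed entry; its ``description``, ``link`` and
		``guid`` keys are read (the parameter name shadows the builtin but is
		kept for callers that pass it by keyword).

		Side effects: saves an Evil element and a Url element through
		``self.analytics.save_element``, links them with a ``hosting`` edge
		via ``self.analytics.data.connect``, and increments
		``self.elements_fetched`` once per element that did not already exist
		in the database.

		Raises:
			IndexError: if ``toolbox.find_urls`` finds no URL in the
				description (the ``[0]`` index on an empty result). Feed
				content is untrusted input, so a caller iterating a feed
				should expect this per entry rather than per feed.
			KeyError: if ``description``, ``link`` or ``guid`` is missing.
		"""
		# Indentation is tabs throughout: the original mixed tabs and spaces
		# in the md5 section, which Python 3 rejects with TabError.

		# Evil objects are what Malcom uses to store anything it considers
		# evil: malware, spam sources, etc.
		evil = Evil()
		description = dict['description']

		# Populate the Evil() object from the parsed feed entry.
		evil['feed'] = "SpyEyeDropzones"
		evil['url'] = toolbox.find_urls(description)[0]
		evil['description'] = dict['link'] + " " + description

		# status: the feed marks dead dropzones with the word "offline".
		if "offline" in description:
			evil['status'] = "offline"
		else:
			evil['status'] = "online"

		# md5: the feed embeds it as "MD5 hash: <32 lowercase hex chars>".
		# An uppercase digest does not match and is recorded as "No MD5".
		md5 = re.search(r"MD5 hash: (?P<md5>[0-9a-f]{32})", description)
		if md5 is not None:
			evil['md5'] = md5.group('md5')
		else:
			evil['md5'] = "No MD5"

		# linkback to the feed item
		evil['source'] = dict['guid']
		evil['type'] = 'evil'
		# NOTE(review): assumes Evil() initialises 'tags' to a list -- confirm.
		evil['tags'] += ['spyeye', 'malware', 'SpyEyeDropzones']
		evil['date_retreived'] = datetime.datetime.utcnow()

		# Values have to be unique: Malcom uses them to identify elements in
		# the database. This feed keys on the URL only.
		evil['value'] = "SpyEye Dropzone (%s)" % evil['url']

		# Save to the DB. The returned status says whether the element already
		# existed; only brand-new elements count as fetched.
		evil, status = self.analytics.save_element(evil, with_status=True)
		if not status['updatedExisting']:
			self.elements_fetched += 1

		# Create the URL element, save it, and connect it to the Evil element.
		url = Url(evil['url'], ['evil', 'SpyEyeDropzones'])
		url, status = self.analytics.save_element(url, with_status=True)
		if not status['updatedExisting']:
			self.elements_fetched += 1

		# NOTE(review): the other feeds in this file pass the edge type as a
		# list (['hosting']); this one passes a bare string. Confirm which
		# form connect() expects before changing it.
		self.analytics.data.connect(url, evil, 'hosting')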
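    def analyze(self, dict):
        """Turn one parsed ZeusTrackerBinaries feed entry into Evil and Url elements.

        ``dict`` is the parsed feed entry; its ``description``, ``link`` and
        ``guid`` keys are read (the parameter name shadows the builtin but is
        kept for callers that pass it by keyword).

        Side effects: saves an Evil element and a Url element through
        ``self.analytics.save_element``, links them with a ``hosting`` edge
        via ``self.analytics.data.connect``, and increments
        ``self.elements_fetched`` once per element that did not already exist
        in the database.

        Raises:
            IndexError: if ``toolbox.find_urls`` finds no URL in the
                description (the ``[0]`` index on an empty result). Feed
                content is untrusted input, so a caller iterating a feed
                should expect this per entry rather than per feed.
            KeyError: if ``description``, ``link`` or ``guid`` is missing.
        """
        # Evil objects are what Malcom uses to store anything it considers
        # evil: malware, spam sources, etc.
        evil = Evil()
        description = dict['description']

        # Populate the Evil() object from the parsed feed entry.
        evil['feed'] = "ZeusTrackerBinaries"
        evil['url'] = toolbox.find_urls(description)[0]
        evil['description'] = dict['link'] + " " + description

        # status: the feed marks dead binaries with the word "offline".
        if "offline" in description:
            evil['status'] = "offline"
        else:
            evil['status'] = "online"

        # md5: the feed embeds it as "MD5 hash: <32 lowercase hex chars>".
        # An uppercase digest does not match and is recorded as "No MD5".
        md5 = re.search(r"MD5 hash: (?P<md5>[0-9a-f]{32})", description)

        # Values have to be unique: Malcom uses them to identify elements in
        # the database. Prefer the MD5 when present, else fall back to the URL.
        if md5 is not None:
            evil['md5'] = md5.group('md5')
            evil['value'] = "ZeuS bot (MD5: %s)" % evil['md5']
        else:
            evil['md5'] = "No MD5"
            evil['value'] = "ZeuS bot (URL: %s)" % evil['url']

        # linkback to the feed item
        evil['source'] = dict['guid']
        evil['type'] = 'evil'
        # NOTE(review): assumes Evil() initialises 'context' to a list -- confirm.
        evil['context'] += ['zeus', 'malware', 'ZeusTrackerBinaries']
        evil['date_retreived'] = datetime.datetime.utcnow()

        # Save to the DB. The returned status says whether the element already
        # existed; only brand-new elements count as fetched.
        evil, status = self.analytics.save_element(evil, with_status=True)
        if not status['updatedExisting']:
            self.elements_fetched += 1

        # Create the URL element, save it, and connect it to the Evil element.
        url = Url(evil['url'], ['evil', 'ZeusTrackerBinaries'])
        url, status = self.analytics.save_element(url, with_status=True)
        if not status['updatedExisting']:
            self.elements_fetched += 1

        self.analytics.data.connect(url, evil, ['hosting'])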
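    def analytics(self, analytics):
        """Turn every parsed ZeusTrackerBinaries entry into Evil and Url elements.

        Iterates ``self.parsed`` (feed entries read as dicts with
        ``description``, ``link`` and ``guid`` keys). For each entry an Evil
        element and a Url element are saved through
        ``analytics.save_element`` and linked with a ``hosting`` edge; once
        all entries are done ``analytics.process()`` is called.

        ``self.elements_fetched`` is reset to 0 and incremented once for each
        saved element whose ``is_recent()`` is true.

        Raises:
            IndexError: if an entry's description contains no URL (the
                ``[0]`` index on an empty ``toolbox.find_urls`` result). The
                exception aborts the whole loop, so entries after the bad one
                are not processed and ``process()`` is not reached. Feed
                content is untrusted input; a caller should expect this.
            KeyError: if an entry lacks ``description``, ``link`` or ``guid``.
        """
        self.elements_fetched = 0

        # Hoisted out of the loop: the same pattern is used for every entry.
        # Digests are matched lowercase only; an uppercase one becomes "No MD5".
        md5_pattern = re.compile(r"MD5 hash: (?P<md5>[0-9a-f]{32})")

        for entry in self.parsed:
            description = entry['description']

            # Evil objects are what Malcom uses to store anything it considers
            # evil: malware, spam sources, etc.
            evil = Evil()
            evil['feed'] = "ZeusTrackerBinaries"
            evil['url'] = toolbox.find_urls(description)[0]
            evil['description'] = entry['link'] + " " + description

            # status: the feed marks dead binaries with the word "offline".
            if "offline" in description:
                evil['status'] = "offline"
            else:
                evil['status'] = "online"

            # Values have to be unique: Malcom uses them to identify elements
            # in the database. Prefer the MD5 when present, else the URL.
            md5 = md5_pattern.search(description)
            if md5 is not None:
                evil['md5'] = md5.group('md5')
                evil['value'] = "ZeuS bot (MD5: %s)" % evil['md5']
            else:
                evil['md5'] = "No MD5"
                evil['value'] = "ZeuS bot (URL: %s)" % evil['url']

            # linkback to the feed item
            evil['source'] = entry['guid']
            evil['type'] = 'evil'
            # NOTE(review): assumes Evil() initialises 'context' to a list -- confirm.
            evil['context'] += ['zeus', 'malware']
            evil['date_retreived'] = datetime.datetime.utcnow()

            # Commit both elements to the DB and connect the URL to the malware.
            evil = analytics.save_element(evil, ['ZeusTrackerBinaries'])
            url = Url(evil['url'], ['evil', 'ZeusTrackerBinaries'])
            url = analytics.save_element(url)
            analytics.data.connect(url, evil, ['hosting'])

            if evil.is_recent():
                self.elements_fetched += 1
            if url.is_recent():
                self.elements_fetched += 1

        analytics.process()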