def analytics(self):
    """Split this URL element into scheme, hostname and path and link its host.

    Writes self['path'], self['scheme'] and self['hostname'] from
    toolbox.split_url(self['value']), then decides which element to link
    under the 'host' relation: an Ip when the stored hostname validates as
    an IP address, otherwise a Hostname when it validates as a hostname.

    Returns:
        [('host', element)] on success. [] when the hostname is neither an
        IP nor a hostname; in that case an error is logged and
        last_analysis / next_analysis are left untouched.
    """
    debug_output("(url analytics for %s)" % self['value'])

    path, scheme, hostname = toolbox.split_url(self['value'])
    self['path'] = path
    self['scheme'] = scheme
    self['hostname'] = hostname

    host_value = self['hostname']
    as_ip = toolbox.is_ip(host_value)
    as_name = None if as_ip else toolbox.is_hostname(host_value)

    if as_ip:
        links = [('host', Ip(as_ip))]
    elif as_name:
        links = [('host', Hostname(as_name))]
    else:
        debug_output("No hostname found for %s" % self['value'], type='error')
        return []

    self['last_analysis'] = datetime.datetime.utcnow()
    # The URL's components do not change over time, so no re-analysis is
    # scheduled; this needs revisiting once URL availability gets checked.
    self['next_analysis'] = None
    return links
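def analyze(self, dict):
    """Build an Evil record and its host element from one Feodo Tracker item.

    Args:
        dict: feed item carrying 'description' and 'link' (the name is kept
            for callers even though it shadows the builtin). The content
            comes from the remote feed, so it is parsed defensively.

    Returns:
        (host, evil) where host is an Ip or Hostname element, or
        (None, None) when the description carries no host at all or one
        that is neither an IP nor a hostname.
    """
    evil = Evil()
    evil['description'] = dict['description']

    match = re.search(r"Host: (?P<host>\S+),", dict['description'])
    if match is None:
        # Previously fell through to host['value'] with host still None.
        return None, None
    raw_host = match.group('host')
    if toolbox.is_ip(raw_host):
        host = Ip(toolbox.is_ip(raw_host))
    elif toolbox.is_hostname(raw_host):
        host = Hostname(toolbox.is_hostname(raw_host))
    else:
        return None, None

    version = re.search(r"Version: (?P<version>[ABCD])", dict['description'])
    evil['version'] = version.group('version') if version is not None else 'N/A'

    # Link back to the feed entry the record came from.
    evil['link'] = dict['link']
    evil['tags'] += ['feodo', 'cridex', 'malware', 'exe']
    evil['value'] = "Feodo C2 ({})".format(host['value'])
    return host, evil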
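def analytics(self):
    """Split this URL element into scheme, hostname and path and link its host.

    Writes self['path'], self['scheme'] and self['hostname'] from
    toolbox.split_url(self['value']), then links an Ip (when the hostname
    validates as an IP) or a Hostname (when it validates as a hostname)
    under the 'host' relation.

    Returns:
        [('host', element)] on success; [] when the hostname is neither an
        IP nor a hostname (an error is logged and last_analysis is not
        updated). The failure path used to return None, which made the
        return type inconsistent with the success path.
    """
    debug_output("(url analytics for %s)" % self['value'])
    new = []

    path, scheme, hostname = toolbox.split_url(self['value'])
    self['path'] = path
    self['scheme'] = scheme
    self['hostname'] = hostname

    if toolbox.is_ip(self['hostname']):
        new.append(('host', Ip(toolbox.is_ip(self['hostname']))))
    elif toolbox.is_hostname(self['hostname']):
        new.append(('host', Hostname(toolbox.is_hostname(self['hostname']))))
    else:
        debug_output("No hostname found for %s" % self['value'], type='error')
        return []  # keep the return type a list, as the success path does

    self['last_analysis'] = datetime.datetime.utcnow()
    return new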
class FeodoTracker(Feed):
    """Feed adapter for the abuse.ch Feodo Tracker RSS export.

    The class-level tables map the single-letter botnet version reported by
    the tracker to a human-readable description and to the malware family
    name used as tag.
    """

    # Tracker's own wording for each version letter.
    descriptions = {
        'A': "Hosted on compromised webservers running an nginx proxy on port 8080 TCP forwarding all botnet traffic to a tier 2 proxy node. Botnet traffic usually directly hits these hosts on port 8080 TCP without using a domain name.",
        'B': "Hosted on servers rented and operated by cybercriminals for the exclusive purpose of hosting a Feodo botnet controller. Usually taking advantage of a domain name within ccTLD .ru. Botnet traffic usually hits these domain names using port 80 TCP.",
        'C': "Successor of Feodo, completely different code. Hosted on the same botnet infrastructure as Version A (compromised webservers, nginx on port 8080 TCP or port 7779 TCP, no domain names) but using a different URL structure. This Version is also known as Geodo.",
        'D': "Successor of Cridex. This version is also known as Dridex",
    }

    # Family name per version letter; A and B are both plain Feodo.
    variants = dict(
        A="Feodo",
        B="Feodo",
        C="Geodo",
        D="Dridex",
    )

    def __init__(self, name):
        """Initialise the base Feed with *name*, then pin this feed's identity.

        Note that self.name is overwritten with the fixed string
        "FeodoTracker" right after the base initialiser runs.
        """
        super(FeodoTracker, self).__init__(name)
        self.name = "FeodoTracker"
        self.source = "https://feodotracker.abuse.ch/feodotracker.rss"
        self.description = "Feodo Tracker RSS Feed. This feed shows the latest twenty Feodo C2 servers which Feodo Tracker has identified."
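def update(self):
    """Fetch the RSS feed and hand every <item> to analyze()."""
    for dict in self.update_xml('item', ["title", "link", "description", "guid"]):
        self.analyze(dict)


def analyze(self, dict):
    """Turn one RSS item into an Evil record attached to an Ip or Hostname.

    The item dict is reused in place as the Evil record, so it is mutated.
    It must carry 'title' and 'description'; both come from the remote
    feed and are treated as untrusted text.

    Items are skipped (nothing is committed) when the description does not
    match the "Host: ..., Version: X" layout, when the version letter has
    no entry in the class tables, or when the host is neither an IP nor a
    hostname. The original raised on each of those (AttributeError on a
    None match, KeyError, UnboundLocalError on 'elt').

    Args:
        dict: the feed item (name kept for callers; shadows the builtin).
    """
    evil = dict

    # The title carries "(YYYY-MM-DD HH:MM:SS)". A missing or malformed
    # timestamp leaves date_added unset, matching the original tolerance;
    # nothing below depends on it.
    stamp = re.search(r"\((?P<datetime>[\d\- :]+)\)", dict['title'])
    if stamp is not None:
        try:
            evil['date_added'] = datetime.datetime.strptime(stamp.group('datetime'), "%Y-%m-%d %H:%M:%S")
        except ValueError:
            pass

    match = re.match(r'^Host: (?P<host>.+), Version: (?P<version>\w)', dict['description'])
    if match is None:
        return
    g = match.groupdict()
    try:
        description = FeodoTracker.descriptions[g['version']]
        tag = FeodoTracker.variants[g['version']]
    except KeyError:
        return

    evil['host'] = g['host']
    evil['version'] = g['version']
    evil['description'] = description
    # Stable identifier derived from the description text; not used as a
    # security hash.
    evil['id'] = md5.new(dict['description']).hexdigest()
    evil['source'] = self.name
    del evil['title']

    if toolbox.is_ip(evil['host']):
        elt = Ip(ip=evil['host'], tags=[tag])
    elif toolbox.is_hostname(evil['host']):
        elt = Hostname(hostname=evil['host'], tags=[tag])
    else:
        return
    elt.add_evil(evil)
    self.commit_to_db(elt)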
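def analyze(self, dict):
    """Turn one RSS item into an Evil record attached to an Ip or Hostname.

    The item dict is reused in place as the Evil record, so it is mutated.
    It must carry 'title' and 'description'; both come from the remote
    feed and are treated as untrusted text.

    Items are skipped (nothing is committed) when the title holds no
    parseable "(YYYY-MM-DD HH:MM:SS)" timestamp, when the description does
    not match the "Host: ..., Version: X" layout, when the version letter
    has no entry in the class tables, or when the host is neither an IP nor
    a hostname. The original raised on each of those (KeyError on
    date_added after a swallowed ValueError, AttributeError on a None
    match, KeyError, UnboundLocalError on 'elt').

    Args:
        dict: the feed item (name kept for callers; shadows the builtin).
    """
    evil = dict

    # elt.seen(first=...) below needs the timestamp, so an item without a
    # usable one cannot be recorded.
    stamp = re.search(r"\((?P<datetime>[\d\- :]+)\)", dict['title'])
    if stamp is None:
        return
    try:
        evil['date_added'] = datetime.datetime.strptime(stamp.group('datetime'), "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return

    match = re.match(r'^Host: (?P<host>.+), Version: (?P<version>\w)', dict['description'])
    if match is None:
        return
    g = match.groupdict()
    try:
        description = FeodoTracker.descriptions[g['version']]
        tag = FeodoTracker.variants[g['version']]
    except KeyError:
        return

    evil['host'] = g['host']
    evil['version'] = g['version']
    evil['description'] = description
    # Stable identifier derived from the description text; not used as a
    # security hash.
    evil['id'] = md5.new(dict['description']).hexdigest()
    evil['source'] = self.name
    del evil['title']

    if toolbox.is_ip(evil['host']):
        elt = Ip(ip=evil['host'], tags=[tag])
    elif toolbox.is_hostname(evil['host']):
        elt = Hostname(hostname=evil['host'], tags=[tag])
    else:
        return
    elt.seen(first=evil['date_added'])
    elt.add_evil(evil)
    self.commit_to_db(elt)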
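def analyze(self, dict):
    """Turn one RSS item into an Evil record attached to an Ip or Hostname.

    The item dict is reused in place as the Evil record, so it is mutated.
    It must carry 'title' and 'description'; both come from the remote
    feed and are treated as untrusted text.

    Items are skipped (nothing is committed) when the title holds no
    parseable "(YYYY-MM-DD HH:MM:SS)" timestamp, when the description does
    not match the "Host: ..., Version: X" layout, when the version letter
    has no entry in the class tables, or when the host is neither an IP nor
    a hostname. The original raised on each of those (KeyError on
    date_added after a swallowed ValueError, AttributeError on a None
    match, KeyError, UnboundLocalError on 'elt').

    Args:
        dict: the feed item (name kept for callers; shadows the builtin).
    """
    evil = dict

    # elt.seen(first=...) below needs the timestamp, so an item without a
    # usable one cannot be recorded.
    stamp = re.search(r"\((?P<datetime>[\d\- :]+)\)", dict['title'])
    if stamp is None:
        return
    try:
        evil['date_added'] = datetime.datetime.strptime(stamp.group('datetime'), "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return

    match = re.match(r'^Host: (?P<host>.+), Version: (?P<version>\w)', dict['description'])
    if match is None:
        return
    g = match.groupdict()
    try:
        description = FeodoTracker.descriptions[g['version']]
        tag = FeodoTracker.variants[g['version']]
    except KeyError:
        return

    evil['host'] = g['host']
    evil['version'] = g['version']
    evil['description'] = description
    # Stable identifier derived from the description text; not used as a
    # security hash.
    evil['id'] = md5.new(dict['description']).hexdigest()
    evil['source'] = self.name
    del evil['title']

    if toolbox.is_ip(evil['host']):
        elt = Ip(ip=evil['host'], tags=[tag])
    elif toolbox.is_hostname(evil['host']):
        elt = Hostname(hostname=evil['host'], tags=[tag])
    else:
        return
    elt.seen(first=evil['date_added'])
    elt.add_evil(evil)
    self.commit_to_db(elt)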
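def analyze(self, dict):
    """Turn one structured feed row into an Evil record attached to an element.

    The row dict is reused in place as the Evil record, so it is mutated.
    It must carry 'first_seen', 'dst_ip' and 'malware'; all come from the
    remote feed and are treated as untrusted text.

    Rows are skipped (nothing is committed) when 'first_seen' is not a
    "%Y-%m-%d %H:%M:%S" timestamp (elt.seen(first=...) needs it; the
    original swallowed the ValueError and then raised KeyError), when the
    malware key has no description entry, or when the host is neither an
    IP nor a hostname (the original hit an unbound 'elt').

    Args:
        dict: the feed row (name kept for callers; shadows the builtin).
    """
    evil = dict

    try:
        evil['date_added'] = datetime.datetime.strptime(dict['first_seen'], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return

    evil['host'] = dict['dst_ip']
    evil['version'] = dict['malware']
    # NOTE(review): assumes the feed's 'malware' field uses the same keys as
    # FeodoTracker.descriptions -- confirm against live feed data.
    try:
        evil['description'] = FeodoTracker.descriptions[dict['malware']]
    except KeyError:
        return
    # Stable identifier derived from host + description; not used as a
    # security hash.
    evil['id'] = md5.new(evil['host'] + evil['description']).hexdigest()
    evil['source'] = self.name

    tags = [dict['malware']]
    if toolbox.is_ip(evil['host']):
        elt = Ip(ip=evil['host'], tags=tags)
    elif toolbox.is_hostname(evil['host']):
        elt = Hostname(hostname=evil['host'], tags=tags)
    else:
        return
    elt.seen(first=evil['date_added'])
    elt.add_evil(evil)
    self.commit_to_db(elt)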