Exemple #1
0
	def analytics(self):
		debug_output("(url analytics for %s)" % self['value'])

		new = []
		#link with hostname
		# host = toolbox.url_get_host(self['value'])
		# if host == None:
		# 	self['hostname'] = "No hostname"
		# else:
		# 	self['hostname'] = host

		# find path
		path, scheme, hostname = toolbox.split_url(self['value'])
		self['path'] = path
		self['scheme'] = scheme
		self['hostname'] = hostname

		if toolbox.is_ip(self['hostname']):
			new.append(('host', Ip(toolbox.is_ip(self['hostname']))))
		elif toolbox.is_hostname(self['hostname']):
			new.append(('host', Hostname(toolbox.is_hostname(self['hostname']))))
		else:
			debug_output("No hostname found for %s" % self['value'], type='error')
			return []

		self['last_analysis'] = datetime.datetime.utcnow()

		# this information is constant and does not change through time
		# we'll have to change this when we check for URL availability
		self['next_analysis'] = None

		return new
Exemple #2
0
	def analyze(self, dict):

		evil = Evil()

		# description
		evil['description'] = dict['description'] 

		host = re.search("Host: (?P<host>\S+),", dict['description'])
		if host:
			if toolbox.is_ip(host.group('host')):
				host = Ip(toolbox.is_ip(host.group('host')))
			elif toolbox.is_hostname(host.group('host')):
				host = Hostname(toolbox.is_hostname(host.group('host')))
			else:
				return None, None

		version = re.search("Version: (?P<version>[ABCD])", dict['description'])
		if version != None:
			evil['version'] = version.group('version')
		else:
			evil['version'] = 'N/A'

		# linkback
		evil['link'] = dict['link']

		# tags
		evil['tags'] += ['feodo', 'cridex', 'malware', 'exe']

		evil['value'] = "Feodo C2 ({})".format(host['value'])

		return host, evil
Exemple #3
0
	def analytics(self):
		debug_output("(url analytics for %s)" % self['value'])

		new = []
		#link with hostname
		# host = toolbox.url_get_host(self['value'])
		# if host == None:
		# 	self['hostname'] = "No hostname"
		# else:
		# 	self['hostname'] = host

		# find path
		path, scheme, hostname = toolbox.split_url(self['value'])
		self['path'] = path
		self['scheme'] = scheme
		self['hostname'] = hostname

		if toolbox.is_ip(self['hostname']):
			new.append(('host', Ip(toolbox.is_ip(self['hostname']))))
		elif toolbox.is_hostname(self['hostname']):
			new.append(('host', Hostname(toolbox.is_hostname(self['hostname']))))
		else:
			debug_output("No hostname found for %s" % self['value'], type='error')
			return

		self['last_analysis'] = datetime.datetime.utcnow()
		
		
		return new
Exemple #4
0
    def analyze(self, dict):

        evil = Evil()

        # description
        evil['description'] = dict['description']

        host = re.search("Host: (?P<host>\S+),", dict['description'])
        if host:
            if toolbox.is_ip(host.group('host')):
                host = Ip(toolbox.is_ip(host.group('host')))
            elif toolbox.is_hostname(host.group('host')):
                host = Hostname(toolbox.is_hostname(host.group('host')))
            else:
                return None, None

        version = re.search("Version: (?P<version>[ABCD])",
                            dict['description'])
        if version != None:
            evil['version'] = version.group('version')
        else:
            evil['version'] = 'N/A'

        # linkback
        evil['link'] = dict['link']

        # tags
        evil['tags'] += ['feodo', 'cridex', 'malware', 'exe']

        evil['value'] = "Feodo C2 ({})".format(host['value'])

        return host, evil
Exemple #5
0
class FeodoTracker(Feed):

    descriptions = {
        'A':
        "Hosted on compromised webservers running an nginx proxy on port 8080 TCP forwarding all botnet traffic to a tier 2 proxy node. Botnet traffic usually directly hits these hosts on port 8080 TCP without using a domain name.",
        'B':
        "Hosted on servers rented and operated by cybercriminals for the exclusive purpose of hosting a Feodo botnet controller. Usually taking advantage of a domain name within ccTLD .ru. Botnet traffic usually hits these domain names using port 80 TCP.",
        'C':
        "Successor of Feodo, completely different code. Hosted on the same botnet infrastructure as Version A (compromised webservers, nginx on port 8080 TCP or port 7779 TCP, no domain names) but using a different URL structure. This Version is also known as Geodo.",
        'D': "Successor of Cridex. This version is also known as Dridex",
    }

    variants = {
        'A': "Feodo",
        'B': "Feodo",
        'C': "Geodo",
        'D': "Dridex",
    }

    def __init__(self, name):
        super(FeodoTracker, self).__init__(name)
        self.name = "FeodoTracker"
        self.source = "https://feodotracker.abuse.ch/feodotracker.rss"
        self.description = "Feodo Tracker RSS Feed. This feed shows the latest twenty Feodo C2 servers which Feodo Tracker has identified."

    def update(self):
        for dict in self.update_xml('item',
                                    ["title", "link", "description", "guid"]):
            self.analyze(dict)

    def analyze(self, dict):
        evil = dict

        date_string = re.search(r"\((?P<datetime>[\d\- :]+)\)",
                                dict['title']).group('datetime')
        try:
            evil['date_added'] = datetime.datetime.strptime(
                date_string, "%Y-%m-%d %H:%M:%S")
        except ValueError, e:
            pass

        g = re.match(r'^Host: (?P<host>.+), Version: (?P<version>\w)',
                     dict['description'])
        g = g.groupdict()
        evil['host'] = g['host']
        evil['version'] = g['version']
        evil['description'] = FeodoTracker.descriptions[g['version']]
        evil['id'] = md5.new(dict['description']).hexdigest()
        evil['source'] = self.name
        del evil['title']

        if toolbox.is_ip(evil['host']):
            elt = Ip(ip=evil['host'],
                     tags=[FeodoTracker.variants[g['version']]])
        elif toolbox.is_hostname(evil['host']):
            elt = Hostname(hostname=evil['host'],
                           tags=[FeodoTracker.variants[g['version']]])

        elt.add_evil(evil)
        self.commit_to_db(elt)
Exemple #6
0
    def analyze(self, dict):
        evil = dict

        date_string = re.search(r"\((?P<datetime>[\d\- :]+)\)",
                                dict['title']).group('datetime')
        try:
            evil['date_added'] = datetime.datetime.strptime(
                date_string, "%Y-%m-%d %H:%M:%S")
        except ValueError:
            pass

        g = re.match(r'^Host: (?P<host>.+), Version: (?P<version>\w)',
                     dict['description'])
        g = g.groupdict()
        evil['host'] = g['host']
        evil['version'] = g['version']
        evil['description'] = FeodoTracker.descriptions[g['version']]
        evil['id'] = md5.new(dict['description']).hexdigest()
        evil['source'] = self.name
        del evil['title']

        if toolbox.is_ip(evil['host']):
            elt = Ip(ip=evil['host'],
                     tags=[FeodoTracker.variants[g['version']]])
        elif toolbox.is_hostname(evil['host']):
            elt = Hostname(hostname=evil['host'],
                           tags=[FeodoTracker.variants[g['version']]])

        elt.seen(first=evil['date_added'])
        elt.add_evil(evil)
        self.commit_to_db(elt)
Exemple #7
0
    def analyze(self, dict):
        evil = dict

        date_string = re.search(r"\((?P<datetime>[\d\- :]+)\)", dict['title']).group('datetime')
        try:
            evil['date_added'] = datetime.datetime.strptime(date_string, "%Y-%m-%d %H:%M:%S")
        except ValueError:
            pass

        g = re.match(r'^Host: (?P<host>.+), Version: (?P<version>\w)', dict['description'])
        g = g.groupdict()
        evil['host'] = g['host']
        evil['version'] = g['version']
        evil['description'] = FeodoTracker.descriptions[g['version']]
        evil['id'] = md5.new(dict['description']).hexdigest()
        evil['source'] = self.name
        del evil['title']

        if toolbox.is_ip(evil['host']):
            elt = Ip(ip=evil['host'], tags=[FeodoTracker.variants[g['version']]])
        elif toolbox.is_hostname(evil['host']):
            elt = Hostname(hostname=evil['host'], tags=[FeodoTracker.variants[g['version']]])

        elt.seen(first=evil['date_added'])
        elt.add_evil(evil)
        self.commit_to_db(elt)
Exemple #8
0
    def analyze(self, dict):
        evil = dict

        try:
            evil['date_added'] = datetime.datetime.strptime(dict['first_seen'], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            pass

        evil['host'] = dict['dst_ip']
        evil['version'] = dict['malware']
        evil['description'] = FeodoTracker.descriptions[dict['malware']]
        evil['id'] = md5.new(evil['host'] + evil['description']).hexdigest()
        evil['source'] = self.name

        if toolbox.is_ip(evil['host']):
            elt = Ip(ip=evil['host'], tags=[dict['malware']])
        elif toolbox.is_hostname(evil['host']):
            elt = Hostname(hostname=evil['host'], tags=[dict['malware']])

        elt.seen(first=evil['date_added'])
        elt.add_evil(evil)
        self.commit_to_db(elt)