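	def analytics(self):
		"""Split this URL into path/scheme/hostname and link it to its host.

		Stores the parts returned by ``toolbox.split_url`` on the element,
		then builds a ``('host', Ip)`` or ``('host', Hostname)`` relation for
		the host part. Returns the list of new (relation, element) pairs, or
		an empty list when the host part is neither an IP nor a hostname.
		"""
		debug_output("(url analytics for %s)" % self['value'])

		path, scheme, hostname = toolbox.split_url(self['value'])
		self['path'] = path
		self['scheme'] = scheme
		self['hostname'] = hostname

		# validate the host part once; the toolbox helpers are used as
		# truthy checks and their result is what the element is built from
		ip = toolbox.is_ip(hostname)
		if ip:
			new = [('host', Ip(ip))]
		else:
			name = toolbox.is_hostname(hostname)
			if name:
				new = [('host', Hostname(name))]
			else:
				debug_output("No hostname found for %s" % self['value'], type='error')
				return []

		self['last_analysis'] = datetime.datetime.utcnow()

		# this information is constant and does not change through time
		# we'll have to change this when we check for URL availability
		self['next_analysis'] = None

		return new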
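	def analytics(self):
		"""Split this URL into path/scheme/hostname and link it to its host.

		Stores the parts returned by ``toolbox.split_url`` on the element,
		then builds a ``('host', Ip)`` or ``('host', Hostname)`` relation for
		the host part. Always returns a list of (relation, element) pairs:
		an empty list (never None) when the host part is neither an IP nor a
		hostname, so callers can iterate the result unconditionally.
		"""
		debug_output("(url analytics for %s)" % self['value'])

		path, scheme, hostname = toolbox.split_url(self['value'])
		self['path'] = path
		self['scheme'] = scheme
		self['hostname'] = hostname

		# validate the host part once; the toolbox helpers are used as
		# truthy checks and their result is what the element is built from
		ip = toolbox.is_ip(hostname)
		if ip:
			new = [('host', Ip(ip))]
		else:
			name = toolbox.is_hostname(hostname)
			if name:
				new = [('host', Hostname(name))]
			else:
				debug_output("No hostname found for %s" % self['value'], type='error')
				return []

		self['last_analysis'] = datetime.datetime.utcnow()

		return new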
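	def analyze(self, dict):
		"""Turn one feed entry into a (host, Evil) pair.

		dict: a feed record with at least 'description' and 'link'. The
		    host is parsed from "Host: <value>," in the description and
		    wrapped as an Ip or Hostname; the version letter is parsed from
		    "Version: <A-D>" and defaults to 'N/A'.
		Returns (None, None) when no usable host can be extracted (no
		"Host:" field, or a value that is neither an IP nor a hostname), so
		the caller can skip the record instead of failing on host['value'].
		"""
		evil = Evil()

		# description
		evil['description'] = dict['description']

		match = re.search(r"Host: (?P<host>\S+),", dict['description'])
		if not match:
			return None, None
		raw_host = match.group('host')
		ip = toolbox.is_ip(raw_host)
		if ip:
			host = Ip(ip)
		else:
			name = toolbox.is_hostname(raw_host)
			if name:
				host = Hostname(name)
			else:
				return None, None

		version = re.search(r"Version: (?P<version>[ABCD])", dict['description'])
		evil['version'] = version.group('version') if version is not None else 'N/A'

		# linkback
		evil['link'] = dict['link']

		# tags
		evil['tags'] += ['feodo', 'cridex', 'malware', 'exe']

		evil['value'] = "Feodo C2 ({})".format(host['value'])

		return host, evil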
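    def analyze(self, dict):
        """Turn one feed entry into a (host, Evil) pair.

        dict: a feed record with at least 'description' and 'link'. The
            host is parsed from "Host: <value>," in the description and
            wrapped as an Ip or Hostname; the version letter is parsed from
            "Version: <A-D>" and defaults to 'N/A'.
        Returns (None, None) when no usable host can be extracted (no
        "Host:" field, or a value that is neither an IP nor a hostname), so
        the caller can skip the record instead of failing on host['value'].
        """
        evil = Evil()

        # description
        evil['description'] = dict['description']

        match = re.search(r"Host: (?P<host>\S+),", dict['description'])
        if not match:
            return None, None
        raw_host = match.group('host')
        ip = toolbox.is_ip(raw_host)
        if ip:
            host = Ip(ip)
        else:
            name = toolbox.is_hostname(raw_host)
            if name:
                host = Hostname(name)
            else:
                return None, None

        version = re.search(r"Version: (?P<version>[ABCD])",
                            dict['description'])
        evil['version'] = version.group('version') if version is not None else 'N/A'

        # linkback
        evil['link'] = dict['link']

        # tags
        evil['tags'] += ['feodo', 'cridex', 'malware', 'exe']

        evil['value'] = "Feodo C2 ({})".format(host['value'])

        return host, evil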
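	def __init__(self, hostname="", tags=None):
		"""Build a hostname element.

		hostname: candidate hostname; the element is populated only when
		    ``toolbox.is_hostname`` returns it unchanged. A trailing dot is
		    stripped from the stored value.
		tags: optional list of tags, defaulting to a fresh empty list (the
		    former ``tags=[]`` default was a single list shared by every
		    instance built without tags).
		"""
		super(Hostname, self).__init__()
		normalized = toolbox.is_hostname(hostname)
		if normalized == hostname:
			self['tags'] = [] if tags is None else tags
			self['value'] = normalized
			if self['value'][-1:] == ".":
				self['value'] = self['value'][:-1]
			self['type'] = 'hostname'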
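    def __init__(self, hostname="", tags=None):
        """Build a hostname element.

        hostname: candidate hostname; the element is populated only when
            ``toolbox.is_hostname`` returns it unchanged. A trailing dot is
            stripped from the stored value.
        tags: optional list of tags, defaulting to a fresh empty list (the
            former ``tags=[]`` default was a single list shared by every
            instance built without tags).
        """
        super(Hostname, self).__init__()
        normalized = toolbox.is_hostname(hostname)
        if normalized == hostname:
            self['tags'] = [] if tags is None else tags
            self['value'] = normalized
            if self['value'][-1:] == ".":
                self['value'] = self['value'][:-1]
            self['type'] = 'hostname'

            # refresh domains every 6 hours
            self['refresh_period'] = Hostname.default_refresh_period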
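	def __init__(self, hostname="", tags=None):
		"""Build a hostname element.

		hostname: candidate hostname; the element is populated only when
		    ``toolbox.is_hostname`` returns it unchanged. A trailing dot is
		    stripped from the stored value.
		tags: optional list of tags, defaulting to a fresh empty list (the
		    former ``tags=[]`` default was a single list shared by every
		    instance built without tags).
		"""
		super(Hostname, self).__init__()
		normalized = toolbox.is_hostname(hostname)
		if normalized == hostname:
			self['tags'] = [] if tags is None else tags
			self['value'] = normalized
			if self['value'][-1:] == ".":
				self['value'] = self['value'][:-1]
			self['type'] = 'hostname'

			# refresh domains every 6 hours
			self['refresh_period'] = Hostname.default_refresh_period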
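class FeodoTracker(Feed):
    """Feed for the abuse.ch Feodo Tracker RSS.

    Every RSS item describes one C2 server. The host and the version
    letter are parsed out of the item description; the host is committed
    as an Ip or Hostname element carrying the item as an evil record.
    """

    # version letter -> text stored as evil['description']
    descriptions = {
        'A':
        "Hosted on compromised webservers running an nginx proxy on port 8080 TCP forwarding all botnet traffic to a tier 2 proxy node. Botnet traffic usually directly hits these hosts on port 8080 TCP without using a domain name.",
        'B':
        "Hosted on servers rented and operated by cybercriminals for the exclusive purpose of hosting a Feodo botnet controller. Usually taking advantage of a domain name within ccTLD .ru. Botnet traffic usually hits these domain names using port 80 TCP.",
        'C':
        "Successor of Feodo, completely different code. Hosted on the same botnet infrastructure as Version A (compromised webservers, nginx on port 8080 TCP or port 7779 TCP, no domain names) but using a different URL structure. This Version is also known as Geodo.",
        'D': "Successor of Cridex. This version is also known as Dridex",
    }

    # version letter -> tag put on the host element
    variants = {
        'A': "Feodo",
        'B': "Feodo",
        'C': "Geodo",
        'D': "Dridex",
    }

    def __init__(self, name):
        super(FeodoTracker, self).__init__(name)
        self.name = "FeodoTracker"
        self.source = "https://feodotracker.abuse.ch/feodotracker.rss"
        self.description = "Feodo Tracker RSS Feed. This feed shows the latest twenty Feodo C2 servers which Feodo Tracker has identified."

    def update(self):
        """Fetch the RSS feed and analyze every <item>."""
        for dict in self.update_xml('item',
                                    ["title", "link", "description", "guid"]):
            self.analyze(dict)

    def analyze(self, dict):
        """Convert one RSS item into an evil record attached to its host.

        dict: the item fields 'title', 'link', 'description', 'guid'; it
            is mutated in place into the evil record ('title' is removed).
        Items whose description does not match "Host: ..., Version: X",
        whose version letter is not in ``descriptions``, or whose host is
        neither an IP nor a hostname are skipped. An item whose title has
        no parseable "(YYYY-mm-dd HH:MM:SS)" timestamp is kept without
        'date_added'.
        """
        evil = dict

        date_match = re.search(r"\((?P<datetime>[\d\- :]+)\)", dict['title'])
        if date_match:
            try:
                evil['date_added'] = datetime.datetime.strptime(
                    date_match.group('datetime'), "%Y-%m-%d %H:%M:%S")
            except ValueError:
                # best effort: keep the record without a date
                pass

        g = re.match(r'^Host: (?P<host>.+), Version: (?P<version>\w)',
                     dict['description'])
        if g is None:
            # unexpected description layout: nothing to extract
            return
        g = g.groupdict()
        version = g['version']
        if version not in FeodoTracker.descriptions:
            # unknown variant letter: nothing sensible to describe or tag
            return

        # hash the feed's own description (which names the host) before it
        # is replaced by the generic per-version text; hashing afterwards
        # gave every host of the same version the same id
        raw_description = dict['description']
        evil['host'] = g['host']
        evil['version'] = version
        evil['description'] = FeodoTracker.descriptions[version]
        # md5 is only a stable dedup key for the record, not a security control
        evil['id'] = md5.new(raw_description).hexdigest()
        evil['source'] = self.name
        del evil['title']

        tags = [FeodoTracker.variants[version]]
        if toolbox.is_ip(evil['host']):
            elt = Ip(ip=evil['host'], tags=tags)
        elif toolbox.is_hostname(evil['host']):
            elt = Hostname(hostname=evil['host'], tags=tags)
        else:
            # neither an IP nor a hostname: no element to attach the evil to
            return

        elt.add_evil(evil)
        self.commit_to_db(elt)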
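    def analyze(self, dict):
        """Convert one RSS item into an evil record attached to its host.

        dict: the item fields 'title', 'link', 'description', 'guid'; it
            is mutated in place into the evil record ('title' is removed).
        Items whose description does not match "Host: ..., Version: X",
        whose version letter is not in ``FeodoTracker.descriptions``, or
        whose host is neither an IP nor a hostname are skipped. An item
        whose title has no parseable "(YYYY-mm-dd HH:MM:SS)" timestamp is
        kept, but its first-seen time is not recorded (previously the
        missing 'date_added' raised KeyError at the seen() call).
        """
        evil = dict

        date_match = re.search(r"\((?P<datetime>[\d\- :]+)\)", dict['title'])
        if date_match:
            try:
                evil['date_added'] = datetime.datetime.strptime(
                    date_match.group('datetime'), "%Y-%m-%d %H:%M:%S")
            except ValueError:
                # best effort: keep the record without a date
                pass

        g = re.match(r'^Host: (?P<host>.+), Version: (?P<version>\w)',
                     dict['description'])
        if g is None:
            # unexpected description layout: nothing to extract
            return
        g = g.groupdict()
        version = g['version']
        if version not in FeodoTracker.descriptions:
            # unknown variant letter: nothing sensible to describe or tag
            return

        # hash the feed's own description (which names the host) before it
        # is replaced by the generic per-version text; hashing afterwards
        # gave every host of the same version the same id
        raw_description = dict['description']
        evil['host'] = g['host']
        evil['version'] = version
        evil['description'] = FeodoTracker.descriptions[version]
        # md5 is only a stable dedup key for the record, not a security control
        evil['id'] = md5.new(raw_description).hexdigest()
        evil['source'] = self.name
        del evil['title']

        tags = [FeodoTracker.variants[version]]
        if toolbox.is_ip(evil['host']):
            elt = Ip(ip=evil['host'], tags=tags)
        elif toolbox.is_hostname(evil['host']):
            elt = Hostname(hostname=evil['host'], tags=tags)
        else:
            # neither an IP nor a hostname: no element to attach the evil to
            return

        if 'date_added' in evil:
            elt.seen(first=evil['date_added'])
        elt.add_evil(evil)
        self.commit_to_db(elt)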
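    def analyze(self, dict):
        """Convert one RSS item into an evil record attached to its host.

        dict: the item fields 'title', 'link', 'description', 'guid'; it
            is mutated in place into the evil record ('title' is removed).
        Items whose description does not match "Host: ..., Version: X",
        whose version letter is not in ``FeodoTracker.descriptions``, or
        whose host is neither an IP nor a hostname are skipped. An item
        whose title has no parseable "(YYYY-mm-dd HH:MM:SS)" timestamp is
        kept, but its first-seen time is not recorded (previously the
        missing 'date_added' raised KeyError at the seen() call).
        """
        evil = dict

        date_match = re.search(r"\((?P<datetime>[\d\- :]+)\)", dict['title'])
        if date_match:
            try:
                evil['date_added'] = datetime.datetime.strptime(date_match.group('datetime'), "%Y-%m-%d %H:%M:%S")
            except ValueError:
                # best effort: keep the record without a date
                pass

        g = re.match(r'^Host: (?P<host>.+), Version: (?P<version>\w)', dict['description'])
        if g is None:
            # unexpected description layout: nothing to extract
            return
        g = g.groupdict()
        version = g['version']
        if version not in FeodoTracker.descriptions:
            # unknown variant letter: nothing sensible to describe or tag
            return

        # hash the feed's own description (which names the host) before it
        # is replaced by the generic per-version text; hashing afterwards
        # gave every host of the same version the same id
        raw_description = dict['description']
        evil['host'] = g['host']
        evil['version'] = version
        evil['description'] = FeodoTracker.descriptions[version]
        # md5 is only a stable dedup key for the record, not a security control
        evil['id'] = md5.new(raw_description).hexdigest()
        evil['source'] = self.name
        del evil['title']

        tags = [FeodoTracker.variants[version]]
        if toolbox.is_ip(evil['host']):
            elt = Ip(ip=evil['host'], tags=tags)
        elif toolbox.is_hostname(evil['host']):
            elt = Hostname(hostname=evil['host'], tags=tags)
        else:
            # neither an IP nor a hostname: no element to attach the evil to
            return

        if 'date_added' in evil:
            elt.seen(first=evil['date_added'])
        elt.add_evil(evil)
        self.commit_to_db(elt)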
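class MalwareTrafficAnalysis(Feed):
    """Feed for malware-traffic-analysis.net's suspicious IP/domain list.

    Each non-comment line of the text file is a comma-separated record
    ``ip,port,domains,traffic_info,description,date``. The IP becomes an
    Ip element, every '/'-separated domain a Hostname element linked to
    it, all carrying the same evil record.
    """
    def __init__(self, name):
        super(MalwareTrafficAnalysis, self).__init__(name, run_every="12h")

        self.name = "MalwareTrafficAnalysis"
        self.source = "http://www.malware-traffic-analysis.net/suspicious-ip-addresses-and-domains.txt"
        self.description = "Collects results from malware-traffic-analysis.net"

    def update(self):
        """Download the list and analyze it line by line."""
        # NOTE(review): urlopen is called without a timeout, so a stalled
        # feed host blocks this feed's update indefinitely -- TODO confirm
        # whether Feed bounds the run at a higher level
        feed = urllib2.urlopen(self.source).read().split('\n')
        for line in feed:
            self.analyze(line)

    def analyze(self, line):
        """Parse one line of the list and commit its IP and domains.

        line: one raw line of the feed. Blank lines, '#' comments and the
            "IP address" header are ignored; a line that does not split
            into exactly six comma-separated fields, or whose date is not
            "YYYY-mm-dd", is reported and skipped instead of aborting the
            whole update.
        """
        if not line.strip() or line.startswith("#") or line.startswith("IP address"):
            return
        try:
            ip, port, domains, traffic_info, description, date_string = line.split(',')
        except ValueError:
            print("Malformed line, skipping")
            return

        # the last field carries any line terminator left by split('\n')
        date_string = date_string.strip()
        try:
            date_added = datetime.datetime.strptime(date_string, "%Y-%m-%d")
        except ValueError:
            print("Malformed line, skipping")
            return

        evil = {}
        evil['ip'] = ip
        port_match = re.search(r'[\d]+', port)
        if port_match:
            evil['port'] = port_match.group()
        evil['domains'] = domains
        evil['description'] = description
        if traffic_info:
            evil['description'] += " ({})".format(traffic_info)

        evil['date_added'] = date_added

        # md5 is only a stable dedup key for the record, not a security control
        evil['id'] = md5.new(evil['description'] + evil['ip'] + date_string).hexdigest()
        evil['source'] = self.name

        ip_elt = Ip(ip=ip)
        hostnames = [
            d.strip() for d in domains.split('/')
            if toolbox.is_hostname(d.strip())
        ]

        ip_elt.seen(first=date_added)
        ip_elt.add_evil(evil)
        committed_ip = self.commit_to_db(ip_elt)

        for d in hostnames:
            h = Hostname(hostname=d)
            h.seen(first=date_added)
            h.add_evil(evil)
            h = self.commit_to_db(h)
            self.model.connect(h, committed_ip)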
	def analytics(self):
		"""Resolve the reverse DNS name of this IP and link it as 'reverse'.

		Returns a list of (relation, element) pairs holding at most one
		``('reverse', Hostname)`` entry, and schedules the next analysis
		``self['refresh_period']`` seconds after this one.
		"""
		debug_output( "(ip analytics for %s)" % self['value'])
		links = []

		# reverse lookup; only a value that passes is_hostname is linked
		rdns = toolbox.reverse_dns(self['value'])
		if rdns and toolbox.is_hostname(rdns):
			links.append(('reverse', Hostname(rdns)))

		now = datetime.datetime.utcnow()
		self['last_analysis'] = now
		self['next_analysis'] = now + datetime.timedelta(seconds=self['refresh_period'])

		return links
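    def analyze(self, dict):
        """Convert one Feodo Tracker record into an evil entry on its host.

        dict: a record with 'first_seen', 'dst_ip' and 'malware' fields;
            it is reused in place as the evil record.
        A record whose 'malware' is not a key of
        ``FeodoTracker.descriptions``, or whose host is neither an IP nor a
        hostname, is skipped. A record whose 'first_seen' does not parse
        is kept, but its first-seen time is not recorded (previously the
        missing 'date_added' raised KeyError at the seen() call).
        """
        evil = dict

        try:
            evil['date_added'] = datetime.datetime.strptime(dict['first_seen'], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            # best effort: keep the record without a date
            pass

        variant = dict['malware']
        if variant not in FeodoTracker.descriptions:
            # unknown variant: nothing sensible to describe or tag
            return

        evil['host'] = dict['dst_ip']
        evil['version'] = variant
        evil['description'] = FeodoTracker.descriptions[variant]
        # md5 is only a stable dedup key for the record, not a security control
        evil['id'] = md5.new(evil['host'] + evil['description']).hexdigest()
        evil['source'] = self.name

        if toolbox.is_ip(evil['host']):
            elt = Ip(ip=evil['host'], tags=[variant])
        elif toolbox.is_hostname(evil['host']):
            elt = Hostname(hostname=evil['host'], tags=[variant])
        else:
            # neither an IP nor a hostname: no element to attach the evil to
            return

        if 'date_added' in evil:
            elt.seen(first=evil['date_added'])
        elt.add_evil(evil)
        self.commit_to_db(elt)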
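    def analyze(self, line):
        """Parse one line of the list and commit its IP and domains.

        line: one raw ``ip,port,domains,traffic_info,description,date``
            line of the feed. Blank lines, '#' comments and the
            "IP address" header are ignored; a line that does not split
            into exactly six comma-separated fields, or whose date is not
            "YYYY-mm-dd", is skipped instead of aborting the whole update.
        """
        if not line.strip() or line.startswith("#") or line.startswith("IP address"):
            return
        try:
            ip, port, domains, traffic_info, description, date_string = line.split(',')
        except ValueError:
            # Malformed line, skipping
            return

        # the last field carries any line terminator left by the caller's split
        date_string = date_string.strip()
        try:
            date_added = datetime.datetime.strptime(date_string, "%Y-%m-%d")
        except ValueError:
            # Malformed date, skipping
            return

        evil = {}
        evil['ip'] = ip
        port_match = re.search(r'[\d]+', port)
        if port_match:
            evil['port'] = port_match.group()
        evil['domains'] = domains
        evil['description'] = description
        if traffic_info:
            evil['description'] += " ({})".format(traffic_info)

        evil['date_added'] = date_added

        # md5 is only a stable dedup key for the record, not a security control
        evil['id'] = md5.new(evil['description']+evil['ip']+date_string).hexdigest()
        evil['source'] = self.name

        ip_elt = Ip(ip=ip)
        hostnames = [d.strip() for d in domains.split('/') if toolbox.is_hostname(d.strip())]

        ip_elt.seen(first=date_added)
        ip_elt.add_evil(evil)
        committed_ip = self.commit_to_db(ip_elt)

        for d in hostnames:
            h = Hostname(hostname=d)
            h.seen(first=date_added)
            h.add_evil(evil)
            h = self.commit_to_db(h)
            self.model.connect(h, committed_ip)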