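def add_text(self, text, context=None):
    """Classify free-text tokens as IP / URL / hostname elements and save them.

    Args:
        text: iterable of strings. Blank tokens are skipped; every other
            token is tried, in this order, as an IP, a URL and a hostname,
            and the first helper that returns a truthy value wins.
        context: optional list of context tags handed through to
            ``self.save_element``. Defaults to a fresh empty list per call.
            (Was ``context=[]`` — a mutable default shared by every call,
            which anything downstream could mutate and leak between calls.)

    Returns:
        The single saved element when exactly one token was recognised,
        otherwise the list of saved elements (possibly empty).
    """
    if context is None:
        context = []
    added = []
    for token in text:
        if not token.strip():
            continue
        elt = None
        # Each is_* helper is used both as the test and as the normalised
        # value (presumably it returns the parsed value or something falsy),
        # so call it once instead of twice per token.
        ip = is_ip(token)
        if ip:
            elt = Ip(ip, [])
        else:
            url = is_url(token)
            if url:
                elt = Url(url, [])
            else:
                hostname = is_hostname(token)
                if hostname:
                    elt = Hostname(hostname, [])
        if elt:
            added.append(self.save_element(elt, context))
    # Historical quirk kept for callers: a single hit is returned bare,
    # anything else (including no hits) as a list.
    return added[0] if len(added) == 1 else added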
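def analyze(self, dict):
    """Turn one parsed ZeuS Tracker "binaries" feed entry into DB elements.

    Builds an ``Evil`` element for the ZeuS sample and a ``Url`` element for
    the URL hosting it, saves both through ``self.analytics`` and connects
    them with a ``hosting`` link. ``self.elements_fetched`` is incremented
    once for every element that did not already exist in the database.

    Args:
        dict: parsed feed entry (name shadows the builtin; kept because
            callers may pass it by keyword). Keys read: ``description``,
            ``link``, ``guid``. All of it is untrusted feed content and is
            stored verbatim.

    Returns:
        None. An entry whose description contains no URL is skipped.
    """
    description = dict['description']
    urls = toolbox.find_urls(description)
    if not urls:
        # Was ``find_urls(...)[0]``, which raised IndexError on a malformed
        # entry and aborted the whole feed run; skip the entry instead.
        return None

    # Evil objects are what Malcom uses to store anything it considers
    # evil: malware, spam sources, etc. (custom datatypes are possible).
    evil = Evil()
    evil['feed'] = "ZeusTrackerBinaries"
    evil['url'] = urls[0]
    evil['description'] = dict['link'] + " " + description
    # Status is inferred from a substring of the free-text description.
    evil['status'] = "offline" if "offline" in description else "online"
    # Only lowercase hex is accepted — NOTE(review): confirm the feed never
    # emits uppercase digests, which would silently fall through to "No MD5".
    md5 = re.search(r"MD5 hash: (?P<md5>[0-9a-f]{32})", description)
    evil['md5'] = md5.group('md5') if md5 is not None else "No MD5"
    # linkback to the feed item
    evil['source'] = dict['guid']
    evil['type'] = 'evil'
    evil['context'] += ['zeus', 'malware', 'ZeusTrackerBinaries']
    # Key spelling ('date_retreived') is a stored DB field name; keep it.
    # Naive UTC timestamp, as elsewhere in the project.
    evil['date_retreived'] = datetime.datetime.utcnow()
    # 'value' must be unique: it is how Malcom identifies the element in
    # the database. Prefer the MD5, fall back to the URL.
    if md5 is not None:
        evil['value'] = "ZeuS bot (MD5: %s)" % evil['md5']
    else:
        evil['value'] = "ZeuS bot (URL: %s)" % evil['url']

    # 'status' is the write result; 'updatedExisting' is its boolean flag
    # telling whether an existing document was updated (i.e. not new).
    evil, status = self.analytics.save_element(evil, with_status=True)
    if not status['updatedExisting']:
        self.elements_fetched += 1

    url = Url(evil['url'], ['evil', 'ZeusTrackerBinaries'])
    url, status = self.analytics.save_element(url, with_status=True)
    if not status['updatedExisting']:
        self.elements_fetched += 1

    # Connect the URL element to the Evil element.
    self.analytics.data.connect(url, evil, ['hosting'])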
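def analytics(self, analytics):
    """Persist every parsed ZeuS Tracker "binaries" entry through *analytics*.

    For each entry in ``self.parsed`` an ``Evil`` element (the ZeuS sample)
    and a ``Url`` element (its hosting URL) are saved and linked with a
    ``hosting`` edge. ``self.elements_fetched`` counts the saved elements
    whose ``is_recent()`` is true. ``analytics.process()`` runs once at the
    end.

    Args:
        analytics: object exposing ``save_element``, ``data.connect`` and
            ``process`` (presumably the Malcom analytics engine).

    Returns:
        None. Entries whose description contains no URL are skipped.
    """
    self.elements_fetched = 0
    for entry in self.parsed:
        description = entry['description']
        urls = toolbox.find_urls(description)
        if not urls:
            # Was ``find_urls(...)[0]``: an entry without a URL raised
            # IndexError and aborted the loop before analytics.process().
            continue

        # Evil object describing the sample; every field is untrusted
        # feed content stored verbatim.
        evil = Evil()
        evil['feed'] = "ZeusTrackerBinaries"
        evil['url'] = urls[0]
        evil['description'] = entry['link'] + " " + description
        # Status is inferred from a substring of the free-text description.
        evil['status'] = "offline" if "offline" in description else "online"
        # Only lowercase hex is accepted — NOTE(review): confirm the feed
        # never emits uppercase digests (they would become "No MD5").
        md5 = re.search(r"MD5 hash: (?P<md5>[0-9a-f]{32})", description)
        evil['md5'] = md5.group('md5') if md5 is not None else "No MD5"
        # linkback to the feed item
        evil['source'] = entry['guid']
        evil['type'] = 'evil'
        evil['context'] += ['zeus', 'malware']
        # Key spelling ('date_retreived') is a stored DB field name; keep it.
        evil['date_retreived'] = datetime.datetime.utcnow()
        # 'value' identifies the element in the DB; prefer MD5, else URL.
        if md5 is not None:
            evil['value'] = "ZeuS bot (MD5: %s)" % evil['md5']
        else:
            evil['value'] = "ZeuS bot (URL: %s)" % evil['url']

        # commit to db (feed name passed as save context)
        evil = analytics.save_element(evil, ['ZeusTrackerBinaries'])

        # URL object hosting the sample, committed and linked to it
        url = analytics.save_element(
            Url(evil['url'], ['evil', 'ZeusTrackerBinaries'])
        )
        analytics.data.connect(url, evil, ['hosting'])

        if evil.is_recent():
            self.elements_fetched += 1
        if url.is_recent():
            self.elements_fetched += 1

    analytics.process()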