Posted by jeremy on 14th April 2008
I was recently introduced to UploadMalware.com, a site run by a group of volunteer security professionals. They actively accept your Malware binary submissions and forward them to several Antivirus companies, which speeds up the identification and classification of Malware and the development of signatures, and that, may I say, benefits everyone. You can find a list of the vendors they work with here: Vendors. In support of what these volunteers are doing, I have created a small Perl script that lets anyone submit suspicious binaries to their site without having to use the web interface. I have included all of the options available on their web form. Everything except the binary file itself is optional when submitting, but I would encourage you to provide as much information as possible. They also run an IRC channel where many of these professionals hang out and are willing to talk with you about your submissions or anything else Malware and/or Security related. You can find their channel "#uploadmalware" on the WyldRyde IRC Network, or use the instant chat web client on their website.
If you have a honeypot or harvest Malware, may I suggest using this script to automatically submit binaries by creating a cron job or writing a small wrapper script. Just a suggestion.
Here is a link to the script I created: uploadmalware_submit_pl. As always if you have any issues with this script or find any bugs feel free to contact me anytime.
Posted in Scripts, Tools | 4 Comments »
Posted by jeremy on 6th April 2008
After talking it over with a few colleagues and friends, I have decided to release the script I use to extract the peer IP addresses and ports from the Storm Worm ini/config file, as I think it may benefit others. The current configuration file for the Storm Worm is "aromis.config", and it holds the IPs of the bot peers the infected computer can communicate with. This will not be the entire list of IPs infected with the Storm Worm, as the Storm Worm breaks its bot network up into small sub-network-like structures. This is why it has been so hard for Security Professionals to combat the worm and to gather an accurate count of hosts infected with it.
Something to consider before using the script: I cannot guarantee it will work on new configuration files, as the authors of the Storm Worm could change the file at any time. If they do modify the configuration file structure, I may or may not update the script to reflect the changes. I think once you see how simple it is, you may just want to update it yourself. I am not a professional programmer nor a Perl guru, so if you find anything insane in the code, I welcome your fixes and/or improvements.
With all that being said, run it at your own risk, as I provide no warranty! Well, here you go: storm_config_decoder_pl. The output from this script is very simple, "ip address:port", for example "192.168.0.1:1234", with the last line of output telling you exactly how many unique IP addresses it was able to identify. Oh, I almost forgot to mention that it can parse multiple files: just use "*" as a wildcard character or list the files separated by spaces. This option has been very useful to me for combining the configuration files from several different infections over a period of time, such as the last 24 hours. Try it, as you may get some interesting results.
As always if you have any questions or comments regarding this post or script feel free to contact me at anytime at jeremy [at] sudosecure [dot] net. Enjoy!
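As an added illustration of the decoder idea (example code written for this page, not jeremy's storm_config_decoder_pl), the script below walks one or more config files, prints each ip:port pair once and ends with the unique-IP count. The peer line layout it expects (hex hash, "=", hex IP, ":", hex port, ":", flag) and the network byte order of the IP are assumptions; if your copy of aromis.config differs, only $PEER_RE needs to change.

```perl
#!/usr/bin/perl
# storm_peers.pl (added example) - extract peer IP:port pairs from one or more
# Storm Worm config files and report how many unique IPs were seen.
# ASSUMPTION: each peer entry is a line shaped like
#   <hex hash>=<8 hex digits, IP in network byte order>:<4 hex digits, port>:<flag>
# If your copy of aromis.config differs, only $PEER_RE needs to change.
use strict;
use warnings;

my $PEER_RE = qr/^[0-9A-Fa-f]+=([0-9A-Fa-f]{8}):([0-9A-Fa-f]{4}):/;

# Expand wildcards ourselves so "*.config" also works when the shell
# passes it through unexpanded (quoted arguments, cron, etc.).
my @files = map { glob($_) } @ARGV;
die "usage: $0 <config file(s)>\n" unless @files;

my %ip_seen;     # unique IP addresses across all files
my %pair_seen;   # ip:port combinations already printed
my @pairs;       # output, in order of first appearance

for my $file (@files) {
    open(my $fh, '<', $file) or do { warn "cannot open $file: $!\n"; next };
    while (my $line = <$fh>) {
        $line =~ s/\r?\n\z//;                 # strip CRLF or LF
        next unless $line =~ $PEER_RE;
        my ($ip, $port) = (hex_to_ip($1), hex($2));
        $ip_seen{$ip} = 1;
        push @pairs, "$ip:$port" unless $pair_seen{"$ip:$port"}++;
    }
    close($fh);
}

print "$_\n" for @pairs;
print scalar(keys %ip_seen), " unique IP addresses found\n";

# "C0A80001" -> "192.168.0.1"
sub hex_to_ip {
    my ($hex) = @_;
    return join('.', unpack('C4', pack('N', hex($hex))));
}
```

Run it as ./storm_peers.pl aromis.config or ./storm_peers.pl 'captures/*.config' to merge several infections' files, as the post describes.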
Posted in Bots and Worms, Scripts, Storm Worm, Tools | 2 Comments »
Posted by jeremy on 5th April 2008
Since my release of the ThreatExpert.com Perl script to aid in the batch processing of Malware binaries and automate their submission for analysis, I have written two more: one for the CWSandbox and one for Anubis. If you haven't used either of these sandboxes for a quick analysis, I would really recommend them, as they can provide a very fast and detailed report on a suspected Malware binary using a combination of automated static analysis and behavioral analysis techniques. One of the major advantages of using them is that you won't have to set up your own lab/sandnet to analyze suspicious binaries, and there is no risk of infecting your network during the analysis. Most of these sandboxes have established relationships with Antivirus companies to aid in the development of antivirus signatures through the sharing of submitted Malware binaries, so again I would encourage all of you to use them for the "greater good".
With that being said, I tend to favor the CWSandbox due to the wealth of information in its reports. They offer the option to download a pcap file of the network activity during execution of the binary, a cab file of the analysis, an XML report, or to just browse the results in their easy-to-navigate web interface. The pcap files can be used to write Snort signatures for your IDS, which in turn helps identify other computers on your network that may be infected with the same Malware. The detailed report of system modifications can also be used to hunt for possibly infected computers when no IDS is in place.
Well, enough rambling; here are two more scripts that I hope you find useful: cwsandbox_submit_pl and anubis_submit.pl.
As always, I do not warranty these scripts in any shape or fashion, and you assume all risk in running them. If you have any questions, bug reports, or comments, feel free to shoot me an email at: jeremy [at] sudosecure [dot] net.
Posted in Scripts, Tools | No Comments »
Posted by jeremy on 1st April 2008
Over the weekend I was working on some long overdue tasks on my honeypot that desperately needed my attention, and wrote a short Perl script that lets me submit files to the ThreatExpert sandnet for analysis. It is a fairly simple script that accepts wildcards to submit several files, or a specific file name to submit an individual file. With a wrapper script or some simple modifications it could easily be run from a cron job or in a never-ending while loop to submit new files as your honeypot sees them. My version does this, but I didn't want to release that code in case someone used it to cause a DoS against ThreatExpert by submitting hundreds of files without realizing what they were doing.
I can't guarantee this script will run tomorrow, because if ThreatExpert decides to modify their web form submission structure, this script will begin to fail. I don't really see them doing this, as they offer a free Windows GUI for the same task and such a modification would break that application as well.
Anyways you can get the script here: ThreatExpert Submit Script, just change the extension from ".txt" to ".pl". Here are a few examples of how to run it:
Submit the three specified files to ThreatExpert.com and receive an email report at my.email@notta.com:
./threatExpert_submit.pl -e my.email@notta.com -f badFile1 badFile2 badFile3
Submit the entire directory /malware to ThreatExpert and receive an email report at my.email@notta.com:
./threatExpert_submit.pl -e my.email@notta.com -f /malware/*
Submit all files that start with "bad" to ThreatExpert and receive an email at my.email@notta.com:
./threatExpert_submit.pl -e my.email@notta.com -f bad*
If you have any issues running it or just have questions feel free to contact me at jeremy [at] sudosecure [dot] net anytime.
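Here is an added example (mine, not jeremy's unreleased cron version) of the kind of wrapper that avoids the accidental DoS mentioned above: it records the SHA-256 of every file already submitted so re-captured copies are skipped, and caps how many files go out per run. The submit script's -e and -f options are the ones shown in the examples; the /malware directory, the state file path and the per-run limit are assumed values.

```perl
#!/usr/bin/perl
# submit_new.pl (added example) - cron-safe wrapper around a sandbox submit
# script: each captured binary is submitted once (tracked by SHA-256) and no
# more than $MAX_PER_RUN files go out per run, so a busy honeypot cannot
# flood the sandbox by accident.
# ASSUMPTIONS: the submit script accepts "-e <email> -f <files...>" as shown
# above; $WATCH_DIR, $STATE_FILE and $MAX_PER_RUN are made-up values.
use strict;
use warnings;
use Digest::SHA;

my $WATCH_DIR   = '/malware';                          # honeypot drop directory
my $STATE_FILE  = '/var/lib/honeypot/submitted.txt';   # one sha256 per line
my $SUBMIT      = './threatExpert_submit.pl';
my $EMAIL       = 'my.email@notta.com';
my $MAX_PER_RUN = 10;

# Hashes already sent: re-captured copies of the same binary are skipped.
my %done;
if (open(my $fh, '<', $STATE_FILE)) {
    chomp(my @lines = <$fh>);
    @done{@lines} = ();
    close($fh);
}

# Pick the new files, oldest first, up to the per-run limit.
my @to_submit;
for my $path (sort { -M $b <=> -M $a } glob("$WATCH_DIR/*")) {
    next unless -f $path && -s $path;     # skip directories and empty/partial captures
    my $digest = Digest::SHA->new(256)->addfile($path, 'b')->hexdigest;
    next if exists $done{$digest};
    push @to_submit, [$path, $digest];
    last if @to_submit >= $MAX_PER_RUN;
}

if (@to_submit) {
    my @files = map { $_->[0] } @to_submit;
    my $rc = system($SUBMIT, '-e', $EMAIL, '-f', @files);   # list form: no shell
    if ($rc == 0) {
        # Record hashes only after a successful submission, so a failed run is retried.
        open(my $fh, '>>', $STATE_FILE) or die "cannot write $STATE_FILE: $!\n";
        print $fh "$_->[1]\n" for @to_submit;
        close($fh);
    } else {
        warn "submit script exited with status ", $rc >> 8, "; will retry next run\n";
    }
}
print scalar(@to_submit), " file(s) submitted this run\n";
```

Schedule it from cron at whatever interval suits your honeypot; the per-run cap and the state file together bound how much the sandbox ever receives from you.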
Posted in Scripts, Tools | No Comments »