Posted by jeremy on 5th April 2008
Since releasing the ThreatExpert.com Perl script to aid in the batch processing of malware binaries and automate their submission for analysis, I have written two more: one for CWSandbox and one for Anubis. If you haven't used either of these sandboxes for a quick analysis I would really recommend them, as they can provide a very fast and detailed report for suspected malware binaries using a combination of automated static analysis and behavioral analysis techniques. One of the major advantages in utilizing them is that you won't have to set up your own lab/sandnet to analyze suspicious binaries, and there is no risk of infecting your network during the analysis. Most of these sandboxes have established relationships with antivirus companies to aid in the development of antivirus signatures through the sharing of submitted malware binaries, so again I would encourage all of you to utilize them for the "greater good".
With that being said, I tend to favor the CWSandbox due to the wealth of information they provide in their reports. They provide options to download a pcap file of network activity during the execution of the binary, a cab file of the analysis, an XML report, or just browse the results in their easy-to-navigate web interface. The pcap files can be downloaded and used to aid in writing Snort signatures to feed your IDS solution, which would then help identify other computers on your network that could possibly be infected with the same malware. The detailed report of system modifications can also be used to search out possible computers infected with this malware without an IDS solution in place.
Well, enough rambling; here you go, two more scripts that I hope you can find useful: cwsandbox_submit.pl and anubis_submit.pl.
As always I do not warranty these scripts in any shape or fashion and you assume all risk in running them. Although if you have any questions, bug reports, or comments feel free to shoot me an email at: jeremy [at] sudosecure [dot] net.
Posted in Scripts, Tools | No Comments »
Posted by jeremy on 4th April 2008
Looks like the Storm Worm authors are at it again, but this time with a repeating theme much like the Valentine's Day theme we saw a few months ago. This time there are no automated downloads, nor is there any JavaScript. The page is actually very simple; take a look for yourself:

I guess with no major holidays on the horizon and the success rate the Storm Worm authors saw with the "love" theme they decided to revisit it. Here is a snapshot of the current page source:

So as you can see there are now only two binaries being advertised, "love.exe" and "withlove.exe". I submitted "withlove.exe" to VirusTotal for analysis and only 2/32 antivirus applications were able to even call the file suspicious. Here is a link to my results: VirusTotal Results. My Storm Worm binary tracker first caught the change at 13:33 Central Standard Time, so I guess the lack of detection can be expected. I also sacrificed one of my lab machines to see if anything had changed. Looks like the "aromis.exe" and "aromis.config" files are still being dropped into the C:\windows directory, so nothing new there. I was able to obtain a list of 907 IPs in the peer list. Here is a copy of the list: Storm Worm Peer List (temporarily removed as I think I messed something up here during my analysis). Well, as always, if you have any questions regarding this posting or anything else feel free to contact me at jeremy [at] sudosecure [dot] net. Have a great weekend!
UPDATE:
Sorry for the confusion with the peer list. My script that parses the Storm Worm config file had an error in it... Oops.
Anyways, I have since fixed the error and ran it again on a newly infected box in my lab. I only got 710 IPs this time, but hey, at least it worked this time. Here is the list I have now: Storm Worm withlove Peer List. I do not guarantee this information as 100% accurate, and if your IP is listed and you would like it removed feel free to contact me at jeremy [at] sudosecure [dot] net. I may post the Perl script I use to parse the file at a later date, once I clean it up and make it a little more user friendly... No promises though!
Posted in Bots and Worms, Storm Worm | No Comments »
Posted by jeremy on 1st April 2008
Over the weekend I was working on some long overdue tasks on my honeypot that desperately needed my attention, and wrote a short Perl script to allow me to submit files to the ThreatExpert sandnet for analysis. It is a fairly simple script that will accept wildcards to submit several files, or a specific file name to submit individual files. With a wrapper script or some simple modifications it could easily be changed to run via a cron job or in a never-ending while loop to submit new files as they are seen by your honeypot. My version does this, but I didn't want to release that code just in case someone used it to cause a DoS attack on ThreatExpert by submitting hundreds of files without realizing what they were doing.
I can't guarantee this script will run tomorrow, because if ThreatExpert decides to modify their web form submission structure this script will begin to fail. I don't really see them doing this, as they offer a free Windows GUI to do this same task and a modification would break that application as well.
Anyways, you can get the script here: ThreatExpert Submit Script; just change the extension from ".txt" to ".pl". Here are a few examples of how to run it:
submit the three specified files to ThreatExpert.com and receive an email report at my.email@notta.com
./threatExpert_submit.pl -e my.email@notta.com -f badFile1 badFile2 badFile3
submit the entire directory /malware to ThreatExpert and receive an email report at my.email@notta.com
./threatExpert_submit.pl -e my.email@notta.com -f /malware/*
submit all files that start with "bad" to ThreatExpert and receive an email at my.email@notta.com
./threatExpert_submit.pl -e my.email@notta.com -f bad*
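The batch-submission logic the script wraps, as an added example that is not the author's Perl code and not ThreatExpert's own interface: it expands the same wildcard arguments, skips byte-identical duplicates by SHA-256 so a cron or while-loop wrapper never resubmits a sample, and throttles uploads, which is the DoS concern mentioned above. The actual upload is a caller-supplied `submit(path, email)` callable (hypothetical; the sandbox's real form fields are not in this example), and the sample directory is constructed in-block.

```python
import glob
import hashlib
import os
import tempfile
import time

def expand_paths(patterns):
    """Expand wildcards such as bad* or /malware/* into unique regular files."""
    found = set()
    for pat in patterns:
        found.update(os.path.abspath(p) for p in glob.glob(pat) if os.path.isfile(p))
    return sorted(found)

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def batch_submit(patterns, email, submit, seen=None, min_interval=2.0, sleep=time.sleep):
    """Submit each distinct sample once. `submit(path, email)` is the caller's upload
    routine (hypothetical). `seen` holds SHA-256 digests already sent, so a looping
    wrapper never resubmits a sample; `min_interval` throttles the uploads."""
    seen = set() if seen is None else seen
    submitted = []
    for path in expand_paths(patterns):
        digest = sha256_of(path)
        if digest in seen:
            continue          # same bytes under a new name: skip it
        submit(path, email)
        seen.add(digest)
        submitted.append((os.path.basename(path), digest))
        sleep(min_interval)
    return submitted

def make_sample_dir():
    """Constructed test input: three 'captures', two of which are byte-identical."""
    d = tempfile.mkdtemp()
    for name, data in [("badFile1", b"MZ-sample-A"), ("badFile2", b"MZ-sample-B"),
                       ("badFile3", b"MZ-sample-A"), ("notes.txt", b"not a capture")]:
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d

if __name__ == "__main__":
    d = make_sample_dir()
    print(batch_submit([os.path.join(d, "bad*")], "my.email@notta.com",
                       lambda p, e: print("uploading", p), sleep=lambda s: None))
```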
If you have any issues running it or just have questions feel free to contact me at jeremy [at] sudosecure [dot] net anytime.
Posted in Scripts, Tools | No Comments »