Automatic malware download from malwaredomainlists.com and upload to virustotal.com and totalhash.com
# With these two lines of bash you will download the last malware samples extracted from the public lists of www.malwaredomainlist.com | |
# and you'll submit automatically the alive samples (check if the response was an executable or not) to totalhash.com (contribute to | |
# the community) and obtain the detection rate of the sample # from Virus Total (virustotal.com). | |
# As a result you'll get a bunch of executable files and their detection rate in the log "output.virustotal.txt" | |
# Download all the samples detected and listed in the public CSV of mdl.com | |
# NOTE(review): column 2 of the CSV is taken as the URL and spliced verbatim into a `bash -c` string by
# `xargs -I%`, so the command text is built from data the remote list supplies; a crafted list entry could
# inject shell. The grep keeps entries by file-name suffix only. `curl -O` writes each file under its last path
# component into the current working directory, and the list entries carry no scheme, so curl's default scheme
# is used. The log name is fixed by `date` once, when the pipeline starts.
$ curl -s http://www.malwaredomainlist.com/mdlcsv.php | awk 'BEGIN {FS="\",\""} {print $2}' | strings -n 3 | grep -E "\.exe$|\.so$|\.bin$|\.src$|\.pdf$|\.docx$|\.vb$|\.sh$" | xargs -I% bash -c 'echo "Downloading: %" && curl -s -O %' | tee $(date +%Y%m%d_%H%M)_malware_download.log | |
# Upload the downloaded samples to totalhash.com and query virustotal.com with its MD5 checksum to obtain the detection ratio | |
# NOTE(review): `ls -ltr | tail -n1 | cat $(awk '{print $9}')` selects the newest download log by parsing
# `ls -l` output; it appears to work only because the command substitution inherits the pipe as awk's stdin —
# fragile, and it breaks on log names containing spaces. Each URL is reduced to its last path component, so two
# list entries sharing a basename map to one local file. `file ... --mime-type | grep "application"` keeps the
# names whose reported type contains "application" (the "alive samples" of the comment above). Both
# `xargs -I% bash -c` stages again interpolate file names and server responses into a command string (same
# injection concern as the download step). The upload goes to totalhash.com over plain http://. The second stage
# takes field 2 of the "name:response" string — presumably the MD5 the upload endpoint returns; confirm — and
# posts it to the Spanish (/es/) VirusTotal search page, then greps the localized strings
# "Archivo no encontrado" / "Detecciones:", so the result depends on that page's HTML and language.
$ ls *_malware_download.log -ltr | tail -n1 | cat $(awk '{print $9}') | awk 'BEGIN {FS="/"} {print $(NF)}' | xargs -I% file % --mime-type | grep "application" | cut -f1 -d: | xargs -I% bash -c 'echo -n "%:" && curl -s -T % http://totalhash.com/upload.php' | xargs -I% bash -c 'echo -n "%:" && curl -o %.virustotal.html -s --location --data "query=$(echo % | cut -f2 -d:)" https://www.virustotal.com/es/search/ && grep -A3 -E "Archivo no encontrado|Detecciones:" %.virustotal.html | grep -E "Archivo no encontrado| / " ' | tee $(date +%Y%m%d_%H%M)_output.virustotal.txt | |
# Delete the HTML responses (error and default pages) from the servers where the samples were not present | |
# NOTE(review): removes the log-listed files whose `file --mime-type` reports text/html, using the same
# `ls`-parsing idiom as above to pick the log. `xargs -I% rm %` hands each name to rm as a single argument (no
# shell in between), but without `--` a name beginning with '-' would be parsed as an option.
$ ls *_malware_download.log -ltr | tail -n1 | cat $(awk '{print $9}') | awk 'BEGIN {FS="/"} {print $(NF)}' | xargs -I% file % --mime-type | grep "text/html" | cut -f1 -d: | xargs -I% rm % | |
# ---------------------------------# | |
# Sample output will be like this: # | |
#----------------------------------# | |
$ curl -s http://www.malwaredomainlist.com/mdlcsv.php | awk 'BEGIN {FS="\",\""} {print $2}' | strings -n 3 | grep -E "\.exe$|\.so$|\.bin$|\.src$|\.pdf$|\.docx$|\.vb$|\.sh$" | xargs -I% bash -c 'echo "Downloading: %" && curl -s -O %' | tee $(date +%Y%m%d_%H%M)_malware_download.log | |
Downloading: img001.com/business/qiji.exe | |
Downloading: root.mcs-katwijk.nl/ws/amd.exe | |
Downloading: root.mcs-katwijk.nl/ws/nvm.exe | |
Downloading: root.mcs-katwijk.nl/ws/cpu.exe | |
Downloading: root.mcs-katwijk.nl/ws/ws.exe | |
Downloading: root.mcs-katwijk.nl/ws/kl.exe | |
Downloading: oprahsearch.com/scripts/net19.exe | |
Downloading: oprahsearch.com/scripts/brez251.exe | |
Downloading: www.doctor-alex.com/files/SetupDrAlex.exe | |
Downloading: appline.ieguide.co.kr/e1guide/popguide/E1PopGuide_20080619_Update.exe | |
Downloading: appline.ieguide.co.kr/e1guide/lineguide/e1lineguide_20080619_update2.exe | |
Downloading: afa15.com.ne.kr/media/videoxxx.avi.exe | |
Downloading: fgawegwr.chez.com/images/1273471091.exe | |
Downloading: update.onescan.co.kr/setupa/onescansetup.exe | |
[...] | |
$ ls *_malware_download.log -ltr | tail -n1 | cat $(awk '{print $9}') | awk 'BEGIN {FS="/"} {print $(NF)}' | xargs -I% file % --mime-type | grep "application" | cut -f1 -d: | xargs -I% bash -c 'echo -n "%:" && curl -s -T % http://totalhash.com/upload.php' | xargs -I% bash -c 'echo -n "%:" && curl -o %.virustotal.html -s --location --data "query=$(echo % | cut -f2 -d:)" https://www.virustotal.com/es/search/ && grep -A3 -E "Archivo no encontrado|Detecciones:" %.virustotal.html | grep -E "Archivo no encontrado| / " ' | tee $(date +%Y%m%d_%H%M)_output.virustotal.txt | |
qiji.exe:8c4144589bd542046aca7229dded3e99: 5 / 54 | |
amd.exe:0c1b2bb3a808301c87f02970dfdf828f: 30 / 53 | |
nvm.exe:7b438e71aac0224766f4e6e9d04147e3: 27 / 54 | |
cpu.exe:24799bae20df7850e81bb36adf13cef1: 39 / 54 | |
ws.exe:5fae317760cf61c9b40201c790decd33: 34 / 53 | |
kl.exe:851a3d758e2aa621fbab184e802e2d38: 38 / 54 | |
SetupDrAlex.exe:7b1e81bfd59e2d74f0477df2e24aaf2a: 6 / 53 | |
videoxxx.avi.exe:d063231de7971de04f2e77c337eaee7a: 46 / 54 | |
1273471091.exe:b38b466361fda8b62122cab856fba490: 49 / 53 | |
onescansetup.exe:3354003da992fcc19cd60322ed2b612f: 31 / 54 |