Incidents
Malware IRC/DNS Network Activity May 08 2008 09:02AM
Matteo Cantoni (matteo cantoni nothink org) (1 replies)
Re: Malware IRC/DNS Network Activity May 08 2008 07:15PM
Jon Kibler (Jon Kibler aset com) (1 replies)
Re: Malware IRC/DNS Network Activity May 09 2008 07:42AM
Matteo Cantoni (matteo cantoni nothink org)
> Matteo Cantoni wrote:
>> Hi list,
>>
>> with my adsl + soekris + openbsd + honeypot + perl I made some simple pages
>> about "Malware IRC/DNS Network Activity".
>>
>> http://www.nothink.org/malware/report/hash-a.html
>>
>> These pages will be updated automatically every day.
>> You can also download a "TOTAL CSV FILE" with the following information:
>>
>> md5, file size, anubis results, dns query, irc server, irc server asn,
>> irc server asn_org, irc server geo, irc nickname, irc username,
>> irc password, irc channel, irc topic.
>>
>> http://www.nothink.org/malware/report/hash.csv
>>
>> So far, around 900 distinct binaries have been identified.
>> I think that you already have this information, but maybe it could be
>> useful for your work.
>>
>> Ciao,
>> Matteo Cantoni
>
> Hi Matteo,
>
> Two questions:
>
> How do you arrive at 'distinct binaries'?
>
> More specifically, how do you determine that they are not simply
> repacked copies of common malware?
>
> THANKS!
> Jon Kibler

You are right. I only have 'distinct md5' for the moment. I could add:

- some checks to verify the sandbox's results;
- anti virus test;

I'm waiting for new hardware :)

Thanks,
Matteo
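
The gap raised in this thread between 'distinct md5' and distinct malware can be estimated from the CSV columns alone. The following is an added example, not part of the original messages or of Matteo's tooling: it groups MD5s that share the same IRC server, channel and password, on the assumption that the file is header-less with columns in the announced order. The rows, field names and function names are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Column order as listed in the announcement; a header-less file is an assumption.
FIELDS = ["md5", "file_size", "anubis_results", "dns_query", "irc_server",
          "irc_server_asn", "irc_server_asn_org", "irc_server_geo", "irc_nickname",
          "irc_username", "irc_password", "irc_channel", "irc_topic"]

# Constructed rows (not from the real hash.csv): three samples with identical
# IRC behaviour, one unrelated bot, and one sample with no network activity.
SAMPLE_CSV = """\
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa01,45056,report-1,irc.example.net,192.0.2.10,64500,EXAMPLE-AS,ZZ,bot-1234,u1,s3cret,#chan-a,topic one
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa02,47104,report-2,irc.example.net,192.0.2.10,64500,EXAMPLE-AS,ZZ,bot-9876,u2,s3cret,#chan-a,topic one
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa03,51200,report-3,irc.example.net,192.0.2.10,64500,EXAMPLE-AS,ZZ,bot-5555,u3,s3cret,#Chan-A,"topic, one"
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbb01,90112,report-4,irc.example.org,198.51.100.7,64501,EXAMPLE2-AS,ZZ,x-1,ux,,#chan-b,other topic
cccccccccccccccccccccccccccccc01,12288,report-5
"""

def cluster_by_behaviour(csv_text):
    """Map (irc server, channel, password) -> set of MD5s that showed that behaviour."""
    clusters = defaultdict(set)
    reader = csv.DictReader(io.StringIO(csv_text), fieldnames=FIELDS, restval="")
    for row in reader:
        md5 = row["md5"].strip().lower()
        if not md5:
            continue
        # Server and channel names are case-insensitive on IRC; passwords are not.
        key = (row["irc_server"].strip().lower(),
               row["irc_channel"].strip().lower(),
               row["irc_password"].strip())
        if not key[0]:
            # No IRC connection observed: nothing to compare, keep the sample alone.
            key = ("no-irc", md5, "")
        clusters[key].add(md5)
    return dict(clusters)

def summarize(csv_text):
    """Compare the raw MD5 count with the number of behavioural clusters."""
    clusters = cluster_by_behaviour(csv_text)
    all_md5 = set().union(*clusters.values())
    return {"distinct_md5": len(all_md5),
            "behaviour_clusters": len(clusters),
            "largest_cluster": max((len(m) for m in clusters.values()), default=0)}

if __name__ == "__main__":
    print(summarize(SAMPLE_CSV))
```

A shared server, channel and password is a hint that several MD5s are repacked copies of one bot, not proof; the sandbox and antivirus checks mentioned in the reply would still be needed to confirm it.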

Copyright 2010, SecurityFocus