Submitting Samples

We are in need of malware samples. Any kind, any type, just send it in to samples@sandnet.emergingthreats.net.

These samples are ingested by an automated system that unzips anything that is zipped (please use the password "infected" or "virus"; an archive it cannot open is shunted out to a human). The samples are then placed in the sandnet's incoming queue after some normalization and deduplication.
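The intake steps described above, as an added example that is not Emerging Threats' own sandnet code: a submission is opened with each of the accepted passwords in turn, anything that cannot be opened automatically is queued for a human, and the extracted samples are normalized to their SHA-256 digest so resubmissions are recognised as duplicates. The names `IntakeQueue`, `extract_archive` and `build_zip` are this example's own, and `build_zip` exists only to construct unencrypted test input (Python's zipfile module reads password-protected archives but cannot write them).

```python
import hashlib
import io
import zipfile

# Passwords the automated unpacker accepts; None covers an unencrypted zip.
ACCEPTED_PASSWORDS = (None, b"infected", b"virus")


def sha256_hex(data: bytes) -> str:
    """Normalized sample identity: the hex SHA-256 of the raw bytes."""
    return hashlib.sha256(data).hexdigest()


def extract_archive(blob: bytes):
    """Return [(member name, bytes), ...], trying each accepted password.

    Raises ValueError when the archive is unreadable or none of the
    accepted passwords opens it; the caller routes those to a human.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile as exc:
        raise ValueError(f"not a readable zip: {exc}")
    with zf:
        members = [i for i in zf.infolist() if not i.is_dir()]
        for pwd in ACCEPTED_PASSWORDS:
            try:
                return [(i.filename, zf.read(i, pwd=pwd)) for i in members]
            except RuntimeError:  # zipfile signals a missing/wrong password this way
                continue
    raise ValueError("archive is encrypted with a password we do not accept")


class IntakeQueue:
    """In-memory model of the incoming queue (assumed structure, not ET's)."""

    def __init__(self):
        self.samples = {}       # sha256 hex -> sample bytes
        self.human_review = []  # (reason, original submission) for a person to look at

    def _add(self, data: bytes) -> bool:
        """Store a sample unless its hash is already queued; True if added."""
        digest = sha256_hex(data)
        if digest in self.samples:
            return False
        self.samples[digest] = data
        return True

    def ingest(self, blob: bytes) -> dict:
        """Process one submission and report what happened to it."""
        summary = {"added": 0, "duplicates": 0, "human": False}
        if blob.startswith(b"PK\x03\x04"):  # local file header of a zip archive
            try:
                members = extract_archive(blob)
            except ValueError as exc:
                self.human_review.append((str(exc), blob))
                summary["human"] = True
                return summary
            payloads = [data for _, data in members if data]
        else:
            payloads = [blob]  # a bare, unzipped sample is accepted as-is
        for data in payloads:
            if self._add(data):
                summary["added"] += 1
            else:
                summary["duplicates"] += 1
        return summary


def build_zip(files: dict) -> bytes:
    """Constructed test input: an unencrypted zip containing the given members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    q = IntakeQueue()
    # Constructed sample bytes; real submissions would be captured binaries.
    print(q.ingest(build_zip({"a.exe": b"MZ sample A", "b.exe": b"MZ sample B"})))
    print(q.ingest(b"MZ sample A"))                 # same bytes again -> duplicate
    print(q.ingest(b"PK\x03\x04" + b"\x00" * 40))   # truncated archive -> human
    print(len(q.samples), "unique samples,", len(q.human_review), "for review")
```

Because deduplication keys on the extracted bytes rather than on the archive, the same binary arrives as a duplicate whether it is sent raw, zipped alone, or zipped together with other files.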

Samples are analyzed by our sandnet and the results fed to our volunteer analysts. These analysts check that appropriate Snort and Suricata signatures hit for the infection and CnC activity of each sample. If the sample was undetected we get the rules written and out to the ruleset asap!!

If you run Nepenthes ( http://nepenthes.mwcollect.org/ ) you can set it up to automatically submit captured samples to us. Normally Nepenthes drops all of your captured binaries in a single directory. Here's a simple script to zip and password-protect those and send them on to us for analysis:

#!/usr/bin/perl
# Zip, password-protect and e-mail any binaries Nepenthes has captured.
use strict;
use warnings;
use MIME::Lite;

my $fromAddr   = 'me@mydomain.com';
my $toAddr     = 'samples@sandnet.emergingthreats.net';
my $ccAddr     = 'me@mydomain.com';
my $smtpServer = 'localhost';
my $nepbinpath = '/usr/local/var/binaries';   # where Nepenthes drops captured binaries
my $zipfile    = '/tmp/samples.zip';

die "$nepbinpath does not exist!\n" unless -d $nepbinpath;

# Collect the captured binaries; exit quietly if there is nothing to send.
my @binaries = glob("$nepbinpath/*");
exit 0 unless @binaries;

# Zip and password-protect the samples ("infected" is one of the passwords
# the sandnet's automated unpacker accepts).
system('/usr/local/bin/zip', '-q', '-P', 'infected', $zipfile, @binaries) == 0
    or die "zip failed: $?\n";

my $msg = MIME::Lite->new(
    From    => $fromAddr,
    To      => $toAddr,
    Cc      => $ccAddr,
    Subject => "Nepenthes Samples from $fromAddr",
    Type    => 'multipart/mixed',
) or die "Error creating multipart container: $!\n";

$msg->attach(
    Type        => 'BINARY',
    Path        => $zipfile,
    Filename    => "$fromAddr-samples.zip",
    Disposition => 'attachment',
) or die "Error attaching $zipfile: $!\n";

MIME::Lite->send('smtp', $smtpServer, Timeout => 60);
$msg->send or die "Error sending mail: $!\n";

# Remove the archive and the submitted binaries so they are not sent again.
unlink $zipfile, @binaries;

NOTE: This script will e-mail and then delete those binaries. If you need to keep them, change the cleanup at the end of the script to do what you'd like, but at the very least move them out of that directory so they aren't re-submitted.

If you'd like to be an analyst please contact threats@emergingthreats.net. It is all volunteer, and we only ask for the time you have available: no commitments or minimum requirements.

Topic revision: r2 - 2014-02-06 - MattJonkman
Copyright © Emerging Threats