Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Security Incidents mailing list archives

Re: Malware IRC/DNS Network Activity
From: "Matteo Cantoni" <matteo.cantoni () nothink org>
Date: Fri, 9 May 2008 09:42:32 +0200 (CEST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Matteo Cantoni wrote:

Hi list,

with my adsl + soekris + openbsd + honeypot + perl I made a simple pages
about "Malware IRC/DNS Network Activity".

http://www.nothink.org/malware/report/hash-a.html

These pages will be update automatically every day.
You can also download a "TOTAL CSV FILE" with these informations:

md5,file size, anubis results, dns query, irc server, irc server asn,
irc
server asn_org, irc server geo, irc nickname, irc username, irc
password,
irc channel, irc topic.

http://www.nothink.org/malware/report/hash.csv

For this moment have been identified around 900 distinct binaries.
I think that you have already this informations but maybe it could be
useful for your works.

Ciao,
Matteo Cantoni


Hi Matteo,

Two questions:

How do arrive at 'distinct binaries'?

More specifically, how do you determine that they are not simply
repacked copies of common malware?

THANKS!
Jon Kibler


You are right. I have only 'distinct md5' for this moment. I could add :

- some checks to verify the sandbox's results;
- anti virus test;

I'm waiting for new hardware :)

Thanks,
Matteo

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]