Storing your Collection of Malware Samples with Malwarehouse
Scott Roberts released a simple yet easy to use Python script to store and query your collection of malware samples into a SQLite database. The process is simple; it allows storage (indexing basic sample metadata) and retrieval of your samples. The database allows for query by filename, MD5 and SHA256 hashes. The malwarehouse package can be downloaded here.
I changed my database location from the malwarehouse.py script option_base_dir = os.path.expanduser("~/Desktop/malwarehouse/") to option_base_dir = os.path.expanduser("~/malwarehouse/") because this server doesn't have X-Windows running.
- First a simple menu:
- Entering a malware sample into the SQLite database:
guy@seeker:~/malwarehouse$ ./malwarehouse.py -s zz87lhfda88.com -t PWS-LegMir.dll -n "Low detection" 1.exe
- Result when malware sample 1.exe is processed:
guy@seeker:~/malwarehouse$ ./malwarehouse.py -s zz87lhfda88.com -t PWS-LegMir.dll -n "Low detection" 1.exe
Parsing Malware
Analysis complete. Loading.
Sample 1.exe loaded...
Loading Malware 1.exe
Creating /home/guy/malwarehouse/41f5e475e086c991873a35c58234213fc01331d655f3f39a2f1a6d2f0e0ed6b8
- Reviewing the last record with the 3 available methods:
guy@seeker:~/malwarehouse$ ./malwarehouse.py -f 41f5e475e086c991873a35c58234213fc01331d655f3f39a2f1a6d2f0e0ed6b8
guy@seeker:~/malwarehouse$ ./malwarehouse.py -f 4f871a6b9f17c0923963e7dfc73efa58
guy@seeker:~/malwarehouse$ ./malwarehouse.py -f 1.exe
- Reviewing the last 3 recorded inserted into the malwarehouse database:
If you are looking for a simple and yet effective way of tracking your malware samples, malwarehouse is probably for you. I'm sure Scott Robert is open to suggestions to improve this project . His contact information is listed on the Github download page.
[1] blog.thevigilant.com
[2] https://github.com/sroberts/malwarehouse
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
Update for Vulnerabilities in Adobe Flash Player in Internet Explorer 10 (2755801)
Microsoft released Security Advisory 2755801 that addresses vulnerabilities in Adobe Flash Player in Internet Explorer 10 on Windows 8. The bulletin is available here.
[1] http://technet.microsoft.com/en-us/security/advisory/2755801
[2] http://blogs.technet.com/b/msrc/archive/2012/09/21/security-advisory-2755801-addresses-adobe-flash-player-issues.aspx
[3] http://www.adobe.com/support/security/bulletins/apsb12-19.html
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
IE Cumulative Updates MS12-063 - KB2744842
This is a list of links of where each patches can be downloaded that addresses the vulnerability discussed in Microsoft Security Bulletin MS12-063 and reported in diary IE Fixes Available yesterday.
Cumulative Security Update for Internet Explorer 7 for Windows XP (KB2744842)
[1] http://www.microsoft.com/en-us/download/details.aspx?id=34723&WT.mc_id=rss_allproducts_ie
Cumulative Security Update for Internet Explorer 8 for Windows XP (KB2744842)
[2] http://www.microsoft.com/en-us/download/details.aspx?id=34731&WT.mc_id=rss_allproducts_ie
Cumulative Security Update for Internet Explorer 8 in Windows Vista (KB2744842)
[3] http://www.microsoft.com/en-us/download/details.aspx?id=34718&WT.mc_id=rss_allproducts_ie
Cumulative Security Update for Internet Explorer 9 in Windows Vista (KB2744842)
[4] http://www.microsoft.com/en-us/download/details.aspx?id=34732
Cumulative Security Update for Internet Explorer 8 in Windows 7 (KB2744842)
[5] http://www.microsoft.com/en-us/download/details.aspx?id=34736&WT.mc_id=rss_allproducts_ie
Cumulative Security Update for Internet Explorer 9 in Windows 7 (KB2744842)
[6] http://www.microsoft.com/en-au/download/details.aspx?id=34713
Cumulative Security Update for Internet Explorer for Windows Server 2003 (KB2744842)
[7] http://www.microsoft.com/en-us/download/details.aspx?id=34725&WT.mc_id=rss_allproducts_ie
Update 1: The patch is now available via Windows Update.
Update 2: Microsoft has released Microsoft Security Bulletin MS12-063 rated Critical available here. This bulleting address one publicly disclosed and four privately reported vulnerabilities in Internet Explorer.
[8] http://technet.microsoft.com/en-us/security/bulletin/ms12-063
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
iOS 6 Security Roundup
With the release of iOS 6 earlier this week, a couple of iOS security related features changed in how they behaved. These come in addition to the long list of security fixes that Apple released in iOS 6. [1]
Siri: Siri gained additional capabilities, including the ability to Tweet and update Facebook. This feature is available even on a locked iPhone. To disable this feature, make sure Siri is disabled when the phone is locked.
Password less updates: Updating Apps no longer requires that you enter your password. I haven't found a method yet to turn this off (but actually like it, as my iTunes password is quite complex)
Social Media Integration: Adding a Facebook account to your iOS device will sync your contact settings with Facebook (there is a clear warning that this will happen). Facebook recently changed the default address of all accounts to @facebook.com and e-mail addresses in your contact list may be updated with the @facebook.com address as a result.
A bug found at this week's pwn20wn contest at the EuSecWest conference apparently leaks personal information like contacts and pictures to malicious websites. The bug was demonstrated in iOS 5.1.1, but has not been fixed yet in iOS 6 as it was just reported to Apple this week. [2]]
[1] http://prod.lists.apple.com/archives/security-announce/2012/Sep/msg00003.html
[2] http://www.techspot.com/news/50232-galaxy-s3-and-iphone-4s-exploited-at-pwn2own-competition.html
Any other security related issues you noticed?
Update: Link to patches added per the comment below.
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Comments
Anonymous
Dec 3rd 2022
9 months ago
Anonymous
Dec 3rd 2022
9 months ago
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.
<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
Anonymous
Dec 26th 2022
8 months ago
Anonymous
Dec 26th 2022
8 months ago
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
Anonymous
Dec 26th 2022
8 months ago
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
Anonymous
Dec 26th 2022
8 months ago
Anonymous
Dec 26th 2022
8 months ago
https://defineprogramming.com/
Dec 26th 2022
8 months ago
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/
https://defineprogramming.com/
Dec 26th 2022
8 months ago
rthrth
Jan 2nd 2023
8 months ago