|

Malware IRC/DNS Network Activity

View: New views

3 Messages — Rating Filter: Alert me

	Malware IRC/DNS Network Activity by Matteo Cantoni :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message Hi list, with my adsl + soekris + openbsd + honeypot + perl I made a simple pages about "Malware IRC/DNS Network Activity". http://www.nothink.org/malware/report/hash-a.html These pages will be update automatically every day. You can also download a "TOTAL CSV FILE" with these informations: md5,file size, anubis results, dns query, irc server, irc server asn, irc server asn_org, irc server geo, irc nickname, irc username, irc password, irc channel, irc topic. http://www.nothink.org/malware/report/hash.csv For this moment have been identified around 900 distinct binaries. I think that you have already this informations but maybe it could be useful for your works. Ciao, Matteo Cantoni
	Re: Malware IRC/DNS Network Activity by Jon Kibler-2 :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Matteo Cantoni wrote: > Hi list, > > with my adsl + soekris + openbsd + honeypot + perl I made a simple pages > about "Malware IRC/DNS Network Activity". > > http://www.nothink.org/malware/report/hash-a.html > > These pages will be update automatically every day. > You can also download a "TOTAL CSV FILE" with these informations: > > md5,file size, anubis results, dns query, irc server, irc server asn, irc > server asn_org, irc server geo, irc nickname, irc username, irc password, > irc channel, irc topic. > > http://www.nothink.org/malware/report/hash.csv > > For this moment have been identified around 900 distinct binaries. > I think that you have already this informations but maybe it could be > useful for your works. > > Ciao, > Matteo Cantoni Hi Matteo, Two questions: How do arrive at 'distinct binaries'? More specifically, how do you determine that they are not simply repacked copies of common malware? THANKS! Jon Kibler - -- Jon R. Kibler Chief Technical Officer Advanced Systems Engineering Technology, Inc. Charleston, SC USA o: 843-849-8214 c: 843-224-2494 s: 843-564-4224 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkgjUUUACgkQUVxQRc85QlNrqQCgh3GtpUryV5J0Ynl/G3RVMaDj QDUAnjjdPYBRQEaAePWQ0Omat0Vh8C9y =WUip -----END PGP SIGNATURE----- ================================================== Filtered by: TRUSTEM.COM's Email Filtering Service http://www.trustem.com/ No Spam. No Viruses. Just Good Clean Email.
	Re: Malware IRC/DNS Network Activity by Matteo Cantoni :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Matteo Cantoni wrote: >> Hi list, >> >> with my adsl + soekris + openbsd + honeypot + perl I made a simple pages >> about "Malware IRC/DNS Network Activity". >> >> http://www.nothink.org/malware/report/hash-a.html >> >> These pages will be update automatically every day. >> You can also download a "TOTAL CSV FILE" with these informations: >> >> md5,file size, anubis results, dns query, irc server, irc server asn, >> irc >> server asn_org, irc server geo, irc nickname, irc username, irc >> password, >> irc channel, irc topic. >> >> http://www.nothink.org/malware/report/hash.csv >> >> For this moment have been identified around 900 distinct binaries. >> I think that you have already this informations but maybe it could be >> useful for your works. >> >> Ciao, >> Matteo Cantoni > > Hi Matteo, > > Two questions: > > How do arrive at 'distinct binaries'? > > More specifically, how do you determine that they are not simply > repacked copies of common malware? > > THANKS! > Jon Kibler You are right. I have only 'distinct md5' for this moment. I could add : - some checks to verify the sandbox's results; - anti virus test; I'm waiting for new hardware :) Thanks, Matteo