diff --git a/README.md b/README.md index 3375d26..5f31ead 100644 --- a/README.md +++ b/README.md @@ -3,6 +3,7 @@ About theZoo is a project created to make the possibility of malware analysis open and available to the public. Since we have found out that almost all versions of malware are very hard to come by in a way which will allow analysis we have decided to gather all of them for you in an available and safe way. theZoo was born by Yuval tisf Nativ and is now maintained by Shahak Shalev. +**theZoo is open and welcoming visitors!** Disclaimer ========== theZoo's purpose is to allow the study of malware and enable people who are interested in malware analysis or maybe even as a part of their job to have access to live malware, analyse the ways they operate and maybe even enable advanced and savvy people to block specific malwares within their own environment. 
@@ -35,20 +36,20 @@ Documentation and Notes ======================== ## Background: -The idea behind theZoo is to allow it to be modular and let you add malware of your own. Each malware should have a directory of it's own. +theZoo's objective is to offer a fast and easy way of retrieving malware samples and source code in an organized fashion in hopes of promoting malware research. ## Root Files: -Since version 0.42 theZoo have been going dramatic changes. It now runs in both CLI and ARGVS mode. You can call the program with the same command line arguments as before. -The current default state of theZoo runtime is the CLI which is inspired by MSF. The following files and directories are responsible for the application's behaviour. +Since version 0.42 theZoo have been going dramatic changes. It now runs both CLI and ARGVS modes. You can call the program with the same command line arguments as before. +The current default state of theZoo runtime is the CLI. The following files and directories are responsible for the application's behaviour. ### /conf The conf folder holds files relevant to the particular running of the program but are not part of the application. You can find the EULA file in the conf and more. ### /imports Contains .py and .pyc import files used by the rest of the application -### /malwares -The actual malwares - be careful! -### /mdbv0.2 -Since mdbv0.2 is stable for the command line arguments (where as of 0.42 we are not yet completely sure) and since the size is relativly small we have left out the beta version for those who are interested in it or got used to it. In next version we will confirm arguments as should be. +### /malwares/Binaries +The actual malwares samples - be careful! +### /malware/Source +Malware source code :) ## Directory Structure: 
@@ -64,7 +65,7 @@ Each directory is composed of 4 files: maldb.db is the DB which theZoo is acting upon to find malwares indexed on your drive. The structure is as follows: - uid,location,type,name,version,author,language,date + uid,location,type,name,version,author,language,date,architecture,platform,comments,tags - UID - Determined based on the indexing process. - Location The location on the drive of the malware you have searched for. @@ -81,8 +82,7 @@ The structure is as follows: An example line will look as follow: - 4,Source/Original/rBot0.3.3_May2004/rBot0.3.3_May2004,botnet,rBot,0.3.3,unknown,cpp,00/05/2004,x86,win32 - + 104,Source/Original/Dexter,trojan,Dexter,2,unknown,c,00/05/2013,x86,win32,NULL,Source Bugs and Reports ================ @@ -123,8 +123,8 @@ The repository holding all files is currently ## Predicted Change Log for v1.0 - [X] Fix auto-complete for malware frameworks. (thanks to 5fingers) -- [ ] Better UI features. - [X] Consider changing DB to XML or SQLite3. (Sheksa - done :)) - +- [ ] Move malwares to another repo. +- [ ] Better UI features. If you have any suggestions or malware that you have indexed as in the documentations please send it to us to yuval[]morirt [dot]com so we can add it for every one's enjoyment. diff --git a/conf/maldb.db b/conf/maldb.db index 15b451e..4072a3c 100644 Binary files a/conf/maldb.db and b/conf/maldb.db differ diff --git a/imports/db_handler.py b/imports/db_handler.py index a6522a4..de11d8f 100644 --- a/imports/db_handler.py +++ b/imports/db_handler.py @@ -19,6 +19,9 @@ class DBHandler: def get_partial_details(self): return self.cur.execute("SELECT ID, TYPE, LANGUAGE, ARCHITECTURE, PLATFORM, NAME FROM Malwares").fetchall() + def get_mal_list(self): + return self.cur.execute("SELECT ID, NAME, TYPE From Malwares").fetchall() + def get_mal_names(self): # Sqlite3 returns a tuple even if a single value is returned diff --git a/imports/globals.py b/imports/globals.py index d07c6fa..539257b 100644 
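Review bot: The new get_mal_list writes the keyword as `From` while the sibling get_partial_details directly above writes `FROM`; SQLite accepts either, but it reads as a typo and breaks the file's convention, so `return self.cur.execute("SELECT ID, NAME, TYPE FROM Malwares").fetchall()` would be cleaner. A one-line docstring stating the column order would also help, since callers index the rows positionally: `"""Return (ID, NAME, TYPE) rows for every entry in the Malwares table."""`. The DBHandler class starts outside the hunk.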
--- a/imports/globals.py +++ b/imports/globals.py @@ -85,17 +85,6 @@ class vars: # :todo: add filter usage - column_for_pl = 6 - column_for_type = 2 - column_for_location = 1 - colomn_for_time = 7 - column_for_version = 4 - column_for_name = 3 - column_for_uid = 0 - column_for_arch = 8 - column_for_plat = 9 - column_for_vip = 10 - opts = [ ("type", ("virus", "worm", "ransomware", "botnet", "apt", "rootkit", "trojan", "exploitkit", "dropper")), ("architecture", ("x86", "x64", "arm", "web")), diff --git a/imports/manysearches.py b/imports/manysearches.py index 81c9d28..6bacf21 100644 --- a/imports/manysearches.py +++ b/imports/manysearches.py @@ -61,7 +61,6 @@ class MuchSearch(object): return "and".join(qlist) def print_payloads(self, m, fields=["#", "Type", "Language", "Architecture", "Platform", "Name"]): - table = PrettyTable(fields) table.align = "l" for malware in m: diff --git a/imports/terminal_handler.py b/imports/terminal_handler.py index 4d9a122..f3f37d9 100644 --- a/imports/terminal_handler.py +++ b/imports/terminal_handler.py @@ -29,7 +29,7 @@ class Controller: ("help", "Displays this help..."), ("exit", "Exits...")] - self.commandsWithoutDescription = {'search': '', 'list all': '', 'use': '', + self.commandsWithoutDescription = {'search': '', 'list all': '', 'use': '', 'info': '', 'get': '', 'report-mal': '', 'update-db': '', 'help': '', 'exit': ''} self.searchmeth = [("arch", "which architecture etc; x86, x64, arm7 so on..."), @@ -52,8 +52,7 @@ class Controller: while (True): # Dont hate, affiliate try: if self.currentmodule is not None: - g = self.currentmodule - 1 - just_print = self.modules[g][int(globals.vars.column_for_name)] + just_print = self.db.query("SELECT NAME FROM Malwares WHERE ID=?", self.currentmodule)[0][0] cmd = raw_input( bold(green('mdb ')) + bold(blue(just_print)) + green('#> ')).strip() else: 
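Review bot: In the second terminal_handler.py hunk, `self.db.query("SELECT NAME FROM Malwares WHERE ID=?", self.currentmodule)[0][0]` indexes the first row unconditionally, so a currentmodule ID with no matching row raises IndexError rather than a clear message; the surrounding `try:` may swallow that, but the except clause it pairs with is outside the hunk, so I can't tell what it catches. If db.query forwards its second argument straight to sqlite3's execute, a bare scalar is rejected and the call should pass a one-tuple, `(self.currentmodule,)` — the query helper isn't visible here, so worth confirming against db_handler.py. Binding the ID as a parameter instead of formatting it into the SQL string is the right approach and should stay that way. The enclosing method starts before the hunk.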
@@ -156,18 +155,8 @@ class Controller: if cmd == 'list all': print "\nAvailable Payloads:" - array = self.modules - i = 0 - print "ID\tName\tType" - print '-----------------' - for element in array: - answer = str(array[i][globals.vars.column_for_uid]) - answer += '\t%s' % ( - '{0: <12}'.format(array[i][globals.vars.column_for_name])) - answer += '\t%s' % ( - '{0: <12}'.format(array[i][globals.vars.column_for_type])) - print answer - i = i + 1 + manySearch = manysearches.MuchSearch() + manySearch.print_payloads(self.db.get_mal_list(), ["%", "Name", "Type"]) return if cmd == 'info': diff --git a/malwares/Source/Original/PowerLoader/PowerLoader.md5 b/malwares/Source/Original/PowerLoader/PowerLoader.md5 new file mode 100644 index 0000000..9842943 --- /dev/null +++ b/malwares/Source/Original/PowerLoader/PowerLoader.md5 @@ -0,0 +1 @@ +27e8f7324a0d777bce287c65afff066e PowerLoader.zip diff --git a/malwares/Source/Original/PowerLoader/PowerLoader.pass b/malwares/Source/Original/PowerLoader/PowerLoader.pass new file mode 100644 index 0000000..58737a9 --- /dev/null +++ b/malwares/Source/Original/PowerLoader/PowerLoader.pass @@ -0,0 +1 @@ +infected \ No newline at end of file diff --git a/malwares/Source/Original/PowerLoader/PowerLoader.sha256 b/malwares/Source/Original/PowerLoader/PowerLoader.sha256 new file mode 100644 index 0000000..9e45991 --- /dev/null +++ b/malwares/Source/Original/PowerLoader/PowerLoader.sha256 @@ -0,0 +1 @@ +7701f6ac684c4b921ee2ef624a690fe6d1dd1d629b18b9464a5eb4827d0a7d10 PowerLoader.zip diff --git a/malwares/Source/Original/PowerLoader/PowerLoader.zip b/malwares/Source/Original/PowerLoader/PowerLoader.zip new file mode 100644 index 0000000..07cc3d8 Binary files /dev/null and b/malwares/Source/Original/PowerLoader/PowerLoader.zip differ diff --git a/mdbv0.2/maldb_0.2.py b/mdbv0.2/maldb_0.2.py deleted file mode 100644 index e85c6eb..0000000 --- a/mdbv0.2/maldb_0.2.py +++ /dev/null 
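Review bot: The header list handed to print_payloads uses `"%"` for the ID column, whereas the method's own default field list (visible in the manysearches.py hunk) uses `"#"`, so this looks like a typo: `manySearch.print_payloads(self.db.get_mal_list(), ["#", "Name", "Type"])`. The new local `manySearch` is camelCase in a file whose other locals (`cmd`, `just_print`) are snake_case; `many_search` would match PEP 8. The enclosing method continues past the end of the hunk.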
@@ -1,255 +0,0 @@ -#!/usr/bin/env python - - #Malware DB - the most awesome free malware database on the air - #Copyright (C) 2014, Yuval Nativ, Lahad Ludar, 5fingers - - #This program is free software: you can redistribute it and/or modify - #it under the terms of the GNU General Public License as published by - #the Free Software Foundation, either version 3 of the License, or - #(at your option) any later version. - - #This program is distributed in the hope that it will be useful, - #but WITHOUT ANY WARRANTY; without even the implied warranty of - #MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - #GNU General Public License for more details. - - #You should have received a copy of the GNU General Public License - #along with this program. If not, see . - -__version__ = "0.2 Beta" -__appname__ = "Malware DB" -__authors__ = ["Yuval Nativ","Lahad Ludar","5fingers"] -__licensev__ = "GPL v3.0" -__maintainer__ = "Yuval Nativ" -__status__ = "Development" - -import sys -import getopt -import subprocess -import csv -import urllib2 -# import git -#import os -#import inspect - - -def main(): - - # Set general variables. - version = __version__ - appname = __appname__ - licensev = __licensev__ - authors = "Yuval Nativ, Lahad Ludar, 5fingers" - fulllicense = appname + " Copyright (C) 2014 " + authors + "\n" - fulllicense += "This program comes with ABSOLUTELY NO WARRANTY; for details type '" + sys.argv[0] +" -w'.\n" - fulllicense += "This is free software, and you are welcome to redistribute it." - - useage='\nUsage: ' + sys.argv[0] + ' -s search_query -t trojan -p vb\n\n' - useage += 'The search engine can search by regular search or using specified arguments:\n\nOPTIONS:\n -h --help\t\tShow this message\n -t --type\t\tMalware type, can be virus/trojan/botnet/spyware/ransomeware.\n -p --language\tProgramming language, can be c/cpp/vb/asm/bin/java.\n -u --update\t\tUpdate malware index. Rebuilds main CSV file. 
\n -s --search\t\tSearch query for name or anything. \n -v --version\tPrint the version information.\n -w\t\t\tPrint GNU license.\n' - - column_for_pl = 6 - column_for_type = 2 - column_for_location = 1 - colomn_for_time = 7 - column_for_version = 4 - column_for_name = 3 - column_for_uid = 0 - column_for_arch = 8 - column_for_plat = 9 - conf_folder = 'conf' - eula_file = conf_folder + '/eula_run.conf' - maldb_ver_file = conf_folder + '/db.ver' - main_csv_file = conf_folder + '/index.csv' - giturl = 'https://raw.github.com/ytisf/theZoo/master/' - - # Function to print license of malware-db - def print_license(): - print "" - print fulllicense - print "" - - # Check if EULA file has been created - def check_eula_file(): - try: - with open(eula_file): - return 1 - except IOError: - return 0 - - def get_maldb_ver(): - try: - with file(maldb_ver_file) as f: - return f.read() - except IOError: - print("No malware DB version file found.\nPlease try to git clone the repository again.\n") - return 0 - - def update_db(): - curr_maldb_ver = get_maldb_ver() - response = urllib2.urlopen(giturl+maldb_ver_file) - new_maldb_ver = response.read() - if new_maldb_ver == curr_maldb_ver: - print "No need for an update.\nYou are at " + new_maldb_ver + " which is the latest version." - sys.exit(1) - # Write the new DB version into the file - f = open(maldb_ver_file, 'w') - f.write(new_maldb_ver) - f.close() - - # Get the new CSV and update it - csvurl = giturl + main_csv_file - u = urllib2.urlopen(csvurl) - f = open(main_csv_file, 'wb') - meta = u.info() - file_size = int(meta.getheaders("Content-Length")[0]) - print "Downloading: %s Bytes: %s" % (main_csv_file, file_size) - file_size_dl = 0 - block_sz = 8192 - while True: - buffer = u.read(block_sz) - if not buffer: - break - file_size_dl += len(buffer) - f.write(buffer) - status = r"%10d [%3.2f%%]" % (file_size_dl, file_size_dl * 100. 
/ file_size) - status = status + chr(8)*(len(status)+1) - print status, - f.close() - - # prints version banner on screen - def versionbanner(): - print "" - print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" - print "\t\t " + appname + ' v' + version - print "Built by:\t\t" + authors - print "Is licensed under:\t" + licensev - print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" - print fulllicense - print useage - - # Check if maybe no results have been found - def checkresults(array): - if len(array) == 0: - print "No results found\n\n" - sys.exit(1) - - # Check to needed arguments - left for debugging - def checkargs(): - print "Type: " + type_of_mal - print "Lang: " + pl - print "Search: " + search - - # Sort arrays - def filter_array(array,colum,value): - ret_array = [row for row in array if value in row[colum]] - return ret_array - - # A function to print banner header - def res_banner(): - print "\nUID\tName\t\tVersion\t\tLocation\t\tTime" - print "---\t----\t\t-------\t\t--------\t\t----" - - # print_results will surprisingly print the results... - def print_results(array): - answer = array[column_for_uid] + "\t" + array[column_for_name]+ "\t" + array[column_for_version] + "\t\t" - answer += array[column_for_location] + "\t\t" + array[colomn_for_time] - print answer - - options, remainder = getopt.getopt(sys.argv[1:], 'hwuvs:p:t:', ['type=', 'language=', 'search=', 'help', 'update', 'version', 'dbv' ]) - - # Zeroing everything - type_of_mal = "" - pl = "" - search = "" - new ="" - update=0 - m=[]; - a=0 - eula_answer='no' - f = "" - - # Checking for EULA Agreement - a = check_eula_file() - if a == 0: - print appname + ' v' + version - print 'This program contain live and dangerous malware files' - print 'This program is intended to be used only for malware analysis and research' - print 'and by agreeing the EULA you agree to only use it for legal purposes and ' - print 'studying malware.' 
- print 'You understand that these file are dangerous and should only be run on VMs' - print 'you can control and know how to handle. Running them on a live system will' - print 'infect you machines will live and dangerous malwares!.' - print '' - eula_answer = raw_input('Type YES in captial letters to accept this EULA.\n') - if eula_answer == 'YES': - print 'you types YES' - new = open(eula_file, 'a') - new.write(eula_answer) - else: - print 'You need to accept the EULA.\nExiting the program.' - sys.exit(1) - - # Get arguments - for opt, arg in options: - if opt in ('-h', '--help'): - print fulllicense - print useage - sys.exit(1) - elif opt in ('-u', '--update'): - update=1 - update_db() - elif opt in ('-v', '--version'): - versionbanner() - sys.exit(1) - elif opt in '-w': - print_license() - sys.exit(1) - elif opt in ('-t', '--type'): - type_of_mal = arg - elif opt in ('-p', '--language'): - pl = arg - elif opt in ('-s', '--search'): - search = arg - elif opt in '--dbv': - # Getting version of malware-DB's database - a = get_maldb_ver() - if a == 0: - sys.exit(0) - elif len(a) > 0: - print '' - print "Malware-DB Database's version is: " + a - sys.exit() - - # Rebuild CSV - if update == 1: - subprocess.call("./Rebuild_CSV.sh", shell=True) - sys.exit(1) - - # Take index.csv and convert into array m - csvReader = csv.reader(open(main_csv_file, 'rb'), delimiter=','); - for row in csvReader: - m.append(row) - - # Filter by type - if len(type_of_mal) > 0: - m = filter_array(m,column_for_type,type_of_mal) - - # Filter by programming language - if len(pl) > 0: - m = filter_array(m,column_for_pl,pl) - - # Free search handler - if len(search) > 0: - res_banner() - matching = [y for y in m if search in y] - for line in matching: - checkresults(matching) - print_results(line) - - if len(search) <= 0: - res_banner() - for line in m: - print_results(line) - -if __name__ == "__main__": - main() \ No newline at end of file