diff --git a/Binaries/CryptoLocker Ransomware 10th Sep 2013/CryptoLocker_9-10-2013.pass b/Binaries/CryptoLocker Ransomware 10th Sep 2013/CryptoLocker_9-10-2013.pass
new file mode 100644
index 0000000..ba701bf
--- /dev/null
+++ b/Binaries/CryptoLocker Ransomware 10th Sep 2013/CryptoLocker_9-10-2013.pass
@@ -0,0 +1 @@
+infected
diff --git a/Binaries/CryptoLocker Ransomware 10th Sep 2013/CryptoLocker_9-10-2013.sha256 b/Binaries/CryptoLocker Ransomware 10th Sep 2013/CryptoLocker_9-10-2013.sha256
new file mode 100644
index 0000000..1c1e64f
--- /dev/null
+++ b/Binaries/CryptoLocker Ransomware 10th Sep 2013/CryptoLocker_9-10-2013.sha256
@@ -0,0 +1 @@
+d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
diff --git a/Binaries/CryptoLocker Ransomware 10th Sep 2013/CryptoLocker_9-10-2013.zip b/Binaries/CryptoLocker Ransomware 10th Sep 2013/CryptoLocker_9-10-2013.zip
new file mode 100644
index 0000000..7ccd397
Binary files /dev/null and b/Binaries/CryptoLocker Ransomware 10th Sep 2013/CryptoLocker_9-10-2013.zip differ
diff --git a/Binaries/CryptoLocker Ransomware 20th Nov 2013/CryptoLocker_11-20-2013.pass b/Binaries/CryptoLocker Ransomware 20th Nov 2013/CryptoLocker_11-20-2013.pass
new file mode 100644
index 0000000..ba701bf
--- /dev/null
+++ b/Binaries/CryptoLocker Ransomware 20th Nov 2013/CryptoLocker_11-20-2013.pass
@@ -0,0 +1 @@
+infected
diff --git a/Binaries/CryptoLocker Ransomware 20th Nov 2013/CryptoLocker_11-20-2013.sha256 b/Binaries/CryptoLocker Ransomware 20th Nov 2013/CryptoLocker_11-20-2013.sha256
new file mode 100644
index 0000000..a071063
--- /dev/null
+++ b/Binaries/CryptoLocker Ransomware 20th Nov 2013/CryptoLocker_11-20-2013.sha256
@@ -0,0 +1 @@
+c7dc529d8aae76b4e797e4e9e3ea7cd69669e6c3bb3f94d80f1974d1b9f69378
diff --git a/Binaries/CryptoLocker Ransomware 20th Nov 2013/CryptoLocker_11-20-2013.zip b/Binaries/CryptoLocker Ransomware 20th Nov 2013/CryptoLocker_11-20-2013.zip
new file mode 100644
index 0000000..ad47884
Binary files /dev/null and b/Binaries/CryptoLocker Ransomware 20th Nov 2013/CryptoLocker_11-20-2013.zip differ
diff --git a/Binaries/IllusionBot - May 2007/IllusionBot - May 2007.md5 b/Binaries/IllusionBot - May 2007/IllusionBot - May 2007.md5
new file mode 100644
index 0000000..a4b49c4
--- /dev/null
+++ b/Binaries/IllusionBot - May 2007/IllusionBot - May 2007.md5
@@ -0,0 +1 @@
+86a310b96adbf79040f3a25c198674aa
\ No newline at end of file
diff --git a/Binaries/IllusionBot - May 2007/IllusionBot - May 2007.pass b/Binaries/IllusionBot - May 2007/IllusionBot - May 2007.pass
new file mode 100644
index 0000000..ba701bf
--- /dev/null
+++ b/Binaries/IllusionBot - May 2007/IllusionBot - May 2007.pass
@@ -0,0 +1 @@
+infected
diff --git a/Binaries/IllusionBot - May 2007/IllusionBot - May 2007.rar b/Binaries/IllusionBot - May 2007/IllusionBot - May 2007.rar
new file mode 100644
index 0000000..cc47811
Binary files /dev/null and b/Binaries/IllusionBot - May 2007/IllusionBot - May 2007.rar differ
diff --git a/Binaries/Zeus Banking Version 26 Nov 2013/Zeus_Zbot_Rootkit_Banking_Trojan.pass b/Binaries/Zeus Banking Version 26 Nov 2013/Zeus_Zbot_Rootkit_Banking_Trojan.pass
new file mode 100644
index 0000000..ba701bf
--- /dev/null
+++ b/Binaries/Zeus Banking Version 26 Nov 2013/Zeus_Zbot_Rootkit_Banking_Trojan.pass
@@ -0,0 +1 @@
+infected
diff --git a/Binaries/Zeus Banking Version 26 Nov 2013/Zeus_Zbot_Rootkit_Banking_Trojan.sha256 b/Binaries/Zeus Banking Version 26 Nov 2013/Zeus_Zbot_Rootkit_Banking_Trojan.sha256
new file mode 100644
index 0000000..789ce29
--- /dev/null
+++ b/Binaries/Zeus Banking Version 26 Nov 2013/Zeus_Zbot_Rootkit_Banking_Trojan.sha256
@@ -0,0 +1 @@
+69e966e730557fde8fd84317cdef1ece00a8bb3470c0b58f3231e170168af169
diff --git a/Binaries/Zeus Banking Version 26 Nov 2013/Zeus_Zbot_Rootkit_Banking_Trojan.zip b/Binaries/Zeus Banking Version 26 Nov 2013/Zeus_Zbot_Rootkit_Banking_Trojan.zip
new file mode 100644
index 0000000..6ffc5f9
Binary files /dev/null and b/Binaries/Zeus Banking Version 26 Nov 2013/Zeus_Zbot_Rootkit_Banking_Trojan.zip differ
diff --git a/Binaries/njRAT-v0.6.4/njRAT-v0.6.4.pass b/Binaries/njRAT-v0.6.4/njRAT-v0.6.4.pass
new file mode 100644
index 0000000..cb023ac
--- /dev/null
+++ b/Binaries/njRAT-v0.6.4/njRAT-v0.6.4.pass
@@ -0,0 +1 @@
+crypted
diff --git a/Binaries/njRAT-v0.6.4/njRAT-v0.6.4.rar b/Binaries/njRAT-v0.6.4/njRAT-v0.6.4.rar
new file mode 100644
index 0000000..77aecc6
Binary files /dev/null and b/Binaries/njRAT-v0.6.4/njRAT-v0.6.4.rar differ
diff --git a/Binaries/njRAT-v0.6.4/njRAT-v0.6.4.sha256 b/Binaries/njRAT-v0.6.4/njRAT-v0.6.4.sha256
new file mode 100644
index 0000000..2a4c682
--- /dev/null
+++ b/Binaries/njRAT-v0.6.4/njRAT-v0.6.4.sha256
@@ -0,0 +1 @@
+a58b71b98182bbb2eb6a3ae42f3f2056b1673c11355dee59afc904df510c2f09
diff --git a/PackFiles.sh b/PackFiles.sh
new file mode 100644
index 0000000..39f0d9c
--- /dev/null
+++ b/PackFiles.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+bold=`tput bold`
+normal=`tput sgr0`
+green_plus='\e[00;32m[+]\e[00m'
+
+if [ $# -ne 1 ] ; then
+ echo "No directory choosen."
+ echo "Using `pwd`"
+ current_dir=`pwd`
+fi
+
+find $pwd -maxdepth 1 -type d | while read folder; do
+ mkdir -p "Compressed/$folder"
+ zip -r --password infected "Compressed/$folder/$folder.zip" "$folder" > /dev/null
+ sha256sum "Compressed/$folder/$folder.zip" > "Compressed/$folder/$folder.sha256"
+ md5sum "Compressed/$folder/$folder.zip" > "Compressed/$folder/$folder.md5"
+ echo "infected" > "Compressed/$folder/$folder.pass"
+ echo -e "$green_plus $folder compressed. "
+ echo -e "$green_plus Remember that you still need to create index.log :) "
+done
diff --git a/Rebuild_CSV.sh b/Rebuild_CSV.sh
new file mode 100644
index 0000000..a8e90fd
--- /dev/null
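Review bot: `find $pwd -maxdepth 1 -type d` reads a variable the script never sets (it assigns `current_dir`, and never uses the directory argument it asks for), so the walk always starts at `.`; and because `-type d` without `-mindepth 1` also matches `.` itself, the first iteration zips the whole tree — `Compressed/` included — into `Compressed/./..zip`. Replacing the `if` block with `cd "${1:-.}" || exit 1` and the loop head with `find . -mindepth 1 -maxdepth 1 -type d | while read -r folder; do` honours the argument and skips the root. Two caveats worth a comment in the loop: the `.sha256`/`.md5` files hash the encrypted archive, not the sample inside it, so they cannot be matched against AV or sandbox reports and are unlikely to be reproducible across runs, and `--password infected` on the command line is visible to every process on the host — fine for the conventional sample-sharing password, not a pattern to reuse for anything secret.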
+++ b/Rebuild_CSV.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+bold=`tput bold`
+normal=`tput sgr0`
+green_plus='\e[00;32m[+]\e[00m'
+red_min='\e[01;31m[-]\e[00m'
+
+# This file rebuilds the index.csv file based on the local index.log file in each folder.
+
+# Backup previous
+mv index.csv Index.Backup.csv
+
+# finds all index.log files:
+
+find `pwd` -name 'index.log' > /tmp/indexrebuild.tmp
+touch index.csv
+i=1
+cat /tmp/indexrebuild.tmp | while read file ; do
+ let string="$i"
+ string="$string,`echo "$file"`,`cat "$file"`,"
+ echo -e "$green_plus $i was added successfully"
+ echo "$string" >> index.csv
+ let i=i+1
+done
+
+linesofdb=`wc -l < index.csv`
+
+if [ $linesofdb = 0 ]; then
+ echo ""
+ echo -e "$red_min No index files were detected!"
+ echo ""
+ exit 0
+fi
+if [ $linesofdb > 0 ]; then
+ echo ""
+ echo -e "$green_plus Rebuilt index with $linesofdb malwares. Be safe."
+ echo " Go and have some fun :)"
+ echo ""
+ exit 1
+fi
+
diff --git a/index.csv b/index.csv
new file mode 100644
index 0000000..55ede6e
--- /dev/null
+++ b/index.csv
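Review bot: `if [ $linesofdb > 0 ]; then` near the end of the hunk is a redirection, not a comparison: `[ $linesofdb ]` is evaluated, its output goes to a file literally named `0` in the repository root, and the branch is taken whenever the count is non-empty; the two branches also exit with the codes reversed (`exit 0` when no index files were found, `exit 1` on success). The fix is `if [ "$linesofdb" -gt 0 ]; then` together with `exit 1` in the empty case and `exit 0` in the success case. Separately, `cat "$file"` appends each `index.log` to `index.csv` verbatim, so a contributed log containing a comma, an extra field or a newline shifts or splits the columns that the search tool indexes by position; a field-count check on the line before the `>> index.csv` append would make the rebuild robust against a malformed sample folder. `/tmp/indexrebuild.tmp` is a fixed, world-writable path and is never removed; `mktemp` plus a `trap` cleanup is the usual shape.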
@@ -0,0 +1,28 @@
+1,Source/Original/Dokan - Dec 2008/index.log,__,Dokan,Unknow,Unknow,C,12/2008,
+2,Source/Original/NBot - July 2008/index.log,Botnet,NBot,Unknow,Unknow,C++,07/2008,
+3,Source/Original/ShadowBot v3 - March 2007/index.log,Botnet,ShadowBot,3,Unknow,C++,03/2007,
+4,Source/Original/rBot 0.3.3 - May 2004/index.log,Botnet,rBot,0.3.3,Unknow,C++,05/2004,
+5,Source/Original/ZeuS 2.0.8.9 - Feb 2013/index.log,botnet,ZeuS,2.0.8.9,Unknow,C,02/2013,
+6,Source/Original/X0R-USB - Virus Version - Jan 2009/index.log,Virus,X0R-USB-Virus,Unknow,Unknow,C,01/2009,
+7,Source/Original/LoexBot1.3 - Sep 2008/index.log,Botnet,LoexBot,1.3,Unknow,C++,09/2008,
+8,Source/Original/ZunkerBot 1.4.5 - Sep 2007/index.log,Botnet,ZunkerBot,1.4.5,Unknow,SQL,09/2007,
+9,Source/Original/DopeBot v0.22 UnCrippled- Feb 2007/index.log,Botnet,DopeBot-UnCrippled,0.22,Unknow,C++,02/2007,
+10,Source/Original/vbBot - Jan 2007/index.log,Botnet,vbBot,Unknow,Unknow,VB,01/2007,
+11,Source/Original/xTBot 0.0.2 - 2 Feb 2002/index.log,Botnet,xTBot,0.0.2,Unknow,C/C++,02/2002,
+12,Source/Original/VBS.Win32.Vabian - Unknown/index.log,VBS-Worm,VBS.Win32.Vabian,Unknow,Unknow,VBS,Unknow,
+13,Source/Original/DopeBot v0.22 Crippled- Feb 2007/index.log,Botnet,DopeBot-Crippled,0.22,Unknow,C++,02/2007,
+14,Source/Original/Win32.MiniPig - Nov 2006/index.log,Worm,Win32.MiniPig,Unknow,Unknow,C,11/2006,
+15,Source/Original/HellBot v3.0 - 10 June 2005/index.log,Botnet,Hellbot,3.0,Unknow,C++,06/2005,
+16,Source/Original/Win32.ogw0rm - Nov 2008/index.log,Worm,Win32.ogwOrm,Unknow,Unknow,C++,11/2008,
+17,Source/Original/DopeBot.B - Dec 2004/index.log,Botnet,DopeBot.B,Unknow,Unknow,C++,12/2004,
+18,Source/Original/LiquidBot - May 2005/index.log,Botnet,LiquidBot,Unknow,Unknow,C++,05/2005,
+19,Source/Original/SpazBot 2.12 - June 2007/index.log,Botnet,SpazBot,2.12,Unknow,VB,06/2007,
+20,Source/Original/DBot v3.1 - March 2007/index.log,Botnet,DBot,3.1,Unknow,C,03/2007,
+21,Source/Original/CyberBot v2.2 - October 
2006/index.log,Botnet,CyberBot,2.2,Unknow,C++,10/2006,
+22,Source/Original/DopeBot.A - Dec 2004/index.log,Botnet,DopeBot.A,Unknow,Unknow,C++,12/2004,
+23,Source/Original/MyDoom.A - Jan 2004/index.log,__,MyDoom.A,Unknow,Unknow,C,01/2004,
+24,Source/Original/ShadowBot - Sep 2008/index.log,Botnet,ShadowBot,Unknow,Unknow,C++,09/2008,
+25,Binaries/CryptoLocker Ransomware 20th Nov 2013/index.log,3,ransomeware,CryptoLocker,Unknown,Unknown,bin,20/12/2013,
+26,Binaries/CryptoLocker Ransomware 10th Sep 2013/index.log,2,ransomeware,CryptoLocker,Unknown,Unknown,bin,10/12/2013,
+27,Binaries/IllusionBot - May 2007/index.log,4,botnet,Illusion Bot,Unknown,Unknown,bin,00/05/2007,
+28,Binaries/AndroRat - 6 Dec 2013/index.log,1,botnet,AndroRat,Unknown,Unknown,java,06/12/2013,
diff --git a/malware-db.py b/malware-db.py
new file mode 100644
index 0000000..cb13a55
--- /dev/null
+++ b/malware-db.py
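Review bot: Rows 25–28 (the `Binaries/...` entries) carry an extra numeric field between the path and the type, so their columns sit one to the right of rows 1–24; with the fixed indices the search tool uses (type at column 2, name at 3, version at 4, language at 6, time at 7) those rows report `3` as the type, `ransomeware` as the name, `CryptoLocker` as the version and `bin` as the time, and a `-t ransomeware` filter never matches them. Either drop the extra field or move it to a trailing column so every row has the same layout. The dates on rows 25–27 (`20/12/2013`, `10/12/2013`, `00/05/2007`) also disagree with the month in their folder names and with the `MM/YYYY` form used by the other rows; worth normalising while the file is new.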
@@ -0,0 +1,152 @@
+#!/usr/bin/env python
+
+ #Malware DB - the most awesome free malware database on the air
+ #Copyright (C) 2014, Yuval Nativ, Lahad Ludar, 5fingers
+
+ #This program is free software: you can redistribute it and/or modify
+ #it under the terms of the GNU General Public License as published by
+ #the Free Software Foundation, either version 3 of the License, or
+ #(at your option) any later version.
+
+ #This program is distributed in the hope that it will be useful,
+ #but WITHOUT ANY WARRANTY; without even the implied warranty of
+ #MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ #GNU General Public License for more details.
+
+ #You should have received a copy of the GNU General Public License
+ #along with this program. If not, see .
+
+import sys
+import getopt
+import inspect
+import subprocess
+import csv
+
+def main():
+
+ # Set general variables.
+ version=0.1
+ appname="Malware DB"
+ authors="Yuval Nativ, Lahad Ludar, 5fingers"
+ licensev="GPL v3.0"
+ fulllicense = appname + " Copyright (C) 2014 " + authors + "\n"
+ fulllicense += "This program comes with ABSOLUTELY NO WARRANTY; for details type '" + sys.argv[0] +" -w'.\n"
+ fulllicense += "This is free software, and you are welcome to redistribute it."
+
+ useage='\nUsage: ' + sys.argv[0] + ' -s search_query -t trojan -p vb\n\n'
+ useage+='The search engine can search by regular search or using specified arguments:\n\nOPTIONS:\n -h --help\t\tShow this message\n -t --type\t\tMalware type, can be virus/trojan/botnet/spyware/ransomeware.\n -p --language\tProgramming language, can be c/cpp/vb/asm/bin/java.\n -u --update\t\tUpdate malware index. Rebuilds main CSV file. \n -s --search\t\tSearch query for name or anything. 
\n -v --version\tPrint the version information.\n -w\t\t\tPrint GNU license.\n'
+
+ column_for_pl=6
+ column_for_type=2
+ column_for_location=1
+ colomn_for_time=7
+ column_for_version=4
+ column_for_name=3
+ column_for_uid=0
+
+ def print_license():
+ print ""
+ print fulllicense
+ print ""
+
+ def versionbanner():
+ print ""
+ print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
+ print "\t\t " + appname
+ print "Built by:\t\t" + authors
+ print "Is licensed under:\t" + licensev
+ print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
+ print fulllicense
+ print useage
+
+ def checkresults(array):
+ if len(array) == 0:
+ print "No results found\n\n"
+ sys.exit(1)
+
+ def checkargs():
+ print "Type: " + type_of_mal
+ print "Lang: " + pl
+ print "Search: " + search
+
+ def filter_array(array,colum,value):
+ ret_array = [row for row in array if value in row[colum]]
+ return ret_array
+
+ def res_banner():
+ # A function to print banner header
+ print "\nUID\tName\t\tVersion\t\tLocation\t\tTime"
+ print "---\t----\t\t-------\t\t--------\t\t----"
+
+ def print_results(array):
+ # print_results will suprisingly print the results... 
+ answer = array[column_for_uid] + "\t" + array[column_for_name]+ "\t" + array[column_for_version] + "\t\t"
+ answer += array[column_for_location] + "\t\t" + array[colomn_for_time]
+ print answer
+
+ options, remainder = getopt.getopt(sys.argv[1:], 'hwuvs:p:t:', ['type=', 'language=', 'search=', 'help', 'update', 'version' ])
+
+ # Zeroing everything
+ type_of_mal = ""
+ pl = ""
+ search = ""
+ new =""
+ update=0
+ m=[];
+
+ # Get arguments
+ for opt, arg in options:
+ if opt in ('-h','--help'):
+ print fulllicense
+ print useage
+ sys.exit(1)
+ elif opt in ('-u', '--update'):
+ update=1
+ elif opt in ('-v', '--version'):
+ versionbanner()
+ sys.exit(1)
+ elif opt in ('-w'):
+ print_license()
+ sys.exit(1)
+ elif opt in ('-t', '--type'):
+ type_of_mal = arg
+ elif opt in ('-p', '--language'):
+ pl = arg
+ elif opt in ('-s', '--search'):
+ search = arg
+
+ # Rebuild CSV
+ if update == 1:
+ subprocess.call("./Rebuild_CSV.sh", shell=True)
+ sys.exit(1)
+
+ # Take index.csv and convert into array m
+ csvReader = csv.reader(open('index.csv', 'rb'), delimiter=',');
+ for row in csvReader:
+ m.append(row);
+
+ # Filter by type
+ if len(type_of_mal) > 0:
+ m = filter_array(m,column_for_type,type_of_mal)
+
+ # Filter by programming language
+ if len(pl) > 0:
+ m = filter_array(m,column_for_pl,pl)
+
+ # Free search handler
+ if len(search) > 0:
+ res_banner()
+ matching = [y for y in m if search in y]
+ for line in matching:
+ checkresults(matching)
+ print_results(line)
+
+ if len(search) <= 0:
+ res_banner()
+ for line in m:
+ print_results(line)
+
+
+if __name__ == "__main__":
+ main()
+
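Review bot: `matching = [y for y in m if search in y]` in the free-search handler tests whether the query equals an entire cell (`y` is the list of fields for one row), not whether it appears in any field, so `-s Crypto` finds nothing while `-s CryptoLocker` does, contrary to the usage text; and `checkresults(matching)` sits inside the `for line in matching:` loop, so when nothing matches the loop body never runs and the "No results found" path is unreachable. Change the comprehension to `matching = [y for y in m if any(search in cell for cell in y)]` and move `checkresults(matching)` to the line before the loop. Smaller points in the same hunk: `subprocess.call("./Rebuild_CSV.sh", shell=True)` runs a constant command so there is no injection, but `subprocess.call(["./Rebuild_CSV.sh"])` avoids the shell and its return value should be checked rather than unconditionally following it with `sys.exit(1)`; `open('index.csv', 'rb')` is never closed (a `with` block fixes that); and every successful path exits with status 1, which any script wrapping the tool will read as failure. The file is Python 2 only (`print` statements, `'rb'` for the csv reader), which `#!/usr/bin/env python` does not pin — `#!/usr/bin/env python2` or a comment at the top would save the next reader a confusing traceback; `filter_array` will also raise `IndexError` on any row shorter than the column it indexes, which is worth a guard given `index.csv` is assembled from contributed `index.log` files.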