diff --git a/Rebuild_CSV.sh b/Rebuild_CSV.sh index a8e90fd..45a174a 100644 --- a/Rebuild_CSV.sh +++ b/Rebuild_CSV.sh @@ -8,22 +8,22 @@ red_min='\e[01;31m[-]\e[00m' # This file rebuilds the index.csv file based on the local index.log file in each folder. # Backup previous -mv index.csv Index.Backup.csv +mv conf/index.csv conf/Index.Backup.csv # finds all index.log files: find `pwd` -name 'index.log' > /tmp/indexrebuild.tmp -touch index.csv +touch conf/index.csv i=1 cat /tmp/indexrebuild.tmp | while read file ; do let string="$i" string="$string,`echo "$file"`,`cat "$file"`," echo -e "$green_plus $i was added successfully" - echo "$string" >> index.csv + echo "$string" >> conf/index.csv let i=i+1 done -linesofdb=`wc -l < index.csv` +linesofdb=`wc -l < conf/index.csv` if [ $linesofdb = 0 ]; then echo "" diff --git a/conf/db.ver b/conf/db.ver new file mode 100644 index 0000000..3622f93 --- /dev/null +++ b/conf/db.ver @@ -0,0 +1 @@ +140120141400 \ No newline at end of file diff --git a/conf/eula_run.conf b/conf/eula_run.conf new file mode 100644 index 0000000..d2bb323 --- /dev/null +++ b/conf/eula_run.conf @@ -0,0 +1 @@ +YES \ No newline at end of file diff --git a/conf/index.csv b/conf/index.csv new file mode 100644 index 0000000..eae91aa --- /dev/null +++ b/conf/index.csv 
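Review bot: The new `conf/index.csv` paths in the `mv`, `touch`, `>>` and `wc -l` lines are resolved against the caller's working directory, not the script's own location, and nothing in the script stops on failure, so when it is run from anywhere other than the repository root the backup `mv` and `touch` fail, every loop iteration fails to append, and `linesofdb` ends up empty, which makes the later `[ $linesofdb = 0 ]` test itself malformed. Anchor the script to its own directory before the first `mv`, e.g. `cd "$(dirname "$0")" || exit 1`, and consider `set -e` so a missing `conf/` directory is reported instead of silently producing an empty index. Note also that the unchanged `find \`pwd\`` line writes absolute paths into the location column, whereas the `conf/index.csv` added in this same commit uses repository-relative paths, so a local rebuild and a downloaded index will not agree on the format of column 1; dropping the `\`pwd\`` in favour of `find . -name 'index.log'` after the `cd` would make them consistent.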
@@ -0,0 +1,28 @@ +1,Source/Original/Dokan - Dec 2008/index.log,__,Dokan,unknown,unknown,c,12/2008, +2,Source/Original/NBot - July 2008/index.log,botnet,NBot,unknown,unknown,cpp,07/2008, +3,Source/Original/ShadowBot v3 - March 2007/index.log,botnet,ShadowBot,3,unknown,cpp,03/2007, +4,Source/Original/rBot 0.3.3 - May 2004/index.log,botnet,rBot,0.3.3,unknown,cpp,05/2004, +5,Source/Original/ZeuS 2.0.8.9 - Feb 2013/index.log,botnet,ZeuS,2.0.8.9,unknown,c,02/2013, +6,Source/Original/X0R-USB - Virus Version - Jan 2009/index.log,virus,X0R-USB-Virus,unknown,unknown,c,01/2009, +7,Source/Original/LoexBot1.3 - Sep 2008/index.log,botnet,LoexBot,1.3,unknown,cpp,09/2008, +8,Source/Original/ZunkerBot 1.4.5 - Sep 2007/index.log,botnet,ZunkerBot,1.4.5,unknown,php,09/2007, +9,Source/Original/DopeBot v0.22 UnCrippled- Feb 2007/index.log,botnet,DopeBot-UnCrippled,0.22,unknown,cpp,02/2007, +10,Source/Original/vbBot - Jan 2007/index.log,botnet,vbBot,unknown,unknown,vb,01/2007, +11,Source/Original/xTBot 0.0.2 - 2 Feb 2002/index.log,botnet,xTBot,0.0.2,unknown,cpp,02/2002, +12,Source/Original/VBS.Win32.Vabian - Unknown/index.log,VBS-Worm,VBS.Win32.Vabian,unknown,unknown,vb,unknown, +13,Source/Original/DopeBot v0.22 Crippled- Feb 2007/index.log,botnet,DopeBot-Crippled,0.22,unknown,cpp,02/2007, +14,Source/Original/Win32.MiniPig - Nov 2006/index.log,Worm,Win32.MiniPig,unknown,unknown,c,11/2006, +15,Source/Original/HellBot v3.0 - 10 June 2005/index.log,botnet,Hellbot,3.0,unknown,cpp,06/2005, +16,Source/Original/Win32.ogw0rm - Nov 2008/index.log,Worm,Win32.ogwOrm,unknown,unknown,cpp,11/2008, +17,Source/Original/DopeBot.B - Dec 2004/index.log,botnet,DopeBot.B,unknown,unknown,cpp,12/2004, +18,Source/Original/LiquidBot - May 2005/index.log,botnet,LiquidBot,unknown,unknown,cpp,05/2005, +19,Source/Original/SpazBot 2.12 - June 2007/index.log,botnet,SpazBot,2.12,unknown,vb,06/2007, +20,Source/Original/DBot v3.1 - March 2007/index.log,botnet,DBot,3.1,unknown,c,03/2007, +21,Source/Original/CyberBot v2.2 
- October 2006/index.log,botnet,CyberBot,2.2,unknown,cpp,10/2006, +22,Source/Original/DopeBot.A - Dec 2004/index.log,botnet,DopeBot.A,unknown,unknown,cpp,12/2004, +23,Source/Original/MyDoom.A - Jan 2004/index.log,__,MyDoom.A,unknown,unknown,c,01/2004, +24,Source/Original/ShadowBot - Sep 2008/index.log,botnet,ShadowBot,unknown,unknown,cpp,09/2008, +25,Binaries/CryptoLocker Ransomware 20th Nov 2013/index.log,3,ransomeware,CryptoLocker,Unknown,Unknown,bin,20/12/2013, +26,Binaries/CryptoLocker Ransomware 10th Sep 2013/index.log,2,ransomeware,CryptoLocker,Unknown,Unknown,bin,10/12/2013, +27,Binaries/IllusionBot - May 2007/index.log,4,botnet,Illusion Bot,Unknown,Unknown,bin,00/05/2007, +28,Binaries/AndroRat - 6 Dec 2013/index.log,1,botnet,AndroRat,Unknown,Unknown,java,06/12/2013, diff --git a/malware-db.py b/malware-db.py index 34f64bd..1cebd99 100644 --- a/malware-db.py +++ b/malware-db.py 
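Review bot: Rows 25–28 carry an extra numeric field immediately after the `index.log` path (e.g. `…/index.log,3,ransomeware,CryptoLocker,…`), so for those rows the type sits at column 3 and the language at column 7, while rows 1–24 keep the type at column 2 and the language at column 6, which is where `malware-db.py` reads them from (`column_for_type = 2`, `column_for_pl = 6`); filtering with `-t ransomeware` or `-p bin` will never match the Binaries entries and `print_results` shows shifted fields for them. Drop the stray field so every row has the same nine-column layout, e.g. `25,Binaries/CryptoLocker Ransomware 20th Nov 2013/index.log,ransomeware,CryptoLocker,Unknown,Unknown,bin,20/11/2013,`. The date fields of rows 25 and 26 (`20/12/2013`, `10/12/2013`) also disagree with the month in their folder names (Nov, Sep), which looks like a copy error worth confirming against the `index.log` files.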
@@ -16,179 +16,241 @@ #You should have received a copy of the GNU General Public License #along with this program. If not, see . -__version__ = "0.1 Alpha" +__version__ = "0.2 Beta" __appname__ = "Malware DB" -__authors__ = ["Yuval Nativ","Lahad Ludar","5fingers"] +__authors__ = ["Yuval Nativ", "Lahad Ludar", "5fingers"] __licensev__ = "GPL v3.0" -__maintainer = "Yuval Nativ" +__maintainer__ = "Yuval Nativ" __status__ = "Development" - import sys import getopt -import os -import inspect import subprocess import csv +import urllib2 +# import git +#import os +#import inspect + def main(): - - # Set general variables. - version='0.1 Alpha' - appname="Malware DB" - authors="Yuval Nativ, Lahad Ludar, 5fingers" - licensev="GPL v3.0" - fulllicense = appname + " Copyright (C) 2014 " + authors + "\n" - fulllicense += "This program comes with ABSOLUTELY NO WARRANTY; for details type '" + sys.argv[0] +" -w'.\n" - fulllicense += "This is free software, and you are welcome to redistribute it." - - useage='\nUsage: ' + sys.argv[0] + ' -s search_query -t trojan -p vb\n\n' - useage+='The search engine can search by regular search or using specified arguments:\n\nOPTIONS:\n -h --help\t\tShow this message\n -t --type\t\tMalware type, can be virus/trojan/botnet/spyware/ransomeware.\n -p --language\tProgramming language, can be c/cpp/vb/asm/bin/java.\n -u --update\t\tUpdate malware index. Rebuilds main CSV file. \n -s --search\t\tSearch query for name or anything. 
\n -v --version\tPrint the version information.\n -w\t\t\tPrint GNU license.\n' - - column_for_pl=6 - column_for_type=2 - column_for_location=1 - colomn_for_time=7 - column_for_version=4 - column_for_name=3 - column_for_uid=0 - column_for_arch=8 - column_for_plat=9 - eula_file='eula_run.conf' - - def print_license(): - print "" - print fulllicense - print "" - - def check_eula_file(): - try: - with open(eula_file): - return 1 - except IOError: - return 0 - - def versionbanner(): - print "" - print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" - print "\t\t " + appname + ' v' + version - print "Built by:\t\t" + authors - print "Is licensed under:\t" + licensev - print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" - print fulllicense - print useage - - def checkresults(array): - if len(array) == 0: - print "No results found\n\n" - sys.exit(1) - - def checkargs(): - print "Type: " + type_of_mal - print "Lang: " + pl - print "Search: " + search - - def filter_array(array,colum,value): - ret_array = [row for row in array if value in row[colum]] - return ret_array - - def res_banner(): - # A function to print banner header - print "\nUID\tName\t\tVersion\t\tLocation\t\tTime" - print "---\t----\t\t-------\t\t--------\t\t----" - - def print_results(array): - # print_results will suprisingly print the results... 
- answer = array[column_for_uid] + "\t" + array[column_for_name]+ "\t" + array[column_for_version] + "\t\t" - answer += array[column_for_location] + "\t\t" + array[colomn_for_time] - print answer - - options, remainder = getopt.getopt(sys.argv[1:], 'hwuvs:p:t:', ['type=', 'language=', 'search=', 'help', 'update', 'version' ]) - - # Zeroing everything - type_of_mal = "" - pl = "" - search = "" - new ="" - update=0 - m=[]; - a=0 - eula_answer='no' - - # Checking for EULA Agreement - a = check_eula_file() - if a == 0: - print appname + ' v' + version - print 'This program contain live and dangerous malware files' - print 'This program is intended to be used only for malware analysis and research' - print 'and by agreeing the EULA you agree to only use it for legal purposes and ' - print 'studying malware.' - print 'You understand that these file are dangerous and should only be run on VMs' - print 'you can control and know how to handle. Running them on a live system will' - print 'infect you machines will live and dangerous malwares!.' - print '' - eula_answer = raw_input('Type YES in captial letters to accept this EULA.\n') - if eula_answer == 'YES': - print 'you types YES' - new = open(eula_file, 'a') - new.write(eula_answer) - else: - print 'You need to accept the EULA.\nExiting the program.' 
- sys.exit(1) - - # Get arguments - for opt, arg in options: - if opt in ('-h','--help'): - print fulllicense - print useage - sys.exit(1) - elif opt in ('-u', '--update'): - update=1 - elif opt in ('-v', '--version'): - versionbanner() - sys.exit(1) - elif opt in ('-w'): - print_license() - sys.exit(1) - elif opt in ('-t', '--type'): - type_of_mal = arg - elif opt in ('-p', '--language'): - pl = arg - elif opt in ('-s', '--search'): - search = arg - - # Rebuild CSV - if update == 1: - subprocess.call("./Rebuild_CSV.sh", shell=True) - sys.exit(1) - - # Take index.csv and convert into array m - csvReader = csv.reader(open('index.csv', 'rb'), delimiter=','); - for row in csvReader: - m.append(row); - - # Filter by type - if len(type_of_mal) > 0: - m = filter_array(m,column_for_type,type_of_mal) - - # Filter by programming language - if len(pl) > 0: - m = filter_array(m,column_for_pl,pl) - - # Free search handler - if len(search) > 0: - res_banner() - matching = [y for y in m if search in y] - for line in matching: - checkresults(matching) - print_results(line) - - if len(search) <= 0: - res_banner() - for line in m: - print_results(line) + # Set general variables. + version = __version__ + appname = __appname__ + licensev = __licensev__ + authors = "Yuval Nativ, Lahad Ludar, 5fingers" + fulllicense = appname + " Copyright (C) 2014 " + authors + "\n" + fulllicense += "This program comes with ABSOLUTELY NO WARRANTY; for details type '" + sys.argv[0] +" -w'.\n" + fulllicense += "This is free software, and you are welcome to redistribute it." + + useage='\nUsage: ' + sys.argv[0] + ' -s search_query -t trojan -p vb\n\n' + useage += 'The search engine can search by regular search or using specified arguments:\n\nOPTIONS:\n -h --help\t\tShow this message\n -t --type\t\tMalware type, can be virus/trojan/botnet/spyware/ransomeware.\n -p --language\tProgramming language, can be c/cpp/vb/asm/bin/java.\n -u --update\t\tUpdate malware index. Rebuilds main CSV file. 
\n -s --search\t\tSearch query for name or anything. \n -v --version\tPrint the version information.\n -w\t\t\tPrint GNU license.\n' + + column_for_pl = 6 + column_for_type = 2 + column_for_location = 1 + colomn_for_time = 7 + column_for_version = 4 + column_for_name = 3 + column_for_uid = 0 + column_for_arch = 8 + column_for_plat = 9 + conf_folder = 'conf' + eula_file = conf_folder + '/eula_run.conf' + maldb_ver_file = conf_folder + '/db.ver' + main_csv_file = conf_folder + '/index.csv' + giturl = 'https://raw.github.com/ytisf/theZoo/master/' + + # Function to print license of malware-db + def print_license(): + print "" + print fulllicense + print "" + + # Check if EULA file has been created + def check_eula_file(): + try: + with open(eula_file): + return 1 + except IOError: + return 0 + + def get_maldb_ver(): + try: + with file(maldb_ver_file) as f: + return f.read() + except IOError: + print("No malware DB version file found.\nPlease try to git clone the repository again.\n") + return 0 + + def update_db(): + curr_maldb_ver = get_maldb_ver() + response = urllib2.urlopen(giturl+maldb_ver_file) + new_maldb_ver = response.read() + if new_maldb_ver == curr_maldb_ver: + print "No need for an update.\nYou are at " + new_maldb_ver + " which is the latest version." + sys.exit(1) + + # Write the new DB version into the file + f = open(maldb_ver_file, 'w') + f.write(new_maldb_ver) + f.close() + + # Get the new CSV and update it + csvurl = giturl + main_csv_file + u = urllib2.urlopen(csvurl) + f = open(main_csv_file, 'wb') + meta = u.info() + file_size = int(meta.getheaders("Content-Length")[0]) + print "Downloading: %s Bytes: %s" % (main_csv_file, file_size) + file_size_dl = 0 + block_sz = 8192 + while True: + buffer = u.read(block_sz) + if not buffer: + break + file_size_dl += len(buffer) + f.write(buffer) + status = r"%10d [%3.2f%%]" % (file_size_dl, file_size_dl * 100. 
/ file_size) + status = status + chr(8)*(len(status)+1) + print status, + f.close() + + # prints version banner on screen + def versionbanner(): + print "" + print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" + print "\t\t " + appname + ' v' + version + print "Built by:\t\t" + authors + print "Is licensed under:\t" + licensev + print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" + print fulllicense + print useage + + # Check if maybe no results have been found + def checkresults(array): + if len(array) == 0: + print "No results found\n\n" + sys.exit(1) + + # Check to needed arguments - left for debugging + def checkargs(): + print "Type: " + type_of_mal + print "Lang: " + pl + print "Search: " + search + + # Sort arrays + def filter_array(array,colum,value): + ret_array = [row for row in array if value in row[colum]] + return ret_array + + # A function to print banner header + def res_banner(): + print "\nUID\tName\t\tVersion\t\tLocation\t\tTime" + print "---\t----\t\t-------\t\t--------\t\t----" + + # print_results will surprisingly print the results... + def print_results(array): + answer = array[column_for_uid] + "\t" + array[column_for_name]+ "\t" + array[column_for_version] + "\t\t" + answer += array[column_for_location] + "\t\t" + array[colomn_for_time] + print answer + + options, remainder = getopt.getopt(sys.argv[1:], 'hwuvs:p:t:', ['type=', 'language=', 'search=', 'help', 'update', 'version', 'dbv']) + + # Zeroing everything + type_of_mal = "" + pl = "" + search = "" + new = "" + update = 0 + m=[]; + a = 0 + eula_answer = 'no' + f = "" + + # Checking for EULA Agreement + a = check_eula_file() + if a == 0: + print appname + ' v' + version + print 'This program contain live and dangerous malware files' + print 'This program is intended to be used only for malware analysis and research' + print 'and by agreeing the EULA you agree to only use it for legal purposes and ' + print 'studying malware.' 
+ print 'You understand that these file are dangerous and should only be run on VMs' + print 'you can control and know how to handle. Running them on a live system will' + print 'infect you machines will live and dangerous malwares!.' + print '' + eula_answer = raw_input('Type YES in capital letters to accept this EULA.\n') + if eula_answer == 'YES': + print 'you types YES' + new = open(eula_file, 'a') + new.write(eula_answer) + else: + print 'You need to accept the EULA.\nExiting the program.' + sys.exit(1) + + # Get arguments + for opt, arg in options: + if opt in ('-h', '--help'): + print fulllicense + print useage + sys.exit(1) + elif opt in ('-u', '--update'): + update = 1 + update_db() + elif opt in ('-v', '--version'): + versionbanner() + sys.exit(1) + elif opt in '-w': + print_license() + sys.exit(1) + elif opt in ('-t', '--type'): + type_of_mal = arg + elif opt in ('-p', '--language'): + pl = arg + elif opt in ('-s', '--search'): + search = arg + elif opt in '--dbv': + # Getting version of malware-DB's database + a = get_maldb_ver() + if a == 0: + sys.exit(0) + elif len(a) > 0: + print '' + print "Malware-DB Database's version is: " + a + sys.exit() + + # Rebuild CSV + if update == 1: + subprocess.call("./Rebuild_CSV.sh", shell=True) + sys.exit(1) + + # Take index.csv and convert into array m + csvReader = csv.reader(open(main_csv_file, 'rb'), delimiter=','); + for row in csvReader: + m.append(row) + + # Filter by type + if len(type_of_mal) > 0: + m = filter_array(m,column_for_type,type_of_mal) + + # Filter by programming language + if len(pl) > 0: + m = filter_array(m,column_for_pl,pl) + + # Free search handler + if len(search) > 0: + res_banner() + matching = [y for y in m if search in y] + for line in matching: + checkresults(matching) + print_results(line) + + if len(search) <= 0: + res_banner() + for line in m: + print_results(line) if __name__ == "__main__": - main() - + main() \ No newline at end of file
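Review bot: In `update_db()` the remote version string is written to `conf/db.ver` before the CSV download is even attempted, so a failed or truncated fetch leaves `db.ver` claiming the new version and every later `-u` prints "No need for an update" while `conf/index.csv` is still the old one; the marker must be written only after the index is safely on disk, as in the rewrite below. The fetch also has no integrity check beyond the transport, and on Python 2 releases before 2.7.9 `urllib2` does not validate the HTTPS certificate, so the downloaded index should be treated as attacker-influenced data; at minimum the code must not crash on a missing `Content-Length` (`meta.getheaders("Content-Length")[0]` raises IndexError) or on a zero length (the progress line divides by `file_size`). Separately, after `update_db()` returns `update` is still 1, so `main()` goes on to run `./Rebuild_CSV.sh`, which moves the just-downloaded `conf/index.csv` aside to `conf/Index.Backup.csv` and regenerates it from local `index.log` files — either `-u` should `sys.exit(0)` after a successful download or the two update paths should be given distinct options.
```python
    def update_db():
        curr_maldb_ver = get_maldb_ver()
        new_maldb_ver = urllib2.urlopen(giturl + maldb_ver_file).read()
        if new_maldb_ver == curr_maldb_ver:
            print "No need for an update.\nYou are at " + new_maldb_ver + " which is the latest version."
            sys.exit(1)

        # Fetch the whole index into memory first; db.ver is only updated once
        # the CSV is on disk, so a failed download cannot mark a stale index as
        # current. Content-Length may be absent, so it is only used for progress.
        u = urllib2.urlopen(giturl + main_csv_file)
        content_length = u.info().getheaders("Content-Length")
        file_size = int(content_length[0]) if content_length else 0
        print "Downloading: %s Bytes: %s" % (main_csv_file, file_size or "unknown")
        chunks = []
        file_size_dl = 0
        block_sz = 8192
        while True:
            buffer = u.read(block_sz)
            if not buffer:
                break
            file_size_dl += len(buffer)
            chunks.append(buffer)
            if file_size:
                status = r"%10d [%3.2f%%]" % (file_size_dl, file_size_dl * 100. / file_size)
                print status + chr(8) * (len(status) + 1),
        if file_size and file_size_dl != file_size:
            print "Download of %s was truncated (%d of %d bytes); keeping the old index." % (main_csv_file, file_size_dl, file_size)
            sys.exit(1)

        with open(main_csv_file, 'wb') as f:
            f.write("".join(chunks))
        with open(maldb_ver_file, 'w') as f:
            f.write(new_maldb_ver)
```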