Collecting Malware via Botnet Tracking

I blogged about collecting malware via botnet tracking earlier, in January this year. The whole system is now ready: when we track a botnet with botspy and find a URL, we download that URL and submit the binary to CWSandbox. The analysis report is then fed back into botspy, so we can also follow botnets that change their C&C server or install other kinds of remote-control software. In total, we have collected 441 unique binaries that way during the last few weeks.
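The feedback loop just described, written out as an added example; this is not botspy or CWSandbox code. Everything here is an assumption made so that it runs offline: the channel traffic is plain IRC PRIVMSG lines, the download step is replaced by a constructed table of byte strings keyed by URL, and the sandbox report is assumed to have already been reduced to a small dict with a "connections" list (the real CWSandbox report format is not shown on this page). The addresses are from the TEST-NET ranges, so nothing points at a real host.

```python
"""Added example of the botnet-tracking feedback loop (not botspy code).

Hypothetical pieces: IRC-style channel lines, an offline download table,
and a reduced sandbox report dict. Samples are keyed by SHA-256 so a
binary pushed repeatedly to the channel is stored only once.
"""
import hashlib
import re
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Constructed channel traffic (not real captures). TEST-NET-2 addresses.
SAMPLE_CHANNEL_LINES = [
    ":m!u@h PRIVMSG #x :.download http://198.51.100.7/u.exe 1",
    ":m!u@h PRIVMSG #x :.download http://198.51.100.7/u.exe 1",  # repeat push
    ":m!u@h PRIVMSG #x :.update http://198.51.100.9/files/kl.exe",
    ":m!u@h PRIVMSG #x :hello everyone",
]

# Constructed stand-in for the fetch step (not real binaries).
FAKE_DOWNLOADS: Dict[str, bytes] = {
    "http://198.51.100.7/u.exe": b"MZ...bot-build-A",
    "http://198.51.100.9/files/kl.exe": b"MZ...keylogger-B",
}

# Hypothetical reduced form of a sandbox report: observed connections.
SAMPLE_REPORT = {
    "connections": [
        {"host": "198.51.100.7", "port": 6667, "proto": "tcp"},  # known C&C
        {"host": "203.0.113.5", "port": 6667, "proto": "tcp"},   # new C&C
        {"host": "198.51.100.7", "port": 53, "proto": "udp"},    # DNS, ignore
    ]
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
Endpoint = Tuple[str, int]


def extract_urls(lines: Iterable[str]) -> List[str]:
    """Return every distinct URL seen in channel traffic, in first-seen order."""
    seen: Set[str] = set()
    out: List[str] = []
    for line in lines:
        for url in URL_RE.findall(line):
            url = url.rstrip(".,;)")  # chat text often has trailing punctuation
            if url not in seen:
                seen.add(url)
                out.append(url)
    return out


def fetch(url: str) -> bytes:
    """Offline stand-in for the download; real code fetches inside an isolated network."""
    return FAKE_DOWNLOADS[url]


def collect_unique(urls: Iterable[str], store: Dict[str, bytes]) -> List[str]:
    """Download each URL, key the sample by SHA-256, return hashes new to the store."""
    new: List[str] = []
    for url in urls:
        data = fetch(url)
        digest = hashlib.sha256(data).hexdigest()
        if digest not in store:
            store[digest] = data
            new.append(digest)
    return new


def cnc_from_report(report: dict) -> Set[Endpoint]:
    """(host, port) pairs the sandboxed sample opened TCP connections to."""
    return {(c["host"], int(c["port"]))
            for c in report.get("connections", [])
            if c.get("proto", "tcp") == "tcp"}


def feedback(tracked: Set[Endpoint], report: dict) -> Set[Endpoint]:
    """Endpoints in the report that the tracker does not yet follow."""
    return cnc_from_report(report) - tracked


def run_cycle(lines: Iterable[str], tracked: Set[Endpoint],
              store: Dict[str, bytes],
              analyze: Callable[[bytes], dict]) -> Tuple[List[str], Set[Endpoint]]:
    """One tracking iteration: extract URLs, collect new samples, submit each to
    `analyze` (the sandbox stand-in) and add newly seen C&C endpoints to `tracked`."""
    new_hashes = collect_unique(extract_urls(lines), store)
    discovered: Set[Endpoint] = set()
    for digest in new_hashes:
        discovered |= feedback(tracked, analyze(store[digest]))
    tracked |= discovered
    return new_hashes, discovered


if __name__ == "__main__":
    tracked: Set[Endpoint] = {("198.51.100.7", 6667)}
    store: Dict[str, bytes] = {}
    hashes, found = run_cycle(SAMPLE_CHANNEL_LINES, tracked, store,
                              lambda data: SAMPLE_REPORT)
    print(len(hashes), "new samples;", "new C&C:", found)
```

The de-duplication by hash is what makes the "441 unique binaries" count meaningful: the same file is often pushed to the channel many times, and the same URL may serve a different build later. In a real deployment the `fetch` and `analyze` stand-ins are the only parts that leave the host, so they are also the parts to run from an isolated network.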

These binaries are typically some kind of bot or keylogger. The detection rate of common AV software is usually poor, presumably because the vendors do not yet have a sample. The following report is from ClamAV: 153 of the 441 files (about 35%) were detected, and the signature list below shows only the most frequent signatures, so the per-signature counts do not add up to the total.
----------- SCAN SUMMARY -----------
Known viruses: 113987
Engine version: 0.90.1
Scanned directories: 1
Scanned files: 441
Infected files: 153
Data scanned: 222.17 MB
Time: 73.564 sec (1 m 13 s)

Detected malware:
288: OK
17: Exploit.DCOM.Gen
14: Trojan.Mybot-1445
6: Trojan.Spybot.gen-2
4: Trojan.SdBot-4179
4: Trojan.IRCBot-798
3: W32.Parite.B
3: Trojan.IRC.Flood.AQ
3: Trojan.Ioffer
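An added example, not from the post, of how a per-signature summary like the one above is produced from clamscan output and how the detection rate is computed. It assumes clamscan's default per-file line format ("<path>: <signature> FOUND" or "<path>: OK") followed by the summary block; the scan lines below are constructed, not the post's 441-file run, and the consistency check against the summary block is the part a practitioner wants when the list is truncated.

```python
"""Added example (not from the post): aggregate clamscan per-file output into
a per-signature table, compute the detection rate, and check the counts
against clamscan's own summary block."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed clamscan output in the default format (not the post's run).
SAMPLE_CLAMSCAN_OUTPUT = """\
/samples/0a1.exe: Trojan.Mybot-1445 FOUND
/samples/0a2.exe: OK
/samples/0a3.exe: Exploit.DCOM.Gen FOUND
/samples/0a4.exe: Trojan.Mybot-1445 FOUND
/samples/0a5.exe: OK
/samples/0a6.exe: Trojan.SdBot-4179 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 113987
Engine version: 0.90.1
Scanned files: 6
Infected files: 4
"""

# Per-file result line; "Empty file", "ERROR" and similar lines are skipped.
FILE_LINE = re.compile(r"^(?P<path>.+?): (?:(?P<sig>.+) FOUND|OK)$")
SUMMARY_LINE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<val>.+)$")


def parse_clamscan(text: str) -> Tuple[Counter, Dict[str, str]]:
    """Return (Counter of signature -> files, incl. 'OK' for clean files,
    summary dict from the SCAN SUMMARY block)."""
    sigs: Counter = Counter()
    summary: Dict[str, str] = {}
    in_summary = False
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if line.startswith("-----"):
            in_summary = True
            continue
        if in_summary:
            m = SUMMARY_LINE.match(line)
            if m:
                summary[m["key"]] = m["val"]
            continue
        m = FILE_LINE.match(line)
        if m:
            sigs[m["sig"] or "OK"] += 1
    return sigs, summary


def detection_rate(sigs: Counter) -> Tuple[int, int, float]:
    """(infected, scanned, infected/scanned) from the per-signature counts."""
    total = sum(sigs.values())
    infected = total - sigs.get("OK", 0)
    return infected, total, (infected / total if total else 0.0)


def top_signatures(sigs: Counter, n: int = 10) -> List[Tuple[str, int]]:
    """Most frequent signatures, clean files excluded."""
    return [(s, c) for s, c in sigs.most_common() if s != "OK"][:n]


def consistent_with_summary(sigs: Counter, summary: Dict[str, str]) -> bool:
    """True if the per-file counts match clamscan's own summary block."""
    infected, total, _ = detection_rate(sigs)
    return (int(summary.get("Scanned files", -1)) == total
            and int(summary.get("Infected files", -1)) == infected)


if __name__ == "__main__":
    sigs, summary = parse_clamscan(SAMPLE_CLAMSCAN_OUTPUT)
    infected, total, rate = detection_rate(sigs)
    print(f"{infected}/{total} detected ({rate:.1%}), "
          f"summary consistent: {consistent_with_summary(sigs, summary)}")
    for sig, count in top_signatures(sigs):
        print(f"{count}: {sig}")
```

Applied to the post's numbers (288 clean out of 441), `detection_rate` gives the 153 infected files, 34.7%, that the summary above reports.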
