Collecting Malware via Botnet Tracking
Friday, May 4. 2007
I blogged about collecting malware via botnet tracking earlier in January this year. The whole system is now ready: when we track a botnet with botspy and find a URL, we download that URL and submit it to CWSandbox. The analysis report is then fed back into botspy, so we can also follow botnets that change the C&C server or install other kinds of remote control software. In total, we have collected 441 unique binaries that way during the last few weeks.
These binaries are typically some kind of bot or keylogger. The detection rate of common AV software is typically rather poor, presumably because the vendors do not yet have a sample. The following report is for ClamAV:
----------- SCAN SUMMARY -----------
Known viruses: 113987
Engine version: 0.90.1
Scanned directories: 1
Scanned files: 441
Infected files: 153
Data scanned: 222.17 MB
Time: 73.564 sec (1 m 13 s)
Detected malware:
288: OK
17: Exploit.DCOM.Gen
14: Trojan.Mybot-1445
6: Trojan.Spybot.gen-2
4: Trojan.SdBot-4179
4: Trojan.IRCBot-798
3: W32.Parite.B
3: Trojan.IRC.Flood.AQ
3: Trojan.Ioffer
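As an added example (not code from the original post or from the botspy/CWSandbox setup it describes), the following Python script tallies clamscan's per-file verdicts into the "count: signature" layout shown above, computes the detection rate, and cross-checks the tally against clamscan's own SCAN SUMMARY. The scan output it parses is constructed sample data, not the real 441-file scan.

```python
import re
from collections import Counter

# Constructed clamscan output (not the post's real scan): one "path: VERDICT" line per file,
# where VERDICT is "OK" or "<Signature> FOUND", followed by clamscan's summary block.
SAMPLE_SCAN = """\
/samples/0a1b.exe: OK
/samples/1c2d.exe: Exploit.DCOM.Gen FOUND
/samples/2e3f.exe: Trojan.Mybot-1445 FOUND
/samples/3g4h.exe: OK
/samples/4i5j.exe: Exploit.DCOM.Gen FOUND
/samples/5k6l.exe: Trojan.Spybot.gen-2 FOUND
/samples/6m7n.exe: OK
----------- SCAN SUMMARY -----------
Scanned files: 7
Infected files: 4
"""

VERDICT_RE = re.compile(r"^(?P<path>.+?): (?:(?P<sig>\S+) FOUND|OK)$")
SUMMARY_RE = re.compile(r"^(Scanned files|Infected files): (\d+)$")

def tally_clamscan(output: str) -> Counter:
    """Count files per signature; clean files are counted under 'OK'."""
    counts = Counter()
    for line in output.splitlines():
        m = VERDICT_RE.match(line)
        if m:  # summary lines and blanks do not match and are skipped
            counts[m.group("sig") or "OK"] += 1
    return counts

def parse_summary(output: str) -> dict:
    """Pull the integer fields out of the SCAN SUMMARY block."""
    return {m.group(1): int(m.group(2))
            for m in map(SUMMARY_RE.match, output.splitlines()) if m}

def detection_rate(counts: Counter) -> float:
    """Fraction of scanned files that matched any signature."""
    total = sum(counts.values())
    return 0.0 if total == 0 else (total - counts["OK"]) / total

def tally_matches_summary(output: str) -> bool:
    """Sanity check: per-file verdicts must add up to clamscan's own totals."""
    counts, summary = tally_clamscan(output), parse_summary(output)
    infected = sum(n for sig, n in counts.items() if sig != "OK")
    return (summary.get("Scanned files") == sum(counts.values())
            and summary.get("Infected files") == infected)

def format_report(counts: Counter) -> str:
    """Render the tally in the 'count: name' layout used in the post."""
    return "\n".join(["Detected malware:"] + [f"{n}: {s}" for s, n in counts.most_common()])
```

Run against a real `clamscan -r` log, the OK count and per-signature tally give the same view of coverage as the list above, and the summary cross-check catches truncated or interleaved logs.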