r1 - 23 Sep 2008 - 18:04:42 - MattJonkman

Submitting Samples

We are in need of malware samples. Any kind, any type, just send it in to samples@emergingthreats.net.

These samples are ingested by an automated system that unzips anything that is zipped (please use the password "infected" or "virus"; anything else is shunted out to a human). After some normalization and deduplication they are placed in the sandnet's incoming queue.
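A sketch of the receiving side described above, written here as an added illustration rather than Emerging Threats' actual ingest code: open each submission with the agreed passwords, shunt anything else to a human, and deduplicate by SHA-256 before queueing. The passwords, the in-memory zips and the "not a zip" blob are constructed test inputs.

```python
"""Constructed model of the sample-ingest step: unzip with the agreed
passwords, deduplicate by content hash, shunt everything else to a human."""
import hashlib
import io
import zipfile

PASSWORDS = (b"infected", b"virus")   # the two passwords the automated system accepts


def open_submission(blob):
    """Return {filename: bytes} for a zip we can open, or None if a human must look."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return None                    # not a zip at all
    for pwd in PASSWORDS:
        try:
            return {i.filename: zf.read(i, pwd=pwd)
                    for i in zf.infolist() if not i.is_dir()}
        except (RuntimeError, zipfile.BadZipFile):   # bad password for this archive
            continue
    return None                        # unknown password: shunt to a human


def ingest(submissions, queue, seen):
    """Append (sha256, name, data) for each new file to queue; skip hashes in seen.
    Returns (accepted, duplicates, shunted_to_human)."""
    accepted = dupes = shunted = 0
    for blob in submissions:
        files = open_submission(blob)
        if files is None:
            shunted += 1
            continue
        for name, data in files.items():
            digest = hashlib.sha256(data).hexdigest()   # normalize on content, not name
            if digest in seen:
                dupes += 1
                continue
            seen.add(digest)
            queue.append((digest, name, data))
            accepted += 1
    return accepted, dupes, shunted


def make_zip(files):
    """Build an unencrypted zip in memory (constructed test input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

A real submission zipped with `zip -P infected` uses ZipCrypto, which `zipfile` can read with the same `pwd=` call; the test zips here are unencrypted only because the standard library cannot write encrypted archives.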

Samples are analyzed by our sandnet and the results fed to our volunteer analysts. These analysts check that appropriate Snort signatures hit for the infection and CnC activity of each sample. If the sample was undetected we get the rules written and out to the ruleset ASAP!!

If you run Nepenthes ( http://nepenthes.mwcollect.org/ ) you can set it up to submit captured samples to us automatically. Normally Nepenthes drops all of your captured binaries in a single directory. Here's a simple script to zip and password-protect those and send them on to us for analysis:


#!/usr/bin/perl
use strict;
use warnings;
use MIME::Lite;

my $fromAddr   = 'me@mydomain.com';
my $toAddr     = 'samples@emergingthreats.net';
my $ccAddr     = 'me@mydomain.com';
my $smtpServer = 'localhost';
my $nepbinpath = "/usr/local/var/binaries";   # where Nepenthes drops captured binaries
my $zipfile    = "/tmp/samples.zip";

if ( ! -d $nepbinpath ) {
        die $nepbinpath . " does not exist!\n";
}

# Record the exact set of files present now, so a binary that Nepenthes drops
# while we are zipping is not deleted below without having been submitted.
my @files = grep { -f $_ } glob("$nepbinpath/*");

if (@files) {
        # Zip and password-protect the samples; "infected" is one of the
        # passwords the automated ingest accepts. -j stores bare file names.
        system("/usr/local/bin/zip", "-q", "-j", "-P", "infected", $zipfile, @files) == 0
                or die "zip failed with status $?\n";

        my $msg = MIME::Lite->new(
           From    => $fromAddr,
           To      => $toAddr,
           Cc      => $ccAddr,
           Subject => "Nepenthes Samples from $fromAddr",
           Type    => 'multipart/mixed',
        ) or die "Error creating multipart container: $!\n";

        $msg->attach (
           Type        => 'BINARY',
           Path        => $zipfile,
           Filename    => "$fromAddr-samples.zip",
           Disposition => 'attachment'
        ) or die "Error attaching $zipfile: $!\n";

        MIME::Lite->send('smtp', $smtpServer, Timeout => 60);
        $msg->send or die "Error sending samples via $smtpServer\n";

        # Remove only the zip and the files that were actually sent; if the
        # send died above, the samples stay in place for the next run.
        system("rm", "-f", $zipfile, @files);
}



NOTE: This will email and then delete those binaries. If you need to keep them, alter the rm line to do what you'd like, but at the least move them out of that directory so they aren't re-submitted.

If you'd like to be an analyst please contact threats@emergingthreats.net. It is all volunteer; we only ask for whatever time you have available, with no commitments or minimum requirements.

-- MattJonkman - 23 Sep 2008
