Even More Malwares!

Well, my malware project at themalwares.com hit the 6 million mark sometime last week, and the scrapers and such are continuing to add new samples all the time.

On top of that, the site should be fairly HA now between Heroku, a MongoDB replica set and Amazon S3 hosting the samples; given it's a personal project, I suppose that could be a bit of overkill, however.

If you're interested in supporting the project, trading samples or something else, please reach out. I'm always open to new things.

perf-tools for RHEL 6

I've forked Brendan Gregg's excellent perf-tools repository in order to put in various fixes to ensure compatibility with RHEL/CentOS 6. The fixes shouldn't cause any issues with other non-RHEL 6 releases; however, they haven't been fully tested.

Get it here: https://github.com/dcmorton/perf-tools

Chinese BitTorrent DDoS Mitigation

Here lately there's been lots of talk about the Great Firewall of China's DNS poisoning and inadvertently (?) DDoS'ing servers all over.

The typical requests look similar to this:

125.77.141.10 - - [17/Jan/2015:04:51:21 +0000] "GET /announce.php?info_hash=%D6%BA%3E%2B%BC%86%5D%16%EED%D7%ADSFi%A5%13b%14%82&peer_id=%2DSD0100%2D%C6%D5%87%2F%0C%C1y%3E%F6%F5%14%1E&ip=192.168.1.104&port=13423&uploaded=820039352&downloaded=820039352&left=712758596&numwant=200&key=2204&compact=1 HTTP/1.0" 403 214 "tracker.thepiratebay.org"  
211.100.51.150 - - [17/Jan/2015:04:51:21 +0000] "GET /474x/0c/3c/1a/0c3c1ab61ea01f0ed7ddcab06daf4cd9.jpg HTTP/1.1" 403 252 "media-cache-ec0.pinimg.com"  
182.38.2.198 - - [17/Jan/2015:04:51:21 +0000] "GET /announce?info_hash=%BD%F4%CC%EC%A2%21L%B7X%E9%99%CA%22%DCE%7D%C1%92%2D%C9&peer_id=%2DSD0100%2D%EB%A4%D5%40%0C%FE%E1%9571%0F%CC&ip=192.168.1.101&port=8571&uploaded=776994816&downloaded=776994816&left=1800404992&numwant=200&key=3921&compact=1 HTTP/1.0" 403 210 "a.tracker.thepiratebay.org"  
183.12.184.251 - - [17/Jan/2015:04:51:21 +0000] "GET /announce?info_hash=%D8%21Vd%B5%B8d%D4%17%D4%D7g%F6i%3B%B6%2D%E7lN&peer_id=%2DSD0100%2Da%20%91l%F2B%EF%BD%8C%D3%7B%B1&ip=192.168.0.112&port=10141&uploaded=3291119737&downloaded=3291119737&left=235912704&numwant=200&key=32232&compact=1 HTTP/1.0" 403 210 "vip.tracker.thepiratebay.org"  
223.104.5.155 - - [17/Jan/2015:04:51:21 +0000] "GET /searchbox/alba.js HTTP/1.1" 403 219 "api.popin.cc"  
183.224.92.81 - - [17/Jan/2015:04:51:21 +0000] "GET /crossdomain.xml HTTP/1.1" 403 217 "livepassdl.conviva.com"  
113.57.186.42 - - [17/Jan/2015:04:51:21 +0000] "GET /announce.php?info_hash=%7F6%E9%12%E3%13%AEk%3C%03%15I%9A%028%E1%81%88%1D%11&peer_id=%2DSD0100%2DX%23%CFW%A7%9A%FF%14%91%F7%15%3E&ip=182.83.160.218&port=28388&uploaded=883389509&downloaded=883389509&left=330836393&numwant=200&key=15941&compact=1 HTTP/1.0" 403 214 "vip.tracker.thepiratebay.org"  
122.90.95.227 - - [17/Jan/2015:04:51:21 +0000] "GET /banners/108499/livedealer_ca_sc_300x250%20short.gif HTTP/1.1" 403 251 "static.exoclick.com"  
183.252.230.114 - - [17/Jan/2015:04:51:21 +0000] "GET /announce?info_hash=z%21%1A%89%DAn%BFU2%81%23O%A5%00cf%3Fw%9BY&peer_id=%2DSD0100%2D%0DH%1F%87%EB%D7%9F%E5%10%0C%A70&ip=183.252.230.114&port=12021&uploaded=319029248&downloaded=319029248&left=524288&numwant=200&key=13387&compact=1 HTTP/1.0" 403 210 "vip.tracker.thepiratebay.org"  
106.112.224.119 - - [17/Jan/2015:04:51:21 +0000] "GET /crossdomain.xml HTTP/1.1" 403 217 "livepassdl.conviva.com"  

I whipped up the following iptables rules to drop the BitTorrent announce traffic so it never hits Apache/nginx/etc.

iptables -I INPUT -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /announce.php?info_hash=' -j DROP  
iptables -I INPUT -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /announce?info_hash=' -j DROP  
iptables -I INPUT -m state --state INVALID -j DROP  
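
An added example (not from the original post): a bash/awk pass over access-log lines in the format above that marks which requests the two string rules would drop and which still reach the web server, grouped by Host header. The sample lines are constructed from the excerpt with shortened query strings and documentation addresses, and matching on the start of the logged request line is an assumption that approximates the packet-level string match.

```bash
#!/usr/bin/env bash
# Strings copied from the two --string rules above.
PAT1='GET /announce.php?info_hash='
PAT2='GET /announce?info_hash='

# Constructed sample in the excerpt's format: paths and Host values follow the
# excerpt, query strings are shortened, source addresses are documentation IPs.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [17/Jan/2015:04:51:21 +0000] "GET /announce.php?info_hash=%D6%BA&numwant=200 HTTP/1.0" 403 214 "tracker.thepiratebay.org"
192.0.2.11 - - [17/Jan/2015:04:51:21 +0000] "GET /crossdomain.xml HTTP/1.1" 403 217 "livepassdl.conviva.com"
192.0.2.12 - - [17/Jan/2015:04:51:21 +0000] "GET /announce?info_hash=%BD%F4&numwant=200 HTTP/1.0" 403 210 "vip.tracker.thepiratebay.org"
192.0.2.13 - - [17/Jan/2015:04:51:21 +0000] "GET /searchbox/alba.js HTTP/1.1" 403 219 "api.popin.cc"
192.0.2.14 - - [17/Jan/2015:04:51:21 +0000] "GET /announce.php?info_hash=%7F6&numwant=200 HTTP/1.0" 403 214 "vip.tracker.thepiratebay.org"
192.0.2.15 - - [17/Jan/2015:04:51:21 +0000] "GET /crossdomain.xml HTTP/1.1" 403 217 "livepassdl.conviva.com"
EOF
}

# One line per request: "<verdict> <Host>". Splitting on double quotes makes
# $2 the request line and $4 the logged Host header.
# Assumption: a request line that begins with one of the rule strings stands in
# for a packet the iptables string match would drop.
classify() {
  awk -F'"' -v p1="$PAT1" -v p2="$PAT2" '{
    verdict = (index($2, p1) == 1 || index($2, p2) == 1) ? "DROP" : "PASS"
    print verdict, $4
  }'
}

# Request counts per verdict and Host header, busiest first.
flood_summary() {
  classify | awk '{ n[$0]++ } END { for (k in n) print n[k], k }' |
    LC_ALL=C sort -k1,1nr -k2
}

# Number of requests the two string rules would leave for the web server.
passed_count() { classify | grep -c '^PASS ' || true; }

sample_log | flood_summary
```

On the sample, three of the six requests come out as PASS: the non-announce GETs for other hostnames fall outside what the two string rules match.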

themalwares.com

Been quite a long time coming, but I've finally got a site put together that allows you to search my malware samples. Visit it at the link below:

themalwares.com

New Malware Script

Just committed the new script to submit malware samples to VirusTotal and save the results in MongoDB; find it here.

I've also cleaned up the README on the MalwareTools repo to make things a bit prettier.

Please grab the script and give it a run!

Ugly one-liner for gzip'ed gzip files

Had to rig up this one-liner to un-screw a situation where logrotate was configured to rotate and compress all files in a directory, including ones that had already been rotated and compressed; this sort of configuration led to gzip'ed gzip files like this:

error_log-20141109.gz-20141111.gz-20141113.gz-20141115.gz-20141117.gz-20141119.gz-20141121.gz-20141123.gz-20141125.gz-20141127.gz-20141129.gz-20141201.gz-20141203.gz-20141205.gz-20141207.gz-20141209.gz-20141211.gz-20141213.gz-20141215.gz  

The one-liner I put together to loop through and gunzip the many gzip'ed layers is:

for i in *.gz-*; do loops=$(echo "$i" | awk 'END{print _}{_+=NF-3}' FS=".gz"); filename=$(echo "$i" | cut -d '-' -f 1,2); zcat "$i" > "$filename"; for a in $(seq "$loops"); do gunzip -c "$filename" > "$filename-tmp"; mv -f "$filename-tmp" "$filename"; done; rm -f "$i"; done

Very ugly, but you do end up with all the files in your directory named and working the way they should.
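
An added example (not the original one-liner): the same cleanup done by inspecting content instead of counting ".gz" in the file name, peeling layers while the payload inside the current layer still starts with the gzip magic bytes 1f 8b. The function names and the demo file contents are made up for illustration; the source file is left in place until the result has been written.

```bash
#!/usr/bin/env bash
# True when the stream on stdin starts with the gzip magic bytes 1f 8b.
is_gzip_stream() {
  [ "$(head -c 2 | od -An -tx1 | tr -d ' \n')" = "1f8b" ]
}

# Copy $1 to $2, removing outer gzip layers until exactly one remains.
# A plain-text log never begins with 1f 8b, so the loop stops at the layer
# that wraps the real log data.
peel_to_single_gzip() {
  local src=$1 dst=$2 tmp
  tmp=$(mktemp "${dst}.XXXXXX") || return 1
  cp -- "$src" "$tmp" || { rm -f -- "$tmp"; return 1; }
  # Keep unwrapping while what is inside the current layer is itself gzip.
  while gzip -dc < "$tmp" 2>/dev/null | is_gzip_stream; do
    if gzip -dc < "$tmp" > "$tmp.next"; then
      mv -f -- "$tmp.next" "$tmp"
    else
      rm -f -- "$tmp" "$tmp.next"
      return 1
    fi
  done
  mv -f -- "$tmp" "$dst"
}

# Constructed demo: a log line compressed three times, named the way the
# misconfigured logrotate would have named it.
demo() {
  local d nested
  d=$(mktemp -d) || return 1
  nested="$d/error_log-20141109.gz-20141111.gz-20141113.gz"
  printf 'constructed log line\n' | gzip -c | gzip -c | gzip -c > "$nested"
  peel_to_single_gzip "$nested" "$d/error_log-20141109.gz" &&
    gzip -dc < "$d/error_log-20141109.gz"
  rm -rf -- "$d"
}

demo
```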