Monday, May 6, 2013

Library of Malware Traffic Patterns


Update May 6, 2013: We added the ability to download the corresponding samples and pcaps (when available). Same password scheme as Contagio; email Mila if needed.

Traffic analysis has long been a primary method of malware identification, and the thousands of IDS signatures written for it are the daily proof. Signatures definitely help, but the ability to visually recognize malware traffic patterns has always been an important skill for anyone tasked with network defense. The number of malware analysis blogs and papers is overwhelming, and it is difficult to keep track of malware features if you don't have access to a well designed and constantly updated malware database. This started as a "personal notes" spreadsheet of GET and POST requests for different malware families, compiled from open sources. We decided others might find it useful too.


This list is not meant to be the only way to identify malware families; it is an aid and a reference. We will be adding data from our own research and online publications. (Hint: please send us links to add.)

The References column is a good source of links for malware analysis and resources on different families. The second tab, "EZ Lookup", offers a more condensed view that allows easier sorting. The Links tab gives a resource list, and the TBD tab shows entries for malware for which we don't have common or public names. The list features all types of malware: cybercrime, APT and hacktivism.

VIEW OR DOWNLOAD "MALWARE TRAFFIC PATTERNS" SPREADSHEET 


To download (you might miss updates if you decide to use a static copy), click File - Download As in the spreadsheet view. To sort any column, click View - List. Your sorting will not affect other visitors.
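As an added example (not part of the original post, and not the spreadsheet's own tooling), the Python below shows how the table's GET/POST columns can be used programmatically rather than by eye: it parses HTTP requests carved from a pcap, collapses the per-victim variable parts of the URI (bot IDs, counters, encoded blobs) into a normalized key, and looks that key up in a small pattern table. The family names and patterns in it are constructed placeholders, not real malware indicators. Parsing keys off the request text rather than the TCP port, so plaintext HTTP on 443 or 8080 is handled the same way as port 80; encrypted payloads are simply skipped.

```python
"""Turn HTTP requests carved from a pcap into lookup keys for a
"malware traffic patterns" table. Added example, not the spreadsheet's
own tooling; family names and patterns are constructed placeholders."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

METHODS = (b"GET", b"POST", b"HEAD", b"PUT")

# Constructed sample payloads, as they would be pulled from TCP streams in a pcap.
SAMPLE_REQUESTS = [
    b"GET /index.php?id=0a1b2c3d4e5f&v=1 HTTP/1.1\r\nHost: example.test\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n",
    b"POST /gate/ HTTP/1.1\r\nHost: 203.0.113.5:8080\r\nUser-Agent: Mozilla/5.0\r\n"
    b"Content-Length: 4\r\n\r\ndata",
    b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26",  # TLS ClientHello: not plaintext, skipped
]

# Constructed, hypothetical pattern table standing in for the spreadsheet's
# GET/POST columns: (family, method, normalized-URI regex, User-Agent regex or None).
PATTERN_TABLE = [
    ("FamilyA (placeholder)", "GET", r"^/index\.php\?id=<hex>&v=<n>$", r"MSIE 6\.0"),
    ("FamilyB (placeholder)", "POST", r"^/gate/$", None),
]


@dataclass
class HttpRequest:
    method: str
    uri: str
    host: str
    user_agent: str


def parse_http_request(payload: bytes) -> Optional[HttpRequest]:
    """Parse the request at the start of a TCP payload, ignoring the port:
    C2 on 8080 or 443 that still speaks plaintext HTTP parses the same way."""
    if not payload.startswith(METHODS):
        return None  # TLS, a binary protocol, or mid-stream data
    head, _, _body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(
        method=parts[0].decode("ascii"),
        uri=parts[1].decode("ascii", "replace"),
        host=headers.get(b"host", b"").decode("ascii", "replace"),
        user_agent=headers.get(b"user-agent", b"").decode("ascii", "replace"),
    )


def normalize_uri(uri: str) -> str:
    """Collapse per-victim variable parts so one table row covers a family:
    long hex runs -> <hex>, base64-looking blobs -> <b64>, digit runs -> <n>."""
    uri = re.sub(r"[0-9a-fA-F]{8,}", "<hex>", uri)
    uri = re.sub(r"[A-Za-z0-9+/]{16,}={0,2}", "<b64>", uri)
    uri = re.sub(r"\d+", "<n>", uri)
    return uri


def lookup(req: HttpRequest, table=PATTERN_TABLE) -> List[str]:
    """Return every family whose GET/POST pattern matches. Several may match,
    which is why the table is an aid and not a verdict."""
    key = normalize_uri(req.uri)
    hits = []
    for family, method, uri_re, ua_re in table:
        if req.method != method or not re.search(uri_re, key):
            continue
        if ua_re and not re.search(ua_re, req.user_agent):
            continue
        hits.append(family)
    return hits


def triage(payloads) -> List[Tuple[str, List[str]]]:
    """Run each carved payload through parse -> normalize -> lookup."""
    out = []
    for payload in payloads:
        req = parse_http_request(payload)
        if req is None:
            continue
        key = f"{req.method} {req.host}{normalize_uri(req.uri)}"
        out.append((key, lookup(req)))
    return out


if __name__ == "__main__":
    for key, families in triage(SAMPLE_REQUESTS):
        print(key, "->", families or ["no match: candidate for the TBD tab"])
```

The normalization step is the part worth adapting: the placeholders it emits should mirror whatever convention the table uses for variable fields, otherwise a per-bot ID in the URI will defeat an exact-match lookup while still being obvious to a human reader.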


If you think you can and wish to contribute, or have any comments or corrections, please email Andre' or Mila.

14 comments:

  1. This is exceptionally valuable to the community. Thanks for doing this.

  2. Perfect idea!

    Do you intend to publish some kind of mailing list that informs us when your database is added to?

    What do you do when requests are encrypted, or the GET/POST is on a port other than 80?

    Thanks

    Replies
    1. Hi there, no, we plan for it to be low maintenance: see a pattern = add it. Need a reference = visit the link. People have enough spam in their mailboxes, and we have no easy way to deal with the mailings.
      Some of these are on port 443 and others.
      We might add a port column, but also see the links to the publications; they show and explain much more than the table, which is just a lookup reference. Thank you.

  3. Absolutely Spectacular!

  4. Awesome stuff, seriously! Mila and Andre' - keep up the fantastic work!!!

  5. Good stuff. Keep up the great work!!

  6. Thank you for the good feedback!

  7. The fact is that Malsubjects will continue to cause havoc in cyberspace using everything they have in their power. It is time that we all realize that we are fighting a cyberwar where in many cases the malsubjects are winning many of these battles. It’s about time we defend ourselves with ALL we’ve got!

  8. I may have overlooked it, but is the password for the newly downloadable pcaps posted anywhere?


    Thanks,

    Replies
    1. You don't need a password to download the spreadsheet itself: go to File - Save As (you might need to use a Gmail account, not sure). But for the malware and pcap downloads it is the same scheme as on Contagiodump.blogspot.com; please email Mila for the password scheme (click on the name above in the post and replace (at) with @).

  9. Very useful, it's rare to find resources this good on APT

  10. It's a great pleasure that you share the malware pcap files with the public. I have emailed you for the password; I hope for a reply soon. Thank you very much. Those pcap files will help me further my study in APT research.

  11. Amazing resource! Thank you so much.
