Community Malware Collection

Cowpipe (Thread author)
Jun 16, 2014
I just had this idea which seems a little crazy but it might just work, lots of people come to this forum and many others looking for help removing viruses and infections from their computer, but few of us get a chance to analyse these samples. :(

So I was thinking, what if there were an automated tool that an infected user would run, that would collect data from the log files of AdwCleaner, HitmanPro or whatever else, zip those malicious files (before they were removed) into an encrypted, password-protected archive (so the user would not have a chance to be infected by accidentally opening the archive), and upload the archive to some server, where the samples could be distributed to anyone interested in researching them. Of course it would be opt-in, so they wouldn't have to if they didn't want to, etc. :D

It's sort of like a community honeypot, only instead of automated services, it's real users, clicking on things they shouldn't and getting one infection after another, often viruses and trojans that you don't see turning up in Honeypots. :cool::p

Just an idea anyway, any thoughts?
 

Dubseven
Aug 12, 2013
I was thinking about a program that will be able to recognise suspicious files on a computer (without MBAM/HitmanPro) and upload them for analysis :)

It's a great idea, but a hard one as well.
We can find so many suspicious files, depending on the computer. And uploading all of them to a malware scanner or a web host will take a lot of time and storage on the server, or will block access to the scanner.
 

Cowpipe (Thread author)
Jun 16, 2014
Yeah, was thinking of making this myself too, so a team of three of us so far interested is good news :D

@Dubseven - We would need to extract the scanned file paths (of infected files) from each type of log (e.g. AdwCleaner, HitmanPro, etc.), so simple string parsing should do the trick; maybe it's faster to use RegEx, depends on the language I guess (I use basic string operations in my AntiVir log parser). Not sure if either of these programs includes the detection name in the logs, but if not we can grab that from hashing the included files later anyway, so not a problem :)

@Malware1 - Good idea if you can pull it off :)
 

Cowpipe (Thread author)
Jun 16, 2014
Dubseven said:
Okay, I will put an example here in a few minutes.
Can you provide me with an example of AdwCleaner/HitmanPro logs?

Here's a recent AdwCleaner log from a user who has run the program but not removed any of the infections:

http://malwaretips.com/attachments/adwcleaner-r2-txt.13397/

So where it says 'Folder Found' we'd probably want to get the contents of that folder as all are likely to be suspect. As for browser extensions and such, again we could trace back the files etc.

I'll have a look around and see if I can find any HitmanPro logs where files haven't been deleted, or if I can't, I'll make one myself :)
 

Malware1
Sep 28, 2011
For AdwCleaner, if the user has already removed the detected adware, it is enough to upload these folders: %systemdrive%\AdwCleaner\Backup and %systemdrive%\AdwCleaner\Quarantine

or better %systemdrive%\AdwCleaner, so the pack will include log files which can be useful :)
 

Cowpipe (Thread author)
Jun 16, 2014
Malware1 said:
For AdwCleaner, if the user has already removed the detected adware, it is enough to upload these folders: %systemdrive%\AdwCleaner\Backup and %systemdrive%\AdwCleaner\Quarantine

or better %systemdrive%\AdwCleaner, so the pack will include log files which can be useful :)

Now that makes life so much easier :D Thanks for the tip, I'll see if I can come up with a proof of concept program and post it up tonight (with the source-code) :)
 

Dubseven
Aug 12, 2013
Url, yes, file path.

Did you run it as Administrator?
Did you extract everything into the same folder?
What did you type?
 

Cowpipe (Thread author)
Jun 16, 2014
Here's my attempt, very very basic, put together in about 3 mins. If it finds the AdwCleaner folder at C:\Adwcleaner it zips it to the current directory ready for uploading.

I'll work on a version later this evening (when I have some more time) that will detect where the logs and quarantine files are for multiple programs and zip it all in one neat package. But you get the idea, proof of concept stuff :)
 

Attachments: cowcollect.zip (90.1 KB)

Malware1
Sep 28, 2011
@Dubseven @Cowpipe
Good work guys :)

How are HitmanPro quarantined files stored? As normal files, or are they compressed in some way? I can't get files from Malwarebytes' quarantine from the folder in C:\ProgramData, for example; I have to use the option in the program.
 

Cowpipe (Thread author)
Jun 16, 2014
Malware1 said:
@Dubseven @Cowpipe
Good work guys :)

How are HitmanPro quarantined files stored? As normal files, or are they compressed in some way? I can't get files from Malwarebytes' quarantine from the folder in C:\ProgramData, for example; I have to use the option in the program.

I'll have a look into it. One of the annoying things about Malwarebytes is that with the new version 2 they've dropped the command line support, so you can't, say, run a scan, get the files from the log and then remove them from code; you have to do it all from the GUI. If I don't post it up tonight it will be tomorrow morning anyway, and I'll post up the source (I didn't think 15 lines was worth posting above).
 

Mateotis
Mar 28, 2014
Great idea @Cowpipe, nice progress already! Really sounds like a plan. :) Let's see how I can contribute...

Malware1 said:
How are HitmanPro quarantined files stored? As normal files, or are they compressed in some way? I can't get files from Malwarebytes' quarantine from the folder in C:\ProgramData, for example; I have to use the option in the program.

HitmanPro stores the quarantined files in the same way as Malwarebytes, in C:\ProgramData\HitmanPro\Quarantine. It also has a folder for logs in the same HitmanPro directory. The file names are randomly generated and their extension is lost. Not sure if they are still accessible.
 
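Added example, not part of the thread and not the code in cowcollect.zip: a stand-alone collector that does what the thread sketches end to end. It pulls "Folder Found" / "File Found" paths out of an AdwCleaner-style log (Cowpipe's parsing idea), grabs whole tool directories such as the AdwCleaner folder or the HitmanPro quarantine when they exist (Malware1's tip and Mateotis's path), skips anything already removed, and zips everything with a SHA-256 manifest so detection names can be looked up by hash later. The log line shapes, the tool directory paths and the demo's fake infection are constructed assumptions, not a verified spec of either product; the quarantine files are copied as-is, whatever their internal format.

```python
"""Collect files flagged by cleaning tools into a zip with a SHA-256 manifest (added example)."""
import hashlib
import json
import re
import tempfile
import zipfile
from pathlib import Path

# Assumed log line shape (constructed from the thread; verify against a real log):
#   Folder Found : C:\Program Files (x86)\Example
#   File Found : C:\Users\User\AppData\Local\Temp\dropper.exe
FOUND_RE = re.compile(r"^\s*(Folder|File) Found\s*:\s*(.+?)\s*$")

# Candidate tool directories mentioned in the thread (assumed; adjust per system).
DEFAULT_TOOL_DIRS = [
    r"C:\AdwCleaner",                        # logs plus Backup/Quarantine subfolders
    r"C:\ProgramData\HitmanPro\Quarantine",  # names randomised, extension lost
    r"C:\ProgramData\HitmanPro\Logs",
]


def parse_adwcleaner_log(text):
    """Return (kind, path) tuples, kind in {'folder', 'file'}, in log order."""
    hits = []
    for line in text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            hits.append((m.group(1).lower(), m.group(2)))
    return hits


def expand_hits(hits):
    """Turn folder hits into the files beneath them; skip anything already removed."""
    files = []
    for kind, raw in hits:
        p = Path(raw)
        if kind == "folder" and p.is_dir():
            files.extend(q for q in sorted(p.rglob("*")) if q.is_file())
        elif kind == "file" and p.is_file():
            files.append(p)
    return files


def gather_tool_dirs(tool_dirs=DEFAULT_TOOL_DIRS):
    """Whole-directory grab: every file under each tool directory that exists."""
    files = []
    for d in map(Path, tool_dirs):
        if d.is_dir():
            files.extend(q for q in sorted(d.rglob("*")) if q.is_file())
    return files


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_archive(files, archive_path):
    """Zip the files plus manifest.json ({archive name: sha256}); return the manifest.

    Samples get a '.bin' suffix so a stray double-click does nothing. zipfile cannot
    write password-protected archives, so wrap the result before uploading, e.g. with
    7-Zip (assumed installed): 7z a -p<password> -mhe=on samples.7z collected.zip
    """
    manifest = {}
    seen = set()
    with zipfile.ZipFile(archive_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for f in files:
            f = f.resolve()
            if f in seen:          # the log and a tool dir may name the same file
                continue
            seen.add(f)
            # Drop the drive/root anchor so the archive holds no absolute paths.
            parts = f.parts[1:] if f.is_absolute() else f.parts
            arc = "samples/" + "/".join(parts) + ".bin"
            zf.write(f, arc)
            manifest[arc] = sha256_of(f)
        zf.writestr("manifest.json", json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def demo():
    """End-to-end run on a constructed fake infection laid out under a temp dir."""
    tmp = Path(tempfile.mkdtemp())
    toolbar = tmp / "Program Files (x86)" / "ExampleToolbar"
    toolbar.mkdir(parents=True)
    (toolbar / "toolbar.dll").write_bytes(b"MZ constructed sample, not real malware")
    dropper = tmp / "Temp" / "dropper.exe"
    dropper.parent.mkdir()
    dropper.write_bytes(b"MZ constructed sample 2")
    quarantine = tmp / "AdwCleaner" / "Quarantine"
    quarantine.mkdir(parents=True)
    (quarantine / "Q0001").write_bytes(b"constructed quarantined blob")
    log = "\n".join([
        "# constructed AdwCleaner-style excerpt",
        "***** [ Folders ] *****",
        f"Folder Found : {toolbar}",
        f"Folder Found : {tmp / 'AlreadyRemoved'}",   # gone -> skipped
        "***** [ Files ] *****",
        f"File Found : {dropper}",
    ])
    hits = parse_adwcleaner_log(log)
    files = expand_hits(hits) + gather_tool_dirs([str(tmp / "AdwCleaner")])
    archive = tmp / "collected.zip"
    manifest = build_archive(files, archive)
    with zipfile.ZipFile(archive) as zf:
        names = sorted(zf.namelist())
    return {"hits": len(hits), "files": len(files), "names": names, "manifest": manifest}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real machine you would feed `parse_adwcleaner_log` the contents of the AdwCleaner report and call `gather_tool_dirs()` with no arguments; the "Folder Found" path that no longer exists in the demo shows why the collector must be run (or the tool folders grabbed) before the user hits Clean.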
