Security Incidents mailing list archives
Re: Malware IRC/DNS Network Activity
From: "Matteo Cantoni" <matteo.cantoni () nothink org>
Date: Fri, 9 May 2008 09:42:32 +0200 (CEST)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Matteo Cantoni wrote:Hi list, with my adsl + soekris + openbsd + honeypot + perl I made a simple pages about "Malware IRC/DNS Network Activity". http://www.nothink.org/malware/report/hash-a.html These pages will be update automatically every day. You can also download a "TOTAL CSV FILE" with these informations: md5,file size, anubis results, dns query, irc server, irc server asn, irc server asn_org, irc server geo, irc nickname, irc username, irc password, irc channel, irc topic. http://www.nothink.org/malware/report/hash.csv For this moment have been identified around 900 distinct binaries. I think that you have already this informations but maybe it could be useful for your works. Ciao, Matteo CantoniHi Matteo, Two questions: How do arrive at 'distinct binaries'? More specifically, how do you determine that they are not simply repacked copies of common malware? THANKS! Jon Kibler
You are right. I have only 'distinct md5' for this moment. I could add : - some checks to verify the sandbox's results; - anti virus test; I'm waiting for new hardware :) Thanks, Matteo
Current thread:
- Malware IRC/DNS Network Activity Matteo Cantoni (May 08)
- Re: Malware IRC/DNS Network Activity Jon Kibler (May 08)
- Re: Malware IRC/DNS Network Activity Matteo Cantoni (May 09)
- Re: Malware IRC/DNS Network Activity Jon Kibler (May 08)