How do you organize your malware collection?

[tjs]

Hey all..

I know that there are quite a few malware collectors lurking around, so I have some questions that will hopefully encourage some discussion around a generally undiscussed topic: organizing malware collections.

* What are your favorite malware collection tools for organizing your local collections?
* How do you organize your collections?
   * Do you rename files to their hash?
   * Do you use a specific vendors name?
* Do you have any automation in place to do any of this?
..etc

PS: I'm not interested in corporate solutions... just wondering how folks do this at home.

TJS

[tjs]

I'll start..

I sort my collection by family name, and then I have subdirectories for specific variants

I have any notes/analysis/etc in that directory, and then a directory called 'malware' that contains the actual malware. All malware files are renamed (adding a '_' after the last extention char)


Backdoor.Win32.Rbot/Backdoor.Win32.Rbot.dvh/notes.txt
Backdoor.Win32.Rbot/Backdoor.Win32.Rbot.dvh/malware/malbin.exe_

If i do my own analysis, sometimes i'll include an 'unpacked' directory that will contain memory dumps, unpacked bins, and so on.

As far as automation goes, I have a homebrew crawler that i use to gather malware (I either give it a URL, or it "finds" them via various sources).. This causes the system to download the file, record a bunch of data about it (url, http headers, md5, file type, pe data, etc etc), scan it with my favorite scanner(s) and put it in the right folder structure within my collection. Undetected stuff goes into a different 'undetected' bucket which I then manually rename or rescan at a later date.

Finding stuff is a major pain.. Specially if I only remember some random string or have only an MD5. I have to do a full text search on the root dir, which has been getting slow as my collection has been getting large. I've been tempted to throw everything into a database-- but I don't have the desire to rewrite all my automation and stuff.... Also when at work I have all sorts of other resources that make my home collection look very stupid (so i havent been maintaining it well. blah. )..

TJS

[bobby]

I've pretty much lost the interest in organizing my collection.

Couple of years ago, I was full with enthusiasm, but with a lack of knowledge, and without a clear idea of what I want to do (still do not have a clear idea).
My collection reached 200.000 different malware recognized by KAV in two years.
I was just like a kid - happy to see that the collection is growing (collecting stickers...), nothing else.
One day, I wanted to help someone to find some relatives of an emerging infection, and I became aware that I can't find the samples (but I was sure I do have them).
Why?
Because I didn't trace where some file came from, which files were dropped together etc.
My mistake was that I didn't want any redundant data (200mb legit app coming with 10kb adware), so I have unpacked all that I could, pick up just the files recognized by KAV, and the rest was dropped to a partition where neither the HAL9000 can find what is what.
I have realized that this was a mistake, but too late...
A lot of droppers or downloaders won't work without belonging configuration files, trojans too.
Now, no one can bring the files together anymore.

Renaming to MD5? Yes, I did that. 10% of downloaders are  not working anymore because DLLs needed to start are also renamed to MD5 if these were detected as malware.
Failed to start because gr65.dll not found - that kind of messages I see now when I try o run them in a VM (when I get some free time to play in a VM).

So, as the thing is already damned, I continue to rename to MD5. Folders are organized like this (virus, adware, backdoor...), and subfolders are named according to installers/archives that I can't unpack (no_archive, Instyler, Tarma, NSIS...)
I use LogAnalyzer, by own tool that sort malware according to the reports of AV you use. I wrote some 30 log parsers for different AV programs.
LA can sort in a lot of ways, can make folder structure according to malware family, archive types, packers/protectors etc. etc.
LA was available for download (Win32 and Lin versions) on www.mc-antivirus-test.org, but the domain expired recently.
A couple more tools made by me were available there too (some unpacker for exotic archive types, ADS scanner with copy option, a file-creation watchdog that did copy to a folder all new files - I was running this in a VM to catch dropped files).
I also have somewhere a hook I wrote to disable file deleting - I did use this in a VM to prevent the droppers deleting intermediate files.

[tjs]

I know lots of people that rename all their files to it's md5/sha1. Your points about dependencies by filename makes sense-- I never experienced it because I never did this, and I'm really glad I didn't. At least other people will be able to learn from this.

Note: Don't rename files in your collections to md5.

Thanks for sharing your insights here.. Who's next?

[CM_MWR]

All by md5+date+machine#+pcap+txt file below

filename: c:\duped\01C8E2D9136C84DE_1[1]_exe.PE
filename: c:\duped\01C8E2D9137F97AE_svchost_exe.PE
size....: 40960
md5.....: f09382e2187a804ff34c29eee45313fd
sha1....: cac14b727316791ea82e6415f5ef8d93f6a98e42
sha256..: 7f34f025478629e4cab60e4749072159595f9f2a6330875b1289bf4e408315ca

pe info.: ( base data )
entrypointaddress.: 0x401b88
timedatestamp.....: 0x48136b9e (Sat Apr 26 17:51:26 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name        viradd    virsiz   rawdsiz  ntrpy  md5
.text       0x1000    0xa000    0x1000   5.55  c2d8ebceeb3f9c37b02d8734ec7f9e8a
.data       0xb000    0x9000    0x8200   7.65  7a83a140c32e045de98adec6323342a4
.idata     0x14000    0x1000     0xa00   4.36  f50154f0a26828455738ac8cdfe004fe

( 4 imports ) 
> KERNEL32.dll: EnumDateFormatsExA, DeviceIoControl, ReplaceFileA, SetComputerNameA, GetLastError, GetEnvironmentVariableA, VirtualProtect, SetConsoleOS2OemFormat, TlsSetValue, GetVDMCurrentDirectories, MoveFileWithProgressW, SetProcessAffinityMask, GetProcessAffinityMask
> USER32.dll: SetCursor, GetMonitorInfoW, SetKeyboardState, ChangeDisplaySettingsExW, OemToCharA, VkKeyScanExA, GetInternalWindowPos, DdeSetUserHandle, TileChildWindows, DlgDirListW, DdeReconnect, CharToOemBuffA, WINNLSEnableIME, GetClientRect, VkKeyScanExW, UnpackDDElParam, UserClientDllInitialize, GetCursorFrameInfo
> GDI32.dll: GetTextFaceA, EngComputeGlyphSet, FONTOBJ_pQueryGlyphAttrs, FlattenPath, PolyPatBlt, GetViewportExtEx, SetMiterLimit, EngDeletePalette, STROBJ_vEnumStart, CreateCompatibleDC, GdiGetLocalFont, SelectClipRgn, GetLogColorSpaceW, GetKerningPairsW, GetGlyphOutlineA, WidenPath, GdiGetCharDimensions, GetTextMetricsA, PolyTextOutA, CreateHalftonePalette, GetRasterizerCaps, SetWorldTransform, GetDeviceCaps, GdiIsMetaPrintDC, CreateBitmap, GetBkColor, TranslateCharsetInfo, GetDCPenColor, EnumFontFamiliesW, SetLayoutWidth, SetDIBitsToDevice, OffsetClipRgn, GdiConvertBrush
> COMDLG32.dll: GetSaveFileNameA, FindTextA, PrintDlgW, LoadAlterBitmap, WantArrows, ReplaceTextW, ChooseColorW, ChooseFontW

( 0 exports )

[Orac]

I dont collect malware as such, i just seem to get a lot of it lol.

Its organised either using the link and file path, or in the case of botnets, IRCserver and channel(s). I also keep the md5 of any new scripts.

[tjs]

My sister collects malware in memory.

[CM_MWR]

Dont they call those ex-husbands