The library of malware traffic patterns has been popular. We have found it very useful ourselves, and we encourage you to send your contributions. I know that at some point the spreadsheet will become unwieldy, but I personally find it the easiest format (easy to sort, search, etc.).
Currently, most of the malware described has the corresponding samples and pcaps available for download (email Mila @contagio for the password), such as you see in the links below.
Email us at mila [a t ] Deependresearch.org or adimino [a t] deependresearch.org
The current list of malware described (as of Aug. 9, 2013):
| # | APT | CRIME and HACKTIVISM |
|---|---|---|
| 1 | 9002 | Adware Hotbar |
| 2 | 9002 POST | Andromeda |
| 3 | Banechant 1 | ArcomRat / Dokstormac |
| 4 | Banechant payload dl 2 | Ardamax keylogger |
| 5 | Beebus | Asprox Checkin |
| 6 | Beebus C2 checkin | AsproxGET list of C2s |
| 7 | Beebus data send | AsproxGETs spam template |
| 8 | Comfoo / Vinself / Mspub | Avatar Rootkit |
| 9 | Cookies /Cookiebag / Dalbot | Beebone downloader |
| 10 | Coswid | Bitcoinminer |
| 11 | CVE-2012-0754 SWF in DOC | Blackhole 2 |
| 12 | CVE-2012-0779 | Blackhole v2 |
| 13 | Depyot | Blazebot |
| 14 | Destory Rat / Sogu / Thoper | Carberp |
| 15 | Disttrack / Shamoon | Citadel |
| 16 | DNSWatch / Protux | Cutwail / Pushdo |
| 17 | Downloader BMP | Darkmegi |
| 18 | Einstein | Darkness DDos v8g |
| 19 | Einstein data send | DirtJumper DDoS |
| 20 | Enfal / Lurid | DNSChanger |
| 21 | Favorites | EK - Blackhole 2 landing |
| 22 | Foxy | EK Blackhole 1 |
| 23 | Foxy Checkin | EK Neutrino |
| 24 | Gh0st | EK Phoenix |
| 25 | Gh0st ASP ver | FakeAV var (via Kuluoz - Asprox botnet) |
| 26 | Gh0st PHP ver | Flashback OSX |
| 27 | Gh0st v2000 var | GameThief |
| 28 | Gh0st var | Gapz C&C request |
| 29 | Glasses | Guntior - CN bootkit |
| 30 | GoogleAdC2 | Gypthoy |
| 31 | GoogleAdC2 2nd stage | Hiloti |
| 32 | Googles | HOIC DDoS |
| 33 | Greencat | Horst Proxy |
| 34 | Gtalk | Imaut |
| 35 | Hangover Smackdown Minapro | IRCbot |
| 36 | Hupigon / Graybird | JBOSS worm |
| 37 | icon.js - system info send | Karagany Loader |
| 38 | IEXPLORE Rat / C0D0S0 /Briba / Cimuz / SharkyRAT | Kuluoz.B downloader |
| 39 | IXESHE | Matsnu - MBR wiping ransomware |
| 40 | IXESHE AES | Medfos |
| 41 | KoreanBanker DL | Money loader |
| 42 | Letsgo / TabMsgSQL | Mutopy Downloader |
| 43 | Letsgo / TabMsgSQL downloader | Mutopy Downloader initial callback |
| 44 | Likseput | PassAlert |
| 45 | Lingbo (?) | Pony loader |
| 46 | Luckycat - WIMMIE | PowerLoader |
| 47 | LURK | Ranbyus / Triton (Spy, Banking, smart cards) |
| 48 | Mediana Proxy | Reedum |
| 49 | MiniASP | Shiz / Rohimafo DDoS |
| 50 | Miniduke | Srizbi |
| 51 | Miniflame | Stabuniq |
| 52 | Mirage | Sweet Orange EK |
| 53 | Mirage - later var | Symmi Remote File Injector |
| 54 | Mongal | Tbot tor |
| 55 | MSWab /Yayih | Tinba aka Zusy |
| 56 | Murcy | Urausy (Ransomware) |
| 57 | Netravler | USteal.D |
| 58 | NfLog | Vobfus |
| 59 | NTESSESS | Xpaj |
| 60 | Pitty Tiger | ZeroAccess / Sirefef |
| 61 | Plugx | ZeroAccess / Sirefef - Counter site checkin |
| 62 | PNG trojan | ZeroAccess / Sirefef ppc fraud - redirect |
| 63 | Poison Ivy | Zeus |
| 64 | Quarian | Zeus Gameover |
| 65 | RedOctober AuthInfo | |
| 66 | RedOctober Sysinfo | |
| 67 | RegSubDat | |
| 68 | RssFeeder | |
| 69 | Sanny / Win32.Daws | |
| 70 | Seasalt | |
| 71 | Sofacy | |
| 72 | Surtr 2nd Stage DL | |
| 73 | Surtr Initial GET | |
| 74 | Swami | |
| 75 | Sykipot / Wyksol | |
| 76 | Taidoor | |
| 77 | Taleret | |
| 78 | Tapaoux | |
| 79 | Tarsip Eclipse | |
| 80 | Tarsip Moon | |
| 81 | Variant Letsgo / TabMsgSQL downloader (comment crew) | |
| 82 | Vinself | |
| 83 | WEBC2_RAVE | |
| 84 | WEBC2-Bolid | |
| 85 | WEBC2-Clover | |
| 86 | WEBC2-CSON | |
| 87 | WEBC2-CSON Response to commands | |
| 88 | WEBC2-HEAD | |
| 89 | WEBC2-Table | |
| 90 | Xtreme Rat | |
Thanks again Mila!