2025-01-15 Update From: SLTechnology News&Howtos (Network Security)
Shulou (Shulou.com) 06/01 Report
ph0neutria is a tool that collects malware samples directly from the wild. Everything it collects is stored in Viper for easy access and management.
The project was inspired by the malware crawler Ragpicker. Compared with it, ph0neutria's advantages are mainly the following:
Limit crawling to sources that are updated frequently and are reliable.
Get the most out of every individual indicator.
Provide a single, reliable and well-organised storage mechanism.
Do not reimplement anything Viper already does.
So why is the tool named ph0neutria? If you know anything about Brazilian spiders you will have heard of Phoneutria nigriventer, the Brazilian wandering spider. In 2007 the Guinness Book of World Records listed it as the most venomous animal in the world. These spiders move extremely fast, have strong, sharp legs, and display distinctive red chelicerae when threatened. For details, see: https://en.wikipedia.org/wiki/Brazilian_wandering_spider
Sources
URL feeds:
Malc0de
Malshare
VX Vault
OSINT sources. Where needed, passive DNS is used to build the latest list of IP addresses for a domain, and VirusTotal is then queried for the latest URLs associated with each IP. Note that only one source is queried at a time so that the VirusTotal API request limit is not exceeded. The URL list obtained from each source is filtered by Levenshtein distance to reduce the number of near-identical entries, and each source is processed in its own thread.
AlienVault OTX
CyberCrime Tracker
DNS-BH
Payload Security (Hybrid Analysis)
Shodan
ThreatExpert
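The filtering step described above, as an added illustration that is not code from the ph0neutria project: a feed often returns many URLs that differ from one another by only a few characters (rotating file names, counters in query strings), and collapsing each such cluster to a single representative before any further lookup keeps the number of API requests down. The edit-distance threshold, the URL normalisation rules, the optional `seen` cache (standing in for the local URL cache the 0.9.0 notes mention) and the sample feed are all assumptions made for the example.

```python
"""Near-duplicate URL filtering by Levenshtein distance.

Added example, not ph0neutria's own code. The threshold, normalisation rules
and sample feed are assumptions chosen to illustrate the technique.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample feed: three distinct hosts plus near-duplicate variants.
SAMPLE_FEED = [
    "http://malware.example/payload/a1.exe",
    "http://malware.example/payload/a2.exe",          # one substitution away
    "http://malware.example/payload/a10.exe",         # one insertion away
    "http://other.example/dl/update.bin",
    "http://other.example/dl/update.bin",             # exact duplicate
    "http://third.example/~user/gate.php?id=0001",
    "http://third.example/~user/gate.php?id=0002",    # rotating counter
    "HTTP://Third.example/~user/gate.php?id=0003#x",  # case and fragment noise
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) using two-row dynamic programming."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def normalise(url: str) -> str:
    """Lower-case scheme and host and drop the fragment, so variants that can
    only ever fetch the same resource compare as identical strings."""
    p = urlsplit(url.strip())
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, ""))


def filter_similar(urls, max_distance=3, seen=None):
    """Collapse each cluster of similar URLs to its first member.

    urls:         URL strings from one feed, in feed order.
    max_distance: a URL within this many edits of an already-kept URL is dropped.
    seen:         optional set of normalised URLs processed on earlier runs
                  (a stand-in for a persisted local URL cache). Members are
                  dropped before any distance comparison; newly kept URLs are
                  added to it so the caller can persist the updated set.
    Returns (kept, dropped), both in input order.
    """
    seen = set() if seen is None else seen
    kept, dropped = [], []
    for url in urls:
        u = normalise(url)
        if u in seen or any(levenshtein(u, k) <= max_distance for k in kept):
            dropped.append(u)
        else:
            kept.append(u)
            seen.add(u)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_similar(SAMPLE_FEED)
    print(f"{len(SAMPLE_FEED)} feed entries -> {len(kept)} to look up, {len(dropped)} skipped")
    for u in kept:
        print("  keep", u)
```

The comparison is against already-kept URLs only, so a run costs O(n * k) distance computations where k is the number of survivors, which stays small for the kind of feed this is meant for. A fixed threshold of three edits is deliberately conservative: two genuinely different hosts are never that close, while rotating counters and file-name increments are. If a feed legitimately serves many short, similar paths from one host, lower the threshold rather than raise it; dropping a real sample is the worse failure.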
Screenshot
Version notes
0.6.0: the Tor proxy requires pysocks (pip install pysocks) and python-requests 2.10.0 or later for SOCKS proxy support.
0.9.0: OSINT functionality extracted from Phage Malware Tracker (a private project); requires a VirusTotal API key. Improved retrieval of samples found in the wild. Local URL and hash cache (to reduce API load).
0.9.1: updated to use the Viper v3 API; no longer compatible with v2.
Installation
The following script installs ph0neutria, Viper and Tor:
wget https://raw.githubusercontent.com/phage-nz/ph0neutria/master/install.sh
chmod +x install.sh
sudo ./install.sh
Optional: configure additional ClamAV signatures:
cd /tmp
git clone https://github.com/extremeshok/clamav-unofficial-sigs
cd clamav-unofficial-sigs
cp clamav-unofficial-sigs.sh /usr/local/bin
chmod 755 /usr/local/bin/clamav-unofficial-sigs.sh
mkdir /etc/clamav-unofficial-sigs
cp config/* /etc/clamav-unofficial-sigs
cd /etc/clamav-unofficial-sigs
Rename the os.*.conf file for your distribution to os.conf (on Ubuntu):
mv os.ubuntu.conf os.conf
Edit the configuration files:
master.conf: search for "Enabled Databases" and enable or disable the desired sources.
user.conf: uncomment the lines required by the sources you enabled. Settings in user.conf override master.conf. When you have finished editing, you must also uncomment user_configuration_complete="yes", otherwise the configuration will not take effect.
For more configuration information, see: https://github.com/extremeshok/clamav-unofficial-sigs
mkdir /var/log/clamav-unofficial-sigs
clamav-unofficial-sigs.sh --install-cron
clamav-unofficial-sigs.sh --install-logrotate
clamav-unofficial-sigs.sh --install-man
clamav-unofficial-sigs.sh
cd /tmp/clamav-unofficial-sigs
cp systemd/* /etc/systemd
cd ..
rm -rf clamav-unofficial-sigs
This can take a while; ClamAV may be unavailable until it finishes.
Usage
While using the tool you are responsible for your own protection:
Do not disable Tor unless you are routing traffic through another anonymising VPN.
Run it on an isolated network and on dedicated hardware.
Execute samples only in a suitable sandbox (see: https://github.com/phage-nz/malware-hunting/tree/master/sandbox).
Monitor your API keys for misuse.
Make sure Tor is running:
service tor restart
Launch the Viper API and web interface:
cd /opt/viper
sudo -H -u spider python viper-web
Make a note of the administrator password created when Viper starts. Log in at http://<host>:<port>/admin (default: http://127.0.0.1:8080/admin) and retrieve an API token from the Tokens page.
Viper web interface address: http://<host>:<port> (default: http://127.0.0.1:8080).
The complete configuration file is at /opt/ph0neutria/config/settings.conf.
Start ph0neutria:
cd /opt/ph0neutria
sudo -H -u spider python run.py
You can stop it with Ctrl+C at any time and restart it later.
To run it daily, create the following script in /etc/cron.daily:
#!/bin/bash
cd /opt/ph0neutria && sudo -H -u spider python run.py
Known issue
Viper forces tags to lowercase. If you would rather it did not, remove every occurrence of .lower() in viper/viper/core/database.py.
References
http://malshare.com/doc.php - MalShare API documentation
http://viper-framework.readthedocs.io/en/latest/usage/web.html - Viper API documentation
https://developers.virustotal.com/v2.0/reference - VirusTotal API documentation
https://www.hybrid-analysis.com/apikeys/info - Payload Security API documentation
https://otx.alienvault.com/api - AlienVault OTX API documentation
This article is reproduced from FreeBuf.COM; the original was compiled by FB editor secist.