
sorting the collection


Which tool do you prefer to use for sorting your collection?

I found some tools at vxnetlux.org, but I'm just curious which you use. And why.

The tools at vxnetlux are all *.exe, but I prefer to use one of my Linux machines (Ubuntu, Debian, BackTrack) for sorting the collection, therefore I'm mostly interested in apps for Linux.
But, if necessary, I have a Windows XP computer as well.

Thanks,
Chato Flores

VS2000 GUI is the answer

The best tool to sort a virus/malware collection is VS2000 GUI.

If you had spent some time looking at the forum I invited you to, you would know that. ;-)

I'm in the process of

I'm in the process of creating my own system called "Pasture". I wanted a few different things:

a web-based solution (I wanted something portable, and accessible remotely)
The ability to make my collection look pretty to impress non technical people
making trades easy
Automating as much as possible
gathering statistics
and complex searches.

You can look at some information on it and a demo for single user mode (it has both single user and multiple user modes, with various permissions that are required to do things) at http://pasture.sourceforge.net . If you're really interested in trying it out, I could get my butt in gear and work on the installer (which doesn't do anything too fancy; if you can run MySQL commands and edit a few files you could install it without the installer, the installer would just make things simpler). It sounds like it might be a good fit for your situation too.

I haven't been working on it much the past couple of weeks as I've been busy with my actual job haha. I'll get back around to it when things slow down. Also, if you're interested in looking at an ongoing discussion about it (though at this point it's mostly just me...), here is one of those: http://www.cpplc.net/forum/index.php/topic,2359.0.html

How is it done when you must

How is it done when you must sort, let's say, 10,000 samples?

I'm writing a tool in C++

I'm writing a tool in C++ (it will be cross-platform code, that can be compiled for different platforms) which will be able to parse a log file (or possibly even run a command line scanner and use data directly from that) and get information on malware type (virus, worm, etc.), name, operating system etc. and then upload the malware file and the information from the scanner log to whatever server Pasture is running on. So uploading and sorting 10,000 samples into Pasture really won't be a big deal. It will be pretty much just pointing the configured tool at a log file, and running it while you get a cup of coffee and wait. I figure a tool like this would be great when doing cleanups of my friends' machines, and also when adding large archives of malicious files to my collection.

Right now this tool pretty much connects to Pasture and prepares for an upload. I need to get some scanner logs so I know how to parse them correctly to get various pieces of information from them. I'd appreciate help in this area, as all I have access to is AVG logs.

Finding the entries once they are in Pasture is easy if you have information on them, because of the advanced search capabilities.

Parsing log files is indeed

Parsing log files is indeed the way of processing large amounts of samples.

I suggest you support the log format of every popular antivirus: NAI, Kaspersky, Norton, AVG, Antivir, Avast, Nod, Bitdefender, ...

You will find a problem if you intend to get malware type information from antivirus logs. For one antivirus a sample may be a worm, but for another antivirus it could be a backdoor, and for yet another antivirus it may be a trojan.

That will be a hard problem to solve because, what's the right information? Impossible to know if you process things automatically.

For each malware sample you must allow adding and storing the identification given by every antivirus. That way you can generate a cross-reference antivirus naming database like VGrep:

http://www.virusbtn.com/resources/vgrep/index

The work around for the

The workaround for the problem would currently be to manually go in and run SQL to rename all backdoors to trojans or something. I like your idea better though, having the name from each AV that picks it up. A little bit of changing and it would definitely be doable.

The biggest problem with supporting multiple antivirus products is simply getting samples of log files that show the presence of malware. You'd be surprised how hard they are to find, unless I'm just looking in the wrong places. Do you have any I could use to work on the parser?

Actually the best place to

Actually the best place to get malware samples is Offensive Computing.

I'd just like log files from

I'd just like log files from different scanners at this point. I could install them all and run them on a collection, but it seems to me log files should be easier to find than they are :-/

You will not find log files.

You will not find log files. You will have to make them yourself.