Backchannel Tracking
by dave on Jul.03, 2011, under Analytics, Malware, Minotaur
Minotaur has added several new features over the last couple of weeks. Most of these have to do with backchannels. Backchannels are the network communications malware uses to “call home”: anything from retrieving new commands and configuration to simple lookups of public information from public sources. Minotaur records every communication that takes place during the execution of malware in the sandbox, correlates these communications with each other, and produces a list of the top destinations of this traffic. Minotaur also produces a map of all communications that take place during the execution of the sample. Below is an example of such a map.
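As an added illustration (this is example code, not Minotaur's own implementation), the snippet below shows the correlation step on a handful of constructed sandbox connection records: destinations are ranked by how many distinct samples contacted them, and a destination shared across several unrelated families is flagged as a likely public service (an external-IP lookup, for instance) rather than a family-specific backchannel. The sample names, families, hostnames and IP addresses are made up and use documentation ranges.

```python
from collections import defaultdict

# Constructed sandbox network records (not real Minotaur data): one entry per
# outbound connection observed while a sample ran. Addresses are from the
# RFC 5737 documentation ranges; families and hostnames are placeholders.
RECORDS = [
    {"sample": "s1", "family": "Zbot",   "dst": "198.51.100.7:80",  "host": "cfg.example-c2.net"},
    {"sample": "s1", "family": "Zbot",   "dst": "203.0.113.20:80", "host": "whatismyip.example"},
    {"sample": "s2", "family": "Zbot",   "dst": "198.51.100.7:80",  "host": "cfg.example-c2.net"},
    {"sample": "s2", "family": "Zbot",   "dst": "203.0.113.20:80", "host": "whatismyip.example"},
    {"sample": "s3", "family": "FakeAV", "dst": "203.0.113.20:80", "host": "whatismyip.example"},
    {"sample": "s3", "family": "FakeAV", "dst": "192.0.2.99:443",  "host": "pay.example-rogue.biz"},
    {"sample": "s4", "family": "FakeAV", "dst": "192.0.2.99:443",  "host": "pay.example-rogue.biz"},
    {"sample": "s4", "family": "FakeAV", "dst": "192.0.2.99:443",  "host": "pay.example-rogue.biz"},  # retry
    {"sample": "s5", "family": "Joke",   "dst": "203.0.113.20:80", "host": "whatismyip.example"},
]


def correlate(records):
    """Group connections by destination and record which samples, families
    and hostnames were seen hitting it, plus the raw connection count."""
    dests = defaultdict(lambda: {"samples": set(), "families": set(),
                                 "hosts": set(), "conns": 0})
    for r in records:
        d = dests[r["dst"]]
        d["samples"].add(r["sample"])
        d["families"].add(r["family"])
        d["hosts"].add(r["host"])
        d["conns"] += 1
    return dests


def top_destinations(records, n=10):
    """Rank destinations by number of distinct samples, then by connection
    count, so one chatty sample cannot push its C2 to the top on its own."""
    dests = correlate(records)
    ranked = sorted(dests.items(),
                    key=lambda kv: (len(kv[1]["samples"]), kv[1]["conns"]),
                    reverse=True)
    return [(dst, len(d["samples"]), d["conns"]) for dst, d in ranked[:n]]


def classify(records, shared_family_threshold=2):
    """Heuristic: a destination contacted by several unrelated families is
    most likely a public service (IP lookup, time, CDN), not command and
    control. A destination seen from only one family is a candidate
    family-specific backchannel worth a closer look."""
    labels = {}
    for dst, d in correlate(records).items():
        if len(d["families"]) >= shared_family_threshold:
            labels[dst] = "shared/public"
        else:
            labels[dst] = "family-specific"
    return labels


def edges(records):
    """Edge list (sample -> destination) for drawing a communications map."""
    return sorted({(r["sample"], r["dst"]) for r in records})


if __name__ == "__main__":
    for dst, samples, conns in top_destinations(RECORDS):
        print(f"{dst:20} samples={samples} conns={conns} {classify(RECORDS)[dst]}")
```

The shared-family threshold is deliberately crude; in a real corpus it should be tuned against the number of families observed, and destinations in the "shared/public" bucket still deserve review, since a hijacked shared service can serve as a backchannel too.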

These capabilities are very much still a work in progress. We hope to soon provide much more information about each IP address and each communication. In the meantime we are building a database of all known backchannels that Minotaur observes. The first fruits of this database can be seen in the link below.
If a picture is worth a thousand words, then…
by dave on Jun.22, 2011, under Analytics, Malware, Minotaur
…what’s 15,000 pictures worth?
Yup, Minotaur now saves a video of each (relevant) sample processed via its Cuckoo VMs.
What does it look like? Why not check out a few samples with videos:
And for some old school mayhem:
Joke.Program
The system is automatically recording new samples as they come in as well as back-filling samples as it has time.
KIS 2012 vs NIS 2012 Beta (Video)
by dave on Jun.20, 2011, under Malware
Languy99 has published a video comparison of the malware detection capabilities of Kaspersky 2012 vs. Norton 2012 Beta.
A picture is worth a thousand words
by dave on Jun.19, 2011, under Analytics, Minotaur
If it’s true a picture is worth a thousand words, then things just got a lot more interesting here…
That’s right… Minotaur now has screenshots taken at intervals during the execution of the malware in one of our sandbox systems (Cuckoo).
Not all samples have screenshots. For some examples, try:
- 149c6c045b0b50dd158f160af75ded60
- a1707abae656968dc069a483ec848bd6
- 58d1c30452243b2a0682a7f5ff9d1fd8
- 918db0dbacb499775f12fa89cae0f0a9
- c2854eec4e766ec33c223bbae3a43819
- ce9787ed7a281f28c57b2f7fabd7d7c3
Once we catch up on the backlog, the system should add these screenshots as each sample is analyzed (exe only for now, PDF next).
Because Cuckoo can run these dynamic analysis routines faster than the other sandbox environments we’ve built, it is becoming an integral part of the Minotaur platform. We are just working on scaling it up to what Minotaur needs now.
Big changes to Minotaur
by dave on Jun.18, 2011, under Analytics, Minotaur
Minotaur now presents all stats on every malware family we track here.
The list page presents little maps of the average location of our detections of each malware family. While still in the very early stages of developing these tools, I have noticed the vast majority of these maps center on Europe. At this time, I believe this is due to that region being the intersection of all the points from otherwise very diverse geographic locations, and is not indicative of raised activity in Europe.
Clicking on a family name will take you to our detailed statistics for that malware family, including a map of the most recently observed distribution servers. There is also a list of the actual samples here. Clicking on a sample will bring you to our detailed report on that particular sample.
This page will show you everything we know about a particular sample, including filetype probabilities, vendor concurrence, detections by all vendor engines, and links to outside information. In the near future, upgrades will allow you to pull the raw data reports from our tools for each sample.
We’ve also been busy integrating our different toolsets. For instance, in the detailed malware sample reports, near the bottom we have integrated our anti-malware DNS system’s known info for the originating site’s domain:
And very importantly, we are working on integrating a discussion engine into every page for every family, every sample, every category, everything. Feel free to leave a comment on any object you want, as it builds our community and could help out the malware research community as a whole by sharing what we know with each other.
Search Capability Arrives
by dave on Jun.10, 2011, under Analytics, Minotaur
Minotaur now has the ability to let users search for hashes of samples we may have analyzed, and has integrated the same reporting system into the CML. Click the ID number of the sample in the CML for a full report on what we know. You can search for any sample you want, using either the form on the homepage, or by clicking here.
Anti-Malware DNS Tool is Back Online
by dave on May.08, 2011, under Minotaur, Tools
Our Anti-Malware DNS Service Query Tool is back online. And during testing, we found a flaw in the way the return data from ClearCloud DNS was being parsed. It appears they have added redirect servers we were not aware of, so we have added those to the system, which should yield better metrics in their favor. When the tool started, ClearCloud was the leader by a long shot in blocking access to domains hosting malicious content, but soon fell into the background. This may explain that slide.
If you have not yet used the tool, please check it out here: http://minotauranalysis.com/tools/dnscheck.aspx
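The parsing flaw described above is easy to reproduce in miniature. The example below is added here and is not the tool's own code: it classifies each filtering resolver's answer as blocked, resolved or nxdomain by comparing the returned A records against a table of that resolver's known redirect addresses, and then shows how a redirect server missing from the table silently turns a block into a miss. The check a practitioner wants is the last function: any answer that differs from an unfiltered baseline resolver yet matches no known redirect is a candidate redirect the table is missing. All resolver names, redirect addresses and lookups are constructed placeholders in documentation ranges, not ClearCloud's real infrastructure.

```python
import ipaddress

# Hypothetical redirect/sinkhole addresses per filtering resolver. These are
# RFC 5737 documentation addresses used as placeholders, NOT the vendors'
# real redirect servers.
KNOWN_REDIRECTS = {
    "clearcloud": {"198.51.100.10", "198.51.100.11"},
    "resolver_b": {"203.0.113.53"},
}

# Constructed lookups: domain -> {resolver: [A records returned]}.
# "baseline" stands for an unfiltered resolver used for comparison.
LOOKUPS = {
    "malware-a.example": {"baseline": ["192.0.2.10"],
                          "clearcloud": ["198.51.100.10"],
                          "resolver_b": ["203.0.113.53"]},
    # clearcloud answers with a redirect address that is not in the table yet
    "malware-b.example": {"baseline": ["192.0.2.11"],
                          "clearcloud": ["198.51.100.12"],
                          "resolver_b": ["192.0.2.11"]},
    "benign.example":    {"baseline": ["192.0.2.50"],
                          "clearcloud": ["192.0.2.50"],
                          "resolver_b": ["192.0.2.50"]},
    "dead.example":      {"baseline": [], "clearcloud": [], "resolver_b": []},
}


def classify(answers, redirects):
    """One resolver's answer set: nxdomain (no records), blocked (an answer
    points at a known redirect/sinkhole), otherwise resolved."""
    if not answers:
        return "nxdomain"
    addrs = {str(ipaddress.ip_address(a)) for a in answers}  # canonical form
    return "blocked" if addrs & redirects else "resolved"


def block_counts(lookups, known):
    """Per-resolver tallies of blocked / resolved / nxdomain over all domains."""
    counts = {r: {"blocked": 0, "resolved": 0, "nxdomain": 0} for r in known}
    for per_resolver in lookups.values():
        for r, redirects in known.items():
            counts[r][classify(per_resolver.get(r, []), redirects)] += 1
    return counts


def block_rate(counts, resolver):
    """Fraction of answered domains the resolver blocked; nxdomain is excluded
    because the resolver cannot block a name that does not resolve anywhere."""
    c = counts[resolver]
    answered = c["blocked"] + c["resolved"]
    return c["blocked"] / answered if answered else 0.0


def suspect_redirects(lookups, known, baseline="baseline"):
    """Answers that differ from the unfiltered baseline but match no known
    redirect. Each hit is a candidate redirect server the table is missing,
    i.e. a block currently being counted against the vendor as a miss."""
    suspects = set()
    for per_resolver in lookups.values():
        base = set(per_resolver.get(baseline, []))
        for r, redirects in known.items():
            for a in per_resolver.get(r, []):
                if a not in base and a not in redirects:
                    suspects.add((r, a))
    return suspects


def with_redirect(known, resolver, addr):
    """Return a copy of the redirect table with one address added."""
    updated = {r: set(v) for r, v in known.items()}
    updated[resolver].add(str(ipaddress.ip_address(addr)))
    return updated


if __name__ == "__main__":
    before = block_counts(LOOKUPS, KNOWN_REDIRECTS)
    print("before:", before, "clearcloud rate", round(block_rate(before, "clearcloud"), 2))
    print("suspect redirects:", suspect_redirects(LOOKUPS, KNOWN_REDIRECTS))
    fixed = with_redirect(KNOWN_REDIRECTS, "clearcloud", "198.51.100.12")
    after = block_counts(LOOKUPS, fixed)
    print("after:", after, "clearcloud rate", round(block_rate(after, "clearcloud"), 2))
```

Running the baseline comparison on every batch, rather than only when a vendor's numbers look wrong, is what catches a silently added redirect server before it skews the metrics for weeks.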
Minotaur Update 110507
by dave on May.08, 2011, under Analytics, Malware, Minotaur
Updates
by dave on May.07, 2011, under Minotaur
There are many new updates behind the scenes at Minotaur. For starters, as you can tell, we have a new look. Actually, this is an old look for anyone who has seen our internal servers, but we wanted to bring a consistent look and feel to the public side as well.
We have moved around a lot of our databases and are hoping to provide new stats and the ability to search for a sample soon. The database changes are the reason the collection system has been offline for a few days, but fear not, it is running full-steam now, and we should be getting some brand new samples from the crawls.
The anti-malware DNS resolver appears to be down. We are looking into this.
Minotaur now has SSH honeypots based on Kippo installed and recording data.
Long-time friend of Minotaur, dyslexicjedi, has started a blog at http://www.dyslexicjedi.com/.
Lots of fixes going on behind the scenes.
If you find this system useful, please drop us a line at info@novcon.net. We’d love to hear from you.
Week-in-Malware Review
by dave on Apr.12, 2011, under Malware
- Monthly update from Sophos: help get rid of IE6, avoid tsunami scams, check out Pwn2own, be surprised at RSA, and groan at Epsilon
- Team Cymru: Episode 98
- The Hacker News Network:
- Languy99′s Emsisoft Antimalware 5.1 Review:
- Languy99′s K7 Total Security Review:
- Matt Rizos on Using the Norton Bootable Removal Tool:
- XP/Vista/Win 7 Anti-Virus/Anti-Spyware/Home/Total/Internet Security 2011 Removal Guide by RogueAmp:
- Avast! Free Antivirus 6.0 Review and Malware Test by Cudgelwap1:
- Activation Ransom Trojan – by F-Secure