Skip to content

Instantly share code, notes, and snippets.

@felmoltor
Created August 14, 2014 16:10
Show Gist options
  • Save felmoltor/01e732dd1375f96114ed to your computer and use it in GitHub Desktop.
Save felmoltor/01e732dd1375f96114ed to your computer and use it in GitHub Desktop.
Automatic malware download from malwaredomainlists.com and upload to virustotal.com and totalhash.com
# With this two lines of bash you will donwload the last malware samples extracted from the public lists of www.malwaredomainlist.com
# and you'll submit automatically the alive samples (check if the response was an executable or not) to totalhash.com (contribute to
# the community) and obtain the detection rate of the sample # from Virus Total (virustotal.com).
# As a result you'll get a bunch of executable files and their detection rate in the log "output.virustotal.txt"
# Download all the samples detected and listed in the public CSV of mdl.com
$ curl -s http://www.malwaredomainlist.com/mdlcsv.php | awk 'BEGIN {FS="\",\""} {print $2}' | strings -n 3 | grep -E "\.exe$|\.so$|\.bin$|\.src$|\.pdf$|\.docx$|\.vb$|\.sh$" | xargs -I% bash -c 'echo "Downloading: %" && curl -s -O %' | tee $(date +%Y%m%d_%H%M)_malware_download.log
# Upload the downloaded samples to totalhash.com and query virustotal.com with it MD5 checksum to obtain the detection ratio
$ ls *_malware_download.log -ltr | tail -n1 | cat $(awk '{print $9}') | awk 'BEGIN {FS="/"} {print $(NF)}' | xargs -I% file % --mime-type | grep "application" | cut -f1 -d: | xargs -I% bash -c 'echo -n "%:" && curl -s -T % http://totalhash.com/upload.php' | xargs -I% bash -c 'echo -n "%:" && curl -o %.virustotal.html -s --location --data "query=$(echo % | cut -f2 -d:)" https://www.virustotal.com/es/search/ && grep -A3 -E "Archivo no encontrado|Detecciones:" %.virustotal.html | grep -E "Archivo no encontrado| / " ' | tee $(date +%Y%m%d_%H%M)_output.virustotal.txt
# Delete the HTML responses (error and default pages) from the servers where the sample were not present
$ ls *_malware_download.log -ltr | tail -n1 | cat $(awk '{print $9}') | awk 'BEGIN {FS="/"} {print $(NF)}' | xargs -I% file % --mime-type | grep "text/html" | cut -f1 -d: | xargs -I% rm %
# ---------------------------------#
# Sample output will be like this: #
#----------------------------------#
$ curl -s http://www.malwaredomainlist.com/mdlcsv.php | awk 'BEGIN {FS="\",\""} {print $2}' | strings -n 3 | grep -E "\.exe$|\.so$|\.bin$|\.src$|\.pdf$|\.docx$|\.vb$|\.sh$" | xargs -I% bash -c 'echo "Downloading: %" && curl -s -O %' | tee $(date +%Y%m%d_%H%M)_malware_download.log
Downloading: img001.com/business/qiji.exe
Downloading: root.mcs-katwijk.nl/ws/amd.exe
Downloading: root.mcs-katwijk.nl/ws/nvm.exe
Downloading: root.mcs-katwijk.nl/ws/cpu.exe
Downloading: root.mcs-katwijk.nl/ws/ws.exe
Downloading: root.mcs-katwijk.nl/ws/kl.exe
Downloading: oprahsearch.com/scripts/net19.exe
Downloading: oprahsearch.com/scripts/brez251.exe
Downloading: www.doctor-alex.com/files/SetupDrAlex.exe
Downloading: appline.ieguide.co.kr/e1guide/popguide/E1PopGuide_20080619_Update.exe
Downloading: appline.ieguide.co.kr/e1guide/lineguide/e1lineguide_20080619_update2.exe
Downloading: afa15.com.ne.kr/media/videoxxx.avi.exe
Downloading: fgawegwr.chez.com/images/1273471091.exe
Downloading: update.onescan.co.kr/setupa/onescansetup.exe
[...]
$ ls *_malware_download.log -ltr | tail -n1 | cat $(awk '{print $9}') | awk 'BEGIN {FS="/"} {print $(NF)}' | xargs -I% file % --mime-type | grep "application" | cut -f1 -d: | xargs -I% bash -c 'echo -n "%:" && curl -s -T % http://totalhash.com/upload.php' | xargs -I% bash -c 'echo -n "%:" && curl -o %.virustotal.html -s --location --data "query=$(echo % | cut -f2 -d:)" https://www.virustotal.com/es/search/ && grep -A3 -E "Archivo no encontrado|Detecciones:" %.virustotal.html | grep -E "Archivo no encontrado| / " ' | tee $(date +%Y%m%d_%H%M)_output.virustotal.txt
qiji.exe:8c4144589bd542046aca7229dded3e99: 5 / 54
amd.exe:0c1b2bb3a808301c87f02970dfdf828f: 30 / 53
nvm.exe:7b438e71aac0224766f4e6e9d04147e3: 27 / 54
cpu.exe:24799bae20df7850e81bb36adf13cef1: 39 / 54
ws.exe:5fae317760cf61c9b40201c790decd33: 34 / 53
kl.exe:851a3d758e2aa621fbab184e802e2d38: 38 / 54
SetupDrAlex.exe:7b1e81bfd59e2d74f0477df2e24aaf2a: 6 / 53
videoxxx.avi.exe:d063231de7971de04f2e77c337eaee7a: 46 / 54
1273471091.exe:b38b466361fda8b62122cab856fba490: 49 / 53
onescansetup.exe:3354003da992fcc19cd60322ed2b612f: 31 / 54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment