Jeff Larson thejefflarson

## gist:4983514
~/Downloads/Digital Appendices/Appendix G (Digital) - IOCs $ cat fabdf553-b3ed-4bc9-9ac6-13d6bd174dad.ioc
<?xml version="1.0" encoding="us-ascii"?>
<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="fabdf553-b3ed-4bc9-9ac6-13d6bd174dad" last-modified="2013-02-10T13:00:00" xmlns="http://schemas.mandiant.com/2010/ioc">
  <short_description>WEBC2-YAHOO (FAMILY)</short_description>
  <description>The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands.  The WEBC2-YAHOO variant enters a loop where every ten minutes it attempts to download a web page that may contain an encoded URL.  The encoded URL will be found in the pages returned inside an attribute named 'sb' or 'ex' within a tag named 'yahoo'.  The embedded link can direct the malware to download and execute files.</description>
  <autho

## mbox_extractor.rb
require 'rubygems'
require 'mail'

Dir["./**/*.mbox"].each do |file|
  puts "processing #{file}"
  dir = File.basename file
  puts "placing into #{dir}"
  messages = File.read(file).split(/^From .*$/).reject{|m| m.blank? }.map {|m| Mail.read_from_string m }
  puts "found #{messages.length} messages"
  messages.each_with_index do |m, i|

## backgroundcompaction.rb
module Daybreak
  class BackgroundCompaction
    def initialize(file, options = {})
      @db = Daybreak::DB.new(file)
      @thread = Thread.new(&method(:run))
      @options = options
    end

    def stop
      @stop = true

## advanced.rb
require 'thread'
require 'csv'
require 'net/http'
require 'json'

id = 0
max_id = 30

class Atomic
  def initialize(val)

## cairo-gotos.c

    return CAIRO_STATUS_SUCCESS;

 fail4:
    free (cff_subset->widths);
 fail3:
    free (cff_subset->ps_name);
 fail2:
    _cairo_type2_charstrings_fini (&type2_subset);
 fail1:

## sim-hash.rb
  def ngrams(n)
    tokenize.each_with_index.map {|_, i| toks.slice(i, n).join ' ' }
  end

  def sim_hash!
    gramz = Set.new(ngrams(9))

    ordered = gramz.map {|g| g.hash }.sort

    return if ordered.length < 10

## slim-json.rb
def as_json(opts = {})
  ret = super(opts)
  ret.reduce({}) do |memo, kv|
    memo[kv.first] = kv.last if kv.last
    memo
  end
end

## jruby_flock.rb
f = File.open 't', 'w'
require 'fcntl'
f.flock(File::LOCK_EX)
t = File.open 't', 'w'
t.flock(File::LOCK_EX)
# on jruby returns false.

## c.rb
require 'fcntl'
require 'thread'
class ConcurrentFile
  def initialize
    @out = File.open 't', 'w'
    @mutex = Mutex.new
  end

  def lock
    @out.flock(File::LOCK_EX)

## gist:4511894
With queue optimizations (1.9.3):

benchmarks  1	10	100	1000	10000
bench_inserting_keys	 0.000032	 0.000026	 0.000122	 0.001285	 0.059764
bench_keys_with_sync	 0.000255	 0.000853	 0.006070	 0.060688	 0.663408
bench_reading_keys	 0.000026	 0.000044	 0.000223	 0.001935	 0.022019

Without:

benchmarks  1	10	100	1000	10000
	~/Downloads/Digital Appendices/Appendix G (Digital) - IOCs $ cat fabdf553-b3ed-4bc9-9ac6-13d6bd174dad.ioc
	<?xml version="1.0" encoding="us-ascii"?>
	<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="fabdf553-b3ed-4bc9-9ac6-13d6bd174dad" last-modified="2013-02-10T13:00:00" xmlns="http://schemas.mandiant.com/2010/ioc">
	<short_description>WEBC2-YAHOO (FAMILY)</short_description>
	<description>The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-YAHOO variant enters a loop where every ten minutes it attempts to download a web page that may contain an encoded URL. The encoded URL will be found in the pages returned inside an attribute named 'sb' or 'ex' within a tag named 'yahoo'. The embedded link can direct the malware to download and execute files.</description>
	<autho
	require 'rubygems'
	require 'mail'

	Dir["./*/.mbox"].each do \|file\|
	puts "processing #{file}"
	dir = File.basename file
	puts "placing into #{dir}"
	messages = File.read(file).split(/^From .*$/).reject{\|m\| m.blank? }.map {\|m\| Mail.read_from_string m }
	puts "found #{messages.length} messages"
	messages.each_with_index do \|m, i\|
	module Daybreak
	class BackgroundCompaction
	def initialize(file, options = {})
	@db = Daybreak::DB.new(file)
	@thread = Thread.new(&method(:run))
	@options = options
	end

	def stop
	@stop = true
	require 'thread'
	require 'csv'
	require 'net/http'
	require 'json'

	id = 0
	max_id = 30

	class Atomic
	def initialize(val)

	return CAIRO_STATUS_SUCCESS;

	fail4:
	free (cff_subset->widths);
	fail3:
	free (cff_subset->ps_name);
	fail2:
	_cairo_type2_charstrings_fini (&type2_subset);
	fail1:
	def ngrams(n)
	tokenize.each_with_index.map {\|_, i\| toks.slice(i, n).join ' ' }
	end

	def sim_hash!
	gramz = Set.new(ngrams(9))

	ordered = gramz.map {\|g\| g.hash }.sort

	return if ordered.length < 10
	def as_json(opts = {})
	ret = super(opts)
	ret.reduce({}) do \|memo, kv\|
	memo[kv.first] = kv.last if kv.last
	memo
	end
	end
	f = File.open 't', 'w'
	require 'fcntl'
	f.flock(File::LOCK_EX)
	t = File.open 't', 'w'
	t.flock(File::LOCK_EX)
	# on jruby returns false.
	require 'fcntl'
	require 'thread'
	class ConcurrentFile
	def initialize
	@out = File.open 't', 'w'
	@mutex = Mutex.new
	end

	def lock
	@out.flock(File::LOCK_EX)
	With queue optimizations (1.9.3):

	benchmarks 1 10 100 1000 10000
	bench_inserting_keys 0.000032 0.000026 0.000122 0.001285 0.059764
	bench_keys_with_sync 0.000255 0.000853 0.006070 0.060688 0.663408
	bench_reading_keys 0.000026 0.000044 0.000223 0.001935 0.022019

	Without:

	benchmarks 1 10 100 1000 10000