diff --git a/README.md b/README.md
index 32000eb..8d55eec 100644
--- a/README.md
+++ b/README.md
@@ -42,7 +42,7 @@ Since version 0.42 theZoo have been going dramatic changes. It now runs in both
The current default state of theZoo runtime is the CLI which is inspired by MSF. The following files and directories are responsible for the application's behaviour.
### /conf
-The conf folder holds files relevant to the particular running of the program but are not part of the application. You can find the EULA file in the conf, the current database version, the CSV index file and more.
+The conf folder holds files relevant to the particular running of the program but are not part of the application. You can find the EULA file in the conf and more.
### /imports
Contains .py and .pyc import files used by the rest of the application
### /malwares
@@ -52,17 +52,17 @@ Since mdbv0.2 is stable for the command line arguments (where as of 0.42 we are
## Directory Structure:
-Each directory is composed of 5 files:
+Each directory is composed of 4 files:
- Malware files in an encrypted ZIP archive.
- SHA256 sum of the 1st file.
- MD5 sum of the 1st file.
- Password file for the archive.
-- index.log file for the indexer.
-## Structure of index.csv
-The main index.csv is the DB which you will look in to find malwares indexed on your drive. We use the , charachter as the delimiter to our CSVs.
-The structure is al follows:
+
+## Structure of maldb.db
+maldb.db is the DB which theZoo is acting upon to find malwares indexed on your drive.
+The structure is as follows:
uid,location,type,name,version,author,language,date
@@ -87,13 +87,19 @@ Bugs and Reports
The repository holding all files is currently
https://github.com/ytisf/theZoo
-##Change Log for v0.50:
+## Change Log for v0.60:
+- [x] Moved DB to SQLite3.
+- [x] Searching overhaul to a freestyle fashion.
+- [x] Fixed "get" command.
+- [x] More & more malwares.
+
+## Change Log for v0.50:
- [x] Better and easier UI.
- [x] Aligned printing of malwares.
- [x] Command line arguments are now working.
- [x] Added 10 more malwares (cool ones) to the DB.
-##Change Log for v0.42:
+## Change Log for v0.42:
- [x] Fix EULA for proper disclaimer.
- [x] More precise searching and indexing including platform and more.
- [x] Added 10 new malwares.
@@ -113,7 +119,7 @@ The repository holding all files is currently
- [X] More documentation has been added.
- [X] Removed debugging function which were dead in the code.
-##Predicted Change Log for v1.0
+## Predicted Change Log for v1.0
- [ ] Fix auto-complete for malware frameworks.
- [ ] Better UI features.
- [ ] Consider changing DB to XML or SQLite3.
diff --git a/conf/index.csv b/conf/index.csv
deleted file mode 100644
index 5a32e9c..0000000
--- a/conf/index.csv
+++ /dev/null
@@ -1,69 +0,0 @@
-1,Source/Original/Dokan_Dec2008/Dokan_Dec2008,botnet,Dokan,unknown,unknown,c,00/12/2008,x86,win32,0
-3,Source/Original/ShadowBotv3_March2007/ShadowBotv3_March2007,botnet,ShadowBot,3,unknown,cpp,מרץ-07,x86,win32,0
-4,Source/Original/rBot0.3.3_May2004/rBot0.3.3_May2004,botnet,rBot,0.3.3,unknown,cpp,00/05/2004,x86,win32,0
-5,Source/Original/ZeuS2.0.8.9_Feb2013/ZeuS2.0.8.9_Feb2013,botnet,ZeuS,2.0.8.9,unknown,c,פבר-13,x86,win32,1
-6,Source/Original/X0R-USB_Jan2009/X0R-USB_Jan2009,virus,X0R-USB-Virus,unknown,unknown,c,00/01/2009,x86,win32,0
-7,Source/Original/LoexBot1.3_Sep2008/LoexBot1.3_Sep2008,botnet,LoexBot,1.3,unknown,cpp,00/09/2008,x86,win32,0
-8,Source/Original/ZunkerBot1.4.5_Sep2007/ZunkerBot1.4.5_Sep2007,botnet,ZunkerBot,1.4.5,unknown,php,ספט-07,x86,win32,0
-9,Source/Original/DopeBotv0.22_UnCrippled_Feb2007/DopeBotv0.22_UnCrippled_Feb2007,botnet,DopeBot-UnCrippled,0.22,unknown,cpp,00/02/2007,x86,win32,0
-10,Source/Original/vbBot_Jan2007/vbBot_Jan2007,botnet,vbBot,unknown,unknown,vb,ינו-07,x86,win32,0
-11,Source/Original/xTBot0.0.2_2Feb2002/xTBot0.0.2_2Feb2002,botnet,xTBot,0.0.2,unknown,cpp,פבר-02,x86,win32,0
-12,Source/Original/VBS.Win32.Vabian/VBS.Win32.Vabian,VBS-Worm,VBS.Win32.Vabian,botnet,unknown,vb,unknown,x86,win32,0
-13,Source/Original/DopeBotv0.22_CrippledFeb2007/DopeBotv0.22_CrippledFeb2007,botnet,DopeBot-Crippled,0.22,unknown,cpp,00/02/2007,x86,win32,0
-14,Source/Original/Win32.MiniPig_Nov2006/Win32.MiniPig_Nov2006,Worm,Win32.MiniPig,virus,unknown,c,00/11/2006,x86,win32,0
-15,Source/Original/HellBotv3.0_10June2005/HellBotv3.0_10June2005,botnet,Hellbot,3,unknown,cpp,00/06/2005,x86,win32,0
-16,Source/Original/Win32.ogw0rm_Nov2008/Win32.ogw0rm_Nov2008,Worm,Win32.ogwOrm,unknown,unknown,cpp,00/11/2008,x86,win32,0
-17,Source/Original/DopeBot.B_Dec2004/DopeBot.B_Dec2004,botnet,DopeBot.B,unknown,unknown,cpp,00/12/2004,x86,win32,0
-18,Source/Original/LiquidBot_May2005/LiquidBot_May2005,botnet,LiquidBot,unknown,unknown,cpp,00/05/2005,x86,win32,0
-19,Source/Original/SpazBot2.12_June2007/SpazBot2.12_June2007,botnet,SpazBot,2.12,unknown,vb,00/06/2007,x86,win32,0
-20,Source/Original/DBotv3.1_March2007/DBotv3.1_March2007,botnet,DBot,3.1,unknown,c,00/03/2007,x86,win32,0
-21,Source/Original/CyberBotv2.2_October2006/CyberBotv2.2_October2006,botnet,CyberBot,2.2,unknown,cpp,00/10/2006,x86,win32,0
-22,Source/Original/DopeBot.A_Dec2004/DopeBot.A_Dec2004,botnet,DopeBot.A,unknown,unknown,cpp,00/12/2004,x86,win32,0
-23,Source/Original/MyDoom.A_Jan2004/MyDoom.A_Jan2004,virus,MyDoom.A,unknown,unknown,c,00/01/2004,x86,win32,0
-24,Source/Original/ShadowBot_Sep2008/ShadowBot_Sep2008,botnet,ShadowBot,unknown,unknown,cpp,00/09/2008,x86,win32,0
-25,Binaries/CryptoLocker20Nov2013/CryptoLocker20Nov2013,ransomeware,CryptoLocker,Unknown,Unknown,bin,20/12/2013,x86,win32,1
-26,Binaries/CryptoLocker_10Sep2013/CryptoLocker_10Sep2013,ransomeware,CryptoLocker,Unknown,Unknown,bin,10/12/2013,x86,win32,1
-27,Binaries/IllusionBot_May2007/IllusionBot_May2007,botnet,Illusion Bot,Unknown,Unknown,bin,00/05/2007,x86,win32,0
-28,Source/Original/NBot_July2008/NBot_July2008,botnet,nBot,0.32,Unknown,c,00/05/2008,x86,win32,0
-29,Binaries/Trojan.Dropper.Gen/Trojan.Dropper.Gen,trojan,Dropper,Unknown,Unknown,bin,00/01/2014,x86,win32,0
-30,Binaries/Trojan.NSIS.Win32/Trojan.NSIS.Win32,trojan,NSIS,Unknown,Unknown,bin,00/01/2014,x86,win32,0
-31,Binaries/Trojan.Win32.Bechiro.BCD/Trojan.Win32.Bechiro.BCD,trojan,Bechiro,BCD,Unknown,bin,00/01/2014,x86,win32,0
-32,Binaries/AndroRat_6Dec2013/AndroRat_6Dec2013,botnet,AndroRat,דצמ-13,Unknown,java,06/12/2013,x86,win32,0
-33,Binaries/CryptoLocker_22Jan2014/CryptoLocker_22Jan2014,ransomeware,CryptoLocker,ינו-14,Unknown,bin,22/01/2014,x86,win32,1
-34,Binaries/njRAT-v0.6.4/njRAT-v0.6.4,botnet,njRAT,0.6.4,Unknown,bin,00/09/2013,x86,win32,0
-35,Binaries/ZeusBankingVersion_26Nov2013/ZeusBankingVersion_26Nov2013,botnet,Zeus - zBot,נוב-13,Unknown,bin,23/11/2013,x86,win32,1
-36,Source/Original/NullBot_Dec2006/NullBot_Dec2006,botnet,NullBot,דצמ-06,Unknown,cpp,00/12/2006,x86,win32,0
-37,Binaries/Artemis,trojan,Artemis,Unknown,Unknown,bin,00/00/0000,x86,win32,0
-38,Binaries/Somoto,apt,Somoto,unknown,unknown,bin,00/00/0000,x86,win32,0
-39,Binaries/Variant.Kazy,trojan,Variant.Kazy,unknown,unknown,bin,00/00/0000,x86,win32,0
-40,Binaries/Win32/Brontok.W,Worm,Brontok.FE ,unknown,unknown,bin,00/00/0000,x86,win32,1
-41,Binaries/Trojan.Loadmoney.1,trojan,LMclicker.1,unknown,unknown,bin,00/00/0000,x86,win32,0
-42,Binaries/Win32Dircrypt.Trojan.Ransom.ABZ,ransomeware,Trojan.Ransom,unknown,unknown,bin,00/00/0000,x86,win32,0
-43,Binaries/TrojanWin32.Duqu.Stuxnet,botnet,Trojan.Win32.Duqu.Aoq .,unknown,unknown,bin,00/00/0000,x86,win32,1
-45,Binaries/Win32.Botnet.Stuxnet.B,apt,Stuxnet Duqu,Realtek Signed B,Unknown,bin,00/00/2007,x86,win32,1
-44,Binaries/Win32.Botnet.Stuxnet.A,apt,Stuxnet Duqu,C-Media Electronics Incorporation Signature - A,Unknown,bin,00/00/2009,x86,win32,1
-46,Binaries/Skywiper-A.Flame,apt,Skywiper AKA Flame,A,Unknown,bin,00/00/2012,x86,win32,1
-47,Binaries/Careto_Feb2014,apt,Careto aka The Mask,A,Unknown,bin,15/02/2014,x86,win32,0
-48,Binaries/ZeusGamever_Feb2014,botnet,Zeus,Gamever,Unknown,bin,19/02/2014,x86,win32,1
-49,Binaries/Android.Spy.49_iBanking_Feb2014,botnet,Android Spy 29,Banking Version,Unknown,apk,19/02/2014,arm,android,0
-50,Binaries/Win32.Cridex,worm,Cridex,B,Unknown,bin,00/02/2014,x86,win32,0
-51,Binaries/Win32.Alina.3.4.B,apt,Alina,3.4B,Unknown,bin,15/03/2014,x86,win32,1
-52,Binaries/Win32.Boaxxe.BB,botnet,Boaxxe,BB,Unknown,bin,15/03/2014,x86,win32,0
-53,Binaries/Win32.Infostealer.Dexter,botnet,Dexter,Unknown,Unknown,bin,15/03/2014,x86,win32,0
-54,Binaries/Win32.Caphaw.Shylock,botnet,Shylock,Unknown,Unknown,bin,15/03/2014,x86,win32,1
-55,Binaries/Win32.Turla,apt,Torola\Urubus rootkit,Unknown,Russia,bin,15/03/2014,x86,win32,1
-56,Binaries/Win32.Zurgop,botnet,Zurgop/Dofoil/Bredo,Unknown,Unknown,bin,23/06/2014,x86,win32,0
-57,Binaries/Win32.ZeusVM,botnet,Zeus VM,VM,Unknown,bin,23/06/2014,x86,win32,0
-58,Binaries/Win32.Fareit,botnet,Fareit,Unknown,Unknown,bin,23/06/2014,x86,win32,0
-59,Binaries/BlackEnergy2.1,rootkit,Black Energy,2.1,Unknown,bin,23/06/2014,x64,win64,1
-60,Binaries/SpyEye,botnet,SpyEye,Unknown,Unknown,bin,23/06/2014,x86,win32,0
-61,Binaries/Poweliks,botnet,Poweliks,Unknown,Unknown,bin,09/08/2014,x86,win32,1
-62,Binaries/ZeroLocker,ransomware,Zerolocker,A,Unknown,bin,09/08/2014,x86,win32,0
-63,Sources/Original/TinyBanker_Jan2012,botnet,Tiny Banker,A,Russia,asm,00/01/2012,x86,win32,0
-64,Source/Original/XtremeRAT_March2009,botnet,XtremeRat,Unknown,Unknown,c,00/03/2009,x86,win32,0
-65,Binaries/Win32.Reveton,ransomeware,Reveton,Y,unknown,bin,Unknown,x86,win32,0
-66,Binaries/Trojan.Bladabindi,trojan,Bladabindi,unknown,bin,00/07/2013,x86,win32,0
-67,Source/Original/Win32.Remhead,rootkit,Remhead AKA n00bkit,unknown,c,unknown,x86,win32,0
-68,Source/Original/ExploitKit.Blackhole.100,exploitkit,Blackhole,unknown,HodLuM & Paunch,php,00/08/10,web,win32,0
-69,Source/Original/ExploitKit.Blackhole.102,exploitkit,Blackhole,unknown,HodLuM & Paunch,php,20/11/10,web,win32,0
-70,Source/Original/AryanRAT_March2010,botnet,AryanRAT,0.5,unknown,cpp,07/03/2010,x86,win32,0
\ No newline at end of file
diff --git a/conf/maldb.db b/conf/maldb.db
new file mode 100644
index 0000000..e00e27c
Binary files /dev/null and b/conf/maldb.db differ
diff --git a/imports/db_handler.py b/imports/db_handler.py
new file mode 100644
index 0000000..c774e13
--- /dev/null
+++ b/imports/db_handler.py
@@ -0,0 +1,32 @@
+import sqlite3 as lite
+from imports import globals
+import sys
+
+
+class DBHandler:
+
+ def __init__(self):
+ try:
+ self.con = lite.connect(globals.vars.db_path)
+ self.cur = self.con.cursor()
+ except lite.Error as e:
+ print "An error occurred:", e.args[0]
+ sys.exit()
+
+ def get_full_details(self):
+ return self.cur.execute("SELECT * FROM Malwares").fetchall()
+
+ def get_partial_details(self):
+ return self.cur.execute("SELECT ID, TYPE, LANGUAGE, ARCHITECTURE, PLATFORM, NAME FROM Malwares").fetchall()
+
+ def get_mal_names(self):
+ # Sqlite3 returns a tuple even if a single value is returned
+ # We use x[0] for x to unpack the tuples
+ return [val[0] for val in self.cur.execute("SELECT NAME FROM Malwares").fetchall()]
+
+ def query(self, query, param=''):
+ try:
+ return self.cur.execute(query, param).fetchall()
+ except lite.Error as e:
+ print "An error occurred:", e.args[0]
+ sys.exit()
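Review bot: `query()` calls `sys.exit()` on any `lite.Error`, so a malformed statement handed in by a caller (the method accepts the SQL text verbatim) terminates the whole interactive CLI instead of surfacing an error the menu can report; re-raising, or printing and returning an empty list, keeps the REPL alive. The `param=''` default works only because an empty string happens to be an empty sequence of bind values; `def query(self, query, param=()):` states the intent. The connection opened in `__init__` is never closed — a `close()` method, or using `self.con` as a context manager around each statement, would release the handle when the handler is discarded.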
diff --git a/imports/eula_handler.py b/imports/eula_handler.py
index 3a7b2e2..c4ac6b5 100644
--- a/imports/eula_handler.py
+++ b/imports/eula_handler.py
@@ -1,31 +1,32 @@
#!/usr/bin/env python
- #Malware DB - the most awesome free malware database on the air
- #Copyright (C) 2014, Yuval Nativ, Lahad Ludar, 5Fingers
+ # Malware DB - the most awesome free malware database on the air
+ # Copyright (C) 2014, Yuval Nativ, Lahad Ludar, 5Fingers
- #This program is free software: you can redistribute it and/or modify
- #it under the terms of the GNU General Public License as published by
- #the Free Software Foundation, either version 3 of the License, or
+ # This program is free software: you can redistribute it and/or modify
+ # it under the terms of the GNU General Public License as published by
+ # the Free Software Foundation, either version 3 of the License, or
#(at your option) any later version.
- #This program is distributed in the hope that it will be useful,
- #but WITHOUT ANY WARRANTY; without even the implied warranty of
- #MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- #GNU General Public License for more details.
+ # This program is distributed in the hope that it will be useful,
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ # GNU General Public License for more details.
- #You should have received a copy of the GNU General Public License
- #along with this program. If not, see .
+ # You should have received a copy of the GNU General Public License
+ # along with this program. If not, see .
import sys
+import os
from imports import globals
class EULA:
- def __init__(self, langs = None, oneRun=True):
+ def __init__(self, langs=None, oneRun=True):
#self.oneRun = oneRun
self.check_eula_file()
- #self.prompt_eula()
+ # self.prompt_eula()
def check_eula_file(self):
try:
@@ -36,13 +37,13 @@ def check_eula_file(self):
def prompt_eula(self):
globals.init()
- #os.system('clear')
+ os.system('cls' if os.name == 'nt' else 'clear')
print globals.bcolors.RED
print '_____________________________________________________________________________'
print '| ATTENTION!!! ATTENTION!!! ATTENTION!!! |'
print '| ' + globals.vars.appname + ' v' + globals.vars.version + ' |'
print '|___________________________________________________________________________|'
- print '|This program contain live and dangerous malware files |'
+ print '|This program contains live and dangerous malware files |'
print '|This program is intended to be used only for malware analysis and research |'
print '|and by agreeing the EULA you agree to only use it for legal purposes and |'
print '|studying malware. |'
@@ -51,10 +52,11 @@ def prompt_eula(self):
print '|infect you machines will live and dangerous malwares!. |'
print '|___________________________________________________________________________|'
print globals.bcolors.WHITE
- eula_answer = raw_input('Type YES in captial letters to accept this EULA.\n > ')
+ eula_answer = raw_input(
+ 'Type YES in captial letters to accept this EULA.\n > ')
if eula_answer == 'YES':
new = open(globals.vars.eula_file, 'a')
new.write(eula_answer)
else:
print 'You need to accept the EULA.\nExiting the program.'
- sys.exit(0)
\ No newline at end of file
+ sys.exit(0)
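Review bot: The acceptance marker written at `new = open(globals.vars.eula_file, 'a')` / `new.write(eula_answer)` is never closed or flushed, so whether it reaches disk depends on interpreter shutdown; `with open(globals.vars.eula_file, 'a') as new: new.write(eula_answer)` closes it deterministically. The `raw_input` re-wrapping this hunk makes leaves that unchanged; `prompt_eula`'s body starts before this hunk.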
diff --git a/imports/globals.py b/imports/globals.py
index 3eb79bb..9af2c1c 100644
--- a/imports/globals.py
+++ b/imports/globals.py
@@ -1,35 +1,39 @@
#!/usr/bin/env python
- #Malware DB - the most awesome free malware database on the air
- #Copyright (C) 2014, Yuval Nativ, Lahad Ludar, 5Fingers
+ # Malware DB - the most awesome free malware database on the air
+ # Copyright (C) 2014, Yuval Nativ, Lahad Ludar, 5Fingers
- #This program is free software: you can redistribute it and/or modify
- #it under the terms of the GNU General Public License as published by
- #the Free Software Foundation, either version 3 of the License, or
+ # This program is free software: you can redistribute it and/or modify
+ # it under the terms of the GNU General Public License as published by
+ # the Free Software Foundation, either version 3 of the License, or
#(at your option) any later version.
- #This program is distributed in the hope that it will be useful,
- #but WITHOUT ANY WARRANTY; without even the implied warranty of
- #MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- #GNU General Public License for more details.
+ # This program is distributed in the hope that it will be useful,
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ # GNU General Public License for more details.
- #You should have received a copy of the GNU General Public License
- #along with this program. If not, see .
+ # You should have received a copy of the GNU General Public License
+ # along with this program. If not, see .
import sys
+
class init:
+
def init(self):
# Global Variables
- version = "0.5.0 Citadel"
+ version = "0.6.0 Moat"
appname = "theZoo"
- codename = "Citadel"
+ codename = "Moat"
authors = "Yuval Nativ, Lahad Ludar, 5fingers"
licensev = "GPL v3.0"
fulllicense = appname + " Copyright (C) 2014 " + authors + "\n"
- fulllicense += "This program comes with ABSOLUTELY NO WARRANTY; for details type '" + sys.argv[0] +" -w'.\n"
+ fulllicense += "This program comes with ABSOLUTELY NO WARRANTY; for details type '" + \
+ sys.argv[0] + " -w'.\n"
fulllicense += "This is free software, and you are welcome to redistribute it."
- usage = '\nUsage: ' + sys.argv[0] + ' -s search_query -t trojan -p vb\n\n'
+ usage = '\nUsage: ' + sys.argv[0] + \
+ ' -s search_query -t trojan -p vb\n\n'
usage += 'The search engine can search by regular search or using specified arguments:\n\nOPTIONS:\n -h --help\t\tShow this message\n -t --type\t\tMalware type, can be virus/trojan/botnet/spyware/ransomeware.\n -p --language\tProgramming language, can be c/cpp/vb/asm/bin/java.\n -u --update\t\tUpdate malware index. Rebuilds main CSV file. \n -s --search\t\tSearch query for name or anything. \n -v --version\tPrint the version information.\n -w\t\t\tPrint GNU license.\n'
column_for_pl = 6
@@ -46,10 +50,10 @@ def init(self):
conf_folder = 'conf'
eula_file = conf_folder + '/eula_run.conf'
maldb_ver_file = conf_folder + '/db.ver'
- main_csv_file = conf_folder + '/index.csv'
- giturl = 'https://raw.github.com/ytisf/theZoo/master/'
+ giturl = 'https://github.com/ytisf/theZoo/blob/master'
addrs = ['reverce_tcp/', 'crazy_mal/', 'mal/', 'show malwares']
+
class bcolors:
PURPLE = '\033[95m'
BLUE = '\033[94m'
@@ -58,18 +62,22 @@ class bcolors:
RED = '\033[91m'
WHITE = '\033[0m'
+
class vars:
- version = "0.5.0 Citadel"
+ version = "0.6.0 Moat"
appname = "Malware DB"
authors = "Yuval Nativ, Lahad Ludar, 5fingers"
licensev = "GPL v3.0"
fulllicense = appname + " Copyright (C) 2014 " + authors + "\n"
- fulllicense += "This program comes with ABSOLUTELY NO WARRANTY; for details type '" + sys.argv[0] +" -w'.\n"
+ fulllicense += "This program comes with ABSOLUTELY NO WARRANTY; for details type '" + \
+ sys.argv[0] + " -w'.\n"
fulllicense += "This is free software, and you are welcome to redistribute it."
- usage = '\nUsage: ' + sys.argv[0] + ' -s search_query -t trojan -p vb\n\n'
+ usage = '\nUsage: ' + sys.argv[0] + ' -s search_query -t trojan -p vb\n\n'
usage += 'The search engine can search by regular search or using specified arguments:\n\nOPTIONS:\n -h --help\t\tShow this message\n -t --type\t\tMalware type, can be virus/trojan/botnet/spyware/ransomeware.\n -p --language\tProgramming language, can be c/cpp/vb/asm/bin/java.\n -u --update\t\tUpdate malware index. Rebuilds main CSV file. \n -s --search\t\tSearch query for name or anything. \n -v --version\tPrint the version information.\n -w\t\t\tPrint GNU license.\n'
+ # :todo: add filter usage
+
column_for_pl = 6
column_for_type = 2
column_for_location = 1
@@ -81,23 +89,32 @@ class vars:
column_for_plat = 9
column_for_vip = 10
+ opts = [
+ ("type", ("virus", "worm", "ransomware", "botnet", "apt", "rootkit", "trojan", "exploitkit", "dropper")),
+ ("architecture", ("x86", "x64", "arm", "web")),
+ ("platform", ("win32", "win64", "android", "ios", "mac", "*nix32", "*nix64")),
+ ("language", ("c", "cpp", "asm", "bin", "java", "apk", "vb", "php"))]
+
conf_folder = 'conf'
eula_file = conf_folder + '/eula_run.conf'
maldb_ver_file = conf_folder + '/db.ver'
- main_csv_file = conf_folder + '/index.csv'
+ db_path = conf_folder + "/maldb.db"
giturl = 'https://raw.github.com/ytisf/theZoo/master/'
with file(maldb_ver_file) as f:
db_ver = f.read()
- maldb_banner = " __ ___ __ ____ ____\n"
- maldb_banner += " / |/ /___ _/ / ______ _________ / __ \/ __ )\n"
- maldb_banner += " / /|_/ / __ `/ / | /| / / __ `/ ___/ _ \______/ / / / __ |\n"
- maldb_banner += " / / / / /_/ / /| |/ |/ / /_/ / / / __/_____/ /_/ / /_/ /\n"
- maldb_banner += " /_/ /_/\__,_/_/ |__/|__/\__,_/_/ \___/ /_____/_____/\n\n"
- maldb_banner += " version: " + version + "\n"
- maldb_banner += " db_version: " + db_ver + "\n"
- maldb_banner += " built by: " + authors + "\n\n"
+ maldb_banner = " __ ___ __ ____ ____\n"
+ maldb_banner += " / |/ /___ _/ / ______ _________ / __ \/ __ )\n"
+ maldb_banner += " / /|_/ / __ `/ / | /| / / __ `/ ___/ _ \______/ / / / __ |\n"
+ maldb_banner += " / / / / /_/ / /| |/ |/ / /_/ / / / __/_____/ /_/ / /_/ /\n"
+ maldb_banner += " /_/ /_/\__,_/_/ |__/|__/\__,_/_/ \___/ /_____/_____/\n\n"
+ maldb_banner += " version: " + \
+ version + "\n"
+ maldb_banner += " db_version: " + \
+ db_ver + "\n"
+ maldb_banner += " built by: " + \
+ authors + "\n\n"
addrs = ['reverce_tcp/', 'crazy_mal/', 'mal/', 'show malwares']
addrs = ['list', 'search', 'get', 'exit']
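Review bot: The `opts` vocabulary added here spells the type `ransomware`, while the usage string a few lines above still advertises `ransomeware` (and `spyware`, which is not in `opts` at all), and the index.csv deleted in this commit tagged most such entries `ransomeware`; if maldb.db inherited those strings, `search ransomware` matches nothing and `search spyware` never can. Aligning the DB rows, the usage text and `opts` on one spelling, and documenting the list as canonical (`# canonical filter values; DB rows must use exactly these spellings`), would make the filter coherent. `db_path` is relative to the working directory like the other conf paths; since `sqlite3.connect` creates an empty database when the file is absent, running from another directory fails later with "no such table" rather than with a clear missing-file error.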
diff --git a/imports/manysearches.py b/imports/manysearches.py
index fe7b4d0..f523292 100644
--- a/imports/manysearches.py
+++ b/imports/manysearches.py
@@ -1,38 +1,63 @@
from imports import globals
+from imports import db_handler
+from sys import exit
class MuchSearch(object):
+
def __init__(self):
- self.array = []
-
- def sort(self, array, column, value):
- i=0
- m=[]
- for each in array:
- if array[i][column] == value:
- m.append(each)
- i += 1
- return m
-
- def print_payloads(self, m):
- '''
- :todo: Need to get this function much smaller.
- apparently i was way too sleepy to write code...
- :param m: Array to print out
- :return:nothing
- '''
- print "\nPayloads Found:"
- array = m
- i = 0
- print "ID\tVIP\tType\t\tLang\tArch\tPlat\tName"
- print '---\t---\t-----\t\t-----\t----\t-----\t----------------'
- for element in array:
- answer = array[i][globals.vars.column_for_uid]
- answer = array[i][globals.vars.column_for_vip]
- answer += '\t%s' % ('{0: <12}'.format(array[i][globals.vars.column_for_type]))
- answer += '\t%s' % ('{0: <12}'.format(array[i][globals.vars.column_for_pl]))
- answer += array[i][globals.vars.column_for_arch] + '\t'
- answer += array[i][globals.vars.column_for_plat] + '\t'
- answer += '\t%s' % ('{0: <12}'.format(array[i][globals.vars.column_for_name]))
- print answer
- i += 1
+ self.db = db_handler.DBHandler()
+ self.names = [x.lower() for x in self.db.get_mal_names()]
+
+ #:todo: make this more efficient
+ def sort(self, args):
+ self.hits = {}
+ self.query = None
+ self.param = None
+ self.prequery = "SELECT ID, TYPE, LANGUAGE, ARCHITECTURE, PLATFORM, NAME FROM MALWARES WHERE "
+ self.ar = []
+ args = [x.lower() for x in args]
+
+ for arg in args:
+ for optname, values in globals.vars.opts:
+ for value in values:
+ if arg in value:
+ self.hits.update({optname: value})
+ # Malware name checking has its own iterations to avoid false matches
+ if not self.hits:
+ for arg in args:
+ for name in self.names:
+ if arg in name:
+ self.query = "NAME LIKE ?"
+ self.param = name
+
+ if len(self.hits) > 0:
+ self.query = self.build_query(self.hits)
+ self.ar = self.db.query(self.prequery + self.query)
+ self.print_payloads(self.ar)
+ elif self.param is not None:
+ self.ar = self.db.query(self.prequery + self.query, [self.param])
+ self.print_payloads(self.ar)
+ else:
+ print "Error: filter did not match any malware :("
+ exit()
+
+ return self.hits
+
+ # Build the dynamic query
+ def build_query(self, dic):
+ qlist = []
+ for key, val in dic.items():
+ if isinstance(val, (list, tuple)):
+ tmp = str(key) + ' in (' + ','.join(map(lambda x: '\'' + str(x) + '\'', val)) + ') '
+ else:
+ tmp = str(key) + '=' + '\'' + str(val) + '\''
+ qlist.append(' ' + tmp + ' ')
+ return "and".join(qlist)
+
+ def print_payloads(self, m, fields=["ID", "Type", "Language", "Architecture", "Platform", "Name"]):
+ print '\n' + ''.join("{0}\t".format(x) for x in fields)
+ print "-" * 12 * len(fields)
+ for col in m:
+ print ''.join("{0:<11}".format(x) for x in col)
+ print "\n"
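Review bot: The filter match at `if arg in value:` is a substring test with last-match-wins, so `search c` selects `platform=mac` and `language=cpp` rather than the C language, and an empty argument matches every value; an exact comparison, `if arg == value:`, is what the fixed vocabulary in `globals.vars.opts` calls for. Because `self.hits` stores the whitelisted `value` rather than the user's text, the string concatenation in `build_query` is not reachable by user input today, but it is only as safe as that whitelist — a comment on `build_query` such as `# values come from globals.vars.opts, never from user input; keep it that way` would protect the invariant. `sort` calls `exit()` when nothing matches, which ends the interactive session on a typo; printing the message and returning would let the menu continue. `print_payloads` uses a mutable list as the default for `fields`; a tuple avoids the lint warning without changing behavior.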
diff --git a/imports/terminal_handler.py b/imports/terminal_handler.py
index 6b4f18b..bac6a7f 100644
--- a/imports/terminal_handler.py
+++ b/imports/terminal_handler.py
@@ -5,207 +5,157 @@
import globals
from imports import manysearches
from imports.updatehandler import Updater
+from imports import db_handler
class Controller:
- def __init__(self):
- self.modules = None
- self.currentmodule = ''
- self.commands = [("search", "searching for malwares using given parameter with 'set'."),
- ("list all", "lists all available modules"),
- ("set", "sets options for the search"),
- ("get", "downloads the malware"),
- ("report-mal", "report a malware you found"),
- ("update-db", "updates the databse"),
- ("back", "removes currently chosen malware and filters"),
- ("help", "displays this help..."),
- ("exit", "exits...")]
-
- self.searchmeth = [("arch", "which architecture etc; x86, x64, arm7 so on..."),
- ("plat", "platform: win32, win64, mac, android so on..."),
- ("lang", "c, cpp, vbs, bin so on..."),
- ("vip", "1 or 0")]
-
- self.modules = self.GetPayloads()
-
- self.plat = ''
- self.arch = ''
- self.lang = ''
- self.type = ''
- self.vip = ''
-
- def GetPayloads(self):
- m = []
- csvReader = csv.reader(open(globals.vars.main_csv_file, 'rb'), delimiter=',')
- for row in csvReader:
- m.append(row)
- return m
-
- def MainMenu(self):
- # This will give you the nice prompt you like to much
- if len(self.currentmodule) > 0:
- g = int(self.currentmodule) - 1
- just_print = self.modules[int(g)][int(globals.vars.column_for_name)]
- cmd = raw_input(
- globals.bcolors.GREEN + 'mdb ' + globals.bcolors.RED + str(
- just_print) + globals.bcolors.GREEN + '#> ' + globals.bcolors.WHITE).strip()
- else:
- cmd = raw_input(
- globals.bcolors.GREEN + 'mdb ' + globals.bcolors.GREEN + '#> ' + globals.bcolors.WHITE).strip()
-
- try:
- while cmd == "":
- #print 'no cmd'
- self.MainMenu()
-
- if cmd == 'help':
- print " Available commands:\n"
- for (cmd, desc) in self.commands:
- print "\t%s\t%s" % ('{0: <12}'.format(cmd), desc)
- print ''
- self.MainMenu()
-
- if cmd == 'search':
- ar = self.modules
- manySearch = manysearches.MuchSearch()
-
- # function to sort by arch
- if len(self.arch) > 0:
- ar = manySearch.sort(ar, globals.vars.column_for_arch, self.arch)
- # function to sort by plat
- if len(self.plat) > 0:
- ar = manySearch.sort(ar, globals.vars.column_for_plat, self.plat)
- # function to sort by lang
- if len(self.lang) > 0:
- ar = manySearch.sort(ar, globals.vars.column_for_pl, self.lang)
- if len(self.type) > 0:
- ar = manySearch.sort(ar, globals.vars.column_for_type, self.type)
- if len(self.vip) > 0:
- ar = manySearch.sort(ar, globals.vars.column_for_vip, self.vip)
- printController = manysearches.MuchSearch()
- printController.print_payloads(ar)
- self.MainMenu()
-
- if re.match('^set', cmd):
- try:
- cmd = re.split('\s+', cmd)
- print cmd[1] + ' => ' + cmd[2]
- if cmd[1] == 'arch':
- self.arch = cmd[2]
- if cmd[1] == 'plat':
- self.plat = cmd[2]
- if cmd[1] == 'lang':
- self.lang = cmd[2]
- if cmd[1] == 'type':
- self.type = cmd[2]
- except:
- print 'Need to use the set method with two arguments.'
- cmd = ''
- self.MainMenu()
-
- if cmd == 'show':
- if len(self.currentmodule) == 0:
- print "No modules have been chosen. Use 'use' command."
- if len(self.currentmodule) > 0:
- print 'Currently selected Module: ' + self.currentmodule
- print '\tarch => ' + str(self.arch)
- print '\tplat => ' + str(self.plat)
- print '\tlang => ' + str(self.lang)
- print '\ttype => ' + str(self.type)
- print ''
- self.MainMenu()
-
- if cmd == 'exit':
- sys.exit(1)
-
- if cmd == 'update-db':
- updateHandler = Updater()
- updateHandler.get_maldb_ver()
- self.MainMenu()
-
- if cmd == 'report-mal':
- rprt_name = raw_input("Name of malware: ")
- rprt_type = raw_input("Type of malware: ")
- rprt_version = raw_input("Version: ")
- rprt_lang = raw_input("Language: ")
- rprt_src = raw_input("Source / Binary (s/b): ")
- rprt_arch = raw_input("Win32, ARM etc. ? ")
- rprt_reporter = raw_input("Your name for a thanks note on theZoo.\nPlease notice that this will be public!\n\nName: ")
- rprt_comments = raw_input("Comments? ")
-
- report = ("//%s//\n" % rprt_name)
- report += ("///type/%s///\n" % rprt_type)
- report += ("///ver/%s///\n" % rprt_version)
- report += ("///lang/%s///\n" % rprt_lang)
- report += ("///src/%s///\n" % rprt_src)
- report += ("///arch/%s///\n" % rprt_arch)
- report += ("//reporter/%s//\n" % rprt_reporter)
- report += ("//comments/%s//\n" % rprt_comments)
-
- # Just to avoid bots spamming us...
- email = "info"
- email += "\x40"
- email += "morirt\x2ecom"
- print "-------------- Begin of theZoo Report --------------"
- print report
- print "-------------- Ending of theZoo Report --------------"
- print "To avoid compromising your privacy we have chose this method of reporting."
- print "If you have not stated your name we will not write a thanks in our README."
- print "Your email will remain private in scenario and will not be published."
- print ""
- print "Please create an archive file with the structure as in the README file"
- print "And attach it to the email. "
- print("Please send this report to %s" % email)
-
- self.MainMenu()
-
- # 'get' command. Not yet fully operational
- if cmd == 'get':
- updateHandler = Updater()
- try:
- updateHandler.get_malware(self.currentmodule, self.modules)
- self.MainMenu()
- except:
- print globals.bcolors.RED + '[-]' + globals.bcolors.WHITE + 'Error getting malware.'
- self.MainMenu()
-
- # If used the 'use' command
- if re.match('^use', cmd):
- try:
- cmd = re.split('\s+', cmd)
- self.currentmodule = cmd[1]
- cmd = ''
- except:
- print 'The use method needs an argument.'
- self.MainMenu()
-
- # Rests all current data
- if cmd == 'back':
- self.arch = ''
- self.plat = ''
- self.lang = ''
- self.type = ''
- self.currentmodule = ''
- self.MainMenu()
-
- if cmd == 'list all':
- print "\nAvailable Payloads:"
- array = self.modules
- i = 0
- print "ID\tName\tType"
- print '-----------------'
- for element in array:
- answer = array[i][globals.vars.column_for_uid]
- answer += '\t%s' % ('{0: <12}'.format(array[i][globals.vars.column_for_name]))
- answer += '\t%s' % ('{0: <12}'.format(array[i][globals.vars.column_for_type]))
- print answer
- i = i + 1
- self.MainMenu()
-
- if cmd == 'quit':
- print ":("
- sys.exit(1)
-
- except KeyboardInterrupt:
- print ("i'll just go now...")
- sys.exit()
+
+ def __init__(self):
+ self.modules = None
+ self.currentmodule = ''
+ self.db = db_handler.DBHandler()
+ self.commands = [("search", "Search for malwares according to a filter,\n\t\t\te.g 'search cpp worm'."),
+ ("list all", "Lists all available modules"),
+ ("use", "Selects a malware by ID"),
+ ("get", "Downloads selected malware"),
+ ("report-mal", "Report a malware you found"),
+ ("update-db", "Updates the databse"),
+ ("help", "Displays this help..."),
+ ("exit", "Exits...")]
+
+ self.searchmeth = [("arch", "which architecture etc; x86, x64, arm7 so on..."),
+ ("plat",
+ "platform: win32, win64, mac, android so on..."),
+ ("lang", "c, cpp, vbs, bin so on..."),
+ ("vip", "1 or 0")]
+
+ self.modules = self.GetPayloads()
+
+ def GetPayloads(self):
+ return self.db.get_full_details()
+
+ def MainMenu(self):
+ # This will give you the nice prompt you like so much
+ if len(self.currentmodule) > 0:
+ g = int(self.currentmodule) - 1
+ just_print = self.modules[
+ int(g)][int(globals.vars.column_for_name)]
+ cmd = raw_input(
+ globals.bcolors.GREEN + 'mdb ' + globals.bcolors.RED + str(
+ just_print) + globals.bcolors.GREEN + '#> ' + globals.bcolors.WHITE).strip()
+ else:
+ cmd = raw_input(
+ globals.bcolors.GREEN + 'mdb ' + globals.bcolors.GREEN + '#> ' + globals.bcolors.WHITE).strip()
+ try:
+ while cmd == "":
+ # print 'no cmd'
+ self.MainMenu()
+
+ if cmd == 'help':
+ print " Available commands:\n"
+ for (cmd, desc) in self.commands:
+ print "\t%s\t%s" % ('{0: <12}'.format(cmd), desc)
+ print ''
+ self.MainMenu()
+
+ # Checks if normal or freestyle search
+ if re.match('^search', cmd):
+ manySearch = manysearches.MuchSearch()
+ num_args = len(cmd.rsplit(' '))
+ if num_args > 1:
+ args = cmd.rsplit(' ')[1:]
+ num_args = len(args)
+ if num_args > 0:
+ manySearch.sort(args)
+ else:
+ print "Uh oh, Invalid search query"
+ self.MainMenu()
+
+ if cmd == 'exit':
+ sys.exit(1)
+
+ if cmd == 'update-db':
+ updateHandler = Updater()
+ updateHandler.get_maldb_ver()
+ self.MainMenu()
+
+ if cmd == 'report-mal':
+ rprt_name = raw_input("Name of malware: ")
+ rprt_type = raw_input("Type of malware: ")
+ rprt_version = raw_input("Version: ")
+ rprt_lang = raw_input("Language: ")
+ rprt_src = raw_input("Source / Binary (s/b): ")
+ rprt_arch = raw_input("Win32, ARM etc. ? ")
+ rprt_reporter = raw_input(
+ "Your name for a thank you note on theZoo.\n"
+ "Please notice that this will be public!\n\nName: ")
+ rprt_comments = raw_input("Comments? ")
+
+ report = ("//%s//\n" % rprt_name)
+ report += ("///type/%s///\n" % rprt_type)
+ report += ("///ver/%s///\n" % rprt_version)
+ report += ("///lang/%s///\n" % rprt_lang)
+ report += ("///src/%s///\n" % rprt_src)
+ report += ("///arch/%s///\n" % rprt_arch)
+ report += ("//reporter/%s//\n" % rprt_reporter)
+ report += ("//comments/%s//\n" % rprt_comments)
+
+ # Just to avoid bots spamming us...
+ email = "info"
+ email += "\x40"
+ email += "morirt\x2ecom"
+ print "-------------- Begin of theZoo Report --------------"
+ print report
+ print "-------------- Ending of theZoo Report --------------"
+ print "To avoid compromising your privacy we have chose this method of reporting."
+ print "If you have not stated your name we will not write a thanks in our README."
+ print "Your email will remain private in scenario and will not be published."
+ print ""
+ print "Please create an archive file with the structure described in the README file"
+ print "And attach it to the email. "
+ print("Please send this report to %s" % email)
+
+ self.MainMenu()
+
+ if cmd == 'get':
+ updateHandler = Updater()
+ try:
+ updateHandler.get_malware(self.currentmodule)
+ self.MainMenu()
+ except:
+ print globals.bcolors.RED + '[-]' + globals.bcolors.WHITE + 'Error getting malware.'
+ self.MainMenu()
+
+ # If used the 'use' command
+ if re.match('^use', cmd):
+ try:
+ cmd = re.split('\s+', cmd)
+ self.currentmodule = cmd[1]
+ cmd = ''
+ except:
+ print 'The use method needs an argument.'
+ self.MainMenu()
+
+ if cmd == 'list all':
+ print "\nAvailable Payloads:"
+ array = self.modules
+ i = 0
+ print "ID\tName\tType"
+ print '-----------------'
+ for element in array:
+ answer = str(array[i][globals.vars.column_for_uid])
+ answer += '\t%s' % (
+ '{0: <12}'.format(array[i][globals.vars.column_for_name]))
+ answer += '\t%s' % (
+ '{0: <12}'.format(array[i][globals.vars.column_for_type]))
+ print answer
+ i = i + 1
+ self.MainMenu()
+
+ if cmd == 'quit':
+ print ":("
+ sys.exit(1)
+
+ except KeyboardInterrupt:
+ print ("\n\nI'll just go now...")
+ sys.exit()
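Review bot: `MainMenu` still maps the selected ID onto a list position with `g = int(self.currentmodule) - 1` and `self.modules[int(g)]`, but `self.modules` is now whatever `SELECT * FROM Malwares` returns, with no ORDER BY and no guarantee that IDs are contiguous (the deleted index.csv already skipped 2 and listed 45 before 44), so the prompt can name a different malware than the one chosen; look the row up by its ID column instead, e.g. `sel = [r for r in self.modules if str(r[globals.vars.column_for_uid]) == self.currentmodule]` and use `sel[0]`. The `use` branch accepts any token, and a non-numeric or out-of-range ID then raises in `MainMenu` before the `try` block, ending the session; validating against that same lookup inside the `use` handler avoids it. The new search parsing uses `cmd.rsplit(' ')`, so a doubled space yields an empty argument that `MuchSearch.sort` substring-matches against every filter value; `re.split(r'\s+', cmd)[1:]`, as the `use` branch already does, is the safer split.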
diff --git a/imports/updatehandler.py b/imports/updatehandler.py
index 0359272..488dfea 100644
--- a/imports/updatehandler.py
+++ b/imports/updatehandler.py
@@ -1,23 +1,24 @@
#!/usr/bin/env python
- #Malware DB - the most awesome free malware database on the air
- #Copyright (C) 2014, Yuval Nativ, Lahad Ludar, 5Fingers
+ # Malware DB - the most awesome free malware database on the air
+ # Copyright (C) 2014, Yuval Nativ, Lahad Ludar, 5Fingers
- #This program is free software: you can redistribute it and/or modify
- #it under the terms of the GNU General Public License as published by
- #the Free Software Foundation, either version 3 of the License, or
+ # This program is free software: you can redistribute it and/or modify
+ # it under the terms of the GNU General Public License as published by
+ # the Free Software Foundation, either version 3 of the License, or
#(at your option) any later version.
- #This program is distributed in the hope that it will be useful,
- #but WITHOUT ANY WARRANTY; without even the implied warranty of
- #MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- #GNU General Public License for more details.
+ # This program is distributed in the hope that it will be useful,
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ # GNU General Public License for more details.
- #You should have received a copy of the GNU General Public License
- #along with this program. If not, see .
+ # You should have received a copy of the GNU General Public License
+ # along with this program. If not, see .
import sys
import urllib2
from imports import globals
+from imports import db_handler
class Updater:
@@ -30,7 +31,8 @@ def get_maldb_ver(self):
with file(globals.vars.maldb_ver_file) as f:
return f.read()
except IOError:
- print("No malware DB version file found.\nPlease try to git clone the repository again.\n")
+ print(
+ "No malware DB version file found.\nPlease try to git clone the repository again.\n")
return 0
def update_db(self):
@@ -42,11 +44,13 @@ def update_db(self):
with file(globals.vars.maldb_ver_file) as f:
f = f.read()
except IOError:
- print("No malware DB version file found.\nPlease try to git clone the repository again.\n")
+ print(
+ "No malware DB version file found.\nPlease try to git clone the repository again.\n")
return 0
curr_maldb_ver = f
- response = urllib2.urlopen(globals.vars.giturl + globals.vars.maldb_ver_file)
+ response = urllib2.urlopen(
+ globals.vars.giturl + globals.vars.maldb_ver_file)
new_maldb_ver = response.read()
if new_maldb_ver == curr_maldb_ver:
print globals.bcolors.GREEN + '[+]' + globals.bcolors.WHITE + " No need for an update.\n" + globals.bcolors.GREEN + '[+]' + globals.bcolors.WHITE + " You are at " + new_maldb_ver + " which is the latest version."
@@ -72,20 +76,24 @@ def update_db(self):
break
file_size_dl += len(buffer)
f.write(buffer)
- status = r"%10d [%3.2f%%]" % (file_size_dl, file_size_dl * 100. / file_size)
- status = status + chr(8)*(len(status)+1)
+ status = r"%10d [%3.2f%%]" % (
+ file_size_dl, file_size_dl * 100. / file_size)
+ status = status + chr(8) * (len(status) + 1)
print status,
f.close()
- def get_malware(self, id, allmal):
- #get mal location
- loc = allmal[id][globals.vars.column_for_location]
- #concat with location
- ziploc = globals.vars.giturl + '/' + loc + '.zip'
- passloc = globals.vars.giturl + '/' + loc + '.pass'
- #get from git
+ def get_malware(self, id):
+ # get mal location
+ db = db_handler.DBHandler()
+ loc = db.query("SELECT LOCATION FROM MALWARES WHERE ID=?", id)[0][0]
+ name = loc.rsplit('/')[-1]
+ # concat with location
+ ziploc = globals.vars.giturl + 'malwares/' + loc + '/' + name + '.zip'
+ passloc = globals.vars.giturl + 'malwares/' + loc + '/' + name + '.pass'
+ print ziploc + '\n' + passloc
+ # get from git
u = urllib2.urlopen(ziploc)
- f = open(id+'zip', 'wb')
+ f = open(name + '.zip', 'wb')
meta = u.info()
file_size = int(meta.getheaders("Content-Length")[0])
print "Downloading: %s Bytes: %s" % (loc, file_size)
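Review bot: The archive fetched at `u = urllib2.urlopen(ziploc)` and written to `name + '.zip'` is never checked against the per-malware `.sha256`/`.md5` files this same commit adds, so a truncated or substituted download is accepted silently; the download loop and the rest of `get_malware` continue past this hunk. After the zip is closed, fetch the sibling `.sha256` with the same URL pattern as `passloc`, take `.read().split()[0]` (the sha256 files on this page carry a filename, or even an absolute path, after the digest), compare it with `hashlib.sha256(open(name + '.zip', 'rb').read()).hexdigest()` and stop on mismatch (`hashlib` is stdlib, so it only needs an import). Separately, `db.query(...)[0][0]` raises IndexError for an ID that is not in the table, and the caller at the top of this diff only wraps that in a bare `except:`, so an explicit "no such ID" message here would be clearer; `print ziploc + '\n' + passloc` looks like a leftover debug print, and the parameter `id` shadows the builtin.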
@@ -97,14 +105,15 @@ def get_malware(self, id, allmal):
break
file_size_dl += len(buffer)
f.write(buffer)
- status = r"%10d [%3.2f%%]" % (file_size_dl, file_size_dl * 100. / file_size)
- status = status + chr(8)*(len(status)+1)
+ status = r"%10d [%3.2f%%]" % (
+ file_size_dl, file_size_dl * 100. / file_size)
+ status = status + chr(8) * (len(status) + 1)
print status,
f.close()
- #get pass from git
+ # get pass from git
u = urllib2.urlopen(passloc)
- f = open(id+'pass', 'wb')
+ f = open(name + '.pass', 'wb')
meta = u.info()
file_size = int(meta.getheaders("Content-Length")[0])
print "Downloading: %s Bytes: %s" % (loc, file_size)
@@ -116,8 +125,9 @@ def get_malware(self, id, allmal):
break
file_size_dl += len(buffer)
f.write(buffer)
- status = r"%10d [%3.2f%%]" % (file_size_dl, file_size_dl * 100. / file_size)
- status = status + chr(8)*(len(status)+1)
+ status = r"%10d [%3.2f%%]" % (
+ file_size_dl, file_size_dl * 100. / file_size)
+ status = status + chr(8) * (len(status) + 1)
print status,
f.close()
- #alert ready
+ # alert ready
diff --git a/malwares/Binaries/AndroRat_6Dec2013/AndroRat_6Dec2013.rar b/malwares/Binaries/AndroRat_6Dec2013/AndroRat.zip
similarity index 69%
rename from malwares/Binaries/AndroRat_6Dec2013/AndroRat_6Dec2013.rar
rename to malwares/Binaries/AndroRat_6Dec2013/AndroRat.zip
index 131f1c0..dd6c3e5 100644
Binary files a/malwares/Binaries/AndroRat_6Dec2013/AndroRat_6Dec2013.rar and b/malwares/Binaries/AndroRat_6Dec2013/AndroRat.zip differ
diff --git a/malwares/Binaries/AndroRat_6Dec2013/AndroRat_6Dec2013.md5 b/malwares/Binaries/AndroRat_6Dec2013/AndroRat_6Dec2013.md5
new file mode 100644
index 0000000..0861bac
--- /dev/null
+++ b/malwares/Binaries/AndroRat_6Dec2013/AndroRat_6Dec2013.md5
@@ -0,0 +1 @@
+0a4c1058b765637b6c099cc73b993e9e C:\Users\Shahak\Documents\GitHub\theZoo\malwares\Binaries\AndroRat_6Dec2013\AndroRat_6Dec2013.rar
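Review bot: This checksum file records the digest of `AndroRat_6Dec2013.rar` under the author's absolute Windows path, but the same commit renames that archive to `AndroRat.zip` with different content (similarity index 69%), so the recorded MD5 cannot match the archive that actually ships, and the path leaks a local username. The sha256 file for ExploitKit.Phoenix.2.5 further down has the same absolute-path form. Regenerate both from the shipped archive with a bare relative filename, e.g. `<md5-of-AndroRat.zip>  AndroRat.zip`, matching the form the other new checksum files in this commit use.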
diff --git a/malwares/Binaries/Android.Spy.49_iBanking_Feb2014/Android.Spy.49_iBanking_Feb2014.md5 b/malwares/Binaries/Android.Spy.49_iBanking_Feb2014/Android.Spy.49_iBanking_Feb2014.md5
new file mode 100644
index 0000000..bbc01ae
--- /dev/null
+++ b/malwares/Binaries/Android.Spy.49_iBanking_Feb2014/Android.Spy.49_iBanking_Feb2014.md5
@@ -0,0 +1 @@
+b6734f8c013ed8e011f775a1012bbfc4 Android.Spy.49_iBanking_Feb2014.zip
diff --git a/malwares/Binaries/Android.Spy.49_iBanking_Feb2014/Android.Spy.49_iBanking_Feb2014.md5sum b/malwares/Binaries/Android.Spy.49_iBanking_Feb2014/Android.Spy.49_iBanking_Feb2014.md5sum
deleted file mode 100644
index f755d71..0000000
--- a/malwares/Binaries/Android.Spy.49_iBanking_Feb2014/Android.Spy.49_iBanking_Feb2014.md5sum
+++ /dev/null
@@ -1 +0,0 @@
- b6734f8c013ed8e011f775a1012bbfc4
\ No newline at end of file
diff --git a/malwares/Binaries/Android.Spy.49_iBanking_Feb2014/Android.Spy.49_iBanking_Feb2014.pass b/malwares/Binaries/Android.Spy.49_iBanking_Feb2014/Android.Spy.49_iBanking_Feb2014.pass
index ba701bf..cba4e8b 100644
--- a/malwares/Binaries/Android.Spy.49_iBanking_Feb2014/Android.Spy.49_iBanking_Feb2014.pass
+++ b/malwares/Binaries/Android.Spy.49_iBanking_Feb2014/Android.Spy.49_iBanking_Feb2014.pass
@@ -1 +1 @@
-infected
+infected
diff --git a/malwares/Binaries/Android.Spy.49_iBanking_Feb2014/Android.Spy.49_iBanking_Feb2014.sha256 b/malwares/Binaries/Android.Spy.49_iBanking_Feb2014/Android.Spy.49_iBanking_Feb2014.sha256
new file mode 100644
index 0000000..b83be51
--- /dev/null
+++ b/malwares/Binaries/Android.Spy.49_iBanking_Feb2014/Android.Spy.49_iBanking_Feb2014.sha256
@@ -0,0 +1 @@
+2c1cd1664a79187107d5861daea265ab68c2beb1671ed54da2c90035af1b5aaf Android.Spy.49_iBanking_Feb2014.zip
diff --git a/malwares/Binaries/Trojan.Regin/Trojan.Regin.md5 b/malwares/Binaries/Trojan.Regin/Trojan.Regin.md5
new file mode 100644
index 0000000..19cc1e4
--- /dev/null
+++ b/malwares/Binaries/Trojan.Regin/Trojan.Regin.md5
@@ -0,0 +1 @@
+b4c4793b8a1ad09c256377c38d3eaafc regin.zip
diff --git a/malwares/Binaries/Trojan.Regin/Trojan.Regin.pass b/malwares/Binaries/Trojan.Regin/Trojan.Regin.pass
new file mode 100644
index 0000000..cba4e8b
--- /dev/null
+++ b/malwares/Binaries/Trojan.Regin/Trojan.Regin.pass
@@ -0,0 +1 @@
+infected
diff --git a/malwares/Binaries/Trojan.Regin/Trojan.Regin.sha256 b/malwares/Binaries/Trojan.Regin/Trojan.Regin.sha256
new file mode 100644
index 0000000..e2316af
--- /dev/null
+++ b/malwares/Binaries/Trojan.Regin/Trojan.Regin.sha256
@@ -0,0 +1 @@
+43fbb96db22586311816a5d789f1ffb4c950209996cdeb06c77b4bad117f735b regin.zip
diff --git a/malwares/Binaries/Trojan.Regin/Trojan.Regin.zip b/malwares/Binaries/Trojan.Regin/Trojan.Regin.zip
new file mode 100644
index 0000000..95dbb0d
Binary files /dev/null and b/malwares/Binaries/Trojan.Regin/Trojan.Regin.zip differ
diff --git a/malwares/Source/Original/ExploitKit.BleedingLife.2/ExploitKit.BleedingLife.2.md5 b/malwares/Source/Original/ExploitKit.BleedingLife.2/ExploitKit.BleedingLife.2.md5
new file mode 100644
index 0000000..551bc50
--- /dev/null
+++ b/malwares/Source/Original/ExploitKit.BleedingLife.2/ExploitKit.BleedingLife.2.md5
@@ -0,0 +1 @@
+69d57ad449c855745b412c5182ac7372 ExploitKit.BleedingLife.2.zip
diff --git a/malwares/Source/Original/ExploitKit.BleedingLife.2/ExploitKit.BleedingLife.2.pass b/malwares/Source/Original/ExploitKit.BleedingLife.2/ExploitKit.BleedingLife.2.pass
new file mode 100644
index 0000000..cba4e8b
--- /dev/null
+++ b/malwares/Source/Original/ExploitKit.BleedingLife.2/ExploitKit.BleedingLife.2.pass
@@ -0,0 +1 @@
+infected
diff --git a/malwares/Source/Original/ExploitKit.BleedingLife.2/ExploitKit.BleedingLife.2.sha256 b/malwares/Source/Original/ExploitKit.BleedingLife.2/ExploitKit.BleedingLife.2.sha256
new file mode 100644
index 0000000..6c27bb7
--- /dev/null
+++ b/malwares/Source/Original/ExploitKit.BleedingLife.2/ExploitKit.BleedingLife.2.sha256
@@ -0,0 +1 @@
+81bcbdc28b2b73e9ae2b33518f114c7f39295adbaa0dc8aaab193d8a72ad1ea1 ExploitKit.BleedingLife.2.zip
diff --git a/malwares/Source/Original/ExploitKit.BleedingLife.2/ExploitKit.BleedingLife.2.zip b/malwares/Source/Original/ExploitKit.BleedingLife.2/ExploitKit.BleedingLife.2.zip
new file mode 100644
index 0000000..843333c
Binary files /dev/null and b/malwares/Source/Original/ExploitKit.BleedingLife.2/ExploitKit.BleedingLife.2.zip differ
diff --git a/malwares/Source/Original/ExploitKit.CrimePack.3.1.3/Crimepack.3.1.3.md5 b/malwares/Source/Original/ExploitKit.CrimePack.3.1.3/Crimepack.3.1.3.md5
new file mode 100644
index 0000000..94ccb52
--- /dev/null
+++ b/malwares/Source/Original/ExploitKit.CrimePack.3.1.3/Crimepack.3.1.3.md5
@@ -0,0 +1 @@
+e40ba13ffda2e29c595234ab8a503ed7 Crimepack.3.1.3.zip
diff --git a/malwares/Source/Original/ExploitKit.CrimePack.3.1.3/Crimepack.3.1.3.pass b/malwares/Source/Original/ExploitKit.CrimePack.3.1.3/Crimepack.3.1.3.pass
new file mode 100644
index 0000000..cba4e8b
--- /dev/null
+++ b/malwares/Source/Original/ExploitKit.CrimePack.3.1.3/Crimepack.3.1.3.pass
@@ -0,0 +1 @@
+infected
diff --git a/malwares/Source/Original/ExploitKit.CrimePack.3.1.3/Crimepack.3.1.3.sha256 b/malwares/Source/Original/ExploitKit.CrimePack.3.1.3/Crimepack.3.1.3.sha256
new file mode 100644
index 0000000..1de69c6
--- /dev/null
+++ b/malwares/Source/Original/ExploitKit.CrimePack.3.1.3/Crimepack.3.1.3.sha256
@@ -0,0 +1 @@
+10e04d56217857d206c6d71771d9ea22ef4f65b637e056febad8580739ca5a1d Crimepack.3.1.3.zip
diff --git a/malwares/Source/Original/ExploitKit.CrimePack.3.1.3/Crimepack.3.1.3.zip b/malwares/Source/Original/ExploitKit.CrimePack.3.1.3/Crimepack.3.1.3.zip
new file mode 100644
index 0000000..ac061d5
Binary files /dev/null and b/malwares/Source/Original/ExploitKit.CrimePack.3.1.3/Crimepack.3.1.3.zip differ
diff --git a/malwares/Source/Original/ExploitKit.Phoenix.2.5/ExploitKit.Phoenix.2.5.md5 b/malwares/Source/Original/ExploitKit.Phoenix.2.5/ExploitKit.Phoenix.2.5.md5
new file mode 100644
index 0000000..4c99195
--- /dev/null
+++ b/malwares/Source/Original/ExploitKit.Phoenix.2.5/ExploitKit.Phoenix.2.5.md5
@@ -0,0 +1 @@
+dab70acf97ed516dcc7068614f90ceb9 ExploitKit.Phoenix.2.5.zip
diff --git a/malwares/Source/Original/ExploitKit.Phoenix.2.5/ExploitKit.Phoenix.2.5.pass b/malwares/Source/Original/ExploitKit.Phoenix.2.5/ExploitKit.Phoenix.2.5.pass
new file mode 100644
index 0000000..cba4e8b
--- /dev/null
+++ b/malwares/Source/Original/ExploitKit.Phoenix.2.5/ExploitKit.Phoenix.2.5.pass
@@ -0,0 +1 @@
+infected
diff --git a/malwares/Source/Original/ExploitKit.Phoenix.2.5/ExploitKit.Phoenix.2.5.sha256 b/malwares/Source/Original/ExploitKit.Phoenix.2.5/ExploitKit.Phoenix.2.5.sha256
new file mode 100644
index 0000000..e0001ea
--- /dev/null
+++ b/malwares/Source/Original/ExploitKit.Phoenix.2.5/ExploitKit.Phoenix.2.5.sha256
@@ -0,0 +1 @@
+cf5058188c7051f548ba43ef685ce2ba795ba034deb984b1970a23b5303959cf C:\Users\Shahak\Documents\GitHub\theZoo\malwares\Source\Original\ExploitKit.Phoenix.2.5\ExploitKit.Phoenix.2.5.zip
diff --git a/malwares/Source/Original/ExploitKit.Phoenix.2.5/ExploitKit.Phoenix.2.5.zip b/malwares/Source/Original/ExploitKit.Phoenix.2.5/ExploitKit.Phoenix.2.5.zip
new file mode 100644
index 0000000..b20256e
Binary files /dev/null and b/malwares/Source/Original/ExploitKit.Phoenix.2.5/ExploitKit.Phoenix.2.5.zip differ
diff --git a/theZoo.py b/theZoo.py
index ba02e47..69c71ec 100644
--- a/theZoo.py
+++ b/theZoo.py
@@ -1,34 +1,35 @@
#!/usr/bin/env python
- #Malware DB - the most awesome free malware database on the air
- #Copyright (C) 2014, Yuval Nativ, Lahad Ludar, 5Fingers
+ # Malware DB - the most awesome free malware database on the air
+ # Copyright (C) 2014, Yuval Nativ, Lahad Ludar, 5Fingers
- #This program is free software: you can redistribute it and/or modify
- #it under the terms of the GNU General Public License as published by
- #the Free Software Foundation, either version 3 of the License, or
+ # This program is free software: you can redistribute it and/or modify
+ # it under the terms of the GNU General Public License as published by
+ # the Free Software Foundation, either version 3 of the License, or
#(at your option) any later version.
- #This program is distributed in the hope that it will be useful,
- #but WITHOUT ANY WARRANTY; without even the implied warranty of
- #MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- #GNU General Public License for more details.
+ # This program is distributed in the hope that it will be useful,
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ # GNU General Public License for more details.
- #You should have received a copy of the GNU General Public License
- #along with this program. If not, see .
+ # You should have received a copy of the GNU General Public License
+ # along with this program. If not, see .
import sys
-import csv
import os
from optparse import OptionParser
from imports.updatehandler import Updater
+from imports import manysearches
from imports import muchmuchstrings
from imports.eula_handler import EULA
from imports.globals import vars
from imports.terminal_handler import Controller
+from imports import db_handler
-__version__ = "0.5.0 Citadel"
-__codename__ = "Citadel"
+__version__ = "0.6.0 Moat"
+__codename__ = "Moat"
__appname__ = "theZoo"
__authors__ = ["Yuval Nativ", "Shahak Shalev", "Lahad Ludar", "5Fingers"]
__licensev__ = "GPL v3.0"
@@ -42,6 +43,7 @@ def main():
updateHandler = Updater
eulaHandler = EULA()
bannerHandler = muchmuchstrings.banners()
+ db = db_handler.DBHandler()
terminalHandler = Controller()
def filter_array(array, colum, value):
@@ -51,22 +53,18 @@ def filter_array(array, colum, value):
def getArgvs():
parser = OptionParser()
parser = OptionParser()
- parser.add_option("-t", "--type", dest="type_of_mal", default='', help="Type of malware to search. \ne.g. botnet,trojan,virus,etc...")
- parser.add_option("-l", "--language", dest="lang_of_mal", default='', help="Language of the version of the malware which is in the databse.\e.g. vbs,vb,c,cpp,bin,etc...")
- parser.add_option("-a", "--architecture", dest="arch_of_mal", default='', help="The architecture the malware is intended for.\ne.g. x86,x64,arm7,etc...")
- parser.add_option("-p", "--platform", dest="plat_of_mal", default="", help="Platform the malware is inteded for.\ne.g. win32,win64,ios,android,etc...")
- parser.add_option("-u", "--update", dest="update_bol", default=0, help="Updates the DB of theZoo.", action="store_true")
- parser.add_option("-v", "--version" , dest="ver_bol", default=0, help="Shows version and licensing information.", action="store_true")
- parser.add_option("-w", "--license", dest="license_bol", default=0, help="Prints the GPLv3 license information.", action="store_true")
+ parser.add_option("-f", "--filter", dest="mal_filter", default=[],
+ help="Filter the malwares.", action="append")
+ parser.add_option("-u", "--update", dest="update_bol", default=0,
+ help="Updates the DB of theZoo.", action="store_true")
+ parser.add_option("-v", "--version", dest="ver_bol", default=0,
+ help="Shows version and licensing information.", action="store_true")
+ parser.add_option("-w", "--license", dest="license_bol", default=0,
+ help="Prints the GPLv3 license information.", action="store_true")
(options, args) = parser.parse_args()
return options
-
# Here actually starts Main()
-
- # Zeroing everything
- m = []
-
arguments = getArgvs()
# Checking for EULA Agreement
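Review bot: The help string for the new `-f/--filter` option, `help="Filter the malwares."`, gives no hint of what a filter value looks like or that the flag repeats (`action="append"`), and this commit removed the `-t/-l/-a/-p` help that used to list examples. Something like `help="Filter the malwares; may be given more than once (e.g. -f TERM -f TERM)."`, with the accepted terms spelled out once the search syntax is settled, would make `--help` self-sufficient. Also, `default=[]` on an `append` option is the very list optparse appends into, so it is shared across `parse_args` calls; harmless while `getArgvs` runs once, but `default=None` plus `or []` at the use site is the safe form. The duplicated `parser = OptionParser()` line is pre-existing and can go.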
@@ -75,7 +73,7 @@ def getArgvs():
eulaHandler.prompt_eula()
# Get arguments
-
+
# Check if update flag is on
if arguments.update_bol == 1:
a = Updater()
@@ -92,47 +90,14 @@ def getArgvs():
bannerHandler.print_license()
sys.exit(1)
- if (len(arguments.type_of_mal) > 0) or (len(arguments.arch_of_mal) > 0) or (len(arguments.lang_of_mal) > 0) or (len(arguments.plat_of_mal) > 0):
-
- # Take index.csv and convert into array m
- csvreader = csv.reader(open(vars.main_csv_file, 'rb'), delimiter=',')
- for row in csvreader:
- m.append(row)
-
- # Filter by type
- if len(arguments.type_of_mal) > 0:
- m = filter_array(m, vars.column_for_type, arguments.type_of_mal)
-
- # Filter by programming language
- if len(arguments.lang_of_mal) > 0:
- m = filter_array(m, vars.column_for_plat, arguments.lang_of_mal)
-
- # Filter by architecture
- if len(arguments.arch_of_mal) > 0:
- m = filter_array(m, vars.column_for_arch, arguments.arch_of_mal)
-
- # Filter by Platform
- if len(arguments.plat_of_mal) > 0:
- m = filter_array(m, vars.column_for_plat, arguments.plat_of_mal)
-
- i=0
+ if len(arguments.mal_filter) > 0:
+ manySearch = manysearches.MuchSearch()
print vars.maldb_banner
- print 'ID\tName\t\tType\t\tVersion\t\tLanguage'
- print '--\t----\t\t----\t\t-------\t\t--------'
- for g in m:
- #print 'now'
- answer = m[i][vars.column_for_uid]
- answer += '\t%s' % ('{0: <12}'.format(m[i][vars.column_for_name]))
- answer += '\t%s' % ('{0: <12}'.format(m[i][vars.column_for_type]))
- answer += '\t%s' % ('{0: <12}'.format(m[i][vars.column_for_version]))
- answer += '\t%s' % ('{0: <12}'.format(m[i][vars.column_for_pl]))
- print answer
- i += 1
-
+ manySearch.sort(arguments.mal_filter)
sys.exit(1)
- # Initiate normal run. No arguments given.
- os.system('clear')
+ # Initiate normal run. No arguments given.
+ os.system('cls' if os.name == 'nt' else 'clear')
print vars.maldb_banner
while 1:
terminalHandler.MainMenu()
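Review bot: `manySearch.sort(arguments.mal_filter)` hands the user-supplied `-f` strings to a search class whose implementation is not in this diff; since the index moved to SQLite, I cannot confirm from here that those values are bound with `?` placeholders the way `get_malware` does in `imports/updatehandler.py`, and that is worth verifying before merge. The search branch then ends with `sys.exit(1)`, so a successful query reports failure to the calling shell (the `-w` branch above does the same, pre-existing); `sys.exit(0)` is the right code here. `db = db_handler.DBHandler()` added earlier in `main` is not referenced in any visible hunk; if nothing past these hunks uses it, drop it or pass it to the search and update handlers instead of each constructing its own.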