Infiltrator v0.1
For those of you interested in little helpful tools, I uploaded my infiltrator script for quick and dirty botnet monitoring. There is no documentation available right now, but usually a question mark in front of a command gives some hints (e.g. ? show all).
Have fun: infiltrator.tar.gz
...just stumbled upon your blog,
haven't had the chance of "playing" around with "Infiltrator" yet...
seems to be a really nifty automation tool ;-)
Any plans for further development...
e.g. is its functionality gonna be included in Amun or so?
Posted by sowhat-x — 22 Nov 2007, 04:15
thx, but you should play around with the tool first, then praise me =)
i was thinking about further development, maybe i integrate some other protocols like HTTP to monitor. currently i do not have much time.
amun is a honeypot designed to capture malware, and infiltrator is a tool for quick and dirty botnet monitoring, so they do not really fit together. however i was thinking about some system composed of amun, a sandbox, probably cwsandbox, and something like the infiltrator to work together...but we'll see =)
Posted by jan — 22 Nov 2007, 07:19
...so you do have some further plans in mind ;-)
And yes, you're right, sometimes I do get over-excited, lol...
haven't seen many tools for fiddling around with IRC though,
Honeysnap only, that's where my enthusiasm came from...
Posted by sowhat-x — 24 Nov 2007, 05:45
thanks for your great work!
I've a question: why don't you use "irc library for python" to develop this tool?
Posted by xiaoxiao — 09 Jan 2008, 10:38
actually i don't know =)
but i will take a closer look at it, because it sounds really good. thx for the hint.
Posted by jan — 09 Jan 2008, 16:27
I've been using your amun for several days and it really does excellent work. Now I can
capture about 10 malware samples per day.
I'm so glad to give valuable information to you because you have helped us so much. Thanks for your sharing spirit :-)
The python lib is below:
http://python-irclib.sourceforge.net/
Besides, I can't agree more with your opinion that an http-based botnet tracking function should be added to the Infiltrator. The http-based botnets have become mainstream nowadays :)
Thanks again for your excellent work and sharing spirit.
Posted by xiaoxiao — 10 Jan 2008, 02:24
glad to hear that it's working =)
thx for the url.
do you have some http-based botnet information? i currently have only one http botnet to monitor...some more would be better to improve the monitoring script
Posted by jan — 11 Jan 2008, 13:22
For several days, I can't access the website.
I'm trying to capture http-based botnets ASAP recently. If I've valuable results, I'll share them with you immediately.
My Email: BotFocus@gmail.com
Besides, I've found a bug in amun in submit_md5.py.
When amun runs in Windows, it will replace '0A' with '0D0A'. As a result, the md5 is correct but the malware file is corrupted.
### store to disc
...
fp = open(filename, 'a+')
fp.write(file_data)
...
change the 'a+' to 'a+b', then it works correctly in Windows :-)
Posted by xiaoxiao — 17 Jan 2008, 04:02
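The text-mode write bug reported above, as an added example (not amun's own code, which was Python 2): the original 'a+' open lets the platform translate every 0x0A byte into 0x0D 0x0A on Windows, so the hash computed from the in-memory sample no longer matches what was stored. The example simulates that translation on any platform with Python 3's newline argument, shows the binary-mode fix, and adds the check a honeypot should run after storing a sample; all function names are hypothetical.

```python
import hashlib
import os
import tempfile

# Constructed sample: a binary blob containing both a bare 0x0A byte and a
# 0x0D 0x0A pair, as any captured executable may.
SAMPLE = b"MZ\x90\x00\x0a\x0d\x0a\x00PAYLOAD\x0a"


def store_text_mode(path, data):
    """Reproduce the defective write from the bug report.
    The original used 'a+' (text mode); on Windows every '\\n' written in text
    mode becomes '\\r\\n'. newline='\\r\\n' forces that same translation on any
    platform, and latin-1 keeps the byte-to-character mapping one-to-one."""
    with open(path, "a", encoding="latin-1", newline="\r\n") as fp:
        fp.write(data.decode("latin-1"))


def store_binary_mode(path, data):
    """The corrected write ('a+b' in the report): binary mode, bytes unchanged."""
    with open(path, "ab") as fp:
        fp.write(data)


def stored_matches(path, data):
    """Compare the on-disk sample against the hash of the captured bytes.
    A mismatch means the artefact was altered between capture and storage,
    which the bug report says the md5 alone did not reveal."""
    with open(path, "rb") as fp:
        on_disk = fp.read()
    return hashlib.md5(on_disk).hexdigest() == hashlib.md5(data).hexdigest()


def demo():
    """Store SAMPLE both ways; returns (text_mode_ok, binary_mode_ok)."""
    with tempfile.TemporaryDirectory() as tmp:
        text_path = os.path.join(tmp, "sample_text.bin")
        bin_path = os.path.join(tmp, "sample_bin.bin")
        store_text_mode(text_path, SAMPLE)
        store_binary_mode(bin_path, SAMPLE)
        return stored_matches(text_path, SAMPLE), stored_matches(bin_path, SAMPLE)


if __name__ == "__main__":
    print(demo())  # text-mode copy corrupted, binary-mode copy intact
```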
hi, i don't know why the webserver was down. the whole kulando pages were not reachable...
sharing information would be very nice.
do i get that right, you are running amun in microsoft windows?
thanks for the bug information, i'll fix it with the next minor release, which is almost ready.
Posted by jan — 17 Jan 2008, 09:10
Exactly, I use amun in a vmware-based windows xp. So the python api will replace 0a with 0d0a automatically if it regards the file as "text" type.
Great, look forward to your next version amun!
Posted by xiaoxiao — 18 Jan 2008, 09:27
wow, i didn't expect amun to run almost unchanged with windows. Good to know =)
Posted by jan — 20 Jan 2008, 14:34
Thanks for script. Posted only on 2nd attempt :)
Posted by Fergie — 26 Apr 2008, 08:18
hey thanks for the script
Posted by currency forex trading — 23 Jul 2008, 13:16
Are you releasing any other updates to your infiltrator script? Great tool!
Posted by magictao — 10 Oct 2008, 21:38
i guess it is about time =) i'll try to get a tar file ready by the end of the week.
Posted by jan — 14 Oct 2008, 10:12