full screen background image
Search
Wednesday 13 September 2017
  • :
  • :

theZoo – A repository of LIVE malwares for your own joy and pleasure

 

theZoo is a project created to make the possibility of malware analysis open and available to the public. Since we have found out that almost all versions of malware are very hard to come by in a way which will allow analysis, we have decided to gather all of them for you in an accessible and safe way. theZoo was born by Yuval tisf Nativ and is now maintained by Shahak Shalev.
Documentation and Notes

Background:
theZoo’s objective is to offer a fast and easy way of retrieving malware samples and source code in an organized fashion in hopes of promoting malware research.

Root Files:
Since version 0.42 theZoo has been undergoing dramatic changes. It now runs in both CLI and ARGVS modes. You can call the program with the same command line arguments as before. The current default state of theZoo runtime is the CLI. The following files and directories are responsible for the application’s behaviour.

/conf
The conf folder holds files relevant to the particular running of the program but are not part of the application. You can find the EULA file in the conf and more.

/imports
Contains .py and .pyc import files used by the rest of the application

/malwares/Binaries
The actual malwares samples – be careful!

/malware/Source
Malware source code 🙂

Directory Structure:
Each directory is composed of 4 files:

  • Malware files in an encrypted ZIP archive.
  • SHA256 sum of the 1st file.
  • MD5 sum of the 1st file.
  • Password file for the archive.

Structure of maldb.db
maldb.db is the DB which theZoo is acting upon to find malware indexed on your drive. The structure is as follows:

uid,location,type,name,version,author,language,date,architecture,platform,comments,tags
  • UID – Determined based on the indexing process.
  • Location – The location on the drive of the malware you have searched for.
  • Type – Sorts the different types of malware there are. So far we sort by: Virus, Trojans, Botnets, Ransomware, Spyware
  • Name – Just the name of the malware.
  • Version – Nothing to say here as well.
  • Author – … I’m not that into documentation…
  • Programming Language – The state of the malware in regard to source, bin, or which type of source. c/cpp/bin…
  • Date – See ‘Author’ section.
  • Architecture – The arch the platform was build for. Can be x86, x64, arm7….
  • Platform – Win32, Win64, *nix32, *nix64, iOS, android and so on.
  • Comments – Any comments there may be about the item.
  • Tags – Tags matching the item.

An example line will look as follow:

104,Source/Original/Dexter,trojan,Dexter,2,unknown,c,00/05/2013,x86,win32,NULL,Source

Bugs and Reports

Change Log for v0.60:

  • Moved DB to SQLite3.
  • Searching overhaul to a freestyle fashion.
  • Fixed “get” command.
  • More & more malwares.

Change Log for v0.50:

  • Better and easier UI.
  • Aligned printing of malwares.
  • Command line arguments are now working.
  • Added 10 more malwares (cool ones) to the DB.

Change Log for v0.42:

  • Fix EULA for proper disclaimer.
  • More precise searching and indexing including platform and more.
  • Added 10 new malwares.
  • Git update of platform and new malware.
  • Fix display of search.
  • Enable support for platform and architecture in indexing.
  • Separate between database and application.
  • UI improvements.

Change Log for v0.43:

  • Verify argv to be working properly. (fixes in v0.5)
  • Virus-Total upload and indexing module. – Not possible due to restrictions of VT.
  • Automatic reporting system for malwares which are not indexed in the framework.

Change Log for v0.50:

  • Malware analysis pack has been removed to reduce clone size.
  • More documentation has been added.
  • Removed debugging function which were dead in the code.

Predicted Change Log for v1.0

  • Fix auto-complete for malware frameworks. (thanks to 5fingers)
  • Consider changing DB to XML or SQLite3. (Sheksa – done :))
  • Move malwares to another repo.
  • Better UI features.
Πηγή : kitploit


Anastasis Vasileiadis

PC Technical || Penetration Tester || Ethical Hacker || Cyber Security Expert || Cyber Security Analyst || Information Security Researcher || Part-Time Hacker || Child Pornography & Sexual Abuse Combat


Leave a Reply