ph0neutria is a malware zoo builder that sources samples straight from the wild. Everything is stored in Viper for ease of access and manageability.
This project was inspired by Ragpicker (https://github.com/robbyFux/Ragpicker, formerly known as "Malware Crawler"). However, ph0neutria aims to:
- Limit the scope of crawling to only frequently updated and reliable sources.
- Maximise the effectiveness of individual indicators.
- Offer a single, reliable and well organised storage mechanism.
- Not do work that can instead be done by Viper.
- VX Vault.
- AlienVault OTX.
- CyberCrime Tracker.
- Payload Security (Hybrid Analysis).
- 0.6.0: Tor proxying requires pysocks (pip install pysocks) and at least version 2.10.0 of python requests for SOCKS proxy support.
- 0.9.0: OSINT functionality pulled from Phage Malware Tracker (private project) - requires VirusTotal API key. More robust retrieval of wild files. Local URL and hash caching (reduces API load).
- 0.9.1: Updated to use V3 Viper API. No longer compatiable with V2.
The following script will install ph0neutria along with Viper and Tor:
Simple as that!
chmod +x install.sh
Configure additional ClamAV signatures:
Rename os.<yourdistro>.conf to os.conf, for example:
git clone https://github.com/extremeshok/clamav-unofficial-sigs
cp clamav-unofficial-sigs.sh /usr/local/bin
chmod 755 /usr/local/bin/clamav-unofficial-sigs.sh
cp config/ /etc/clamav-unofficial-sigs
Modify configuration files:
mv os.ubuntu.conf os.conf
- master.conf: search for "Enabled Databases" and enable/disable desired sources.
- user.conf: uncomment the required lines for sources you have enabled and complete them. user.conf overrides master.conf. You must uncomment user_configuration_complete="yes" once you've completed setup for the following commands to succeed.
It'll take a while to pull down the new signatures - during which time ClamAV may not be available.
cp systemd/* /etc/systemd
rm -rf clamav-unofficial-sigs
Take precautions when piecing together your malware zoo:
- Do not disable Tor unless replacing with an anonymous VPN.
- Operate on an isolated network and on dedicated hardware.
- Only execute samples in a suitable Sandbox (refer: https://github.com/phage-nz/malware-hunting/tree/master/sandbox).
- Monitor for abuse of your API keys.
Start the Viper API:
service tor restart
Start the Viper web interface:
sudo -H -u spider python viper-api
Take note of the admin password that is created when Viper is started. Use this to log into http://<viper IP>:<viper port>/admin and retrieve the API token.
sudo -H -u spider python viper-web
- Complete the config file at: /opt/ph0neutria/config/settings.conf
You can press Ctrl+C at any time to kill the run. You are free to run it again as soon as you'd like - you can't end up with database duplicates.
sudo -H -u spider python run.py
To run this daily, create a script in /etc/cron.daily with the following:
cd /opt/ph0neutria && sudo -H -u spider python run.py
- http://malshare.com/doc.php - MalShare API documentation.
- http://viper-framework.readthedocs.io/en/latest/usage/web.html - Viper API documentation.
- https://developers.virustotal.com/v2.0/reference - VirusTotal API documentation.
- https://www.hybrid-analysis.com/apikeys/info - Payload Security API documentation.
- https://otx.alienvault.com/api - AlienVault OTX API documentation.