Lopi/maltrieve

A tool to retrieve malware directly from the source for security researchers.

 _______ _______        _______  ______ _____ _______ _    _ _______
 |  |  | |_____| |         |    |_____/   |   |______  \  /  |______
 |  |  | |     | |_____    |    |    \_ __|__ |______   \/   |______

Maltrieve

Maltrieve originated as a fork of mwcrawler. It retrieves malware directly from the sources as listed at a number of sites. Currently we crawl the following:

• Malc0de
• Malware Black List
• Malware Domain List
• VX Vault
• URLquery
• CleanMX
• ZeusTracker

These lists will be implemented if/when they return to activity.

• NovCon Minotaur

Other improvements include:

• Proxy support
• Multithreading for improved performance
• Logging of source URLs
• Multiple user agent support
• Better error handling
• VxCage, Viper and Cuckoo Sandbox support

Installation

Maltrieve requires the following dependencies:

• Python 2 plus header files (2.6 should be sufficient)
• BeautifulSoup version 4
• feedparser
• python-magic
• Requests

With the exception of the Python header files, these can all be found in requirements.txt. On Debian-based distributions, run sudo apt-get install python-dev. On Red Hat-based distributions, run sudo yum install python-devel. The rest of the requirements can be installed locally using pip install -r requirements.txt. You may need to prepend that with sudo if not running in a virtual environment.

Usage

Basic execution: python maltrieve.py

Options

usage: maltrieve.py [-h] [-p PROXY] [-d DUMPDIR] [-l LOGFILE] [-x] [-v] [-c] [-s]

optional arguments:
  -h, --help            show this help message and exit
  -p PROXY, --proxy PROXY
                        Define HTTP proxy as address:port
  -d DUMPDIR, --dumpdir DUMPDIR
                        Define dump directory for retrieved files
  -l LOGFILE, --logfile LOGFILE
                        Define file for logging progress
  -x, --vxcage          Dump the files to a VxCage instance
  -v, --viper           Dump the files to a Viper instance
  -c, --cuckoo          Enable Cuckoo analysis
  -s, --sort_mime       Sort files by MIME type

Configuration File

Many of Maltrieve's command line options can be specified in maltrieve.cfg.

License

Released under GPL version 3. See the LICENSE file for full details.

Known bugs

We list all the bugs we know about (plus some things we know we need to add) at the GitHub issues page.

How you can help

Aside from pull requests, non-developers can open issues on Github. Things we'd really appreciate:

• Bug reports, preferably with error logs
• Suggestions of additional sources for malware lists
• Descriptions of how you use it and ways we can improve it for you

Check the contributing guide for details. If you'd prefer not to open an issue, you can contact me on Twitter or email.