…what’s 15,000 pictures worth?

Yup, minotaur now saves a video of each (relevant) sample processed via it’s cuckoo VMs.

What does it look like? WHy not check out a few samples with videos:

Fake AV
Hupigon

And for some old school mayhem:
Joke.Program

The system is automatically recording new samples as they come in as well as back-filling samples as it has time.

Languy99 has published a video comparison of malware detection capabilities or Kaspersky 2012 vs. Norton 2012 Beta

If it’s true a picture is worth a thousand words, then things just got a lot more interesting here…

That’s right… Minotaur now has screenshots taken at intervals during the execution of the malware in one of our sandbox systems (cuckoo)

Not all samples have screenshots. For some examples, try:

• 149c6c045b0b50dd158f160af75ded60
• a1707abae656968dc069a483ec848bd6
• 58d1c30452243b2a0682a7f5ff9d1fd8
• 918db0dbacb499775f12fa89cae0f0a9
• c2854eec4e766ec33c223bbae3a43819
• ce9787ed7a281f28c57b2f7fabd7d7c3

Once we catch up on the backlog, the system should add these screenshots as each sample is analyzed (exe only for now, PDF next).

Because cuckoo can run these dynamic analysis routines faster than the other sandbox environments we’ve built, it is becoming an integral part of the Minotaur platform. We are just working on scaling it up to what minotaur needs now.

Minotaur now presents all stats on every malware family we track here.

The list page presents little maps of the average location of our detections of each malware family. While still in the very early stages of developing these tools, I have noticed the vast majority of these maps center in on europe. At this time, I believe this is due to that region being the intersection of all the points from otherwise very diverse geographic locations, and is not indicative of raised activity in europe.

Clicking on a family name will take you to our detailed statistics for that malware family, including a map of the most recently observed distribution servers. There is also a list of the actual samples here. Clicking on a sample will bring you to our detailed report on that particular sample.

This page will show you everything we know about a particular sample, including filetype probabilities, vendor concurrence, detections by all vendor engines, and links to outside information. In the near future, upgrades will allow you to pull the raw data reports from our tools for each sample.

We’ve also been busy integrating our different toolsets. For instance, in the detailed malware sample reports, near the bottom we have integrated our anti-malware DNS system’s known info for the originating site’s domain:

And very importantly, we are working on integrating a discussion engine into every page for every family, every sample, every category, everything. Feel free to leave a comment on any object you want, as it builds our community and could help out the malware research community as a whole by sharing what we know with each other.

Minotaur now has the ability to let users search for hashes of samples we may have analyzed, and has integrated the same reporting system into the CML. Click the ID number of the sample in the CML for a full report on what we know. You can search for any sample you want, using either the form on the homepage, or by clicking here.