Search Capability Arrives
by dave on Jun.10, 2011, under Analytics, Minotaur
Minotaur now has the ability to let users search for hashes of samples we may have analyzed, and has integrated the same reporting system into the CML. Click the ID number of the sample in the CML for a full report on what we know. You can search for any sample you want, using either the form on the homepage, or by clicking here.
Anti-Malware DNS Tool is Back Online
by dave on May.08, 2011, under Minotaur, Tools
Our Anti-Malware DNS Service Query Tool is back online. During testing, we found a flaw in the way the return data from ClearCloud DNS was being parsed. It appears they have added redirect servers we were not aware of, so we have added those to the system, which should yield better metrics in their favor. When the tool started, ClearCloud was the leader by a long shot in blocking access to domains hosting malicious content, but soon fell into the background. This may explain that slide.
If you have not yet used the tool, please check it out here: http://minotauranalysis.com/tools/dnscheck.aspx
Minotaur Update 110507
by dave on May.08, 2011, under Analytics, Malware, Minotaur
Updates
by dave on May.07, 2011, under Minotaur
There are many new updates behind the scenes at Minotaur. For starters, as you can tell, we have a new look. Actually, this is an old look for anyone who has seen our internal servers, but we wanted to bring a consistent look and feel to the public side as well.
We have moved around a lot of our databases and are hoping to provide new stats and the ability to search for a sample soon. The database changes are the reason the collection system has been offline for a few days, but fear not, it is running full-steam now, and we should be getting some brand new samples from the crawls.
The anti-malware DNS resolver appears to be down. We are looking into this.
Minotaur now has ssh honeypots based on kippo installed and recording data.
Long-time friend of Minotaur, dyslexicjedi, has started a blog at http://www.dyslexicjedi.com/.
Lots of fixes going on behind the scenes.
If you find this system useful, please drop us a line at info@novcon.net. We’d love to hear from you.
Week-in-Malware Review
by dave on Apr.12, 2011, under Malware
- Monthly update from Sophos: help get rid of IE6, avoid tsunami scams, check out Pwn2own, be surprised at RSA, and groan at Epsilon
- Team Cymru: Episode 98
- The Hacker News Network:
- Languy99's Emsisoft Antimalware 5.1 Review:
- Languy99's K7 Total Security Review:
- Matt Rizos on Using the Norton Bootable Removal Tool:
- XP/Vista/Win 7 Anti-Virus/Anti-Spyware/Home/Total/Internet Security 2011 Removal Guide by RogueAmp:
- Avast! Free Antivirus 6.0 Review and Malware Test by Cudgelwap1:
- Activation Ransom Trojan – by F-Secure
Reviving TRUMAN: Introducing NUMAN
by dave on Apr.10, 2011, under Minotaur
We’re going to start opening up about some of the projects we’re working on that we think will benefit the research community at large.
Minotaur is a lot of things to us internally. Mostly, it is an experimental platform for malware analysis. It contains a few different sandboxes and sandnets, but it is not itself one. The sandboxes just provide the data for the bigger projects.
Below, you are looking at the first screenshots of the internal platform, just recently constructed. The four-plex view shows several analyst workstations accessed through mRemoteNG. The single screenshot is the result of our efforts to adapt TRUMAN to our environment, which was a serious challenge as not that much information exists on the TRUMAN SandNet at all. The current version of the project is something we're calling NUMAN, since it is a new version of TRUMAN, and well, MUMAN sounded funny…
NUMAN is able to successfully run under proxmox and has a hybrid approach to the imaging required by a sandnet. If there is sufficient interest, we’d be happy to detail the steps we took and publish our changes. In some ways there’s almost nothing left of TRUMAN, and it has been replaced by our own code/methods.
Along with NUMAN, we are running 20 zerowine images in a queued system, and all samples deemed malicious are sent through that system and the data is parsed into our databases. We are looking for commonality in dropfiles, naming conventions, calls, packers, evasion technologies and many other attributes of each sample.
Analysts/researchers/volunteers are also given full remote desktop access to workstations in the research network. A common wiki/portal for all research and information is called the "Oracle".
Access to the research network is provided by VPN, and we are accepting informal applications. If you are interested in access to the platform, or in sharing samples, output, stats, etc., please let us know at info@novcon.net.
More to come…
Setting up the blog
by dave on Mar.30, 2011, under Minotaur
We have a lot of things going on behind the scenes at Minotaur, and we’ve decided to drop our in-house system we were going to use for a blog and pick up wordpress. This should allow us to update the blog easier and provide a better home for some upcoming data dumps.
The web site you see here is just a small fraction of what Minotaur is, so stay tuned as we begin to open up about the virtualization cluster, some of the tests we run, the environment we work in and the data we’re getting from the samples we analyze.
Introducing the DNS Comparison Tool
by admin on Feb.27, 2011, under Analytics, Tools
NovCon is pleased to announce the availability of a new tool to view the entries of several major anti-malware DNS providers for a given hostname. Please check out the new DNS research tool available here and also see some of our statistics on the tool here. Note that our own internal collectors and tools are using the same backend, so we already have some rich data that we are mining for statistics.
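The DNS comparison tool described here, and the ClearCloud parsing flaw described in the "Anti-Malware DNS Tool is Back Online" post above, both come down to one check: query a hostname through each provider and decide whether the answer is a block/redirect address. The script below is an added example, not Minotaur's or NovCon's own code. Provider names, block addresses and DNS answers are constructed from RFC 5737 documentation ranges so it runs offline; `make_resolver()` stands in for live queries. It also shows the failure mode the post describes: an answer that differs from an unfiltered resolver but matches no known redirect server is flagged as "suspected-redirect" rather than being silently scored as "resolved", so a provider's new redirect servers surface for review and can be added to the table.

```python
"""Compare the answers several anti-malware DNS providers give for a hostname.

Added example, not Minotaur's own code. Provider names, block/redirect
addresses and DNS answers below are constructed (RFC 5737 documentation
ranges) so the script runs offline; a real deployment would replace
make_resolver() with live queries against each provider.
"""
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]  # hostname -> A records ([] for NXDOMAIN)

# Constructed: the block/redirect addresses each provider is known to return.
# This table must be kept current: a provider that adds a redirect server not
# listed here would otherwise be scored as "not blocking" the hostname.
KNOWN_BLOCK_ADDRESSES: Dict[str, List[str]] = {
    "ProviderA": ["203.0.113.10", "203.0.113.11"],
    "ProviderB": ["198.51.100.0/24"],
}

# Constructed answers from an unfiltered resolver ("Plain") and two filtering providers.
CONSTRUCTED_ANSWERS: Dict[str, Dict[str, List[str]]] = {
    "Plain":     {"good.example": ["192.0.2.5"], "bad.example": ["192.0.2.99"],
                  "evil.example": ["192.0.2.77"], "gone.example": []},
    "ProviderA": {"good.example": ["192.0.2.5"], "bad.example": ["203.0.113.10"],
                  "evil.example": ["203.0.113.50"], "gone.example": []},  # .50 not yet in the table
    "ProviderB": {"good.example": ["192.0.2.5"], "bad.example": ["198.51.100.200"],
                  "evil.example": ["198.51.100.201"], "gone.example": []},
}


def make_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Build an offline resolver from a constructed answer table."""
    return lambda host: list(table.get(host, []))


def is_block_address(provider: str, addr: str, block_table: Dict[str, List[str]]) -> bool:
    """True if addr falls inside one of the provider's known block/redirect entries."""
    ip = ip_address(addr)
    return any(ip in ip_network(entry, strict=False) for entry in block_table.get(provider, []))


def classify(provider: str, answers: List[str], baseline: List[str],
             block_table: Dict[str, List[str]]) -> str:
    """Verdict for one provider's answer, compared with the unfiltered baseline."""
    if not answers:
        return "nxdomain"
    if any(is_block_address(provider, a, block_table) for a in answers):
        return "blocked"
    if set(answers) == set(baseline):
        return "resolved"
    # Differs from the unfiltered answer but matches no known redirect server:
    # flag it for review instead of silently counting it as "resolved".
    return "suspected-redirect"


def compare(hostname: str, resolvers: Dict[str, Resolver],
            block_table: Dict[str, List[str]], baseline: str = "Plain") -> Dict[str, str]:
    """Per-provider verdict for one hostname."""
    base = resolvers[baseline](hostname)
    return {name: classify(name, resolve(hostname), base, block_table)
            for name, resolve in resolvers.items() if name != baseline}


def block_counts(hostnames: List[str], resolvers: Dict[str, Resolver],
                 block_table: Dict[str, List[str]], baseline: str = "Plain") -> Dict[str, int]:
    """Per-provider count of hostnames scored as blocked (the tool's headline metric)."""
    counts = {name: 0 for name in resolvers if name != baseline}
    for host in hostnames:
        for name, verdict in compare(host, resolvers, block_table, baseline).items():
            if verdict == "blocked":
                counts[name] += 1
    return counts


RESOLVERS = {name: make_resolver(table) for name, table in CONSTRUCTED_ANSWERS.items()}
HOSTS = ["good.example", "bad.example", "evil.example", "gone.example"]

if __name__ == "__main__":
    for host in HOSTS:
        print(host, compare(host, RESOLVERS, KNOWN_BLOCK_ADDRESSES))
    print("before:", block_counts(HOSTS, RESOLVERS, KNOWN_BLOCK_ADDRESSES))
    # Add the newly discovered redirect server and re-score, as the post describes.
    updated = {**KNOWN_BLOCK_ADDRESSES,
               "ProviderA": KNOWN_BLOCK_ADDRESSES["ProviderA"] + ["203.0.113.50"]}
    print("after: ", block_counts(HOSTS, RESOLVERS, updated))
```

Run as-is, ProviderA is credited with one block and ProviderB with two, and `evil.example` is reported as a suspected redirect for ProviderA; once 203.0.113.50 is added to ProviderA's entry the counts even out. Comparing against an unfiltered baseline is what makes the unknown redirect visible: a provider's answer alone cannot distinguish a sinkhole from a legitimate address.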