shadowserver¶ ↑

The Shadowserver Foundation is an all volunteer watchdog group of security professionals that gather, track, and report on malware, botnet activity, and electronic fraud. It is the mission of the Shadowserver Foundation to improve the security of the Internet by raising awareness of the presence of compromised servers, malicious attackers, and the spread of malware.

This rubygem queries various Shadowserver services for ASN information, malware hash lookups, and whitelist hash lookups

Usage¶ ↑

Whitelist¶ ↑

w = Shadowserver::Whitelist.by_hash(“0E53C14A3E48D94FF596A2824307B492”) {“source_version”=>“$version”, “language”=>“English”, “os_name”=>“Windows NT”, “mfg_name”=>“Corel Corporation”, “filesize”=>“2226”, “os_version”=>“Generic”, “product_name”=>“Gallery”, “filename”=>“00br2026.gif”, “crc32”=>“AA6A7B16”, “application_type”=>“Graphic/Drawing”, “source”=>“NIST”, “os_mfg”=>“Microsoft”, “product_version”=>“750,000”}

w = Shadowserver::Whitelist.by_filename(“test/notepad.exe”) {“source_version”=>“$version”, “language”=>“English”, “os_name”=>“Unknown”, “mfg_name”=>“Sony”, “filesize”=>“66048”, “os_version”=>“Unknown”, “product_name”=>“VAIO Computer Quick Start”, “filename”=>“NOTEPAD.EXE”, “crc32”=>“0BE7841C”, “application_type”=>“System Software,System restoration”, “source”=>“NIST”, “os_mfg”=>“Unknown”, “product_version”=>“Version G186.0”}

w = Shadowserver::Whitelist.by_string(File.new(“test/notepad.exe”).read) {“source_version”=>“$version”, “language”=>“English”, “os_name”=>“Unknown”, “mfg_name”=>“Sony”, “filesize”=>“66048”, “os_version”=>“Unknown”, “product_name”=>“VAIO Computer Quick Start”, “filename”=>“NOTEPAD.EXE”, “crc32”=>“0BE7841C”, “application_type”=>“System Software,System restoration”, “source”=>“NIST”, “os_mfg”=>“Unknown”, “product_version”=>“Version G186.0”}

Malware Query¶ ↑

mr = Shadowserver::Malware.query(“aca4aad254280d25e74c82d440b76f79”) {“first_seen”=>“2010-06-15 03:09:41”, “filetype”=>“exe”, “avresults”=>{“TrendMicro”=>“TROJ_DLOADR.SMM”, “AntiVir”=>“WORM/VB.NVA”, “VirusBuster”=>“Worm.VB.FMYJ”, “QuickHeal”=>“Worm.VB.at”, “Clam”=>“Trojan.Downloader-50691”, “VBA32”=>“Trojan.VBO.011858”, “Sophos”=>“Troj/DwnLdr-HQY”, “NOD32”=>“Win32/AutoRun.VB.JP”, “Kaspersky”=>“Trojan.Win32.Cosmu.nyl”, “Panda”=>“W32/OverDoom.A”, “Vexira”=>“Trojan.DL.VB.EEDT”, “G-Data”=>“Trojan.Generic.2609117”, “Ikarus”=>“Trojan-Downloader.Win32.VB”, “Norman”=>“Suspicious_Gen2.SKLJ”, “McAfee”=>“Generic”, “AVG7”=>“Downloader.Generic9.URM”, “F-Secure”=>“Worm:W32/Revois.gen!A”, “F-Prot6”=>“W32/Worm.BAOX”, “DrWeb”=>“Win32.HLLW.Autoruner.6014”, “Avast-Commercial”=>“Win32:Zbot-LRA”}, “ssdeep”=>“12288:gOqOB0v2eZJys73dOvXDpNjNe8NuMpX4aBaa48L/93zKnP6ppgg2HFZlxVPbZX:sOA2eZJ8NI8Nah8L/4PqmTVPlX”, “sha1”=>“6fe80e56ad4de610304bab1675ce84d16ab6988e”, “last_seen”=>“2010-06-15 03:09:41”, “md5”=>“aca4aad254280d25e74c82d440b76f79”} If you have access to the Extended API (see www.shadowserver.org/wiki/pmwiki.php/Services/Sandboxapi for details), then you can use the download, avresult, and ssdeep APIs.

mr = Shadowserver::Malware.download(“aca4aad254280d25e74c82d440b76f79”) Digest::MD5.hexdigest(mr) == “aca4aad254280d25e74c82d440b76f79”

mr = Shadowserver::Malware.avresult(“aca4aad254280d25e74c82d440b76f79”) {“TrendMicro”=>“TROJ_DLOADR.SMM”, “AntiVir”=>“WORM/VB.NVA”, “VirusBuster”=>“Worm.VB.FMYJ”, “QuickHeal”=>“Worm.VB.at”, “Clam”=>“Trojan.Downloader-50691”, “VBA32”=>“Trojan.VBO.011858”, “Sophos”=>“Troj/DwnLdr-HQY”, “NOD32”=>“Win32/AutoRun.VB.JP”, “Kaspersky”=>“Trojan.Win32.Cosmu.nyl”, “Panda”=>“W32/OverDoom.A”, “Vexira”=>“Trojan.DL.VB.EEDT”, “G-Data”=>“Trojan.Generic.2609117”, “Ikarus”=>“Trojan-Downloader.Win32.VB”, “Norman”=>“Suspicious_Gen2.SKLJ”, “McAfee”=>“Generic”, “AVG7”=>“Downloader.Generic9.URM”, “F-Secure”=>“Worm:W32/Revois.gen!A”, “F-Prot6”=>“W32/Worm.BAOX”, “DrWeb”=>“Win32.HLLW.Autoruner.6014”, “Avast-Commercial”=>“Win32:Zbot-LRA”}

mr = Shadowserver::Malware.ssdeep(“768:iMgK0w6C07j107GjD9h73eVv+hu8XZXc7OZrxuZDJihVJvmtjP:ZZ0w70n4GjD9hbeaLXhcMxaDJQXvojP”) [“3ae7fc35e4dd3dd1b2afe7a9a20fe8f8”]

ASN Query¶ ↑

a = Shadowserver::ASN.origin(“4.2.2.5”) {“cc”=>“US”, “domain”=>“LEVEL3.NET”, “isp”=>“LEVEL 3 COMMUNICATIONS INC”, “asn”=>3356, “asname”=>“LEVEL3”, “cidr”=>“4.0.0.0/9”}

a = Shadowserver::ASN.peer(“4.2.2.5”) {“cc”=>“US”, “prefix”=>“4.0.0.0/9”, “domain”=>“LEVEL3.NET”, “isp”=>“LEVEL 3 COMMUNICATIONS INC”, “asn”=>3356, “asname”=>“LEVEL3”, “peers”=>[701, 1239]}

a = Shadowserver::ASN.prefix(2637) [“128.61.0.0/19”, “128.61.32.0/19”, “128.61.64.0/18”, “128.61.128.0/17”, “130.207.0.0/16”, “143.215.0.0/16”, “204.152.10.0/23”]

Contributing to shadowserver¶ ↑

• Check out the latest master to make sure the feature hasn’t been implemented or the bug hasn’t been fixed yet

• Check out the issue tracker to make sure someone already hasn’t requested it and/or contributed it

• Fork the project

• Start a feature/bugfix branch

• Commit and push until you are happy with your contribution

• Make sure to add tests for it. This is important so I don’t break it in a future version unintentionally.

• Please try not to mess with the Rakefile, version, or history. If you want to have your own version, or is otherwise necessary, that is fine, but please isolate to its own commit so I can cherry-pick around it.

Copyright¶ ↑

Copyright © 2011 Chris Lee. See LICENSE.txt for further details.