As promised, I uploaded the virustotal results for *every* file in the paris db.
The packed sql data is about 600k; to use it:
bunzip2 paris-20091207-missionpack_avs.sql.bz2
sqlite3 logsql.sqlite < paris-20091207-missionpack_avs.sql
I can recommend sqliteman for playing with the database.
I reran the query to get Conficker's share of the incoming attacks: for the paris db, Conficker caused more than 97% of all successful attacks.
If you want to know how many files from the paris db match a Conficker signature, and which hashes belong to Conficker files:
SELECT
COUNT(download_md5_hash),
download_md5_hash
FROM
downloads
JOIN (SELECT DISTINCT av_md5_hash FROM avs WHERE av_result LIKE '%onficker%') ON(av_md5_hash = download_md5_hash)
GROUP BY
download_md5_hash
ORDER BY
COUNT(download_md5_hash) DESC
The opposite, all files which do not match a Conficker signature:
SELECT
COUNT(download_md5_hash),
download_md5_hash
FROM
downloads
LEFT OUTER JOIN (SELECT DISTINCT av_md5_hash FROM avs WHERE av_result LIKE '%onficker%') ON(av_md5_hash = download_md5_hash)
WHERE
av_md5_hash IS NULL
GROUP BY
download_md5_hash
ORDER BY
COUNT(download_md5_hash) DESC
This query is really slow, but you can watch TED - Dan Pink on motivation in the meantime.
I'm not 100% satisfied with the script which gathered the data yet, as I have severe doubts that the pythonic way to upload a file to a website is:
os.system("/opt/dionaea/bin/curl -L -o /dev/null --progress-bar -F archivo=@/tmp/binaries/%s -F enviar=true -F distribuir=1 http://www.virustotal.com/vt/en/recepcionf" % info['md5'])
I've found some snippets for python2.x, but I use python3.
If you have an idea how to
upload a file via http in python3 using POST
without reading the file into memory
or creating the whole body, including mimetype and boundary, yourself,
please let me know.
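One way to do exactly that in python3 (a hand-built multipart POST whose file part is read and sent in chunks), as an added example that is not code from the post or from dionaea. The URL and the form field names archivo/enviar/distribuir are taken from the curl command above, whether that endpoint still accepts them is not checked here; the function names multipart_body, body_length and post_file are my own.

```python
import http.client
import io
import mimetypes
import os
import uuid
from urllib.parse import urlsplit

CHUNK = 64 * 1024  # bytes read from the file per iteration


def multipart_body(fields, filefield, filename, src, boundary):
    """Yield a multipart/form-data body piece by piece (RFC 2388 framing).
    src is a binary file object read CHUNK bytes at a time, so the whole file
    never sits in memory; a bytes value is accepted too, for small inputs."""
    if isinstance(src, bytes):
        src = io.BytesIO(src)
    for name, value in fields.items():  # plain text fields first
        yield (f"--{boundary}\r\nContent-Disposition: form-data; "
               f'name="{name}"\r\n\r\n{value}\r\n').encode()
    ctype = mimetypes.guess_type(filename)[0] or "application/octet-stream"
    yield (f"--{boundary}\r\nContent-Disposition: form-data; "
           f'name="{filefield}"; filename="{filename}"\r\n'
           f"Content-Type: {ctype}\r\n\r\n").encode()
    for chunk in iter(lambda: src.read(CHUNK), b""):  # stream the file part
        yield chunk
    yield f"\r\n--{boundary}--\r\n".encode()


def body_length(fields, filefield, filename, filesize, boundary):
    """Content-Length without touching the file: size the framing around an
    empty file, then add the real file size."""
    framing = multipart_body(fields, filefield, filename, b"", boundary)
    return sum(len(p) for p in framing) + filesize


def post_file(url, fields, filefield, path):
    """Stream the file at path to url in one POST; returns (status, reply bytes)."""
    boundary = uuid.uuid4().hex  # random hex, practically never found inside the file
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.netloc)
    name, size = os.path.basename(path), os.path.getsize(path)
    conn.putrequest("POST", u.path or "/")
    conn.putheader("Content-Type", f"multipart/form-data; boundary={boundary}")
    conn.putheader("Content-Length", str(body_length(fields, filefield, name, size, boundary)))
    conn.endheaders()
    with open(path, "rb") as f:
        for piece in multipart_body(fields, filefield, name, f, boundary):
            conn.send(piece)  # each piece goes out as soon as it is produced
    resp = conn.getresponse()
    return resp.status, resp.read()
```

Called as post_file("http://www.virustotal.com/vt/en/recepcionf", {"enviar": "true", "distribuir": "1"}, "archivo", "/tmp/binaries/" + info["md5"]) it sends the same form the curl line does.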
I'll leave comments open, maybe somebody posts a cool query or at least tips where to get cheap viagra.
...Damn. Not interested in viagra or anything. Are you sure you aren't Harry Potter?