As promised, I uploaded the virustotal results for *every* file in the paris db.
The packed SQL data is 600k; to load it:
sqlite3 logsql.sqlite < paris-20091207-missionpack_avs.sql
I can recommend sqliteman for playing with the database.
I reran the query to get Conficker's share of the incoming attacks; for the paris db, Conficker caused more than 97% of all successful attacks.
If you want to know how many files from the paris db match a Conficker signature, and which hashes belong to Conficker files:
JOIN (SELECT DISTINCT av_md5_hash FROM avs WHERE av_result LIKE '%onficker%') ON(av_md5_hash = download_md5_hash)
The opposite, all files which do not match a Conficker signature:
LEFT OUTER JOIN (SELECT DISTINCT av_md5_hash FROM avs WHERE av_result LIKE '%onficker%') ON(av_md5_hash = download_md5_hash)
av_md5_hash IS NULL
This query is really slow, but you can watch TED - Dan Pink on motivation in the meantime.
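A self-contained version of both queries, added here as an example rather than code from the post: it builds a tiny in-memory stand-in for the logsql tables (the table name downloads, the extra columns and the hashes are constructed assumptions; the column names av_md5_hash, av_result and download_md5_hash are the post's), runs the JOIN and the LEFT OUTER JOIN against it and computes the Conficker share. The index on avs(av_md5_hash) is what keeps the outer join from crawling on a real database.

```python
import sqlite3

# Constructed stand-in for two tables of dionaea's logsql.sqlite. The column
# names av_md5_hash, av_result and download_md5_hash are from the post; the
# table name "downloads" is assumed and the hashes are placeholders.
SCHEMA = """
CREATE TABLE downloads (download INTEGER PRIMARY KEY, download_md5_hash TEXT);
CREATE TABLE avs (av INTEGER PRIMARY KEY, av_md5_hash TEXT, av_result TEXT);
CREATE INDEX avs_md5 ON avs (av_md5_hash);  -- makes the OUTER JOIN far less slow
"""
DOWNLOADS = ["md5-aaa", "md5-aaa", "md5-aaa", "md5-bbb", "md5-ccc"]
AV_RESULTS = [  # one row per (file, engine verdict), the way VirusTotal reports them
    ("md5-aaa", "Worm.Win32.Conficker.B"),
    ("md5-aaa", "W32/Conficker.worm"),
    ("md5-bbb", "Net-Worm.Win32.Kido.ih"),   # Conficker alias: the LIKE pattern misses it
    ("md5-ccc", "Trojan.Generic"),
]
# The post's subquery: every hash some engine labelled Conficker. DISTINCT matters
# because one file has many AV rows and would otherwise count once per engine.
CONFICKER = "SELECT DISTINCT av_md5_hash FROM avs WHERE av_result LIKE '%onficker%'"

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO downloads (download_md5_hash) VALUES (?)",
                     [(h,) for h in DOWNLOADS])
    conn.executemany("INSERT INTO avs (av_md5_hash, av_result) VALUES (?, ?)", AV_RESULTS)
    return conn

def conficker_downloads(conn):
    """Downloads per hash for files matching a Conficker signature (inner JOIN)."""
    sql = f"""SELECT download_md5_hash, COUNT(*) FROM downloads
              JOIN ({CONFICKER}) ON (av_md5_hash = download_md5_hash)
              GROUP BY download_md5_hash"""
    return dict(conn.execute(sql).fetchall())

def other_downloads(conn):
    """The opposite: LEFT OUTER JOIN keeps unmatched rows, then filter on NULL."""
    sql = f"""SELECT download_md5_hash, COUNT(*) FROM downloads
              LEFT OUTER JOIN ({CONFICKER}) ON (av_md5_hash = download_md5_hash)
              WHERE av_md5_hash IS NULL
              GROUP BY download_md5_hash"""
    return dict(conn.execute(sql).fetchall())

def conficker_share(conn):
    """Fraction of successful attacks (downloads) whose file matched Conficker."""
    total = conn.execute("SELECT COUNT(*) FROM downloads").fetchone()[0]
    return sum(conficker_downloads(conn).values()) / total

if __name__ == "__main__":
    db = build_sample_db()
    print(conficker_downloads(db), other_downloads(db), conficker_share(db))
```

The Kido row shows the limit of matching on the name string alone: engines that use the alias are not counted as Conficker by either query.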
I'm not 100% satisfied with the script which gathered the data yet, as I have severe doubts that the pythonic way of uploading a file to a homepage is:
os.system("/opt/dionaea/bin/curl -L -o /dev/null --progress-bar -F archivo=@/tmp/binaries/%s -F enviar=true -F distribuir=1 http://www.virustotal.com/vt/en/recepcionf" % info['md5'])
I've found some snippets for python2.x, but I use python3.
If you've got an idea how to upload a file via HTTP in python3 using POST, without reading the file into memory and without creating the whole body including mimetype and boundary yourself, please let me know.
I'll leave comments open; maybe somebody posts a cool query, or at least tips on where to get cheap viagra.