#!/bin/bash
################################################
## MALWARE HASH BASH 			              ##
## Written by Michael LaSalvia		          ##
## http://www.digitaloffensive.com	          ##  	
## Inspired by an article at enclave Security ##
################################################

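# --- Variables ---------------------------------------------------------------
# Edit in the path to the directory that contains the files for analysis.
# Only regular files directly inside it are hashed; nothing in it is executed,
# and the script no longer writes scratch files into it (see $scratch below).
inPath=/home/mike/virus/infect

# Path to your md5sum binary, checked for integrity before anything else.
# The expected hash came from a fresh Fedora 12 install and is specific to
# that build: regenerate it for your own system from known-good media, since
# a md5sum whose hash does not match makes the rest of this script useless.
wmd5sum=/usr/bin/md5sum
expectedMd5sumHash=019329f334fa7ef6116ad1a24271c8da

# Recipient of the final report.
mailTo=me@me.com

# Optional sed script (sed -f syntax) applied to the scraped MalwareHash.com
# result lines before they go into the report. Skipped when absent.
sedClean=$inPath/clean

set -euo pipefail

# Print a message to stderr and exit non-zero.
die() { printf '%s\n' "$*" >&2; exit 1; }

# All intermediate files live in a private temp directory rather than in the
# sample directory, so they can never be picked up as samples (the old
# "grep -v hashes/md5/clean" filtering) and are removed on any exit path.
scratch=$(mktemp -d) || die "mktemp failed"
cleanup() { rm -rf -- "${scratch:?}"; }
trap cleanup EXIT

[[ -d "$inPath" ]] || die "analysis directory not found: $inPath"
[[ -x "$wmd5sum" ]] || die "md5sum not found or not executable: $wmd5sum"

# --- Step 1: integrity check of md5sum ---------------------------------------
# NOTE: hashing md5sum with itself is circular -- a tampered binary can report
# anything about its own hash. Treat this as a sanity check only and verify
# the binary against a trusted source (package manager, install media) if in
# doubt. A mismatch now requires explicit confirmation instead of a 20 s
# pause; with no terminal on stdin the script aborts.
md5sumOutput=$("$wmd5sum" -- "$wmd5sum") || die "could not hash $wmd5sum"
mverify=${md5sumOutput%% *}
if [[ "$mverify" == "$expectedMd5sumHash" ]]; then
  echo "Your md5 hash matches"
else
  printf '%s\n' " Your md5sum hash is not right, Please verify it before continuing." >&2
  read -r -p "Continue anyway with an unverified md5sum? [y/N] " answer || answer=
  [[ "$answer" == [yY]* ]] || die "aborting: md5sum not verified"
fi

# --- Step 2: hash every regular file in the sample directory -----------------
# Output format mirrors md5sum ("<hash>  <name>", bare filename, no path) so
# the downstream cut/paste steps keep working. The sed clean-up script and a
# previous report are skipped; they are not samples. Dotfiles are skipped as
# the original 'ls' did.
hashes=$scratch/hashes.txt
: > "$hashes"
for sample in "$inPath"/*; do
  [[ -f "$sample" ]] || continue
  name=${sample##*/}
  case "$name" in
    clean|final_report.txt) continue ;;
  esac
  sampleHash=$("$wmd5sum" -- "$sample") || die "md5sum failed on $sample"
  printf '%s  %s\n' "${sampleHash%% *}" "$name" >> "$hashes"
done
[[ -s "$hashes" ]] || die "no files to analyse in $inPath"
sort -u -o "$hashes" "$hashes"

md5hash=$scratch/md5hash.txt
md5name=$scratch/md5name.txt
cut -f 1 -d ' ' "$hashes" > "$md5hash"
# Fields 3- keeps names that contain spaces intact (field 2 is the empty
# field between md5sum's two separator spaces).
cut -f 3- -d ' ' "$hashes" > "$md5name"

# --- Step 3: batch request to the Team Cymru Malware Hash Registry -----------
# The registry answers on the whois port (43); 'begin'/'end' frame a batch.
mhrRequest=$scratch/mhr_request.txt
mhrResults=$scratch/md5results.txt
{ echo begin; cat "$md5hash"; echo end; } > "$mhrRequest"
# -w bounds the wait so a silent or unreachable server cannot hang the run.
nc -w 30 hash.cymru.com 43 < "$mhrRequest" > "$mhrResults" || die "MHR lookup failed"
# Drop the registry's '#' comment lines; one result line per hash remains,
# in request order, which is what the paste below relies on.
grep -v '^#' "$mhrResults" > "$mhrResults.clean" || true
paste "$md5name" "$mhrResults.clean" > "$scratch/results.txt"

# --- Step 4: per-hash MalwareHash.com lookup (dirty scraper; site may be out of date)
report=$scratch/final_report.txt
: > "$report"
# Vendor strings whose first matching line is pulled from the result page.
vendors=(
  a-squared "Avira AntiVir" "Avast<" AVG BitDefender ClamAV Comodo "Dr.Web"
  Ewido F-PROT "G DATA" IkarusT3 Kaspersky McAfee "Malware Hash Registry"
  NOD32 Norman Panda QuickHeal "Solo Antivirus" Sophos TrendMicro VBA32
  VirusBuster
)

while IFS= read -r whashes; do
  # Only a 32-digit hex string is a valid key; anything else would otherwise
  # land verbatim in the URL and in a filename.
  if [[ ! "$whashes" =~ ^[0-9a-fA-F]{32}$ ]]; then
    printf 'skipping non-hash line: %s\n' "$whashes" >&2
    continue
  fi
  page=$scratch/$whashes.html
  lines=$scratch/$whashes.lines
  # The result page is untrusted HTML: it is only ever read with grep/sed
  # inside the scratch directory and never written next to the samples.
  if ! wget -q --random-wait -O "$page" "http://www.malwarehash.com/result.php?hash=$whashes"; then
    printf 'wget failed for %s; treating as no result\n' "$whashes" >&2
    : > "$page"
  fi
  if grep -q INFECTED "$page"; then
    : > "$lines"
    for vendor in "${vendors[@]}"; do
      # -F: vendor names are literal strings, not regexes ("Dr.Web").
      grep -m 1 -F -- "$vendor" "$page" >> "$lines" || true
    done
    # More cleaning and report creation.
    if [[ -f "$sedClean" ]]; then
      sed -f "$sedClean" "$lines" > "$lines.clean" && mv -- "$lines.clean" "$lines"
    fi
    {
      echo "Results from MalwareHash.com"
      echo " ------------------------------------------------------"
      echo "$whashes : "
      echo " ------------------------------------------------------"
      cat "$lines"
      echo " ------------------------------------------------------"
    } >> "$report"
  else
    {
      echo "Results from MalwareHash.com"
      echo "NO RESULTS FOUND for: $whashes"
      echo " ------------------------------------------------------"
    } >> "$report"
  fi
done < "$md5hash"

# --- Step 5: assemble the final report and mail it ---------------------------
# The report is rewritten on every run (the old script appended to it forever)
# and is the only file this script leaves in the sample directory.
final=$inPath/final_report.txt
{
  echo "Results from The Malware Hash Registry"
  cat "$scratch/results.txt"
  cat "$report"
} > "$final"
if command -v mail >/dev/null; then
  mail -s "Malware" "$mailTo" < "$final"
else
  printf 'mail not installed; report left at %s\n' "$final" >&2
fi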
		



