This document discusses Zagros, a tool for automating the mining of malware data from VirusTotal. It summarizes Zagros' capabilities, such as obtaining malicious hashes, URLs, and files seen in the wild with a low false-positive rate, and gives an overview of the algorithms Zagros uses to score and select indicators. Statistics show that it mines a large percentage of the new data submitted to VirusTotal each day. The document demonstrates Zagros in use and lists the resources and prerequisites needed to run it.
hex editor and see multiple occurrences of the split string 'visua' followed by an MZ header, which suggests that the file infector carries within it many other files that it has attempted to infect over time as it has spread.
200 OK: The request has succeeded.
100 Continue: The client SHOULD continue with its request. This interim response is used to inform the client that the initial part of the request has been received and has not yet been rejected by the server. The client SHOULD continue by sending the remainder of the request or, if the request has already been completed, ignore this response.
403 Forbidden: The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated.
404 Not Found: The server has not found anything matching the Request-URI. No indication is given of whether the condition is temporary or permanent.
https://www.forcepoint.com/master-database-url-categories
# Weight assigned to each Forcepoint URL category (higher = stronger indicator of malicious activity)
categories_score = {
    "blogs": 1,
    "uncategorized": 0,
    "malicious web sites": 4,  # sites containing code that intentionally modifies users' systems
    "suspicious content": 1,  # sites with suspicious content
    "business": 0,
    "known infection source": 5,
    "parked": 0,
    "phishing and other frauds": 5,  # counterfeit legitimate sites
    "business and economy": 0,  # sites sponsored by or devoted to business firms
    "travel": 0,
    "bot networks": 4,  # command and control centers
    "parked domain": 0,  # sites that are expired, offered for sale, ..
    "computersandsoftware": 0,
    "health": 0,
    "real estate": 0,  # sites that provide information about renting, buying, selling
    "information technology": 0,  # computers, software, the Internet and related business firms
    "entertainment": 0,
    "compromised websites": 5,  # sites that are vulnerable and known to host an injected malicious
    "dynamic content": 2,  # URLs dynamically being generated
    "not recommended site": 3,
    "potentially unwanted software": 2,  # sites altering operation of a user's hardware, software, ...
    "web and email spam": 2,
    "application and software download": 1,
    "personal network storage and backup": 1,  # store personal files on web servers for backup or exchange
    "hacking": 5,
    "elevated exposure": 2,
    "education": 0,
    "web hosting": 0,
    "marketing": 0,
    "radiomusic": 0,
    "internet radio and tv": 0,
    "videos": 0,
    "proxy avoidance": 2,
}
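The following is an added example, not Zagros' own code, showing how the HTTP status handling above and the category weights can be combined to triage a URL lookup: a response is only scored when it is a 200, a 403 is treated as non-retryable and a 404 as "nothing known". It assumes that the aggregate score is the maximum category weight (the page does not state how Zagros aggregates), that unknown categories weigh 0, and that the report body carries a top-level `categories` map from vendor to category (a constructed, simplified shape, not the exact VirusTotal format).

```python
import json

# Subset of the page's Forcepoint category weights (assumption: the page's
# mapping is authoritative; only part of it is reproduced here).
CATEGORY_SCORE = {
    "uncategorized": 0, "blogs": 1, "suspicious content": 1,
    "business and economy": 0, "dynamic content": 2,
    "potentially unwanted software": 2, "not recommended site": 3,
    "malicious web sites": 4, "bot networks": 4,
    "known infection source": 5, "phishing and other frauds": 5,
    "compromised websites": 5, "hacking": 5,
}

def score_categories(categories):
    """Aggregate vendor categories into one score.
    Assumption: the aggregate is the maximum weight; unknown categories count 0."""
    return max((CATEGORY_SCORE.get(c.strip().lower(), 0) for c in categories), default=0)

def triage_url_response(status_code, body, threshold=4):
    """Interpret one HTTP response for a URL lookup.
    Returns (decision, score); decision is one of
    'select', 'skip', 'not_found', 'forbidden', 'error'."""
    if status_code == 404:
        return "not_found", 0      # nothing matching the Request-URI
    if status_code == 403:
        return "forbidden", 0      # authorization will not help; do not repeat
    if status_code != 200:
        return "error", 0          # anything else is not scored
    report = json.loads(body) if isinstance(body, str) else body
    cats = report.get("categories", {})
    values = cats.values() if isinstance(cats, dict) else cats
    score = score_categories(values)
    return ("select" if score >= threshold else "skip"), score

# Constructed sample responses (not real VirusTotal data).
SAMPLES = [
    (200, '{"categories": {"Forcepoint ThreatSeeker": "phishing and other frauds", "Other": "blogs"}}'),
    (200, '{"categories": {"Forcepoint ThreatSeeker": "business and economy"}}'),
    (404, '{}'),
    (403, '{}'),
]

if __name__ == "__main__":
    for code, body in SAMPLES:
        print(code, triage_url_response(code, body))
```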