BICHOS
About BICHOS
This project is about the collection and analysis of binaries found in the wild in the incident response world. The name of the project, "B.I.C.H.O.S.", stands for "Basic Information Collector of Harmful ObjectS". Well, this is not a nice description, but in Spanish bicho is a common word for "little bug", and "bug" is a word that is tied to software programming mistakes, so we chose "bichos" as the name of this project. The expansion was later changed to "Backbone Information Collector of Harmful Objects", to reflect the use of the backbone infrastructure to divert some port traffic to a low interaction honeypot (currently mwcollect) to analyze the files.

The main objective of this collection of harmful binaries is to obtain information about the bots and viruses that are being distributed in the network, and to use this information to prevent further propagation of the malware. From these binaries we plan to publish a file with the basic information (MD5 and SHA-1 fingerprint, size, etc.) of the files, which could be used to:
- Detect bots and Trojans in compromised systems
- Provide detailed information to the ISPs about the systems used to control the malware
- Contact antivirus vendors and provide information about new variants found
The central processor would:
- Generate a public list of the detected malware
- Do statistics about the attacks detected
- Warn ISPs and network operators about the IP addresses that were scanning
- Contact an expert team to analyze new malware when it is detected
- Provide a private area in which the information about the malware could be shared by the analyzers
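The published fingerprint file (MD5, SHA-1 and size per binary) and the "detect bots and Trojans in compromised systems" use above both come down to the same two operations: building the list from collected samples and matching files on a suspect system against it. The following is an added example, not code from the BICHOS project; the line format (`md5 sha1 size name`) and the sample bytes are assumptions constructed for the example. Requiring MD5, SHA-1 and size to all agree means a collision in one hash is not enough for a false match.

```python
import hashlib
import os
from typing import Dict, Optional, Tuple

# Constructed stand-ins for binaries pulled from a honeypot (not real samples).
SAMPLES = {
    "sample-a.exe": b"MZ\x90\x00constructed-sample-a",
    "sample-b.exe": b"MZ\x90\x00constructed-sample-b",
}

# One list entry: (sha1, size, name), keyed by md5 in the parsed dict.
Entry = Tuple[str, int, str]


def fingerprint(data: bytes) -> Tuple[str, str, int]:
    """Return (md5, sha1, size), the fields the public list carries."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest(), len(data)


def build_list(samples: Dict[str, bytes]) -> str:
    """Render the public fingerprint list, one line per sample: md5 sha1 size name.
    The format is an assumption for this example."""
    lines = ["# md5 sha1 size name"]
    for name, data in sorted(samples.items()):
        md5, sha1, size = fingerprint(data)
        lines.append(f"{md5} {sha1} {size} {name}")
    return "\n".join(lines) + "\n"


def parse_list(text: str) -> Dict[str, Entry]:
    """Parse a list into a dict keyed by lowercase MD5 (the cheap first lookup).
    Blank lines and '#' comments are skipped; malformed lines raise."""
    entries: Dict[str, Entry] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: malformed entry {line!r}")
        md5, sha1, size, name = parts
        entries[md5.lower()] = (sha1.lower(), int(size), name)
    return entries


def check_data(data: bytes, entries: Dict[str, Entry]) -> Optional[str]:
    """Return the matching entry name if md5, sha1 AND size agree, else None."""
    md5, sha1, size = fingerprint(data)
    hit = entries.get(md5)
    if hit is None:
        return None
    known_sha1, known_size, name = hit
    if known_sha1 == sha1 and known_size == size:
        return name
    return None


def scan_directory(path: str, entries: Dict[str, Entry]) -> Dict[str, str]:
    """Walk a directory tree and return {file_path: entry_name} for every hit.
    Files are read whole; for large trees a chunked hash would be used instead."""
    hits: Dict[str, str] = {}
    for root, _dirs, files in os.walk(path):
        for fname in files:
            fpath = os.path.join(root, fname)
            try:
                with open(fpath, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            name = check_data(data, entries)
            if name is not None:
                hits[fpath] = name
    return hits


if __name__ == "__main__":
    import tempfile

    public_list = build_list(SAMPLES)
    print(public_list)
    entries = parse_list(public_list)
    # Drop one known sample and one unrelated file into a scratch directory
    # and scan it as if it were a suspect system.
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "svchost32.exe"), "wb") as fh:
            fh.write(SAMPLES["sample-a.exe"])
        with open(os.path.join(tmp, "notes.txt"), "wb") as fh:
            fh.write(b"harmless")
        print(scan_directory(tmp, entries))
```

The scan reports the list name for a renamed copy of a known sample because matching is by content, not by file name; a file that differs by even one byte produces no hit.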
The binaries are obtained in two ways:
- Manually recovered from real compromised systems or honeypots
- Using automatic tools like mwcollect, Multipot or the more recent Nepenthes, with scripts that parse the information and submit it