Detecting Packers in Network Streams with Pynids and Pefile

To step away from using Snort as a base for detecting binary packers, I decided on a more direct approach: use pynids, a library that handles TCP stream reassembly within Python. Once a connection has closed, the script takes the reassembled data and scans it with pefile for PEiD packer signatures. The Python script, which I call nPEiD (network PEiD), can either scan a pcap passed in as an argument or sniff on an interface (default is eth0).

Example Output:

famousjs@youbantoo:~/npeid$ ./npeid.py out.pcap
['UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser']

Download: http://www.malforge.com/npeid/npeid.zip

*UPDATE - Added handling of HTTP gzip Content-Encoding and of FTP data transfers.
The old version is located at npeid/npeid_orig.zip

-Added '-e' option to extract and save the detected binaries to disk.
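The detection path described above (reassembled stream at connection close, unwrap HTTP/gzip or take the raw FTP data, parse the PE, match PEiD-style signatures at the entry point) as an added, self-contained example. This is not nPEiD's own code and it does not use pynids or pefile: the stream bytes are constructed inline as if pynids had already delivered them at close, and the PE parsing and signature matching are written out by hand so the example runs with no third-party modules. The two UPX signature prefixes are written in the style of PEiD userdb.txt entries and should be treated as an assumption for this example rather than an authoritative copy of the database.

```python
"""Scan a closed TCP stream for a PE file and fingerprint its packer (added example, not nPEiD)."""
import gzip
import re
import struct

# PEiD-style signatures: hex bytes, '??' matches any byte, matched at the entry point.
# Illustrative prefixes in the style of userdb.txt entries; exact bytes are an assumption.
SIGNATURES = {
    "UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser":
        "60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 89 E5 8D 9C 24",
    "UPX -> www.upx.sourceforge.net":
        "60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB",
}


def compile_signature(sig):
    """Turn '60 BE ?? ...' into a bytes regex; each '??' becomes '.' (any single byte)."""
    parts = [b"." if p == "??" else re.escape(bytes([int(p, 16)])) for p in sig.split()]
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(sig) for name, sig in SIGNATURES.items()}


def extract_payload(stream):
    """Return the file bytes carried by a reassembled server->client stream.

    HTTP responses get their headers stripped and gzip bodies inflated; anything else
    (e.g. an FTP data connection) is treated as the raw file. Chunked encoding is not handled.
    """
    if not stream.startswith(b"HTTP/1."):
        return stream
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        return b""
    if b"content-encoding: gzip" in head.lower():
        try:
            body = gzip.decompress(body)
        except (OSError, EOFError):          # truncated or corrupt gzip body
            return b""
    return body


def parse_pe(data):
    """Locate the first PE image in data; return its entry-point RVA and section table, or None."""
    mz = data.find(b"MZ")
    if mz < 0:
        return None
    try:
        pe = mz + struct.unpack_from("<I", data, mz + 0x3C)[0]      # e_lfanew
        if data[pe:pe + 4] != b"PE\0\0":
            return None
        nsec = struct.unpack_from("<H", data, pe + 6)[0]             # COFF NumberOfSections
        opt_size = struct.unpack_from("<H", data, pe + 20)[0]        # COFF SizeOfOptionalHeader
        opt = pe + 24                                                # optional header follows 20-byte COFF header
        entry_rva = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint
        sections = []
        for i in range(nsec):                                        # 40-byte IMAGE_SECTION_HEADERs
            name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
            sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, va, rawsize, rawptr))
    except struct.error:                                             # truncated capture
        return None
    return {"base": mz, "entry_rva": entry_rva, "sections": sections}


def entry_point_bytes(data, pe, length=64):
    """Map AddressOfEntryPoint to a file offset through the section table and read bytes there."""
    for _name, vsize, va, rawsize, rawptr in pe["sections"]:
        if va <= pe["entry_rva"] < va + max(vsize, rawsize):
            off = pe["base"] + rawptr + (pe["entry_rva"] - va)
            return data[off:off + length]
    return b""


def scan_stream(stream):
    """Mimic nPEiD's output: names of signatures that match at the entry point."""
    payload = extract_payload(stream)
    pe = parse_pe(payload)
    if pe is None:
        return []
    ep = entry_point_bytes(payload, pe)
    return [name for name, rx in COMPILED.items() if rx.match(ep)]


def build_sample_pe(entry_stub):
    """Constructed minimal PE32 with one section 'UPX1' whose first bytes are the entry point."""
    dos = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)   # i386, 1 section, PE32 opt header
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                          # AddressOfEntryPoint
    sec = struct.pack("<8sIIIIIIHHI", b"UPX1", 0x1000, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0xE0000040)
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x200, b"\0")
    return header + entry_stub.ljust(0x200, b"\0")


# Constructed entry-point stub shaped like the UPX LZMA loader prefix above (not real UPX output).
UPX_LZMA_STUB = bytes.fromhex("60 BE 00 A0 40 00 8D BE 00 70 FF FF 57 89 E5 8D 9C 24 80 C1 FF FF 31 C0 50")
SAMPLE_PE = build_sample_pe(UPX_LZMA_STUB)

# Constructed streams as pynids would hand them over at connection close.
HTTP_GZIP_STREAM = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                    b"Content-Encoding: gzip\r\n\r\n" + gzip.compress(SAMPLE_PE))
FTP_DATA_STREAM = SAMPLE_PE                                          # FTP data channel carries the raw file
BENIGN_STREAM = b"HTTP/1.1 200 OK\r\n\r\n<html>nothing here</html>"

if __name__ == "__main__":
    for label, s in (("http+gzip", HTTP_GZIP_STREAM), ("ftp", FTP_DATA_STREAM), ("html", BENIGN_STREAM)):
        print(label, scan_stream(s))
```

Two practitioner caveats the example makes visible: the scan only sees the PE once the whole stream has been reassembled, so a detection fires after the download has completed rather than while it is in flight, and signature matching at the entry point only catches packers whose loader stub is in the database (a modified or unknown stub yields an empty list, which is why the real tool's '-e' option to save the binary for offline analysis is useful).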