BICHOS


About BICHOS

This project collects and analyses binaries found in the wild during incident response work. The project's name, "B.I.C.H.O.S.", stands for "Basic Information Collector of Harmful ObjectS". That is not a pretty description, but in Spanish "bicho" is a common word for a small bug, and "bug" is a word tied to software programming mistakes, so we chose "bichos" as the name of this project. The expansion was later changed to "Backbone Information Collector of Harmful Objects", to reflect the use of the backbone infrastructure to divert traffic on selected ports to a low-interaction honeypot (currently mwcollect) that captures the files for analysis.

The main objective of this collection of harmful binaries is to obtain information about the bots and viruses being distributed in the network, and to use that information to prevent further propagation of the malware. From these binaries we plan to publish a file with the basic information (MD5 and SHA-1 fingerprints, size, etc.) of each specimen, which could be used to:
  • Detect bots and Trojans in compromised systems.
  • Provide detailed information to ISPs about the systems used to control the malware
  • Contact antivirus vendors and provide information about new variants found
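As an added example (not code from the BICHOS project), the following Python script shows what such a fingerprint file could look like and how a responder could use it on a suspect machine: it computes MD5, SHA-1 and size for constructed sample specimens, writes them as a "md5 sha1 size name" list (an assumed format; the page does not fix one), and then scans a directory for files that match an entry. The specimen bytes, file names and list layout are all constructed for the example.

```python
"""Added example, not BICHOS project code: build a fingerprint list
(MD5, SHA-1, size) for collected specimens and scan a directory against it.
The list format 'md5 sha1 size name' is an assumption made here."""
import hashlib
import tempfile
from pathlib import Path

# Constructed sample specimens standing in for honeypot-captured binaries.
SAMPLE_SPECIMENS = {
    "bot-a.exe": b"MZ\x90\x00" + b"A" * 60,    # 64 bytes
    "bot-b.exe": b"MZ\x90\x00" + b"B" * 120,   # 124 bytes
}


def fingerprint_bytes(data):
    """The three fields the page proposes to publish: MD5, SHA-1 and size."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "size": len(data),
    }


def fingerprint_file(path):
    """Same fields for a file on disk, hashed in chunks so large files are fine."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
            size += len(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "size": size}


def build_list(specimens):
    """Render the public list: one 'md5 sha1 size name' line per specimen (assumed format)."""
    rows = []
    for name, data in specimens.items():
        fp = fingerprint_bytes(data)
        rows.append(f"{fp['md5']} {fp['sha1']} {fp['size']} {name}")
    return "\n".join(sorted(rows)) + "\n"


def parse_list(text):
    """Index the published list by SHA-1, skipping blank and '#' comment lines."""
    known = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        md5, sha1, size, name = line.split(maxsplit=3)
        known[sha1] = {"md5": md5, "size": int(size), "name": name}
    return known


def scan_dir(root, known):
    """Return sorted (path, specimen_name) pairs for files whose size, MD5 and
    SHA-1 all match a list entry. Files whose size is not on the list are never
    hashed, which keeps a scan of a whole filesystem cheap."""
    sizes = {entry["size"] for entry in known.values()}
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.stat().st_size not in sizes:
            continue
        fp = fingerprint_file(path)
        entry = known.get(fp["sha1"])
        if entry and entry["md5"] == fp["md5"] and entry["size"] == fp["size"]:
            hits.append((str(path), entry["name"]))
    return sorted(hits)


def demo():
    """Scan a constructed directory tree against the sample list; returns the
    names of the specimens found (only the renamed copy of bot-a should match)."""
    known = parse_list(build_list(SAMPLE_SPECIMENS))
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "svchost.exe").write_bytes(SAMPLE_SPECIMENS["bot-a.exe"])  # exact copy, renamed
        (root / "data.bin").write_bytes(b"x" * 124)                       # same size as bot-b, different bytes
        (root / "readme.txt").write_bytes(b"hello")                       # size not on the list
        return [name for _, name in scan_dir(root, known)]


if __name__ == "__main__":
    print(build_list(SAMPLE_SPECIMENS))
    print("matches:", demo())
```

Two caveats a responder should keep in mind: a match requires both digests, because MD5 alone should not be relied on for file identity, and a miss proves little, since a repacked or otherwise modified variant gets an entirely new fingerprint. Such a list therefore catches byte-identical copies of known specimens, which is the case the page targets, not the new variants it proposes to report to antivirus vendors.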
Each sensor will send the following information to a central collector:
  • IP addresses that appear to be compromised and were found scanning
  • New specimens and shellcodes detected
  • Binaries found
All this information will be sent asynchronously by email, PGP encrypted, to avoid problems with the MTA and with antivirus filters. Using PGP also avoids processing spam: only encrypted mails from the sensors would be processed.

The central processor would:

  • Generate a public list of the detected malware
  • Produce statistics about the attacks detected
  • Warn ISPs and network operators about the IP addresses that were scanning
  • Contact an expert team to analyze new malware when it is detected
  • Provide a private area in which information about the malware can be shared by the analysts
This collection of malware would be done: