threatexpert 0.1.0

data/.document

@@ -0,0 +1,5 @@
+lib/**/*.rb
+bin/*
+- 
+features/**/*.feature
+LICENSE.txt

data/Gemfile

@@ -0,0 +1,14 @@
+source "http://rubygems.org"
+# Add dependencies required to use your gem here.
+# Example:
+gem "nokogiri", ">= 1.4.4"
+gem "multipart-post", ">= 1.1.0"
+
+# Add dependencies to develop your gem here.
+# Include everything needed to run rake, tests, features, etc.
+group :development do
+  gem "shoulda", ">= 0"
+  gem "bundler", "~> 1.0.0"
+  gem "jeweler", "~> 1.5.2"
+  gem "rcov", ">= 0"
+end

data/Gemfile.lock

@@ -0,0 +1,24 @@
+GEM
+  remote: http://rubygems.org/
+  specs:
+    git (1.2.5)
+    jeweler (1.5.2)
+      bundler (~> 1.0.0)
+      git (>= 1.2.5)
+      rake
+    multipart-post (1.1.0)
+    nokogiri (1.4.4)
+    rake (0.8.7)
+    rcov (0.9.9)
+    shoulda (2.11.3)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 1.0.0)
+  jeweler (~> 1.5.2)
+  multipart-post (>= 1.1.0)
+  nokogiri (>= 1.4.4)
+  rcov
+  shoulda

data/LICENSE.txt

@@ -0,0 +1,20 @@
+Copyright (c) 2011 Chris Lee
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,28 @@
+= threatexpert
+
+The threatexpert gem provides a simple API to query ThreatExpert by malware name (to receive a list of matching hashes) or hash (to receive a malware report).  This also provides a simple upload feature.
+
+require 'threatexpert'
+
+t = ThreatExpert::Search.new
+hashes = t.name("Worm.Hamweg.Gen")
+html = t.md5(hashes[0])
+sb = ThreatExpert::Submit.new
+filename = "/malware_share/downadup/62c6c217e7980e53aa3b234e19a5a25e.dll"
+sb.submit(filename, youremailhere)
+
+== Contributing to threatexpert
+ 
+* Check out the latest master to make sure the feature hasn't been implemented or the bug hasn't been fixed yet
+* Check out the issue tracker to make sure someone already hasn't requested it and/or contributed it
+* Fork the project
+* Start a feature/bugfix branch
+* Commit and push until you are happy with your contribution
+* Make sure to add tests for it. This is important so I don't break it in a future version unintentionally.
+* Please try not to mess with the Rakefile, version, or history. If you want to have your own version, or is otherwise necessary, that is fine, but please isolate to its own commit so I can cherry-pick around it.
+
+== Copyright
+
+Copyright (c) 2011 Chris Lee. See LICENSE.txt for
+further details.
+

data/Rakefile

@@ -0,0 +1,51 @@
+require 'rubygems'
+require 'bundler'
+begin
+  Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+  $stderr.puts e.message
+  $stderr.puts "Run `bundle install` to install missing gems"
+  exit e.status_code
+end
+require 'rake'
+
+require 'jeweler'
+Jeweler::Tasks.new do |gem|
+  # gem is a Gem::Specification... see http://docs.rubygems.org/read/chapter/20 for more options
+  gem.name = "threatexpert"
+  gem.homepage = "http://github.com/chrislee35/threatexpert"
+  gem.license = "MIT"
+  gem.summary = %Q{Allows for malware name and md5 hash searching of, and malware submission to ThreatExpert.com.}
+  gem.description = %Q{Provides a simple API to query ThreatExpert by malware name (to receive a list of matching hashes) or hash (to receive a malware report).  This also provides a simple upload feature.}
+  gem.email = "rubygems@chrislee.dhs.org"
+  gem.authors = ["Chris Lee"]
+  gem.add_runtime_dependency "nokogiri", ">= 1.4.4"
+	gem.add_runtime_dependency "multipart-post", ">= 1.1.0"
+end
+Jeweler::RubygemsDotOrgTasks.new
+
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |test|
+  test.libs << 'lib' << 'test'
+  test.pattern = 'test/**/test_*.rb'
+  test.verbose = true
+end
+
+require 'rcov/rcovtask'
+Rcov::RcovTask.new do |test|
+  test.libs << 'test'
+  test.pattern = 'test/**/test_*.rb'
+  test.verbose = true
+end
+
+task :default => :test
+
+require 'rake/rdoctask'
+Rake::RDocTask.new do |rdoc|
+  version = File.exist?('VERSION') ? File.read('VERSION') : ""
+
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title = "threatexpert #{version}"
+  rdoc.rdoc_files.include('README*')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end

data/VERSION

@@ -0,0 +1 @@
+0.1.0

data/lib/threatexpert.rb

@@ -0,0 +1,2 @@
+require 'threatexpert/search'
+require 'threatexpert/submit'

data/lib/threatexpert/search.rb

@@ -0,0 +1,45 @@
+require 'nokogiri'
+require 'open-uri'
+
+module ThreatExpert
+	class Search
+		@@baseurl = 'http://www.threatexpert.com'
+		def initialize
+		end
+		
+		def md5(hash)
+			url = @@baseurl+"/report.aspx?md5=#{hash}"
+			_parse_report(url)
+		end
+		
+		def name(mwname)
+			url = @@baseurl+"/reports.aspx?find=#{mwname}"
+			_parse_list(url)
+		end
+		
+		def _parse_list(nextpage)
+			hashes = []
+			while nextpage
+				page = open(nextpage).read
+				nextpage = nil
+				n = Nokogiri::HTML.parse(page)
+				n.xpath('//a').each do |a|
+					if a['href'] =~ /report\.aspx\?md5=([0-9a-fA-F]{32,128})/
+						hashes << $1
+					elsif a.text == 'Next'
+						nextpage = "http://www.threatexpert.com/"+a['href']
+					end
+				end
+			end
+			hashes
+		end
+		
+		def _parse_report(page)
+			page = open(page).read
+			return nil unless page =~ /Submission Summary:/
+			n = Nokogiri::HTML.parse(page)
+			ul = n.xpath('//ul')
+			t = ul.to_s.gsub(/<img.*?>/,'')
+		end
+	end
+end

data/lib/threatexpert/submit.rb

@@ -0,0 +1,54 @@
+require 'net/http'
+require 'net/http/post/multipart'
+require 'uri'
+require 'nokogiri'
+require 'pp'
+
+module ThreatExpert
+	class Submit
+		@@submiturl = "http://www.threatexpert.com/submit.aspx"
+
+		def submit(filename, email, headers={})
+			uri = URI.parse(@@submiturl)
+			http = Net::HTTP.new(uri.host, uri.port)
+			headers['User-Agent'] ||= "Ruby/#{RUBY_VERSION} threatexpert gem (https://github.com/chrislee35/threatexpert)"
+			headers['Referer'] ||= @@submiturl
+			resp, data = http.get(uri.path, headers)
+			cookie = resp.header["set-cookie"] if resp.header["set-cookie"]
+			
+			doc = Nokogiri::HTML.parse(data)
+			forms = doc.xpath('//form')
+			inputs = forms[0].xpath('//input')
+			params = {}
+			inputs.each do |input|
+				name = input['name']
+				value = input['value']
+				if name =~ /Agree/
+					params[name] = 1
+				elsif name =~ /Upload/
+					file = File.open(filename)
+					params[name] = UploadIO.new(file, "application/octet-stream", File.basename(filename))
+				elsif name =~ /Email/
+					params[name] = email
+				elsif name =~ /btnSubmit/
+					params[name+".x"] = rand(100)
+					params[name+".y"] = rand(27)
+				else
+					params[name] = value
+				end
+			end
+			
+			headers['Referer'] = @@submiturl
+			request = Net::HTTP::Post::Multipart.new(uri.path, params)
+			headers.each do |name,value|
+				request.add_field(name, value)
+			end
+			response = http.request(request)
+			if response.body =~ /The file has been accepted/
+				true
+			else
+				false
+			end
+		end
+	end
+end

data/test/helper.rb

@@ -0,0 +1,18 @@
+require 'rubygems'
+require 'bundler'
+begin
+  Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+  $stderr.puts e.message
+  $stderr.puts "Run `bundle install` to install missing gems"
+  exit e.status_code
+end
+require 'test/unit'
+require 'shoulda'
+
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+require 'threatexpert'
+
+class Test::Unit::TestCase
+end

data/test/test_threatexpert.rb

@@ -0,0 +1,28 @@
+require 'helper'
+require 'pp'
+class TestThreatexpert < Test::Unit::TestCase
+	should "parse the page for 70cf23409191820593022ca797fbcbd0" do
+		t = ThreatExpert::Search.new
+		html = t.md5("70cf23409191820593022ca797fbcbd0")
+		assert_not_nil(html)
+		puts html
+	end
+	
+	should "return nil for 70cf23409191820593022ca797fbcbd1" do
+		t = ThreatExpert::Search.new
+		html = t.md5("70cf23409191820593022ca797fbcbd1")
+		assert_nil(html)
+	end
+	
+	should "parse the list for Worm.Hamweg.Gen" do
+		t = ThreatExpert::Search.new
+		hashes = t.name("Worm.Hamweg.Gen")
+		assert_equal(159, hashes.length)
+	end
+
+	should "return no results for Worm.Hamwex.Gen" do
+		t = ThreatExpert::Search.new
+		hashes = t.name("Worm.Hamwex.Gen")
+		assert_equal(0, hashes.length)
+	end
+end

metadata

@@ -0,0 +1,201 @@
+--- !ruby/object:Gem::Specification 
+name: threatexpert
+version: !ruby/object:Gem::Version 
+  hash: 27
+  prerelease: 
+  segments: 
+  - 0
+  - 1
+  - 0
+  version: 0.1.0
+platform: ruby
+authors: 
+- Chris Lee
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2011-04-27 00:00:00 Z
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  version_requirements: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 15
+        segments: 
+        - 1
+        - 4
+        - 4
+        version: 1.4.4
+  requirement: *id001
+  prerelease: false
+  name: nokogiri
+  type: :runtime
+- !ruby/object:Gem::Dependency 
+  version_requirements: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 19
+        segments: 
+        - 1
+        - 1
+        - 0
+        version: 1.1.0
+  requirement: *id002
+  prerelease: false
+  name: multipart-post
+  type: :runtime
+- !ruby/object:Gem::Dependency 
+  version_requirements: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  requirement: *id003
+  prerelease: false
+  name: shoulda
+  type: :development
+- !ruby/object:Gem::Dependency 
+  version_requirements: &id004 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 23
+        segments: 
+        - 1
+        - 0
+        - 0
+        version: 1.0.0
+  requirement: *id004
+  prerelease: false
+  name: bundler
+  type: :development
+- !ruby/object:Gem::Dependency 
+  version_requirements: &id005 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 7
+        segments: 
+        - 1
+        - 5
+        - 2
+        version: 1.5.2
+  requirement: *id005
+  prerelease: false
+  name: jeweler
+  type: :development
+- !ruby/object:Gem::Dependency 
+  version_requirements: &id006 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  requirement: *id006
+  prerelease: false
+  name: rcov
+  type: :development
+- !ruby/object:Gem::Dependency 
+  version_requirements: &id007 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 15
+        segments: 
+        - 1
+        - 4
+        - 4
+        version: 1.4.4
+  requirement: *id007
+  prerelease: false
+  name: nokogiri
+  type: :runtime
+- !ruby/object:Gem::Dependency 
+  version_requirements: &id008 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 19
+        segments: 
+        - 1
+        - 1
+        - 0
+        version: 1.1.0
+  requirement: *id008
+  prerelease: false
+  name: multipart-post
+  type: :runtime
+description: Provides a simple API to query ThreatExpert by malware name (to receive a list of matching hashes) or hash (to receive a malware report).  This also provides a simple upload feature.
+email: rubygems@chrislee.dhs.org
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- LICENSE.txt
+- README.rdoc
+files: 
+- .document
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.rdoc
+- Rakefile
+- VERSION
+- lib/threatexpert.rb
+- lib/threatexpert/search.rb
+- lib/threatexpert/submit.rb
+- test/helper.rb
+- test/test_threatexpert.rb
+homepage: http://github.com/chrislee35/threatexpert
+licenses: 
+- MIT
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.7.2
+signing_key: 
+specification_version: 3
+summary: Allows for malware name and md5 hash searching of, and malware submission to ThreatExpert.com.
+test_files: 
+- test/helper.rb
+- test/test_threatexpert.rb