License: GPL

Download: nepynthes-0.0.1

Platform: tested on Linux only

Purpose

Nepenthes collects every piece of malware it can from the Internet by simulating a poorly protected computer. When a file has never been downloaded before, it is stored in a special directory under a name that is its MD5 sum. The collected files are therefore all distinct malware files. They can then be analysed to guess - or not - what their purpose was.

nepynthes is a small Python script that scans these files with ClamAV[1] and then displays some statistics: the number of new malware files per day and the ratio of malware files that are actually detected. This way you can estimate the Internet threat to your computer and also estimate the relevance of your antivirus.

nepenthes chart report


Both generated charts are respectively:

  1. the number of new malware files collected per day; this does not mean that your antivirus does not know them, but rather that this is the first time your computer has been provided with them
  2. the ratio of new malware files that ClamAV actually detects as malware; the older the files, the more likely they are to be detected as malware

Each chart shows the raw data and a spline-filtered version of it. The filtered signal brings out long-range variations.
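As an added example (not nepynthes' own code), this is how the two series charted above can be derived from clamscan's per-file output and the MD5-named sample files, with a constructed set of samples and constructed clamscan lines embedded so it runs offline. It also checks that each file name still matches the MD5 of its content, which is an assumption about how the collected files should look; the first-seen timestamps are embedded rather than read from the filesystem.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timezone

# clamscan prints one line per file: "<path>: <signature> FOUND" or "<path>: OK";
# the trailing SCAN SUMMARY lines do not match this pattern and are skipped.
SCAN_LINE = re.compile(r"^(?P<path>.+?): (?:(?P<sig>.+) FOUND|OK)$")

def parse_clamscan(output):
    """Map each scanned path to its signature name, or None when ClamAV reports OK."""
    return {m.group("path"): m.group("sig")
            for m in map(SCAN_LINE.match, output.splitlines()) if m}

def is_md5_named(path, content):
    """Nepenthes names each sample after its MD5 digest; a mismatch means the file was altered or misnamed."""
    return path.rsplit("/", 1)[-1] == hashlib.md5(content).hexdigest()

def daily_stats(samples, scan):
    """samples: {path: (first_seen_unix_time, content)}; scan: output of parse_clamscan().
    Returns {day: (new_files, detected_ratio)}, the two series nepynthes charts."""
    per_day = defaultdict(lambda: [0, 0])
    for path, (first_seen, content) in samples.items():
        if not is_md5_named(path, content):
            continue  # skip files whose content no longer matches their MD5 name
        day = datetime.fromtimestamp(first_seen, timezone.utc).strftime("%Y-%m-%d")
        per_day[day][0] += 1
        per_day[day][1] += int(scan.get(path) is not None)
    return {day: (n, hit / n) for day, (n, hit) in sorted(per_day.items())}

# Constructed test data, not real samples: (content, first-seen unix time, clamscan verdict)
BINARIES = "/var/lib/nepenthes/binaries"
RAW = [
    (b"constructed sample A", 1136073600, "Win.Worm.Example-1"),    # 2006-01-01, detected
    (b"constructed sample B", 1136080000, None),                    # 2006-01-01, reported OK
    (b"constructed sample C", 1136160000, "Win.Trojan.Example-2"),  # 2006-01-02, detected
]
SAMPLES = {f"{BINARIES}/{hashlib.md5(c).hexdigest()}": (ts, c) for c, ts, _ in RAW}
CLAMSCAN_OUTPUT = "\n".join(
    [f"{p}: {sig} FOUND" if sig else f"{p}: OK" for p, (_, _, sig) in zip(SAMPLES, RAW)]
    + ["", "----------- SCAN SUMMARY -----------", "Infected files: 2"])

if __name__ == "__main__":
    for day, (new, ratio) in daily_stats(SAMPLES, parse_clamscan(CLAMSCAN_OUTPUT)).items():
        print(f"{day}: {new} new file(s), {ratio:.0%} detected by ClamAV")
```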

Instructions

Just uncompress the archive anywhere and run the nepynthes.py Python script! Typical use is:

$ python nepynthes.py /var/lib/nepenthes/binaries

This should display a figure of the collected malware and the ratio of ClamAV detections, similar to the charts shown above.

Nepynthes requires the following software to be installed in order to run:

Good analyses!

Notes

[1] If you are able to do the same job with other antivirus software, please let me know your results, since I do not own any commercial antivirus software.