add: New module to check if a bitcoin address has been abused

- Also related update of documentation

README.md

@@ -18,6 +18,7 @@ For more information: [Extending MISP with Python modules](https://www.circl.lu/
 ### Expansion modules
 
 * [BGP Ranking](misp_modules/modules/expansion/bgpranking.py) - a hover and expansion module to expand an AS number with the ASN description, its history, and position in BGP Ranking.
+* [BTC scam check](misp_modules/modules/expansion/btc_scam_check.py) - An expansion hover module to instantly check if a BTC address has been abused.
 * [BTC transactions](misp_modules/modules/expansion/btc_steroids.py) - An expansion hover module to get a blockchain balance and the transactions from a BTC address in MISP.
 * [CIRCL Passive DNS](misp_modules/modules/expansion/circl_passivedns.py) - a hover and expansion module to expand hostname and IP addresses with passive DNS information.
 * [CIRCL Passive SSL](misp_modules/modules/expansion/circl_passivessl.py) - a hover and expansion module to expand IP addresses with the X.509 certificate seen.

doc/README.md

@@ -1 +0,0 @@
-documentation.md

doc/expansion/btc_scam_check.json

@@ -0,0 +1,9 @@
+{
+    "description": "An expansion hover module to query a special dns blacklist to check if a bitcoin address has been abused.",
+    "requirements": ["dnspython3: dns python library"],
+    "features": "The module queries a dns blacklist directly with the bitcoin address and get a response if the address has been abused.",
+    "logo": "logos/bitcoin.png",
+    "input": "btc address attribute.",
+    "output" : "Text to indicate if the BTC address has been abused.",
+    "references": ["https://btcblack.it/"]
+}

doc/generate_documentation.py

@@ -30,7 +30,7 @@ def generate_doc(root_path):
                     value = ', '.join(value) if isinstance(value, list) else '{}'.format(value.replace('\n', '\n>'))
                     markdown.append('- **{}**:\n>{}\n'.format(field, value))
             markdown.append('\n-----\n')
-    with open('documentation.md', 'w') as w:
+    with open('README.md', 'w') as w:
         w.write(''.join(markdown))
 
 

misp_modules/modules/expansion/__init__.py

@@ -8,4 +8,4 @@ __all__ = ['vmray_submit', 'bgpranking', 'circl_passivedns', 'circl_passivessl',
            'yara_syntax_validator', 'hashdd', 'onyphe', 'onyphe_full', 'rbl',
            'xforceexchange', 'sigma_syntax_validator', 'stix2_pattern_syntax_validator',
            'sigma_queries', 'dbl_spamhaus', 'vulners', 'yara_query', 'macaddress_io',
-           'intel471']
+           'intel471', 'btc_scam_check']

misp_modules/modules/expansion/btc_scam_check.py

@@ -0,0 +1,43 @@
+import json
+import sys
+
+try:
+    from dns.resolver import Resolver, NXDOMAIN
+    from dns.name import LabelTooLong
+    resolver = Resolver()
+    resolver.timeout = 1
+    resolver.lifetime = 1
+except ImportError:
+    sys.exit("dnspython3 in missing. use 'pip install dnspython3' to install it.")
+
+misperrors = {'error': 'Error'}
+mispattributes = {'input': ['btc'], 'output': ['text']}
+moduleinfo = {'version': '0.1', 'author': 'Christian Studer',
+              'description': 'Checks if a BTC address is referenced as a scam.',
+              'module-type': ['hover']}
+moduleconfig = []
+
+url = 'bl.btcblack.it'
+
+def handler(q=False):
+    if q is False:
+        return False
+    request = json.loads(q)
+    btc = request['btc']
+    query = f"{btc}.{url}"
+    try:
+        result = ' - '.join([str(r) for r in resolver.query(query, 'TXT')])[1:-1]
+    except NXDOMAIN:
+        result = f"{btc} is not known as a scam address."
+    except LabelTooLong:
+        result = f"{btc} is probably not a valid BTC address."
+    return {'results': [{'types': mispattributes['output'], 'values': result}]}
+
+
+def introspection():
+    return mispattributes
+
+
+def version():
+    moduleinfo['config'] = moduleconfig
+    return moduleinfo