Malware analysis
Malware analysis is the study of malicious code. Why do we need to do malware analysis? To investigate an incident and assess the damage, to determine what information was accessed, to identify the source of the compromise and whether it is a targeted attack or just malware that has found its way onto our network, and to recover the affected system(s) after an attack. Malware analysis is also essential when developing antivirus and/or IDS/IPS signatures to prevent infection of other systems. Malware takes many forms: viruses, Trojans, worms and more.
Types of Malware Analysis:
● Static analysis: analysing the contents of the file(s) without running the program. For example, comparing hashes, running antimalware scans, looking at the ASCII strings, executable metadata and dropper detection, and inspecting the machine instructions / source code.
● Dynamic analysis: running the malware and infecting a (virtualised) system to see what it does. This can involve manually stepping the malware through each instruction (debugging), or letting it run while tracking which files and registry entries change, along with the network connections and traffic involved.
Tools
Many tools are available nowadays for malware detection and analysis. Some of them are listed below.
- Bang: Binary Analysis Next Generation
- Lief: library for analysis of executable formats
- Malice
- Multiscanner
After studying multiple tools I came to the judgement that LMD would be a perfect tool for us to install on a CentOS box. Why did I choose LMD?
LMD (Linux Malware Detect) is an open-source, fully-featured malware detector for Linux, specifically designed for and targeted at shared hosting environments. LMD can use any available scanner engine, which will normally give better performance than the built-in scanner engine of the software package. The scanner engine we will use here is ClamAV. ClamAV is an open-source antivirus solution that detects viruses, malware, Trojans and other malicious programs. It is one of the best free anti-virus programs for Linux and the open-source standard for mail gateway scanning software, supporting almost all mail file formats. It supports virus database updates on all systems, scans within archives and compressed files, and supports formats such as Zip, Tar, 7Zip and Rar, among other features.
Requirements & Supplies
A safe analysis environment: please ensure that when you are doing malware analysis you are working in a safe and controlled environment. Always keep your system or VM security-patched and up to date.
CentOS 7 server: fully patched, with the latest kernel release and updates applied.
Configure repo: to install the latest packages we need to configure the EPEL repo.
Installation
1. First we install the scanner engine, ClamAV. To begin the installation of ClamAV follow the steps below.
yum -y update
yum -y install clamav clamav-devel clamav-update
Now edit the file /etc/freshclam.conf as described below:
Comment out the seventh line:
#Example
Uncomment DatabaseDirectory:
DatabaseDirectory
Add the line below at the bottom of the file:
DatabaseMirror database.clamav.net
Save the file and exit.
Issue the command below:
sudo chmod -R 777 /usr/lib/clamav
To update the signatures, issue the following command:
freshclam
To scan a directory, run the command below:
clamscan -r -i DIRECTORY
where DIRECTORY is the location to scan. The option -r means scan recursively and -i means show only infected files.
2. Now the scanner is installed and ready to use. Next we install LMD and integrate it with ClamAV.
To perform the installation use the commands below:
cd /tmp
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xvf maldetect-current.tar.gz
cd maldetect-1.6.4/
ls
CHANGELOG CHANGELOG.RELEASE CHANGELOG.VARIABLES COPYING.GPL cron.daily cron.d.pub files install.sh README
You will see that an installation script is present. Run this script as: sudo ./install.sh
The script creates the default installation directory and a daily cron job.
3. Configure LMD
There is a help document available for maldet configuration:
/usr/local/src/maldetect-1.4.2/README
To configure LMD, edit the file below:
/usr/local/maldetect/conf.maldet
The following sections of the conf file need to be configured:
1. EMAIL ALERTS
2. QUARANTINE OPTIONS
3. SCAN OPTIONS
4. STATISTICAL ANALYSIS
5. MONITORING OPTIONS
The file will look like the one shown below:
email_alert=1
email_addr=xxxxxxxxxx@gmail.com
email_subj="malware alerts for $HOSTNAME - $(date +%Y-%m-%d)"
quar_hits=1
quar_clean=1
quar_susp=1
clamav_scan=1
scan_ignore_root=1
quar_hits sets the default quarantine action for malware hits when malware is detected (0 = alert only, 1 = move to quarantine and alert).
clamav_scan=1 tells LMD to attempt to detect the ClamAV binary and use it as the default scanner engine. This yields up to four times faster scan performance and superior hex analysis. This option only uses ClamAV as the scanner engine; LMD signatures are still the basis for detecting threats.
Our CentOS server is now set up to detect malware, produce a report of the hits for analysis, and take appropriate action on them.
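To make the quarantine action that quar_hits=1 enables concrete, here is an added example (not part of LMD, ClamAV or this guide): a small shell script that reads the output of clamscan -r -i, moves every file reported as FOUND into a quarantine directory under its SHA-256 hash, records it in a manifest, and can restore it again, mirroring what LMD does for hits and what maldet -s SCANID undoes. The scan directory and the clamscan output in the demo are constructed; the script assumes Linux coreutils (sha256sum) and file paths that contain no ": ".

```shell
#!/bin/sh
# Added example: quarantine driven by clamscan output. Each "<path>: <signature> FOUND"
# line is a detection; "OK" lines and the SCAN SUMMARY block are ignored.
# Assumes Linux coreutils (sha256sum) and paths without ": " in them.

# quarantine_found LOGFILE QUARDIR  -> prints the number of files quarantined
quarantine_found() {
    log="$1"; quar="$2"
    mkdir -p "$quar"
    : > "$quar/manifest"
    grep ' FOUND$' "$log" | while IFS= read -r line; do
        path="${line%%: *}"                       # text before the first ": "
        sig="${line#*: }"; sig="${sig% FOUND}"    # signature between ": " and " FOUND"
        [ -f "$path" ] || continue                # already removed by something else
        sum="$(sha256sum "$path" | cut -d' ' -f1)"
        mv -- "$path" "$quar/$sum"
        chmod 0600 "$quar/$sum"                   # strip execute bits on the quarantined copy
        printf '%s %s %s\n' "$sum" "$sig" "$path" >> "$quar/manifest"
    done
    wc -l < "$quar/manifest" | tr -d ' '
}

# restore_quarantined QUARDIR SHA256  -> moves the file back to its recorded path
# (the counterpart of 'maldet -s SCANID'); fails if the hash is not in the manifest
restore_quarantined() {
    quar="$1"; sum="$2"
    path="$(awk -v s="$sum" '$1 == s { sub(/^[^ ]+ [^ ]+ /, ""); print; exit }' "$quar/manifest")"
    [ -n "$path" ] || return 1
    mv -- "$quar/$sum" "$path"
}

# demo: constructed scan directory and constructed clamscan output, not a real scan
demo() {
    work="$(mktemp -d)"
    mkdir -p "$work/www"
    printf 'benign page\n' > "$work/www/index.html"
    printf 'constructed stand-in for a detected file\n' > "$work/www/upload.php"
    cat > "$work/scan.log" <<EOF
$work/www/index.html: OK
$work/www/upload.php: Constructed.Test.Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
EOF
    quarantine_found "$work/scan.log" "$work/quarantine"   # prints 1
}
demo
```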
Below are some extra commands and details:
Scan a directory for malware:
maldet -a /tmp
View an LMD scan report (LMD stores scan reports under /usr/local/maldetect/sess/):
maldet --report SCANID
Remove all quarantined files:
rm -rf /usr/local/maldetect/quarantine/*
Clean the hits from a scan:
maldet --clean SCANID
List all reports:
maldet -e list
Scan files that have been created/modified in the last X days (here 5):
maldet -r /var/www/html/ 5
Restore files from the quarantine directory:
maldet -s SCANID
Enable monitoring of a directory:
maldet -m /var/www/html/
Check the monitor log file:
tail -f /usr/local/maldetect/logs/inotify_log
Update LMD itself:
maldet -d
Update the LMD signatures:
maldet -u
Thank You