Linux Malware Detection

Malware analysis
Malware analysis is the study of malicious code. Why we need to do malware analysis? Investigating an incident to assess damage and determine what information was accessed, identifying the source of the compromise and whether this is a targeted attack or just malware that has found its way to our network, and to recover the system(s) after an attack. Malware analysis is essential when developing antivirus and/or IDS/IPS signatures to prevent the infection on other systems. Malware is composed of many things. Malware consists of viruses, Trojans, worms and more
Types of Malware Analysis:
● Static analysis: analysing the contents of the file(s) without running the program. For example, comparing hashes, using antimalware scans, looking at the ASCII contents, executable metadata and dropper detection, and inspection of the machine instructions / source code.
● Dynamic analysis: running the malware and infecting a (virtualised) system to see what it does. This can involve manually stepping the malware through each instruction (debugging), or letting it run while tracking which files and registry entries change, along with the network connections and traffic that is involved
Tools
There are so many tools are available in market now a days for Malware detection & analysis. Some of them are listed below.

  1. Bang- Binary Analysis next Generation
  2. Lief- library for analysis of executable formats
  3. Malice-
  4. Multiscanner
    After studying multiple tools I come to a judgement that LMD would be a perfect tool for us to install on Centos box. Why I choose LMD?
    LMD (Linux Malware Detect) is an open source & fully-featured malware detector for Linux specifically designed and targeted at shared hosted environments. LMD can use any available scanner engine. This will normally give better performance than the built-in scanner engine of the software package. Also the scanner engine we will use here is the ClamAV. It is an open source antivirus solution to detect virus, malware, Trojans and other malicious programs. It is one of the best free anti-virus programs for Linux and the open source standard for mail gateway scanning software that supports almost all mail file formats. It supports virus database updates on all systems and scan within archives and compressed files and supports formats such as Zip, Tar, 7Zip, Rar among others and more other features.
    Requirements & Supplies
     A safe analysis environment- Please ensure that when you are doing Malware analysis you are working on safe & controlled environment. Always keep your system or VM security patched & up to date.
     Centos 7 server: A fully patched with latest kernel release & updated server.
     Configure Repo: to install latest packages we need to configure epel repo

Installation

  1. Here we will first install the scanner engine that is ClamAV. To begin installation of ClamAV follow the below steps.
    yum –y update
    yum -y install clamav clamav-devel clamav-update
    Now edit the file /etc/freshclam.conf as mentioned below:
    Comment seventh line
    #Example
    Uncomment Database Directory
    DatabaseDirectory
    Add below line at the bottom of file
    DatabaseMirror database.clamav. net
    Save the file & exit.
    Issue below command
    sudo chmod -R 777 /usr/lib/clamav
    To update the signatures issue the following commands.
    Freshclam
    To scan a directory run command as mentioned below
    Clamscan –r –i Directory
    Where DIRECTORY is the location to scan. The options -r, means recursively scan and the -i means to only show infected files.
    2 Now the scanner is installed & ready to use. Next we need to begin with LMD installation & get it integrate with ClamAV.
    To perform installation use below commands:
    cd /tmp wget http://www.rfxn.com/downloads/maldetect-current.tar.gz tar -xvf maldetect-current.tar.gz cd maldetect-1.6.4/
    ls
    CHANGELOG CHANGELOG.RELEASE CHANGELOG.VARIABLES COPYING.GPL cron.daily cron.d.pub files install.sh README
    You will see here a script for installation is present. Run this script as sudo ./install.sh
    Above script will create default installation directory, creates daily cron job.
    3 configure LMD
    There is a help document available for maldet configuration.
    /usr/local/src/maldetect-1.4.2/README
    To configure LMD edit below file:
    /usr/local/maldetect/conf.maldet
    Below points need to configure in conf file. 1. EMAIL ALERTS
  2. QUARANTINE OPTIONS 3. SCAN OPTIONS 4. STATISTICAL ANALYSIS 5. MONITORING OPTIONS
    File will look like below shown
    Email_alert=1
    Email_addr=xxxxxxxxxx@gmail.com
    Email_sub=”malware alerts for $HOSTNAME - $(date +%Y-%m-%d)”
    quar_hits=1
    quar_clean=1
    quar_susp=1
    clamav=1
    scan_ignore_root=1
    quar_hits sets the default quarantine action for malware hits (0 = alert only, 1 = move to quarantine & alert) when malware is detected.
    clamav_scan=1 will tell LMD to attempt to detect the presence of ClamAV binary and use as default scanner engine. This yields an up to four times faster scan performance and superior hex analysis. This option only uses ClamAV as the scanner engine, and LMD signatures are still the basis for detecting threats.
    Here our Centos server is all set to detect Malware & prepare a report of the same for analysis & set to take appropriate action on them.
    Below are the extra commands &details:
     scan the directory for malware
    maldet -a /tmp
     LMD Scan Report LMD stores scan reports under /usr/local/maldetect/sess/
    maldet –report SCANID
     Remove all quarantined files
    rm -rf /usr/local/maldetect/quarantine/*
     To clean
    maldet --clean SCANID
     list of all reports
    maldet -e list
     Scan files that have been created/modified in the last X days.
    maldet -r /var/www/html/ 5
     Restore files from the quarantine directory
    maldet -s SCANID
     Enable monitoring of a directory
    maldet -m /var/www/html/
     Check the monitor log file
    tail -f /usr/local/maldetect/logs/inotify_log
     Use the following command to update your LMD
    maldet –d
     To update LMD signatures
    maldet –u
    Thank You

Linux sysadmin blog - Linux/Unix Howtos and Tutorials - Linux bash shell scripting wiki