Security of Information, Threat Intelligence, Hacking, Offensive Security, Pentest, Open Source, Hackers Tools, Leaks, Pr1v8, Premium Courses Free, etc

  • Penetration Testing Distribution - BackBox

    BackBox is a penetration test and security assessment oriented Ubuntu-based Linux distribution providing a network and informatic systems analysis toolkit. It includes a complete set of tools required for ethical hacking and security testing...
  • Pentest Distro Linux - Weakerth4n

    Weakerth4n is a penetration testing distribution built from Debian Squeeze. For the desktop environment it uses Fluxbox...
  • The Amnesic Incognito Live System - Tails

    Tails is a live system that aims to preserve your privacy and anonymity. It helps you to use the Internet anonymously and circumvent censorship...
  • Penetration Testing Distribution - BlackArch

    BlackArch is a penetration testing distribution based on Arch Linux that provides a large amount of cyber security tools. It is an open-source distro created specially for penetration testers and security researchers...
  • The Best Penetration Testing Distribution - Kali Linux

    Kali Linux is a Debian-based distribution for digital forensics and penetration testing, developed and maintained by Offensive Security. Mati Aharoni and Devon Kearns rewrote BackTrack...
  • Friendly OS designed for Pentesting - ParrotOS

    Parrot Security OS is a cloud friendly operating system designed for Pentesting, Computer Forensic, Reverse engineering, Hacking, Cloud pentesting...
Showing posts with label Cyber Forensics. Show all posts

Wednesday, January 27, 2016

Network Forensic Analysis - NetworkMiner




Network Forensic Analysis Features

ºNetwork Forensics
ºNetwork Sniffing
ºPCAP Parser
ºDigital Forensics
ºPacket Sniffer

NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble/rebuild transmitted files, directory structures and certificates from PCAP files.


The purpose of NetworkMiner is to collect data (such as forensic evidence) about hosts on the network rather than to collect data about the traffic on the network. The main view is host-centric (information grouped per host) rather than packet-centric (information shown as a list of packets/frames). NetworkMiner also comes in very handy when analysing malware traffic, such as C&C (command-and-control) traffic from a botnet, since uploaded and downloaded files are extracted to disk.





NetworkMiner performs OS fingerprinting based on TCP SYN and SYN+ACK packets, using the OS fingerprinting databases from p0f (by Michal Zalewski) and Ettercap (by Alberto Ornaghi and Marco Valleri). NetworkMiner can also perform OS fingerprinting based on DHCP packets (which are usually broadcast) by making use of the Satori (by Eric Kollmann) OS fingerprinting database from FingerBank. NetworkMiner also uses the MAC vendor list from Nmap (by Fyodor).
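The passive SYN fingerprinting described above, as an added Python example (this is not NetworkMiner's code): it decodes a raw Ethernet/IPv4/TCP SYN, pulls out the fields the p0f-style databases key on (observed TTL rounded up to its likely initial value, the DF bit, the window size and the order of the TCP options) and matches them against a small signature table. The three signatures and the sample frames are constructed for this example and are not entries from the p0f or Ettercap databases; nothing is sent on the wire.

```python
import struct

# TCP option kinds decoded here (RFC 793, RFC 7323, RFC 2018); anything else is reported by number.
OPT_NAMES = {1: "nop", 2: "mss", 3: "ws", 4: "sok", 8: "ts"}

# Illustrative signature table written for this example. It is NOT the p0f or Ettercap
# database NetworkMiner ships with. Entry: (label, initial TTL, DF set, SYN option order).
SIGNATURES = [
    ("Linux 2.6.x/3.x", 64, True, ["mss", "sok", "ts", "nop", "ws"]),
    ("Windows 7/8", 128, True, ["mss", "nop", "ws", "nop", "nop", "sok"]),
    ("Windows XP", 128, True, ["mss", "nop", "nop", "sok"]),
]


def parse_syn(frame):
    """Return the fingerprinting fields of an Ethernet/IPv4/TCP frame, or None unless it
    is a TCP segment with only the SYN flag set. Checksums are not verified."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":      # EtherType must be IPv4
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:                        # IPv4 carrying TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    ttl = ip[8]
    df = bool(struct.unpack("!H", ip[6:8])[0] & 0x4000)
    tcp = ip[ihl:]
    data_off = (tcp[12] >> 4) * 4
    if tcp[13] & 0x3F != 0x02:                               # SYN alone; SYN+ACK is excluded
        return None
    window = struct.unpack("!H", tcp[14:16])[0]
    opts, raw, i = [], tcp[20:data_off], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                                        # end of option list
            break
        if kind == 1:                                        # NOP carries no length byte
            opts.append("nop")
            i += 1
            continue
        if i + 1 >= len(raw):                                # truncated option: stop
            break
        opts.append(OPT_NAMES.get(kind, "opt%d" % kind))
        i += max(raw[i + 1], 2)                              # never loop on a zero length
    return {"ttl": ttl, "df": df, "window": window, "options": opts}


def guess_initial_ttl(ttl):
    """Each router hop decrements the TTL once, so the sender started at the next common
    initial value (64, 128 or 255) at or above the observed one."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial
    return 255


def fingerprint(frame):
    """Label of the first signature matching the SYN's TTL class, DF bit and option order."""
    fields = parse_syn(frame)
    if fields is None:
        return None
    initial_ttl = guess_initial_ttl(fields["ttl"])
    for label, sig_ttl, sig_df, sig_opts in SIGNATURES:
        if (initial_ttl, fields["df"], fields["options"]) == (sig_ttl, sig_df, sig_opts):
            return label
    return None


# --- constructed sample frames (built here, not taken from a real capture) -------------------
def build_frame(ttl, window, df, options, flags=0x02):
    assert len(options) % 4 == 0, "TCP options must be padded to 32-bit words"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0x12345678, 0,
                      ((20 + len(options)) // 4) << 4, flags, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                     0x4000 if df else 0, ttl, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + tcp


LINUX_OPTS = (b"\x02\x04\x05\xb4"            # MSS 1460
              + b"\x04\x02"                  # SACK permitted
              + b"\x08\x0a" + b"\x00" * 8    # timestamps (values irrelevant here)
              + b"\x01"                      # NOP
              + b"\x03\x03\x07")             # window scale 7
WIN7_OPTS = b"\x02\x04\x05\xb4\x01\x03\x03\x08\x01\x01\x04\x02"  # MSS, NOP, WS 8, NOP, NOP, SACK

SAMPLE_LINUX = build_frame(ttl=58, window=29200, df=True, options=LINUX_OPTS)   # 6 hops from 64
SAMPLE_WIN7 = build_frame(ttl=121, window=8192, df=True, options=WIN7_OPTS)     # 7 hops from 128
SAMPLE_SYNACK = build_frame(ttl=58, window=29200, df=True, options=LINUX_OPTS, flags=0x12)

if __name__ == "__main__":
    for name, frame in (("linux", SAMPLE_LINUX), ("win7", SAMPLE_WIN7), ("syn+ack", SAMPLE_SYNACK)):
        print(name, parse_syn(frame), "->", fingerprint(frame))
```

The SYN+ACK frame is rejected on purpose: a SYN+ACK fingerprint identifies the server side and needs its own signature set, which is why NetworkMiner keeps the two apart.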

NetworkMiner can extract files and certificates transferred over the network by parsing a PCAP file or by sniffing traffic directly from the network. This is a neat function that can be used to extract and save media files (such as audio or video files) which are streamed across a network. Supported protocols for file extraction are FTP, HTTP and SMB.

User credentials (usernames and passwords) for supported protocols are extracted by NetworkMiner and displayed under the “Credentials” tab. Please be considerate when displaying the contents of this tab to the public.

Another very useful feature is that the user can search sniffed or stored data for keywords. NetworkMiner allows the user to insert arbitrary string or byte-patterns that shall be searched for with the keyword search functionality.


Version 0.84 (and newer) of NetworkMiner support sniffing and parsing of WLAN (IEEE 802.11) traffic. NetworkMiner does however currently only support WiFi sniffing with AirPcap adapters.




Sunday, January 24, 2016

Portable Linux Auditing CD


PLAC is a business-card-sized bootable CD-ROM running Linux. It has network auditing, disk recovery and forensic analysis tools. An ISO is available, as are scripts to roll your own CD.



Bootable Forensics - snarl



snarl is a bootable forensics ISO based on FreeBSD, using @stake's Autopsy and TASK as well as the Shmoo Group's list of known-good checksums. Once you boot the ISO, just log in as root; there is no password. You will boot into a dialog-driven menu. Select the first option and choose the checksum set for the OS you are auditing; this converts the Shmoo checksum database into a format that Autopsy understands. Then select the second option; this configures and starts Autopsy. Then select the third option and links will be launched to browse the Autopsy page. You can also select exit and use the large collection of security-related ports.






Saturday, January 23, 2016

TrueCrypt brute-force password cracker - TrueCrack



TrueCrack is a brute-force password cracker for TrueCrypt volume files. It works on Linux and is optimised for NVIDIA CUDA technology.



Algorithms:

ºPBKDF2 (defined in PKCS #5 v2.0) key derivation with RIPEMD-160 as the default PRF (SHA-512 and Whirlpool are selectable with -k).
ºXTS block cipher mode for disk encryption with AES as the default cipher (Serpent and Twofish are selectable with -e).


TrueCrypt brute-force password cracker:

ºDictionary attack: reads the passwords from a file of words (one password per line).
ºCharset attack: generates the passwords from a set of symbols defined by the user (for example, all possible strings of n characters from the charset "abc").


Performance

The execution time of TrueCrack for a dictionary attack (average word length 10 characters), by number of words tried:

Words     CPU 3.00 GHz    GTX 650       GTX 680
1000      0m 12.031s      0m 3.771s     0m 2.693s
10000     2m 0.421s       0m 15.893s    0m 5.628s
100000    20m 3.811s      2m 20.379s    0m 37.610s


Dictionary attack:

truecrack -t truecrypt_file -w passwords_file [-k ripemd160 | -k sha512 | -k whirlpool] [-e aes | -e serpent | -e twofish] [-a blocks] [-b] [-H] [-r number]


Alphabet attack:

truecrack -t truecrypt_file -c alphabet [-s minlength] -m maxlength [-k ripemd160 | -k sha512 | -k whirlpool] [-e aes | -e serpent | -e twofish] [-a blocks] [-b] [-H] [-r number]


Usage

-h --help Display this information.
-t --truecrypt <truecrypt_file> Truecrypt volume file.
-k --key <ripemd160 | sha512 | whirlpool> Key derivation function (default ripemd160).
-e --encryption <aes | serpent | twofish> Encryption algorithm (default aes).
-a --aggressive <blocks> Number of parallel computations (board dependent).
-w --wordlist <wordlist_file> File of words, for Dictionary attack.
-c --charset <alphabet> Alphabet generator, for Alphabet attack.
-m --maxlength <maxlength> Maximum length of passwords, for Alphabet attack.
-s --startlength <minlength> Starting length of passwords, for Alphabet attack (default 1).
-r --restore <number> Restore the computation.
-b --backup Backup header instead of volume header.
-H --hidden Hidden Truecrypt volume.
-v --verbose Show verbose messages.


How To Install

cd truecrack
./configure
make
sudo make install


How To Configure

./configure
--enable-debug : enable nVidia CUDA debug mode [default=no]
--enable-cpu : disable cuda nvidia GPU and use CPU [default=no]
--with-cuda=PATH : prefix where cuda is installed [default=auto]
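The two attack modes and the key derivation they drive, as an added Python example (this is not TrueCrack's code). It mirrors -w (wordlist), -c/-s/-m (charset) and the PBKDF2 step behind -k: a 64-byte salt taken from the start of the header, a 64-byte derived header key, and TrueCrypt's low iteration counts, which are what make GPU brute force worthwhile. SHA-512 is used instead of the RIPEMD-160 default because Python's hashlib may lack RIPEMD-160. The real acceptance test (AES-XTS decryption of the header, then a check of the "TRUE" magic and CRC-32 fields) needs an AES implementation that the standard library does not provide, so it is replaced by a comparison against the key derived from a known password; the header, salt, password and wordlist are all constructed here.

```python
import hashlib
import hmac
import itertools

# TrueCrypt header facts relied on here: the first 64 bytes of a volume are the PBKDF2
# salt, and the header key is 64 bytes (two 32-byte keys for AES-XTS).
SALT_LEN = 64
HEADER_KEY_LEN = 64
# PBKDF2 iteration counts TrueCrypt uses per PRF. SHA-512 is used below because
# RIPEMD-160 is missing from some OpenSSL builds that Python's hashlib links against.
ITERATIONS = {"ripemd160": 2000, "sha512": 1000, "whirlpool": 1000}


def derive_header_key(password, salt, prf="sha512"):
    """PBKDF2-HMAC-<prf> over the volume salt with TrueCrypt's parameters (truecrack -k)."""
    return hashlib.pbkdf2_hmac(prf, password.encode("utf-8"), salt,
                               ITERATIONS[prf], HEADER_KEY_LEN)


def dictionary_candidates(wordlist_text):
    """truecrack -w: one password per line, blank lines ignored."""
    for line in wordlist_text.splitlines():
        if line.strip():
            yield line.strip()


def charset_candidates(alphabet, min_len=1, max_len=4):
    """truecrack -c/-s/-m: every string of min_len..max_len characters over the alphabet."""
    for length in range(min_len, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            yield "".join(combo)


def crack(header, candidates, key_is_correct, prf="sha512"):
    """Derive a header key per candidate and stop at the first one the check accepts.
    Returns (password, attempts) or (None, attempts)."""
    salt = header[:SALT_LEN]
    attempts = 0
    for password in candidates:
        attempts += 1
        if key_is_correct(derive_header_key(password, salt, prf)):
            return password, attempts
    return None, attempts


# --- constructed demo volume (not a real TrueCrypt header) ----------------------------------
# A real check decrypts header bytes 64..512 with AES-XTS under the derived key and accepts
# when the plaintext starts with "TRUE" and its CRC-32 fields verify. That needs AES, so
# this stand-in compares against the key derived from the known password instead; the
# search logic around it is the same.
DEMO_SALT = bytes(range(SALT_LEN))
DEMO_HEADER = DEMO_SALT + b"\x00" * 448
DEMO_PASSWORD = "abc"
EXPECTED_KEY = derive_header_key(DEMO_PASSWORD, DEMO_SALT)


def demo_key_check(key):
    return hmac.compare_digest(key, EXPECTED_KEY)


DEMO_WORDLIST = "password\n123456\n\nabc\nletmein\n"   # constructed, not a real wordlist


def run_demo():
    by_dict = crack(DEMO_HEADER, dictionary_candidates(DEMO_WORDLIST), demo_key_check)
    by_charset = crack(DEMO_HEADER, charset_candidates("abc", 1, 3), demo_key_check)
    missed = crack(DEMO_HEADER, charset_candidates("xyz", 1, 2), demo_key_check)
    return by_dict, by_charset, missed


if __name__ == "__main__":
    print(run_demo())   # (('abc', 3), ('abc', 18), (None, 12))
```

The charset run finds "abc" on the 18th candidate (3 one-character, 9 two-character and 6 three-character strings), which is the order -c/-s/-m enumerate; the "xyz" run exhausts its 12 candidates without a hit.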




Exploring Android Platform - Mercury



The Heavy Metal That Poisoned the Droid

Mercury is a framework for exploring the Android platform; to find vulnerabilities and share proof-of-concept exploits.




A number of published security assessment methodologies currently exist to support researchers reviewing the security of Android applications and devices. The majority of these methodologies include static analysis methods and require the use of custom scripts and tools to perform single tasks. The general process of assessing the security of Android applications typically involves the following steps:


 ºDownload the target application packages
 ºExtract the application manifests
 ºDecompile the application into readable source code or byte code representations
 ºAnalyse the application manifests and code
 ºWrite a custom application to test anomalies in the entry points of the applications


This general process often requires a separate approach for each step, many different tools and lots of time, especially when a large number of applications need to be assessed as part of a project. If the process can be simplified and tools provided to automate the repetitive parts, it would enable a security researcher to assess applications and devices in a more consistent manner and ultimately perform more comprehensive assessments. This could also be done in less time whilst providing more assurance. Mercury is a framework that solves this problem by providing interactive tools that allow for dynamic interactions with the target applications running on a device. This dynamic interaction greatly benefits vulnerability hunters and auditors who are under time constraints. At the time of writing, there were no known frameworks for performing dynamic analysis on Android, making Mercury unique in its space.

This paper will lay the foundations for performing dynamic analysis and finding ways to automate some of the tasks that are needed when assessing the security of Android applications and devices. It will also delve into some techniques that could be used by malicious applications with minimal permissions to steal information from devices.

Exploring Android Platform

Mercury allows you to assume the role of a low-privileged Android app, and to interact with both other apps and the system.

Use dynamic analysis on Android applications and devices for quicker security assessments
Share publicly known methods of exploitation on Android and proof-of-concept exploits for applications and devices
Write custom tests and exploits, using the easy extensions interface

Mercury allows you to:

1. Interact with the 4 IPC endpoints – activities, broadcast receivers, content providers and services
2. Use a proper shell that allows you to play with the underlying Linux OS from the point of view of an unprivileged application (you will be amazed at how much you can still see)
3. Find information on installed packages with optional search filters to allow for better control
4. Built-in commands that can check application attack vectors on installed applications
5. Transfer files between the Android device and your computer
6. Create new modules to exploit your latest finding on Android, and play with those that others have found


Mercury does all of this over the network: it does not require ADB.




Friday, January 22, 2016

Backup and Recovery - ReDo




First and foremost, Redo Backup & Recovery is free. Based on xPUD and partclone, this open source tool works with Linux as well as Windows. Unlike most popular backup and recovery programs, Redo provides a bare-metal restore, meaning that even if your hard drive melts, you can have a running system (on a new hard drive, of course) in no more than 10 minutes.

Redo is a disaster recovery tool, so it works outside of any OS environment. The downloaded package comes as an ISO file which you can burn to a CD-ROM or write to a USB drive, and Redo's GUI boots in less than a minute. There are no installation requirements, and it can automatically find local network shares. You also get a choice of interface languages.




The team behind Redo Backup can’t argue that their tool is the most comprehensive on the market, but they can argue that it’s the easiest to use. Boot up with a Live CD or Live USB copy of Redo Backup and you’re only a few clicks away from backing up your system—or restoring it if your hard drive went to the great data center in the sky.

You can easily copy your files to a local drive but where Redo Backup really shines is support for network shares. When you run Redo Backup it seeks out available shared folders on your network so you can use them for remote backup of individual files or an entire disk image. Redo Backup also includes a web browser so you can access the web to download drivers and troubleshoot your computer problems. It’s a great backup and disk recovery solution, especially if you’d like to skip learning arcane commands or keeping a bulky manual on hand

Easy rescue system with GUI tools for full system backup, bare metal recovery, partition editing, recovering deleted files, data protection, web browsing, and more. Uses partclone (like Clonezilla) with a UI like Ghost or Acronis. Runs from CD/USB.

All your documents and settings will be restored to the exact same state they were in when the last snapshot was taken. Redo Backup and Recovery is a live CD, so it does not matter if you use Windows or Linux. You can use the same tool to backup and restore every machine. And because it is open source released under the GPL, it is completely free for personal and commercial use.

More Features, Less Complex

Redo Backup has the most features coupled with the simplest, most user-friendly interface:

ºEasy graphical user interface boots from CD in less than a minute
ºNo installation needed; runs from a CD-ROM or a USB stick
ºSaves and restores Windows and Linux machines
ºAutomatically finds local network shares
ºAccess your files even if you can’t log in
ºRecover deleted pictures, documents, and other files
ºInternet access with a full-featured browser to download drivers
ºLive CD download size is only about 250MB
ºOver 750,000 downloads





Wednesday, January 20, 2016

PDF Analysis Tool - peepdf



peepdf is a Python tool to explore PDF files in order to find out if the file can be harmful or not.

The aim of this tool is to provide all the components that a security researcher could need in a PDF analysis without using 3 or 4 tools to do all the tasks. With peepdf it's possible to see all the objects in the document with the suspicious elements highlighted; it supports the most used filters and encodings, and it can parse different versions of a file, object streams and encrypted files. With Spidermonkey and Libemu installed it provides JavaScript and shellcode analysis wrappers too. Apart from this it's able to create new PDF files and to modify existing ones.


Functionalities:

Analysis:

ºDecodings: hexadecimal, octal, name objects
ºMost used filters
ºReferences in objects and where an object is referenced
ºStrings search (including streams)
ºPhysical structure (offsets)
ºLogical tree structure
ºMetadata
ºModifications between versions (changelog)
ºCompressed objects (object streams)
ºAnalysis and modification of Javascript (Spidermonkey): unescape, replace, join
ºShellcode analysis (Libemu python wrapper, pylibemu)
ºVariables (set command)
ºExtraction of old versions of the document
ºEasy extraction of objects, Javascript code, shellcodes (>, >>, $>, $>>)
ºChecking hashes on VirusTotal

Creation/Modification:

ºBasic PDF creation
ºCreation of PDF with JavaScript executed when the document is opened
ºCreation of object streams to compress objects
ºEmbedded PDFs
ºStrings and names obfuscation
ºMalformed PDF output: without endobj, garbage in the header, bad header…
ºFilters modification
ºObjects modification

Execution modes:

ºSimple command line execution
ºPowerful interactive console (colorized or not)
ºBatch mode
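What the analysis features above amount to at the byte level, as an added Python example (this is not peepdf's code): a minimal object parser that decodes #xx-escaped names, inflates FlateDecode streams, records cross-references, reports suspicious keys per object, resolves /JS to its script (a literal string or a referenced stream) and flags unescape('%u...') shellcode carriers. The suspicious-key list is a subset chosen for the example, the shellcode threshold is this example's own, and the PDF it runs on is built inline.

```python
import re
import zlib

# Dictionary keys peepdf highlights as suspicious elements: an illustrative subset for this
# example, not peepdf's complete list.
SUSPICIOUS_KEYS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
                   b"/EmbeddedFile", b"/RichMedia", b"/XFA"]

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
STREAM_START_RE = re.compile(rb"stream\r?\n")
REF_RE = re.compile(rb"(\d+)\s+\d+\s+R\b")
SHELLCODE_RE = re.compile(rb"%u[0-9A-Fa-f]{4}")


def decode_name(text):
    """Undo #xx escapes in name objects (/Java#53cript -> /JavaScript), a common obfuscation."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), text)


def parse_objects(pdf):
    """Map object number -> {'dict': decoded dictionary, 'stream': decoded stream or None,
    'refs': referenced object numbers}. Only FlateDecode is handled; a stream is cut by its
    direct /Length when present, otherwise at the last endstream keyword."""
    objects = {}
    for num, _gen, body in OBJ_RE.findall(pdf):
        m = STREAM_START_RE.search(body)
        dictionary = decode_name(body[:m.start()] if m else body)
        stream = None
        if m:
            length = re.search(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)", dictionary)
            if length:
                stream = body[m.end():m.end() + int(length.group(1))]
            else:
                stream = body[m.end():body.rfind(b"endstream")]
            if b"/FlateDecode" in dictionary:
                try:
                    stream = zlib.decompress(stream)
                except zlib.error:
                    pass   # corrupt filter data: keep the raw bytes so nothing is hidden
        objects[int(num)] = {"dict": dictionary, "stream": stream,
                             "refs": [int(r) for r in REF_RE.findall(dictionary)]}
    return objects


def suspicious_elements(objects):
    """Object number -> suspicious keys present in its dictionary (after name decoding)."""
    found = {}
    for num, obj in objects.items():
        hits = [k.decode() for k in SUSPICIOUS_KEYS
                if re.search(re.escape(k) + rb"(?![A-Za-z])", obj["dict"])]
        if hits:
            found[num] = hits
    return found


def extract_javascript(objects):
    """Object number -> script bytes, following /JS to a literal string or to the referenced
    stream object (what peepdf's '>' extraction resolves for you)."""
    code = {}
    for num, obj in objects.items():
        literal = re.search(rb"/JS\s*\((.*?)\)", obj["dict"], re.S)
        ref = re.search(rb"/JS\s*(\d+)\s+\d+\s+R", obj["dict"])
        if literal:
            code[num] = literal.group(1)
        elif ref and int(ref.group(1)) in objects:
            target = objects[int(ref.group(1))]
            if target["stream"] is not None:
                code[num] = target["stream"]
    return code


def shellcode_like(js):
    """True when the script carries several unescape()-style %uXXXX words, the classic
    heap-spray shellcode carrier peepdf hands to libemu (threshold chosen for this example)."""
    return len(SHELLCODE_RE.findall(js)) >= 4


# --- constructed sample document (built here; not a real malicious PDF) --------------------
JS_PAYLOAD = b"var sc = unescape('%u9090%u9090%ue8fc%u0082'); app.alert('demo');"
COMPRESSED = zlib.compress(JS_PAYLOAD)
SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n",
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n",
    b"4 0 obj << /S /Java#53cript /JS 5 0 R >> endobj\n",          # obfuscated name
    b"5 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(COMPRESSED),
    COMPRESSED,
    b"\nendstream\nendobj\n",
    b"trailer << /Root 1 0 R >>\n%%EOF\n",
])


def analyse(pdf):
    objects = parse_objects(pdf)
    scripts = extract_javascript(objects)
    return {"suspicious": suspicious_elements(objects), "javascript": scripts,
            "shellcode": [n for n, js in scripts.items() if shellcode_like(js)]}


if __name__ == "__main__":
    print(analyse(SAMPLE_PDF))
```

The catalog's /OpenAction pointing at the JavaScript action is the chain peepdf would show you: object 1 opens object 4, whose obfuscated /Java#53cript name hides a /JS reference to the compressed script in object 5.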



Monday, January 18, 2016

Network Forensics - Xplico




Xplico is a network forensics analysis tool (NFAT), which is a software that reconstructs the contents of acquisitions performed with a packet sniffer (e.g. Wireshark, tcpdump, Netsniff-ng).

Unlike a protocol analyzer, whose main purpose is not the reconstruction of the data carried by the protocols, Xplico was built expressly to reconstruct the application data carried by each protocol, and it recognises protocols with a technique named Port Independent Protocol Identification (PIPI).

The name "xplico" comes from the Latin verb explico ("to unfold, explain") and its meaning.

Xplico is free and open-source software, subject to the requirements of the GNU General Public License (GPL), version 2.


Ubuntu 32/64bit from 11.04 to 15.10

sudo bash -c 'echo "deb http://repo.xplico.org/ $(lsb_release -s -c) main" >> /etc/apt/sources.list'
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 791C25CE
sudo apt-get update
sudo apt-get install xplico


VirtualBox Image:

Download OVA here.
Based on Free VirtualBox Image.
user: ubuntu
password: reverse

Source code:

Download here.
Installation instructions are in the INSTALL file and in the Wiki.


Ubuntu 12.10 32bit:

Download here.

Ubuntu Server 12.10 64bit:


Download here

Default Users

user: admin, password: xplico
user: xplico, password: xplico







Digital Forensics Framework - DFF



Digital Forensics Framework offers a graphical user interface (GUI) developed in PyQt and a classical tree view. Features such as recursive view, tagging, live search and bookmarking are available. Its command line interface allows the user to remotely perform a digital investigation. It comes with common shell functions such as completion, task management, globbing and keyboard shortcuts. DFF can run batch scripts at startup to automate repetitive tasks. Advanced users and developers can use DFF directly from a Python interpreter to script their investigation.





Digital Forensics - Autopsy



Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.




Sunday, January 17, 2016

Volatility 2.5 - Memory Forensics




This is the first release since the publication of The Art of Memory Forensics! It adds support for Windows 10 (initial), Linux kernels 4.2.3, and Mac OS X El Capitan. Additionally, the unified output rendering gives users the flexibility of asking for results in various formats (html, sqlite, json, xlsx, dot, text, etc.) while simplifying things for plugin developers. In short, less code leads to more functionality. This is especially useful for framework designers (GUIs, web interfaces, library APIs), because you can interface with a plugin directly and ask for json, which you then store, process, or modify however you want. 






Cross Platform ELF Analysis - ELF Parser




How do I compile it?

ELF Parser can be compiled on Windows, OS X, or Linux (demangling and unit tests don’t work on Windows). Windows uses the VS 2010 project in the base directory for compilation whereas Linux/OS X uses CMake. Compiling on Linux goes like this:


cd ~/elfparser
mkdir build
cd build/
cmake ..
make


Obviously, you will need to resolve any dependencies. Specifically, Boost is required and Qt is required for the GUI build.


Compile Targets


ELF Parser has a number of compilation targets that can be configured by CMakeLists.txt. The targets are:

º Unit tests
º CLI build
º GUI build
º Visual Studio build


CLI Usage

The user can pass in a single file (-f) or a directory (-d) of files:


./elfparser-cli --help
options:
  --help                 A list of command line options
  --version              Display version information
  -f [ --file ] arg      The ELF file to examine
  -d [ --directory ] arg The directory to look through.
  -r [ --reasons ]       Print the scoring reasons
  -c [ --capabilities ]  Print the files observed capabilities
  -p [ --print ]         Print the ELF files various parsed structures.
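What -p, -r and -c compute, as an added Python example (ELF Parser itself is C++; this is not its code): decode the ELF64 header and program headers, derive scoring reasons (no section table, a writable and executable PT_LOAD, an entry point outside every executable segment, a UPX marker) and string-based capability labels. The reason strings, the capability table and both sample binaries are this example's own constructions; section headers are only counted, not decoded.

```python
import struct

PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4

# Strings whose presence suggests a capability: an illustrative subset for this example
# (the real tool derives capabilities from imported symbols and more).
CAPABILITY_STRINGS = {
    b"socket": "network", b"connect": "network", b"ptrace": "anti-debug/injection",
    b"/proc/": "process inspection", b"execve": "process execution",
}


def parse_elf64(data):
    """Decode the ELF64 little-endian header and its program headers."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    (e_type, e_machine, _ver, e_entry, e_phoff, e_shoff, _flags, _ehsize, e_phentsize,
     e_phnum, _shentsize, e_shnum, _shstrndx) = struct.unpack_from("<HHIQQQIHHHHHH", data, 16)
    segments = []
    for i in range(e_phnum):
        p_type, p_flags, p_offset, p_vaddr, _paddr, p_filesz, p_memsz, _align = \
            struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        segments.append({"type": p_type, "flags": p_flags, "offset": p_offset,
                         "vaddr": p_vaddr, "filesz": p_filesz, "memsz": p_memsz})
    return {"type": e_type, "machine": e_machine, "entry": e_entry,
            "shoff": e_shoff, "shnum": e_shnum, "segments": segments}


def scoring_reasons(info, data):
    """Why a file looks packed or tampered with (in the spirit of elfparser-cli -r)."""
    reasons = []
    if info["shnum"] == 0 or info["shoff"] == 0:
        reasons.append("no section header table (stripped or packed)")
    loads = [s for s in info["segments"] if s["type"] == PT_LOAD]
    if any(s["flags"] & (PF_W | PF_X) == (PF_W | PF_X) for s in loads):
        reasons.append("PT_LOAD segment is both writable and executable")
    entry = info["entry"]
    if not any(s["flags"] & PF_X and s["vaddr"] <= entry < s["vaddr"] + s["memsz"] for s in loads):
        reasons.append("entry point lies outside every executable segment")
    if b"UPX!" in data:
        reasons.append("UPX packer marker string present")
    return reasons


def capabilities(data):
    """Capability labels from strings found in the file (elfparser-cli -c, simplified)."""
    return sorted({label for needle, label in CAPABILITY_STRINGS.items() if needle in data})


# --- constructed sample binaries (not real executables) ---------------------------------------
def build_elf64(segments, entry, body, with_sections):
    """ELF header + PT_LOAD program headers + body (+ an optional zero-filled section table).
    segments: list of (flags, offset within body, size); vaddr = 0x400000 + file offset."""
    phoff = 64
    body_off = phoff + 56 * len(segments)
    shoff = body_off + len(body) if with_sections else 0
    shnum = 2 if with_sections else 0        # null entry plus one dummy, both zero-filled
    header = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8 + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, entry, phoff, shoff, 0, 64, 56, len(segments), 64, shnum, 0)
    phdrs = b"".join(
        struct.pack("<IIQQQQQQ", PT_LOAD, flags, body_off + off, 0x400000 + body_off + off,
                    0x400000 + body_off + off, size, size, 0x1000)
        for flags, off, size in segments)
    return header + phdrs + body + b"\x00" * 64 * shnum


CODE = b"\x48\x31\xc0\xc3" + b"socket\x00connect\x00"       # xor eax,eax; ret; plus strings
DATA = b"hello\x00"
SAMPLE_CLEAN = build_elf64(
    segments=[(PF_R | PF_X, 0, len(CODE)), (PF_R | PF_W, len(CODE), len(DATA))],
    entry=0x400000 + 64 + 2 * 56, body=CODE + DATA, with_sections=True)

PACKED_BODY = b"UPX!" + b"\x90" * 16 + b"ptrace\x00"
SAMPLE_PACKED = build_elf64(
    segments=[(PF_R | PF_W | PF_X, 0, len(PACKED_BODY))],
    entry=0x400000 + 0x10000, body=PACKED_BODY, with_sections=False)

if __name__ == "__main__":
    for name, blob in (("clean", SAMPLE_CLEAN), ("packed", SAMPLE_PACKED)):
        info = parse_elf64(blob)
        print(name, hex(info["entry"]), scoring_reasons(info, blob), capabilities(blob))
```

A self-modifying packer stub needs exactly the writable-and-executable segment this scores, and an absent section table is what leaves objdump and readelf with nothing to list, which is why both are cheap first-pass indicators before any disassembly.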





Thursday, January 14, 2016

CAINE 7.0 - DeepSpace 64bit



CAINE (Computer Aided INvestigative Environment) is a Linux distribution specifically designed for digital forensics. It is based on Ubuntu.

The latest edition is CAINE 7, code-named DeepSpace. It is based on Ubuntu 14.04 LTS and, therefore, UEFI and Secure Boot ready.

It comes with some new features, including booting into a read-only mode whereby all block devices are not writable, and a VNC server and client that allows remote control of a Caine 7 installation.

This post offers screenshots from a test installation of CAINE 7 in a virtual environment.

This is the installation boot menu. If you want to install CAINE in a virtual environment (using VirtualBox) on Ubuntu, select the Boot Live in safe graphics mode. Booting using the default will only give you a garbled display.





F.H.C - FORENSIC LIVE CD IMAGER



Forensic Hard Copy is a Linux distribution on a bootable CD (LiveCD), created exclusively to automate and speed up the copying of storage devices. These copy procedures are standard in computer forensics: it is orthodox practice to acquire the data from the seized media in a way that protects it from any alteration or damage, and then to analyse the identical copy. The project was created to meet the operational needs of police involved in investigations and of court-appointed technical consultants (CTU) and party-appointed consultants, so that the evidence remains intact and usable in criminal trials.


Open source software and scripts are used throughout, so that any user can, if necessary, understand exactly what the software does during the copy or image acquisition. The process is automated through a wizard script that guides you step by step through copying a device. The new release has a 2.6.32 kernel, which has wide compatibility with controllers and disks. Devices connected via IDE, SATA, FireWire and USB are recognised, so data can also be copied to external media attached to the machine being analysed.




Reverse engineering - Androguard





Androguard is mainly a tool written in python to play with :

º Dex/Odex (Dalvik virtual machine) (.dex) (disassemble, decompilation),
º APK (Android application) (.apk),
º Android’s binary xml (.xml),
º Android Resources (.arsc).






Features:


º Map and manipulate DEX/ODEX/APK/AXML/ARSC formats into full Python objects,
º Disassembly/decompilation/modification of DEX/ODEX/APK formats,
º Decompilation with the first native Dalvik decompiler (DAD), which goes directly from Dalvik bytecode to Java source code,
º Access to the static analysis of the code (basic blocks, instructions, permissions (with the database from http://www.android-permissions.org/) …) and create your own static analysis tool,
º Analysis of a bunch of Android apps,
º Analysis with IPython/Sublime Text Editor,
º Diffing of Android applications,
º Measure the efficiency of obfuscators (ProGuard, …),
º Determine if your application has been pirated (plagiarism/similarities/rip-off indicator),
º Check if an Android application is present in a database (malware, goodware?),
º Open source database of Android malware (this open source database is done in my free time, which is of course limited, so if you want to help, you are welcome!),
º Detection of ad/open source libraries (WIP),
º Risk indicator of malicious applications,
º Reverse engineering of applications (goodware, malware),
º Transform Android's binary XML (like AndroidManifest.xml) into classic XML,
º Visualize your application with Gephi (GEXF format), or with Cytoscape (XGMML format), or PNG/DOT output,
º Integration with external decompilers (JAD+dex2jar/DED/…)






Tuesday, January 12, 2016

DEFT - Linux Cyber Forensics




DEFT is an Ubuntu customisation with a collection of computer forensic programs and documents created by thousands of individuals, teams and companies. Each of these works may come under a different licence. The DEFT Licence Policy describes the process followed in deciding which software is shipped by default on the DEFT install CD.







Operator - Linux



Operator is a very fully featured LiveCD totally oriented around network security (with open source tools of course).

Operator is a complete Linux (Debian) distribution that runs from a single bootable CD and runs entirely in RAM. Operator contains an extensive set of open source network security tools that can be used for monitoring and discovering networks. This can turn virtually any PC into a network security pen-testing device without having to install any software. Operator also contains a set of computer forensic and data recovery tools to assist with data retrieval on the local system.






Wednesday, January 6, 2016

Xplico v1.1.1 - Open Source Network Forensic Analysis Tool (NFAT)



The goal of Xplico is to extract the application data contained in an Internet traffic capture.

For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on. Xplico isn’t a network protocol analyzer. Xplico is an open source Network Forensic Analysis Tool (NFAT).

Features
  • Protocols supported: HTTP, SIP, IMAP, POP, SMTP, TCP, UDP, IPv6, …;
  • Port Independent Protocol Identification (PIPI) for each application protocol;
  • Multithreading;
  • Output data and information in an SQLite database or a MySQL database and/or files;
  • Each item of data reassembled by Xplico is associated with an XML file that uniquely identifies the flows and the pcap containing the reassembled data;
  • Real-time processing (depending on the number of flows, the types of protocols and the performance of the computer: RAM, CPU, HD access time, …);
  • TCP reassembly with ACK verification for every packet, or soft ACK verification;
  • Reverse DNS lookup from the DNS packets contained in the input files (pcap), not from an external DNS server;
  • No size limit on input data or on the number of input files (the only limit is disk size);
  • IPv4 and IPv6 support;
  • Modularity. Each Xplico component is modular: the input interface, the protocol decoders (dissectors) and the output interface (dispatcher) are all modules;
  • The ability to easily create any kind of dispatcher with which to organize the extracted data in the way most appropriate and useful to you;
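Port Independent Protocol Identification as an added Python example (this is not Xplico's dissector code): each flow is classified from the first bytes each side sent, with a port-based guess alongside to show where ports mislead (an HTTP service on 8081, SMTP on 2525, SSH answering on 80). The pattern table, the port table and the flows are constructed for this example; a TLS ClientHello is included to show the "nothing matched" case, and a lone "USER" command shows the tied FTP/POP3 case.

```python
import re

# First-message patterns per protocol, applied to the payload regardless of port. For
# server-first protocols (SMTP, FTP, POP3, IMAP, SSH) the banner is the strongest evidence;
# for client-first ones (HTTP, SIP) it is the request line. Illustrative table written for
# this example, not Xplico's dissector logic.
CLIENT_PATTERNS = {
    "http": rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n",
    "sip":  rb"^(INVITE|REGISTER|OPTIONS|ACK|BYE|CANCEL) \S+ SIP/2\.0\r\n",
    "smtp": rb"^(EHLO|HELO) ",
    "ftp":  rb"^USER ",
    "pop3": rb"^USER ",
    "imap": rb"^[A-Za-z0-9]+ (CAPABILITY|LOGIN|AUTHENTICATE)\b",
    "ssh":  rb"^SSH-2\.0-",
}
SERVER_PATTERNS = {
    "http": rb"^HTTP/1\.[01] \d{3}",
    "sip":  rb"^SIP/2\.0 \d{3}",
    "smtp": rb"^220[ -].*SMTP",
    "ftp":  rb"^220[ -](?!.*SMTP)",
    "pop3": rb"^\+OK",
    "imap": rb"^\* (OK|PREAUTH)",
    "ssh":  rb"^SSH-2\.0-",
}
# What a port-based classifier would say, for comparison (constructed for the example).
PORT_TABLE = {80: "http", 8080: "http", 25: "smtp", 5060: "sip", 22: "ssh", 21: "ftp",
              110: "pop3", 143: "imap", 443: "tls"}


def identify(client_first, server_first):
    """Protocol name from the first bytes each side sent, or None when nothing matches or
    the evidence is tied (e.g. 'USER ' alone is FTP or POP3)."""
    scores = {}
    for table, payload in ((CLIENT_PATTERNS, client_first), (SERVER_PATTERNS, server_first)):
        for proto, pattern in table.items():
            if payload and re.match(pattern, payload, re.I):
                scores[proto] = scores.get(proto, 0) + 1
    ranked = sorted(scores.items(), key=lambda kv: -kv[1])
    if not ranked or (len(ranked) > 1 and ranked[0][1] == ranked[1][1]):
        return None
    return ranked[0][0]


def classify_flows(flows):
    """Port-based guess and content-based (PIPI-style) identification, side by side."""
    return [{"dst_port": f["dst_port"], "port_guess": PORT_TABLE.get(f["dst_port"]),
             "pipi": identify(f["client"], f["server"])} for f in flows]


# Constructed flows (first payload in each direction); not taken from a real capture.
SAMPLE_FLOWS = [
    {"dst_port": 8081, "client": b"GET /admin HTTP/1.1\r\nHost: 10.0.0.2\r\n\r\n",
     "server": b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"},
    {"dst_port": 2525, "client": b"EHLO mail.client.test\r\n",
     "server": b"220 mx.example.test ESMTP ready\r\n"},
    {"dst_port": 5060, "client": b"INVITE sip:bob@example.test SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.0.1\r\n\r\n",
     "server": b"SIP/2.0 100 Trying\r\n\r\n"},
    {"dst_port": 80, "client": b"SSH-2.0-OpenSSH_7.4\r\n",          # SSH hidden on the web port
     "server": b"SSH-2.0-OpenSSH_6.6\r\n"},
    {"dst_port": 21, "client": b"USER anonymous\r\n",
     "server": b"220 ftp.example.test FTP server ready\r\n"},
    {"dst_port": 443, "client": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03",  # TLS ClientHello
     "server": b""},
]

if __name__ == "__main__":
    for row in classify_flows(SAMPLE_FLOWS):
        print(row)
```

The score is the number of directions that agree, which is what lets a server banner settle the FTP-versus-POP3 ambiguity that a client's "USER" line alone cannot.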


Tuesday, January 5, 2016

Security Onion - Linux Distro For Intrusion Detection, Network Security Monitoring, And Log Management




Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It's based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, ELSA, Xplico, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!




Analyze your NIDS/HIDS alerts with Squert


Pivot between multiple data types with Sguil and send pcaps to Wireshark and NetworkMiner


Use ELSA to slice and dice your logs


Access full packet capture with CapMe


Snort/Suricata and Bro compiled with PF_RING to handle lots of traffic


Easy updates

Data Types

  • Alert data - HIDS alerts from OSSEC and NIDS alerts from Snort/Suricata
  • Asset data from Prads and Bro
  • Full content data from netsniff-ng
  • Host data via OSSEC and syslog-ng
  • Session data from Argus, Prads, and Bro
  • Transaction data - http/ftp/dns/ssl/other logs from Bro


LMD - Linux Malware Detect


Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 license, that is designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. In addition, threat data is also derived from user submissions with the LMD checkout feature and from malware community resources. The signatures that LMD uses are MD5 file hashes and HEX pattern matches, they are also easily exported to any number of detection tools such as ClamAV.

The driving force behind LMD is that there is currently limited availability of open source/restriction free tools for Linux systems that focus on malware detection and more important that get it right. Many of the AV products that perform malware detection on Linux have a very poor track record of detecting threats, especially those targeted at shared hosted environments.

The threat landscape in shared hosted environments is unique from that of the standard AV products detection suite in that they are detecting primarily OS level trojans, rootkits and traditional file-infecting viruses but missing the ever increasing variety of malware on the user account level which serves as an attack platform.

The commercial products available for malware detection and remediation in multi-user shared environments remains abysmal. An analysis of 8,883 malware hashes, detected by LMD 1.5, against 30 commercial anti-virus and malware products paints a picture of how poorly commercial solutions perform.
DETECTED KNOWN MALWARE:  1,951
  % AV DETECT (AVG):        58
  % AV DETECT (LOW):        10
  % AV DETECT (HIGH):      100
UNKNOWN MALWARE:         6,931

Using the Team Cymru malware hash registry, we can see that of the 8,883 malware hashes shipping with LMD 1.5, 6,931 (78%) went undetected by 30 commercial anti-virus and malware products. The 1,951 threats that were detected had an average detection rate of 58%, with low and high detection rates of 10% and 100% respectively. There could not be a clearer statement of the need for an open and community-driven malware remediation project that focuses on the threat landscape of multi-user shared environments.

Features:
  • MD5 file hash detection for quick threat identification
  • HEX based pattern matching for identifying threat variants
  • statistical analysis component for detection of obfuscated threats (e.g: base64)
  • integrated detection of ClamAV to use as scanner engine for improved performance
  • integrated signature update feature with -u|--update
  • integrated version update feature with -d|--update-ver
  • scan-recent option to scan only files that have been added/changed in X days
  • scan-all option for full path based scanning
  • checkout option to upload suspected malware to rfxn.com for review / hashing
  • full reporting system to view current and previous scan results
  • quarantine queue that stores threats in a safe fashion with no permissions
  • quarantine batching option to quarantine the results of a current or past scans
  • quarantine restore option to restore files to original path, owner and perms
  • quarantine suspend account option to Cpanel suspend or shell revoke users
  • cleaner rules to attempt removal of malware injected strings
  • cleaner batching option to attempt cleaning of previous scan reports
  • cleaner rules to remove base64 and gzinflate(base64_decode()) injected malware
  • daily cron based scanning of all changes in last 24h in user homedirs
  • daily cron script compatible with stock RH style systems, Cpanel & Ensim
  • kernel based inotify real time file scanning of created/modified/moved files
  • kernel inotify monitor that can take path data from STDIN or FILE
  • kernel inotify monitor convenience feature to monitor system users
  • kernel inotify monitor can be restricted to a configurable user html root
  • kernel inotify monitor with dynamic sysctl limits for optimal performance
  • kernel inotify alerting through daily and/or optional weekly reports
  • e-mail alert reporting after every scan execution (manual & daily)
  • path, extension and signature based ignore options
  • background scanner option for unattended scan operations
  • verbose logging & output of all actions
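The first three features above (MD5 hash match, HEX byte-pattern match, and a statistical base64 check) are the detection layers a scanner like this stacks. The following is an added example, not LMD's own code or signature data: it builds a tiny constructed signature set (the threat names other than base64.inject.unclassed are hypothetical), runs all three layers over a file's bytes, and adds a scan-recent style walk that only looks at files modified in the last X days. The 0.5 base64 ratio threshold, the 48-character minimum run length and the list of PHP code tokens are this example's assumptions.

```python
import base64
import binascii
import hashlib
import os
import re
import time

# Constructed sample used only to derive the MD5 signature below (harmless text,
# not a real webshell); LMD's own signature database is not reproduced here.
KNOWN_SAMPLE = b"<?php /* constructed sample for the md5 signature demo */ echo 'hi'; ?>\n"

# Signature sets in LMD's two signature styles. The threat names are hypothetical.
MD5_SIGNATURES = {hashlib.md5(KNOWN_SAMPLE).hexdigest(): "php.sample.md5demo"}
HEX_SIGNATURES = {
    # hex encoding of the byte string "eval(base64_decode(", a common obfuscation wrapper
    "6576616c286261736536345f6465636f646528": "php.obfuscated.evalb64",
}

# A long run of base64 alphabet characters (48+ chars) with optional padding (assumed cutoff).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{48,}={0,2}")
CODE_TOKENS = (b"<?php", b"eval(", b"system(", b"passthru(", b"shell_exec(")


def md5_match(data):
    """MD5 file-hash detection: exact match of the whole file against known hashes."""
    return MD5_SIGNATURES.get(hashlib.md5(data).hexdigest())


def hex_matches(data):
    """HEX pattern detection: byte-pattern search, which also catches variants whose
    hash differs but which still carry the signature bytes."""
    return [name for sig, name in HEX_SIGNATURES.items() if bytes.fromhex(sig) in data]


def base64_ratio(data):
    """Fraction of the file occupied by long base64 runs."""
    if not data:
        return 0.0
    return sum(len(m.group(0)) for m in B64_RUN.finditer(data)) / len(data)


def base64_suspicious(data, threshold=0.5):
    """Statistical base64 check: the file is mostly base64 blobs and at least one
    blob decodes to something containing PHP code tokens (threshold is assumed)."""
    if base64_ratio(data) < threshold:
        return False
    for m in B64_RUN.finditer(data):
        core = m.group(0).rstrip(b"=")
        pad = -len(core) % 4
        if pad == 3:  # not a valid base64 length, skip the run
            continue
        try:
            decoded = base64.b64decode(core + b"=" * pad, validate=True)
        except (binascii.Error, ValueError):
            continue
        if any(tok in decoded for tok in CODE_TOKENS):
            return True
    return False


def scan_bytes(data):
    """Run the three detection layers and return (method, threat name) hits."""
    hits = []
    name = md5_match(data)
    if name:
        hits.append(("md5", name))
    hits.extend(("hex", n) for n in hex_matches(data))
    if base64_suspicious(data):
        hits.append(("base64", "base64.inject.unclassed"))
    return hits


def scan_recent(root, days=None):
    """scan-recent style walk: scan every regular file under root, or only files
    modified in the last `days` days when days is given. Returns {path: hits}."""
    cutoff = time.time() - days * 86400 if days is not None else None
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                if cutoff is not None and os.stat(path).st_mtime < cutoff:
                    continue
                with open(path, "rb") as fh:
                    hits = scan_bytes(fh.read())
            except OSError:
                continue
            if hits:
                results[path] = hits
    return results


# Constructed obfuscated sample: a benign PHP payload wrapped in eval(base64_decode()).
PAYLOAD = b"<?php echo 'placeholder payload, decoded from base64 for the demo'; ?>"
OBFUSCATED = b"<?php eval(base64_decode('" + base64.b64encode(PAYLOAD) + b"')); ?>"
# Constructed base64 that decodes to plain text: mostly base64, but no code tokens.
PLAIN_B64 = base64.b64encode(b"just some harmless bytes, repeated " * 3)

if __name__ == "__main__":
    for label, sample in (("known", KNOWN_SAMPLE), ("obfuscated", OBFUSCATED),
                          ("plain-b64", PLAIN_B64), ("clean", b"<?php echo 1; ?>")):
        print(label, scan_bytes(sample))
```

The hex layer is what makes the md5 layer tolerable: a single byte changed in a known sample defeats the hash but not the pattern, and the base64 layer then covers the case where the pattern itself has been hidden inside an encoded blob. Run `scan_recent("/home", days=1)` to reproduce the daily "changes in the last 24h" behaviour listed above.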


Source Data:
The defining difference with LMD is that it doesn’t just detect malware based on signatures/hashes that someone else generated but rather it is an encompassing project that actively tracks in the wild threats and generates signatures based on those real world threats that are currently circulating.

There are four main sources for malware data that is used to generate LMD signatures:
Network Edge IPS: Through networks managed as part of my day-to-day job, primarily web hosting related, our web servers receive a large number of daily abuse events, all of which are logged by our network edge IPS. The IPS events are processed to extract malware URLs and to decode POST payloads and base64/gzip-encoded abuse data; the malware is then retrieved, reviewed, classified and signatures are generated as appropriate. The vast majority of LMD signatures have been derived from IPS-extracted data.
Community Data: Data is aggregated from multiple community malware websites such as clean-mx and malwaredomainlist, then processed to retrieve new malware, which is reviewed, classified and used to generate signatures.
ClamAV: The HEX and MD5 detection signatures from ClamAV are monitored for relevant updates that apply to LMD's target user group and are added to the project as appropriate. To date roughly 400 signatures have been ported from ClamAV, while the LMD project has contributed back over 1,100 signatures to ClamAV and continues to do so on an ongoing basis.
User Submission: LMD has a checkout feature that allows users to submit suspected malware for review; this has grown into a very popular feature and generates on average 30-50 submissions per week.

Signature Updates:
LMD signatures are updated typically once per day, or more frequently depending on incoming threat data from the LMD checkout feature, IPS malware extraction and other sources. Signatures in LMD installations are updated daily through the default cron.daily script with the --update option, which can also be run manually at any time.

An RSS feed is available for tracking malware threat updates: http://www.rfxn.com/api/lmd

Detected Threats:
LMD 1.5 ships with a total of 10,822 signatures (8,908 MD5 / 1,914 HEX) before any updates. The top 60 threats by prevalence detected by LMD are as follows:
base64.inject.unclassed    perl.ircbot.xscan
bin.dccserv.irsexxy        perl.mailer.yellsoft
bin.fakeproc.Xnuxer        perl.shell.cbLorD
bin.ircbot.nbot            perl.shell.cgitelnet
bin.ircbot.php3            php.cmdshell.c100
bin.ircbot.unclassed       php.cmdshell.c99
bin.pktflood.ABC123        php.cmdshell.cih
bin.pktflood.osf           php.cmdshell.egyspider
bin.trojan.linuxsmalli     php.cmdshell.fx29
c.ircbot.tsunami           php.cmdshell.ItsmYarD
exp.linux.rstb             php.cmdshell.Ketemu
exp.linux.unclassed        php.cmdshell.N3tshell
exp.setuid0.unclassed      php.cmdshell.r57
gzbase64.inject            php.cmdshell.unclassed
html.phishing.auc61        php.defash.buno
html.phishing.hsbc         php.exe.globals
perl.connback.DataCha0s    php.include.remote
perl.connback.N2           php.ircbot.InsideTeam
perl.cpanel.cpwrap         php.ircbot.lolwut
perl.ircbot.atrixteam      php.ircbot.sniper
perl.ircbot.bRuNo          php.ircbot.vj_denie
perl.ircbot.Clx            php.mailer.10hack
perl.ircbot.devil          php.mailer.bombam
perl.ircbot.fx29           php.mailer.PostMan
perl.ircbot.magnum         php.phishing.AliKay
perl.ircbot.oldwolf        php.phishing.mrbrain
perl.ircbot.putr4XtReme    php.phishing.ReZulT
perl.ircbot.rafflesia      php.pktflood.oey
perl.ircbot.UberCracker    php.shell.rc99
perl.ircbot.xdh            php.shell.shellcomm


Real-Time Monitoring:
The inotify monitoring feature is designed to monitor paths/users in real time for file creation/modify/move operations. This option requires a kernel with inotify support (CONFIG_INOTIFY), which is present in kernels 2.6.13+ and in CentOS/RHEL 5 by default. If you are running CentOS 4 you should consider an in-place upgrade with:

There are three modes the monitor can be executed in, and they determine what will be monitored: USERS|PATHS|FILE.
  e.g: maldet --monitor users
  e.g: maldet --monitor /root/monitor_paths
  e.g: maldet --monitor /home/mike,/home/ashton

The options break down as follows:
USERS: The users option takes the home directories of all system users whose uid is above inotify_minuid and monitors them. If inotify_webdir is set, then only the user's webdir, if it exists, is monitored.
PATHS: A comma-separated list of paths to monitor
FILE: A file containing one path per line to monitor

Once you start maldet in monitor mode, it preprocesses the paths based on the option specified and then starts the inotify process. Starting the inotify process can be time consuming, as it needs to set up a monitor hook for every file under the monitored paths. Although startup can temporarily impact load, once the process is running it keeps all of its resources in kernel memory and has a very small userspace footprint in memory and CPU usage.
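The path preprocessing step described above (resolve the USERS, PATHS or FILE argument into the list of directories to watch, then start inotify on them) is shown here as an added example; it is not maldet's own code. The passwd excerpt is constructed, `min_uid` defaults to 500 as a stand-in for inotify_minuid, users are kept when their uid is at or above it, and two details are this example's assumptions rather than documented maldet behaviour: a user whose webdir does not exist falls back to the home directory, and PATHS versus FILE is decided by whether the argument names an existing regular file. The `collapse_nested` helper drops paths already covered by a listed parent, since a recursive watch on the parent would otherwise register every file twice.

```python
import os

# Constructed /etc/passwd excerpt (RH-style uids; not from any real host).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
mike:x:1000:1000:Mike:/home/mike:/bin/bash
ashton:x:1001:1001:Ashton:/home/ashton:/bin/bash
"""


def users_to_paths(passwd_text, min_uid, webdir=None, dir_exists=os.path.isdir):
    """USERS mode: home directories of accounts with uid >= min_uid (inotify_minuid).
    With webdir set (inotify_webdir), watch only <home>/<webdir> when it exists;
    falling back to the home directory otherwise is this example's assumption."""
    paths = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue  # skip comments and malformed lines
        uid, home = int(fields[2]), fields[5]
        if uid < min_uid:
            continue  # system accounts are not monitored
        if webdir:
            candidate = os.path.join(home, webdir)
            if dir_exists(candidate):
                paths.append(candidate)
                continue
        paths.append(home)
    return paths


def spec_to_paths(spec, is_file=os.path.isfile, read_text=None):
    """PATHS mode: a comma-separated list. FILE mode: one path per line, blank
    lines and '#' comments ignored. The "existing regular file means FILE mode"
    rule is this example's, not necessarily maldet's."""
    if is_file(spec):
        if read_text is None:
            with open(spec, encoding="utf-8") as fh:
                text = fh.read()
        else:
            text = read_text(spec)
        lines = (ln.strip() for ln in text.splitlines())
        return [ln for ln in lines if ln and not ln.startswith("#")]
    return [p.strip() for p in spec.split(",") if p.strip()]


def collapse_nested(paths):
    """Drop duplicates and paths that lie under another listed path, since a
    recursive watch on the parent already covers them."""
    result = []
    for p in sorted({os.path.normpath(x) for x in paths}):
        covered = any(p == kept or p.startswith(kept.rstrip("/") + "/") for kept in result)
        if not covered:
            result.append(p)
    return result


def monitor_targets(arg, passwd_text, min_uid=500, webdir=None, **io):
    """Dispatch on the --monitor argument as the three documented modes do and
    return the deduplicated list of directories to hand to inotify."""
    if arg == "users":
        paths = users_to_paths(passwd_text, min_uid, webdir, io.get("dir_exists", os.path.isdir))
    else:
        paths = spec_to_paths(arg, io.get("is_file", os.path.isfile), io.get("read_text"))
    return collapse_nested(paths)


if __name__ == "__main__":
    print(monitor_targets("users", PASSWD_SAMPLE))
    print(monitor_targets("/home/mike,/home/ashton", PASSWD_SAMPLE, is_file=lambda p: False))
```

The injectable `dir_exists`, `is_file` and `read_text` callables exist so the resolution logic can be exercised without touching the real filesystem; in production the defaults (`os.path.isdir`, `os.path.isfile` and a plain file read) apply.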

