Linux Malware Detect: boost security

Linux has its own share of antivirus suites like ClamAV or AVG. But when it comes to malware, the drawback these suites suffer from is that they concentrate primarily on OS-level trojans, rootkits and traditional file-infecting viruses; user-account-level malware is missed. The fact is, malware is on the rise.

Linux Malware Detect (LMD) is a project by R-fx Networks that aims at detecting and cleansing malware using information from several sources. The project was driven by data on the malware detection rates of 30 major antivirus products. They ran an analysis of these AV products against 5,393 core malware MD5 hashes: 81% remained undetected, and the remaining 19% had a detection rate of only 48%!

LMD targets shared hosting environments, where malware threats are more prevalent. It uses signature-based detection and receives its data from four sources:

  • Network Edge IPS: Daily abuse events from over 35K web servers, logged by a network-edge IPS. The IPS events are processed to extract malware URLs and to decode POST payloads and base64/gzip-encoded abuse data; the malware is then retrieved, reviewed and classified, and signatures are generated.
  • Community Data: Data aggregated from community malware websites such as clean-mx and malwaredomainlist.
  • ClamAV: The HEX & MD5 detection signatures from ClamAV.
  • User Submission: LMD has a checkout feature that allows users to submit suspected malware for review.

LMD 1.4.0 has a total of 7,241 (5393 MD5 / 1848 HEX) signatures (before updates).

Features

  • MD5 file hash detection for quick threat identification
  • HEX based pattern matching for identifying threat variants
  • statistical analysis component for detection of obfuscated threats (e.g: base64)
  • integrated detection of ClamAV to use as scanner engine for improved performance
  • integrated signature update feature with -u|--update
  • integrated version update feature with -d|--update-ver
  • scan-recent option to scan only files that have been added/changed in X days
  • scan-all option for full path based scanning
  • checkout option to upload suspected malware to rfxn.com for review / hashing
  • full reporting system to view current and previous scan results
  • quarantine queue, batching, restore, suspend
  • cleaner rules to attempt removal of malware injected strings
  • cleaner batching option to attempt cleaning of previous scan reports
  • cleaner rules to remove base64 and gzinflate(base64) injected malware
  • daily cron based scanning of all changes in last 24h in user homedirs
  • daily cron script compatible with stock RH style systems, Cpanel & Ensim
  • kernel based inotify real time file scanning of created/modified/moved files
  • kernel inotify monitor that can take path data from STDIN or FILE
  • kernel inotify monitor convenience feature to monitor system users
  • kernel inotify monitor can be restricted to a configurable user html root
  • kernel inotify monitor with dynamic sysctl limits for optimal performance
  • kernel inotify alerting through daily and/or optional weekly reports
  • HTTP upload scanning through mod_security2 inspectFile hook
  • e-mail alert reporting after every scan execution (manual & daily)
  • path, extension and signature based ignore options
  • background scanner option for unattended scan operations
  • verbose logging & output of all actions

Installation

To install LMD, run the following:

$ wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
$ tar -zxvf maldetect-current.tar.gz
$ cd maldetect*
$ ./install.sh

Usage

LMD adds itself as a cron job that updates signatures daily, keeps session, temp and quarantine data no older than 14 days, and runs a daily scan of recent file-system changes.

The configuration file for LMD is /usr/local/maldetect/conf.maldet. The file is well documented internally, so its options are easy to understand. By default public scanning is disabled. To list the command-line options of LMD, run:

$ sudo maldet --help

Updates to the product are not performed automatically at the time of writing. To do a manual update (if available), run:

$ sudo maldet -d

By default LMD has auto-quarantine of files disabled, which means that YOU WILL NEED TO ACT on any threats detected, or pass the SCANID to the '-q' option to batch-quarantine the results. This can be changed by setting quar_hits=1 in conf.maldet.

The inotify monitoring feature monitors users in real time for file create/modify/move operations. There are three monitoring modes (USERS / PATHS / FILES), e.g.:

$ sudo maldet --monitor users
$ sudo maldet --monitor /root/monitor_paths
$ sudo maldet --monitor /home/mike,/home/ashton
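As an added example (not LMD's own code), a small POSIX sh helper that parses a maldet scan report for its SCAN ID and TOTAL HITS and hands the ID to `maldet -q` only when something was found, so the "act on detected threats" step above can be scripted. The sample report is constructed to match the layout maldet prints; the `maldet -a` wiring at the end is shown as a comment because it needs a real installation.

```shell
#!/bin/sh
# Added example, not part of LMD: parse a maldet scan report and hand its
# SCAN ID to `maldet -q` only when TOTAL HITS is non-zero. Field names
# follow the report layout maldet prints; the sample below is constructed.
SAMPLE_REPORT='malware detect scan report for example-host:
SCAN ID: 042715-1505.3285
PATH: /home/username/public_html/
TOTAL FILES: 37322
TOTAL HITS: 2
TOTAL CLEANED: 0

FILE HIT LIST:
{CAV}Php.Malware.Mailbot-1 : /home/username/public_html/images/css.php => /usr/local/maldetect/quarantine/css.php.8062
{CAV}Php.Malware.Mailbot-1 : /home/username/public_html/backup/proxy.php => /usr/local/maldetect/quarantine/proxy.php.3538'

# SCAN ID of the report read from stdin.
report_scan_id() {
    sed -n 's/^[[:space:]]*SCAN ID:[[:space:]]*//p' | head -n 1
}

# TOTAL HITS of the report read from stdin, as an integer (0 when absent).
report_total_hits() {
    hits=$(sed -n 's/^[[:space:]]*TOTAL HITS:[[:space:]]*//p' | head -n 1)
    echo "${hits:-0}"
}

# One "signature<TAB>file" line per FILE HIT LIST entry read from stdin.
report_hit_files() {
    awk '/^[[:space:]]*FILE HIT LIST:/ { inlist = 1; next }
         inlist && NF == 0            { inlist = 0 }
         inlist { sig = $1
                  sub(/^[^:]*: */, "")      # strip "signature : "
                  sub(/ *=> .*$/, "")       # strip " => quarantine path"
                  print sig "\t" $0 }'
}

# Print the SCAN ID and return 0 when the report on stdin has hits, else 1.
quarantine_if_hits() {
    report=$(cat)
    id=$(printf '%s\n' "$report" | report_scan_id)
    hits=$(printf '%s\n' "$report" | report_total_hits)
    [ "$hits" -gt 0 ] || return 1
    printf '%s\n' "$id"
}

# Wiring for a real scan (the only line that invokes maldet itself):
#   id=$(maldet -a /home/example/public_html | quarantine_if_hits) && maldet -q "$id"
```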

Webpage: Linux Malware Detect


4 thoughts on “Linux Malware Detect: boost security”

  1. I've got it set up on a server which has 6 accounts on it.
    I set up the scanner to keep tabs on /home/username (all 6) and the monitoring process IS checking files being uploaded, created or modified, but on two occasions now it has missed infected files being put on the server.
    Running maldet -a /home/XXX manually picks up the infected files and quarantines them, as the monitoring process is supposed to do.
    The log file shows the file being created/modified, but nothing about it picking up the malware.

    grep -w 'backup/proxy.php' /usr/local/maldetect/inotify/inotify_log
    /home/username/public_html/newsite/wp-content/plugins/revslider/backup/proxy.php CREATE 27 Apr 14:44:52
    /home/username/public_html/newsite/wp-content/plugins/revslider/backup/proxy.php MODIFY 27 Apr 14:44:52
    /home/username/public_html/newsite/wp-content/plugins/revslider/backup/proxy.php MODIFY 27 Apr 14:44:52
    /home/username/public_html/newsite/wp-content/plugins/revslider/backup/proxy.php MODIFY 27 Apr 14:44:52
    /home/username/public_html/newsite/wp-content/plugins/revslider/backup/proxy.php MODIFY 27 Apr 14:44:52

    Running a manual scan results in:

    malware detect scan report for xxxxxxxxxxxx:
    SCAN ID: 042715-1505.3285
    TIME: Apr 27 15:07:41 +0100
    PATH: /home/username/public_html/
    TOTAL FILES: 37322
    TOTAL HITS: 2
    TOTAL CLEANED: 0

    FILE HIT LIST:
    {CAV}Php.Malware.Mailbot-1 : /home/username/public_html/xxxxxxxx/images/testimonials/css.php => /usr/local/maldetect/quarantine/css.php.8062
    {CAV}Php.Malware.Mailbot-1 : /home/username/public_html/newsite/wp-content/plugins/revslider/backup/proxy.php => /usr/local/maldetect/quarantine/proxy.php.3538

    The inotify log then shows the files being moved to (I assume quarantine)

    /home/username/public_html/newsite/wp-content/plugins/revslider/backup/proxy.php MOVED_FROM 27 Apr 15:07:41

    But why isn't the monitoring process picking up the malware? Any ideas?

    1. In brief, it should pick it up by itself if it can do the same with a manual scan. Please raise a bug on the GitHub project page.
