Pages

Showing posts with label malware. Show all posts
Showing posts with label malware. Show all posts

Thursday, August 22, 2019

Fedora 30 : Set up the Linux Malware Detect.

If you have an SELinux warning detection then the details you can see how can be fixed:
[mythcat@desk ~]$ su
Password: 
[root@desk mythcat]# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-systemd.pp

[root@desk mythcat]# semodule -X 300 -i my-systemd.pp
This tool comes with three modes that the monitor can be executed with and they relate to what will be monitored.
These modes are USERS|PATHS|FILES.
The options break down as follows:
  • USERS: The users option will take the homedirs of all system users that are above inotify_minuid and monitor them.If inotify_webdir is set then the users webdir, if it exists, will only be monitored;
  • PATHS: A comma spaced list of paths to monitor;
  • FILE: A line spaced file list of paths to monitor
$ maldet --monitor users
$ maldet --monitor /root/initial-setup-ks.cfg
$ maldet --monitor /home/mythcat
Let's test the USERS option:
[mythcat@desk maldetect-1.6.4]$ maldet --monitor users
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks 
            (C) 2019, Ryan MacDonald 
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(7958): {mon} could not find inotifywait command, install yum package inotify-tools or 
download from https://github.com/rvoicilas/inotify-tools/wiki/


[root@desk maldetect-1.6.4]# dnf search inotify-tools
Last metadata expiration check: 0:01:39 ago on Wed 21 Aug 2019 11:09:22 PM EEST.
============================================ Name Exactly Matched: inotify-tools ======
inotify-tools.i686 : Command line utilities for inotify
inotify-tools.x86_64 : Command line utilities for inotify
================================================ Name Matched: inotify-tools ======
inotify-tools-devel.i686 : Headers and libraries for building apps that use libinotifytools
inotify-tools-devel.x86_64 : Headers and libraries for building apps that use libinotifytools
[root@desk maldetect-1.6.4]# dnf install inotify-tools.x86_64
...
Installed:
  inotify-tools-3.14-16.fc30.x86_64                                                                                          

Complete!
[root@desk maldetect-1.6.4]# maldet --monitor users
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks 
            (C) 2019, Ryan MacDonald 
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(973): {mon} set inotify max_user_watches to 16384
maldet(973): {mon} added /dev/shm to inotify monitoring array
maldet(973): {mon} added /var/tmp to inotify monitoring array
maldet(973): {mon} added /tmp to inotify monitoring array
maldet(973): {mon} starting inotify process on 3 paths, this might take awhile...
maldet(973): {mon} inotify startup successful (pid: 1800)
maldet(973): {mon} inotify monitoring log: /usr/local/maldetect/logs/inotify_log

Wednesday, August 21, 2019

Fedora 30 : Testing the Linux Malware Detect.

Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 license, that is designed around the threats faced in shared hosted environments.
This tool is provided by R-fx Networks.
Let's install and test it:
[mythcat@desk ~]$ wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
[mythcat@desk ~]$ tar -xf maldetect-current.tar.gz 
[mythcat@desk ~]$ cd maldetect-1.6.4/
[mythcat@desk maldetect-1.6.4]$ su
Password: 
[root@desk maldetect-1.6.4]# ./install.sh
Failed to enable unit: Unit file maldet.service does not exist.
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks <proj@r-fx.org>
            (C) 2019, Ryan MacDonald <ryan@r-fx.org>
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
maldet(31046): {sigup} performing signature update check...
maldet(31046): {sigup} local signature set is version 201907043616
maldet(31046): {sigup} new signature set 2019081912001 available
maldet(31046): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-sigpack.tgz
maldet(31046): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-cleanv2.tgz
maldet(31046): {sigup} verified md5sum of maldet-sigpack.tgz
maldet(31046): {sigup} unpacked and installed maldet-sigpack.tgz
maldet(31046): {sigup} verified md5sum of maldet-clean.tgz
maldet(31046): {sigup} unpacked and installed maldet-clean.tgz
maldet(31046): {sigup} signature set update completed
maldet(31046): {sigup} 15552 signatures (12740 MD5 | 2035 HEX | 777 YARA | 0 USER)
[root@desk maldetect-1.6.4]# vim /usr/local/maldetect/conf.maldet
Change this row to scan_user_access=1
Now you can run it:
[mythcat@desk ~]$ /usr/local/sbin/maldet -a 
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks 
            (C) 2019, Ryan MacDonald 
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(32628): {scan} signatures loaded: 15552 (12740 MD5 | 2035 HEX | 777 YARA | 0 USER)
maldet(32628): {scan} building file list for , this might take awhile...
maldet(32628): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(32628): {scan} file list completed in 13s, found 44109 files...
maldet(32628): {scan} scan of  (44109 files) in progress...

Tuesday, December 29, 2015

Nemesis Bootkit Malware the new stealthy Payment Card.

After I read many articles I got this infos about Nemesis Bootkit Malware:
 - suspected to originate from Russia;
 - infect PCs by loading before Windows starts
 - has ability to modify the legitimate volume boot record;
 - seam to be like another Windows rootkit named Alureon;
 - intercepts several system interrupts to pass boot process;
 - can steal payment data from anyone's not just targeting financial institutions and retailers;
 - this malware hides between partitions and is also almost impossible to remove;

I think about the antivirus and internet security solutions can deal with this type of issues.

Take a look at how fast working the scan disk and how it's working the memory traps, how it's working the booting process or maybe try to see how selinux works.
In my opinion these Antivirus and Internet security solutions are just not effective in design and heuristic detection.
Most of that the prices of this softwars is huge versus non make anything all.

Maybe will see into the future a mega malware wich jump from first boot to any operating system and this because the hardware is more complex and fast.