Malcom - Malware Communications Analyzer
Tuesday, September 24, 2019
Edit
Malcom - Malware Communications Analyzer - Hi friends mederc, In the article that you read this time with the title Malcom - Malware Communications Analyzer, We have prepared this article well for you to read and retrieve information from it. hopefully fill the posts
Article Geolocation,
Article Intelligence,
Article Intercept,
Article Linux,
Article Malcom,
Article Malware,
Article Malware Analysis,
Article Network Traffic,
Article Pcap,
Article Port Forwarding,
Article Python,
Article Threat Intelligence, we write this you can understand. Alright, happy reading.
Title : Malcom - Malware Communications Analyzer
link : Malcom - Malware Communications Analyzer
What is Malcom?
Malcom tin flame assistance you:
Check the wiki for a Quickstart amongst closed to dainty screenshots as well as a tutorial on how to add together your ain feeds.
If yous demand closed to help, or desire to contribute, experience complimentary to bring together the mailing list or endeavour to catch mortal on IRC (#malcom on freenode.net, it's pretty tranquillity but there's ever mortal around). You tin flame also hitting upwardly on twitter @tomchop_
Here's an instance graph for host tomchop.me
Dataset persuasion (filtered to only present IPs)
Quick how-to
Installation
Malcom is written inwards python. Provided yous accept the necessary libraries, yous should hold out able to run it on whatever platform. I highly recommend the piece of employment of python virtual environments (
The next was tested on Ubuntu server 14.04 LTS:
Configuration options
Database
By default, Malcom volition endeavour to connect to a local mongodb instance as well as create its ain database, named
Set an other advert for your Malcom database
By default, Malcom volition piece of employment a database named
Remote database(s)
By default, Malcom volition endeavour to connect to
If you'd similar to piece of employment a standalone database on host
Use authentication
You may accept configured your mongod instances to enforce authenticated connections. In that case, yous accept to laid the username the driver volition accept to piece of employment to connect to your mongod instance. To practise this, only add together a
Case of a replica set
When using a replica set, yous may demand to ensure yous are connected to the correct one. For that, only add together the
Docker instance
The quickest means to larn yous started is to line the Docker icon from the public docker repo. To line older, to a greater extent than stable Docker builds, piece of employment
Quick banking corporation notation on TLS interception
Malcom similar a shot supports TLS interception. For this to work, yous demand to generate closed to keys inwards Malcom/networking/tlsproxy/keys. See the KEYS.md file at that spot for to a greater extent than information on how to practise this.
Make sure enough yous also accept IPtables (you already should) as well as permissions to practise closed to port forwarding amongst it (you ordinarily demand to hold out root for that). You tin flame to this using the convenient
Expect this procedure to hold out automated inwards hereafter releases.
Environment
Malcom was designed as well as tested on a Ubuntu Server 14.04 LTS VM.
If you're used to doing malware analysis, yous likely already accept tons of virtual machines running on a host OS. Just install Malcom on a novel VM, as well as road your other VM's connections through Malcom. Use
As long equally it's getting layer-3 network data, Malcom tin flame hold out deployed anywhere. Although it's non recommended to piece of employment it on high-availability networks (it wasn't designed to hold out fast, encounter disclaimer), yous tin flame accept it running at the terminate of your switch's mirror port or on your gateway.
Feeds
To launch an instance of Malcom that ONLY fetches information from feeds, run Malcom amongst the
Your database should hold out populated automatically. If yous tin flame dig into the code, adding feeds is pretty straightforward (assuming you're generating
You tin flame also piece of employment
Technical specs
Malcom was written by as well as large from scratch, inwards Python. It uses the next frameworks to work:
You are now reading the article Malcom - Malware Communications Analyzer with the link address https://mederc.blogspot.com/2019/09/malcom-malware-communications-analyzer.html
Title : Malcom - Malware Communications Analyzer
link : Malcom - Malware Communications Analyzer
Malcom - Malware Communications Analyzer
Malcom is a tool designed to analyze a system's network communication using graphical representations of network traffic, as well as cross-reference them amongst known malware sources. This comes handy when analyzing how sure enough malware species endeavour to communicate amongst the exterior world.
What is Malcom?
Malcom tin flame assistance you:
- detect primal command as well as command (C&C) servers
- understand peer-to-peer networks
- observe DNS fast-flux infrastructures
- quickly create upwardly one's heed if a network artifact is 'known-bad'
Check the wiki for a Quickstart amongst closed to dainty screenshots as well as a tutorial on how to add together your ain feeds.
If yous demand closed to help, or desire to contribute, experience complimentary to bring together the mailing list or endeavour to catch mortal on IRC (#malcom on freenode.net, it's pretty tranquillity but there's ever mortal around). You tin flame also hitting upwardly on twitter @tomchop_
Here's an instance graph for host tomchop.me
Dataset persuasion (filtered to only present IPs)
Quick how-to
- Install
- Make sure enough
mongodb
as well asredis-server
are running - Elevate your privileges to root (yeah, I know, encounter disclaimer)
- Start the webserver using the default configuration amongst
./malcom.py -c malcom.conf
(or encounter options amongst./malcom.py --help
) ** For an instance configuration file, yous tin flame re-createmalcom.conf.example
tomalcom.conf
** Default port is 8080 ** Alternatively, run the feeds fromcelery
. See the feeds department for details on how to to this.
Installation
Malcom is written inwards python. Provided yous accept the necessary libraries, yous should hold out able to run it on whatever platform. I highly recommend the piece of employment of python virtual environments (
virtualenv
) so equally non to mess upwardly your arrangement libraries.The next was tested on Ubuntu server 14.04 LTS:
- Install
git
,python
as well aslibevent
libs,mongodb
,redis
, as well as other dependencies
$ sudo apt-get install build-essential git python-dev libevent-dev mongodb libxml2-dev libxslt-dev zlib1g-dev redis-server libffi-dev libssl-dev python-virtualenv
- Clone the Git repo:
$ git clone https://github.com/tomchop/malcom.git malcom
- Create your virtualenv as well as activate it:
$ cd malcom $ virtualenv env-malcom $ source env-malcom/bin/activate
- Get as well as install
scapy
:
$ cd .. $ wget http://www.secdev.org/projects/scapy/files/scapy-latest.tar.gz $ tar xvzf scapy-latest.tar.gz $ cd scapy-2.1.0 $ python setup.py install
- Still from your virtualenv, install necessary python packages from the
requirements.txt
file:
$ cd ../malcom $ pip install -r requirements.txt
- For IP geolocation to work, yous demand to download the Maxmind database as well as extract the file to the
malcom/Malcom/auxiliary/geoIP
directory. You tin flame larn Maxmind's complimentary (and hence to a greater extent than or less accurate) database from the next link: http://dev.maxmind.com/geoip/geoip2/geolite2/:
$ cd Malcom/auxiliary/geoIP $ wget http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.mmdb.gz $ gunzip -d GeoLite2-City.mmdb.gz $ mv GeoLite2-City.mmdb GeoIP2-City.mmdb
- Launch the webserver from the
malcom
directory using./malcom.py
. Check./malcom.py --help
for hear interface as well as ports.
- For starters, yous tin flame re-create the
malcom.conf.example
file tomalcom.conf
as well as run./malcom.py -c malcom.conf
- For starters, yous tin flame re-create the
Configuration options
Database
By default, Malcom volition endeavour to connect to a local mongodb instance as well as create its ain database, named
malcom
. If this is OK for you, yous may skip the next steps. Otherwise, yous demand to edit the database
department of your malcom.conf
file.Set an other advert for your Malcom database
By default, Malcom volition piece of employment a database named
malcom
. You tin flame alter this deportment past times editing the malcom.conf
file as well as setting the name
directive from the database
department to your liking. [database] ... advert = my_malcom_database ...
Remote database(s)
By default, Malcom volition endeavour to connect to
localhost
, but your database may hold out on closed to other server. To alter this, only laid the hosts
directive. You may piece of employment hostnames or IPv4/v6 addresses (just popular off along inwards heed to enclose your IPv6 addresses betwixt [
as well as ]
, e.g. [::1]
).If you'd similar to piece of employment a standalone database on host
my.mongo.server
, only set: [database] ... hosts = my.mongo.server ...
You tin flame also specify the port mongod is listening on past times specifying it afterwards the name/address of your server, separated amongst a :
[database] ... hosts = localhost:27008 ...
And if you're using a ReplicaSet
regrouping my.mongo1.server
as well as my.mongo2.server
, only set: [database] ... hosts = my.mongo1.server,my.mongo2.server ...
Use authentication
You may accept configured your mongod instances to enforce authenticated connections. In that case, yous accept to laid the username the driver volition accept to piece of employment to connect to your mongod instance. To practise this, only add together a
username
directive to the database
department inwards the malcom.conf
file. You may also accept to laid the password amongst the password
directive. If the user does non accept a password, only ignore (i.e. comment out) the password
directive. [database] ... username = my_user password = change_me ...
If the user is non linked to the malcom
database but to closed to other ane (for instance the admin
database for a admin user), yous volition accept to laid the authentication_database
directive amongst the advert of that database. [database] ... authentication_database = some_other_database ...
Case of a replica set
When using a replica set, yous may demand to ensure yous are connected to the correct one. For that, only add together the
replset
directive to forcefulness the mongo driver to cheque the advert of the replicaset [database] ... replset = my_mongo_replica ...
By default, Malcom volition endeavour to connect to the principal node of th replica set. You may need/want to alter that. In fellowship to alter that behaviour, only laid the read_preference
directive. See the mongo documentation for to a greater extent than information. [database] ... read_preference = NEAREST ...
Supported read preferences are:- PRIMARY
- PRIMARY_PREFERRED
- SECONDARY
- SECONDARY_PREFERRED
- NEAREST
Docker instance
The quickest means to larn yous started is to line the Docker icon from the public docker repo. To line older, to a greater extent than stable Docker builds, piece of employment
tomchop/malcom
instead of tomchop/malcom-automatic
. $ sudo docker line tomchop/malcom-automatic $ sudo docker run -p 8080:8080 -d --name malcom tomchop/malcom-automatic
Connecting to http://<docker_host>:8080/
should larn yous started.Quick banking corporation notation on TLS interception
Malcom similar a shot supports TLS interception. For this to work, yous demand to generate closed to keys inwards Malcom/networking/tlsproxy/keys. See the KEYS.md file at that spot for to a greater extent than information on how to practise this.
Make sure enough yous also accept IPtables (you already should) as well as permissions to practise closed to port forwarding amongst it (you ordinarily demand to hold out root for that). You tin flame to this using the convenient
forward_port.sh
script. For example, to intercept all TLS communications towards port 443, piece of employment forward_port.sh 443 9999
. You'll as well as so accept to say malcom to run an interception proxy on port 9999
.Expect this procedure to hold out automated inwards hereafter releases.
Environment
Malcom was designed as well as tested on a Ubuntu Server 14.04 LTS VM.
If you're used to doing malware analysis, yous likely already accept tons of virtual machines running on a host OS. Just install Malcom on a novel VM, as well as road your other VM's connections through Malcom. Use
enable_routing.sh
to activate routing / NATing on the VM Malcom is running on. You'll demand to add together an extra network carte du jour to the invitee OS.As long equally it's getting layer-3 network data, Malcom tin flame hold out deployed anywhere. Although it's non recommended to piece of employment it on high-availability networks (it wasn't designed to hold out fast, encounter disclaimer), yous tin flame accept it running at the terminate of your switch's mirror port or on your gateway.
Feeds
To launch an instance of Malcom that ONLY fetches information from feeds, run Malcom amongst the
--feeds
choice or tweak the configuration file.Your database should hold out populated automatically. If yous tin flame dig into the code, adding feeds is pretty straightforward (assuming you're generating
Evil
objects). You tin flame give away an instance feed inwards /feeds/zeustracker
. Influenza A virus subtype H5N1 to a greater extent than detailed tutorial is available here.You tin flame also piece of employment
celery
to run feeds. Make sure enough celery is installed past times running $ pip install celery
from your virtualenv. You tin flame as well as so piece of employment celery worker -E --config=celeryconfig --loglevel=DEBUG --concurrency=12
to launch the feeding procedure amongst 12 simultaneous workers.Technical specs
Malcom was written by as well as large from scratch, inwards Python. It uses the next frameworks to work:
- flask - a lightweight python spider web framework
- mongodb - a NoSQL database. It interfaces to python amongst pymongo
- redis - An advanced in-memory key-value store
- d3js - a JavaScript library that produces awesome force-directed graphs (https://github.com/mbostock/d3/wiki/Gallery)
- bootstrap - a CSS framework that volition eventually kill webdesign, but makes it extremely slowly to chop-chop "webize" applications that would only piece of employment through a command prompt.
Thus the article Malcom - Malware Communications Analyzer
That's all the article Malcom - Malware Communications Analyzer this time, hopefully can benefit you all. okay, see you in another article posting.
You are now reading the article Malcom - Malware Communications Analyzer with the link address https://mederc.blogspot.com/2019/09/malcom-malware-communications-analyzer.html