SecPro #51: Malware Detecting, Launching Reconnaissance, and Cryptomixing.
This week, the SecPro team has been playing with a couple of useful tools that make the lives of security professionals a bit easier. That’s why we’re sharing helpful guides on how to use Maldet and ReconFTW with you all – to make your day-to-day life a bit easier and to give you something to play with in the lulls of your day.
A huge thank you to everyone that joined in with the Rafflecopter competition over the last few weeks! The winners will be contacted to get access to their free Packt membership as a thank you for joining in!
There’s no survey this week, but we will be sending out a sneak peek into one of the latest cybersecurity releases from the Packt team. Check your emails early next week and you’ll find a little treat from the SecPro team as a thank you for your continued support.
5 Steps for Installing Maldet (Linux Malware Detect)
By Nazifa Alam
Linux Malware Detect (LMD), commonly abbreviated as Maldet, is a malware scanner for Linux released under the GNU GPLv2 license. What sets Maldet apart from other malware scanners is that it is designed around the threats faced in shared hosting environments. Maldet uses threat data gathered from network edge intrusion detection systems to identify malware that is actively being used in attacks, and generates a signature for each detection.
In addition, threat data is collected from user submissions via the LMD checkout feature and from malware community resources. LMD’s signatures include MD5 file hashes and HEX pattern matches, which can be exported to any number of other detection tools without much difficulty.
How to Install Maldet
Before you can use Maldet, you first need to download it, unpack it and install it on your server. By following the five steps laid out below, you will have Maldet running in no time.
- First, log in to your server as the root user.
- The Maldet installation package is only available from the project’s official website, as a tarball (several files combined into one archive). The tarball contains the source code for the latest version.
The following command can be used to download Maldet:
- After the tarball is downloaded, unpack it and change into the directory where its contents were extracted. The command tar -xvf maldetect-current.tar.gz extracts the file.
- You can then use the command cd maldetect-1.4.2 to move into the Maldet directory:
- Once in the Maldet directory, run the installation script with ./install.sh.
You can also download Maldet using wget, as follows:
- Change to the source directory: cd /usr/local/src
- Download the tarball: wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
- Extract it: tar -xzf maldetect-current.tar.gz
- Change into the Maldet folder: cd maldetect-*
- Run the installer: sh ./install.sh (or sudo sh ./install.sh if you are not logged in as root)
How to run a Scan using Maldet
Once Maldet has been installed, you can run a scan on your server to detect infected files. To scan your server, enter the command maldet -a, which should give you the following display:
To run the scan in the background, add the -b flag: a directory containing thousands of files will take a while to scan. For example, a Maldet scan of a newly set up WordPress 5.7 install containing 2189 files takes 3 minutes to complete.
To follow a scan in real time, you can use tail. To monitor the event log, use the command tail -f /usr/local/maldetect/logs/event_log.
You will then be presented with the following display:
Configuring the Maldet program
By default, all options are already present in the configuration file, so you only need to adjust the values to your needs. Before making any changes, review the following options.
- email_alert: set to 1 if you wish to receive email alerts.
- email_subj: the subject line of the alert emails.
- email_addr: the email address that receives malware alerts.
- quar_hits: the default quarantine action for malware hits; set to 1 to quarantine.
- quar_clean: cleans detected malware injections; set to 1 to enable.
- quar_susp: the default suspend action for users with hits; set according to your requirements.
- quar_susp_minuid: the minimum user ID that can be suspended.
Run nano /usr/local/maldetect/conf.maldet to edit these settings. Use maldet -u or maldet -d to carry out updates, and maldet -a /home/username/ to scan the files of a particular user.
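The edits to conf.maldet described above can be applied in a repeatable way and rehearsed on a copy first. This is an added example, not code from the SecPro article or the LMD project; it assumes the key=value (optionally quoted) layout of conf.maldet, and CONF_FILE is an assumed default matching the path the article edits with nano.

```shell
#!/bin/sh
# Added example (not from the article or LMD): apply the reviewed conf.maldet
# options idempotently. Assumes key=value lines, quoted or not; CONF_FILE is an
# assumed default that matches the path the article edits with nano.
CONF_FILE="${CONF_FILE:-/usr/local/maldetect/conf.maldet}"

# set_conf FILE KEY VALUE: rewrite an existing KEY line or append one,
# leaving comments and every other key untouched.
set_conf() {
  file=$1; key=$2; value=$3
  if grep -q "^${key}=" "$file"; then
    # sed -i is not POSIX, so write a temp file and move it into place
    sed "s|^${key}=.*|${key}=\"${value}\"|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  else
    printf '%s="%s"\n' "$key" "$value" >> "$file"
  fi
}

# get_conf FILE KEY: print KEY's value with any surrounding quotes stripped.
get_conf() {
  sed -n "s|^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}$|\1|p" "$1" | tail -n 1
}

# harden_conf FILE EMAIL: enable alerts and quarantine as the article suggests;
# user suspension is left off because it is a per-host policy choice.
harden_conf() {
  file=$1; email=$2
  set_conf "$file" email_alert 1
  set_conf "$file" email_subj "Maldet alert on $(uname -n)"
  set_conf "$file" email_addr "$email"
  set_conf "$file" quar_hits 1
  set_conf "$file" quar_clean 1
  set_conf "$file" quar_susp 0
}

# make_sample_conf FILE: constructed stand-in for the stock file, for offline rehearsal.
make_sample_conf() {
  cat > "$1" <<'EOF'
# constructed sample, not the file LMD ships
email_alert="0"
email_addr="you@domain.com"
quar_hits="0"
quar_clean="0"
EOF
}

# Usage on a real host, after rehearsing on a copy: harden_conf "$CONF_FILE" admin@example.com
```

Run it once against a copy made by make_sample_conf to check the substitutions before pointing it at the live file.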
To scan all users’ public_html paths, use root@server [~] # maldet --scan-all /home?/?/public_html or root@server [~] # maldet --scan-all /home.
To scan only recently modified content in the same path, use root@server [~] # maldet --scan-recent /home?/?/public_html 5, which covers changes from the last 5 days.
If you forgot to enable quarantine when running a scan, use root@server [~] # maldet --quarantine SCANID to quarantine all malware hits from that previous scan.
To clean the malware hits of a previous scan for which cleaning was enabled, use root@server [~] # maldet --clean SCANID.
If you have a file you wish to restore, after either cleaning it manually or deciding it was a false positive, use the following commands:
- root@server [~] # maldet --restore config.php.2384
- root@server [~] # maldet --restore
Useful Commands to keep in mind
Below are some useful commands that you may at some point need to use:
- To scan a directory: maldet -a /full/path/to/directory
- To run a scan in the background: maldet -b -a /full/path/to/directory
- To receive the report of a completed scan by email: maldet --report $SCANID user@example.com
- To monitor a directory: maldet --monitor /full/path/to/directory/
- To monitor users: maldet --monitor users
- To list all reports: maldet -e list
Maldet is highly useful for shared hosting, as it provides detailed results for scanned files, some of which may be reported as malicious. Configuration is up to the user, offering high flexibility. There is also no need to manually enter login details to remove detected malicious files or to disable users.
What sets it apart is its design around the threats faced in shared hosting environments, drawing on network edge intrusion detection data.
ReconFTW – A swiss Army Knife for Recon and Web Pentesting
By Indrajeet Bhuyan
Today, let me introduce you to the Swiss army knife of recon and web penetration testing. Why do I call it a Swiss army knife? Because it performs a lot of tasks and runs a lot of tools automatically, giving us the results. The tool is called ReconFTW.
ReconFTW automates the entire reconnaissance process. Along with subdomain enumeration, it runs vulnerability checks and gathers as much information as possible about the target. It installs a ton of popular tools for you and runs them one by one to get the most complete results. This saves time, as you don’t need to run the tools individually and everything arrives in one place.
Some of the techniques that ReconFTW uses are:
- Subdomain enumeration
- Source code scraping
- DNS records
- Web vulnerability scanning, etc.
Mind map of ReconFTW
Indrajeet has much more to say about ReconFTW. Click the link below to read it!
Crypto Mixing – Laundering Cryptocurrency
Let’s take a look at crypto mixing: what it is and how it helps criminals conduct their illegal activities, whether buying or selling stolen property, goods, services or stolen data, or running the infrastructure used to extort ransomware victims.
Cryptocurrency has changed the landscape for cyber-criminals who have taken full advantage of the opportunity – it’s the gift that literally keeps giving! But blockchain technology can also provide a means for researchers and law enforcement to get information pertaining to illegal transactions.
Cyber criminals have responded by using crypto mixers to obscure and complicate investigations. In simple terms, this makes it difficult, or almost impossible, to trace the origin of their illegally gained proceeds. It is just another step in the perpetual game of ‘cat and mouse’ between law enforcement, security professionals and the community on one side, and criminals and threat adversaries in the ‘virtual world’ of cyberspace on the other.
Crypto mixing – how it works
Crypto mixers are available to the general public as stand-alone services on the internet. Also known as tumblers, these services literally mix streams of different, identifiable cryptocurrency to provide anonymity to transactions. Anonymous means of communication and the absence of any logs of customer transactions make this a perfect tool for cyber criminals. Whilst law enforcement agencies are pushing crypto exchanges to incorporate financial compliance laws into their operations, crypto mixers remain an attractive option for criminals and criminal gangs.
Intrigued? Click the link to read the rest!
This Week’s Tutorials & Explainers
Goodbye MITRE ATT&CK Top Ten, hello Gartner’s Top Twelve Emerging Technologies! We start our journey looking at what’s new and what it means for cybersecurity. Click the link to read the article!
No news is good news, but we’ve rounded up the big events of the last week to send to you anyway. Check out the future of FIDO and other stories by clicking the link.
Secret Knowledge: Building Your Security Arsenal
Here’s another edition of Secret Knowledge, with plenty of tools to help you test and secure your infrastructure systems. All tools are chosen by our crack team of researchers on the most important metric of all – sounding a bit interesting.
- logpresso/CVE-2021-44228-Scanner: log4j2-scan is a single-binary command-line tool for scanning for CVE-2021-44228 and applying a mitigation patch. It also supports scanning and patching nested JAR files.
- AonCyberLabs/Windows-Exploit-Suggester: This tool compares a target’s patch levels against the Microsoft vulnerability database in order to detect potentially missing patches on the target. It also notifies the user if public exploits and Metasploit modules are available for the missing bulletins.
- Glavo/log4j-patch: This is a non-intrusive patch that lets you block this vulnerability without modifying the program code or updating the dependency, so you can use it to patch third-party programs, such as Minecraft.
Recon and Web Pentesting
- hakluke/hakrawler: Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web application
- r3curs1v3-pr0xy/vajra: Vajra is a highly customizable, target- and scope-based automated web hacking framework that automates boring recon tasks and runs the same scans across multiple targets during web application penetration testing.
- RossGeerlings/webstor: A script to quickly enumerate all websites across all of your organization’s networks, store their responses, and query for known web technologies, such as those with zero-day vulnerabilities.
- jvoisin/php-malware-finder: PHP-malware-finder does its very best to detect obfuscated or dodgy code, as well as files using PHP functions often found in malware and webshells.
- dchad/malware-detection: Malware Detection and Classification Using Machine Learning
- rfxn/linux-malware-detect: Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 license, that is designed around the threats faced in shared hosted environments.