My personal project to scan malware / rootkit on Parrot

I’m developing a personal project, but it can be used on Parrot OS. The scope is to replace chkrootkit / rkhunter. It combines the ClamAV and Yara engines to take advantage of both projects:

  1. ClamAV: Supports archived files and unpacking
  2. Yara: Readable rules with flexible syntax. It supports not only pattern matching but also hash matching for files and sections, entropy calculation, and more…
  3. It uses the Nim language and C bindings for easy code development / maintenance.

Why do I waste my time on this?

  • It is my personal hobby. When I started using a PC, I saw an old version of an AV detect malicious files, and I had a question: “How can they do it?” And that has been my question for years. I just want to know how to do it.
  • I want to have a replacement for rkhunter / chkrootkit. I didn’t read the code of rkhunter, but as for chkrootkit, it uses a file path check method to detect malware. It means if a very simple rootkit / malware changes its default file path on your system, you can’t detect it. The file paths are from ossec https://github.com/ossec/ossec-hids/blob/master/src/rootcheck/db/rootkit_files.txt. There are some other methods like checking for executables in /tmp/, and of course there are many false positives.
  • Do you / does anybody need it? The short answer is no. It is the same as “Do I need an antivirus on my Linux?” But the full answer is much longer than that. Malware (viruses) on Linux exists, and there are more and more new threat actors targeting the Linux platform. And when you really need something to check your platform, I believe you need something that works better than checking file paths.
  • Why this project? Well, firstly, this project uses compiled Yara rules as the signature database (and all signatures are fully open source), so everybody can create custom rules. Secondly, ClamAV takes a lot of RAM (1.2 GB in my latest run). It is not memory friendly at all. And ClamAV only uses Yara’s lexer to create its pattern matching in memory, so normal ClamAV can’t use the advantages of Yara rules from modules. So this project aims to be more “memory friendly” than ClamAV and more accurate than chkrootkit / rkhunter. For now, the project has different rules for some famous botnets / coin miners / trojans, and I want to have more and more rules to detect other types of malware.

Why can’t this project detect this malware? Why does it detect this file as malware?

  • This project uses signature-based detection. It shares the limitations of signature-based detection. It can’t detect all malware on the Linux platform, nor very new malware variants. It can have false positive results because of untested signatures / bad signatures or common strings.
  • I don’t work in a malware analysis section. My reverse engineering skills are very basic. I can’t do as well as AV vendors.

Real-world usage?

  • Of course. But because of my low skill level, I can’t promise it will be released soon. Actually, it can be abandoned at any time. But with the current results, the rule set can detect some malware variants effectively, and it can detect some variants that some AV vendors can’t detect.
  • This project leads me to other must-have features like real-time protection. I have more research / ideas to do and hope it can be real soon.

This project is at Nong Hoang Tu / rkcheck · GitLab. Any help on rule collection / development will be awesome!

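The post's central argument (a path check like chkrootkit's is defeated by simply moving the file, whereas a content signature of the kind Yara expresses is not) can be shown on a fake root directory. The following is an added example and is not code from the original post or from the rkcheck project: every path, sample byte string, and hash in it is constructed, the path list is only loosely modelled on the ossec rootkit_files.txt (it assumes only the path column matters), and the helper names (`path_check`, `content_check`, `shannon_entropy`, `scan_tree`, `demo`) are hypothetical.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# --- Constructed inputs (none of these are real indicators) ----------------
# A tiny path list in the spirit of ossec's rootkit_files.txt, which a
# chkrootkit / rkhunter-style check consults. Assumption: only the path
# column of that list matters; paths are relative to the scanned root.
KNOWN_BAD_PATHS = {"tmp/.hidden_miner", "usr/bin/.fakeproc"}


def _packed_blob(n_blocks: int = 64) -> bytes:
    """Deterministic 2 KiB of random-looking bytes standing in for a packed
    payload: chained SHA-256 digests, so every run sees identical data."""
    out, block = [], b"seed"
    for _ in range(n_blocks):
        block = hashlib.sha256(block).digest()
        out.append(block)
    return b"".join(out)


# Constructed "malware": ELF magic, a miner-like string, then the packed blob.
SAMPLE_MALWARE = (b"\x7fELF" + b"\x00" * 12
                  + b"stratum+tcp://pool.invalid:3333\x00" + _packed_blob())
SAMPLE_BENIGN = b"#!/bin/sh\necho hello\n" * 40

# A content signature shaped like a Yara condition:
#   sha256 == <known sample>  OR  (<string present> AND entropy >= 7.0)
# The hash is derived from the constructed sample above, the way a vendor
# derives one from a sample they have analysed.
CONTENT_RULE = {
    "name": "constructed_miner_like",
    "sha256": hashlib.sha256(SAMPLE_MALWARE).hexdigest(),
    "strings": [b"stratum+tcp://"],
    "min_entropy": 7.0,
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant data) to 8.0 (uniform), the same
    quantity Yara's math.entropy(offset, size) reports for a file region."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def path_check(relpath: str) -> bool:
    """chkrootkit-style check: the file's location is all that is inspected."""
    return relpath in KNOWN_BAD_PATHS


def content_check(data: bytes, rule: dict) -> list:
    """Content-based check: returns the clauses that matched (empty = clean)."""
    reasons = []
    if hashlib.sha256(data).hexdigest() == rule["sha256"]:
        reasons.append("sha256")
    if any(s in data for s in rule["strings"]) and \
            shannon_entropy(data) >= rule["min_entropy"]:
        reasons.append("pattern+entropy")
    return reasons


def scan_tree(root: str, rule: dict = CONTENT_RULE) -> dict:
    """Walk `root` as if it were /, running both checks on every regular file."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                data = fh.read()
            results[rel] = {"path_hit": path_check(rel),
                            "content_hits": content_check(data, rule)}
    return results


def demo() -> dict:
    """Build a throwaway fake root, scan it, and return per-file verdicts."""
    layout = {
        "tmp/.hidden_miner": SAMPLE_MALWARE,                 # where the list expects it
        "var/lib/.cache/worker": SAMPLE_MALWARE,             # same bytes, just moved
        "var/lib/.cache/worker2": SAMPLE_MALWARE + b"\x00",  # moved and rebuilt: hash differs
        "usr/local/bin/hello.sh": SAMPLE_BENIGN,
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in layout.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, verdict in demo().items():
        print(f"{rel:26} path_check={str(verdict['path_hit']):5} "
              f"content={verdict['content_hits']}")
```

Running `demo()` shows the three outcomes the post cares about: the sample at its listed path is caught by both checks; the same bytes moved to `var/lib/.cache/worker` evade the path check but still hit both the hash and the pattern-plus-entropy clause; and the rebuilt copy (`worker2`, one byte different) evades the hash too and is caught only by the pattern-plus-entropy clause, which is why a whole-file hash alone is a brittle signature. In a real Yara rule the same two clauses would be written with the `hash` and `math` modules, `hash.sha256(0, filesize) == "..."` and `math.entropy(0, filesize) >= 7.0`, which is the module support the post says plain ClamAV does not get from Yara rules.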