Your strategy to check if you have Viruses

Hi guys, I am curious about your strategy for securing your Parrot. What tools do you use, what method, to check if you have viruses/rootkits/RATs and other shitty stuff? How do I check if my system is clean, and how do I secure it more? Any information about security is welcome.

2 Likes

think … this is a very complex topic.
there is an old post here in the forum with the same problem.
maybe I (or you) will find it tomorrow. :slight_smile:

I check open ports and see what’s going on on my PC. I am curious about the strategy of other people. Send me the link then, mate, if you’ll find it?

FIRST!!! … YESSSSSS :wink:

2 Likes

First of all I would start with:

  • fix my connection to the i-net (a good and secure router/firewall which I own)

  • then only install verified ISOs

  • don't add strange repositories or just clone stuff from GitHub or something else you don't understand / haven't checked line by line

  • classical tools like rkhunter, lynis and others will have many false positives on Parrot I think … :slight_smile:

  • don't trust other USB devices

  • browser and mail program sandboxed
    … etc … etc

to be continued … if you like?

3 Likes
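The "only install verified ISOs" item in the checklist above is the one that is easiest to turn into a repeatable check. The script below is an added example for this thread, not Parrot's own tooling: it streams a file through SHA-256 and compares the digest with a `sha256sum`-style checksum list. Every file name, payload and digest in it is constructed for the demonstration (`demo()` writes a small fake "ISO" into a temporary directory). A matching hash only proves the image is the one the list describes; the list itself still has to be signature-checked (`gpg --verify` on the sums file) before you trust it.

```python
"""Verify a downloaded ISO against a sha256sum-style checksum list.

Added example for the forum checklist above; not Parrot's own tooling.
File names, contents and digests are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a multi-GB image never sits in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_sums(text):
    """Parse 'digest  filename' lines (sha256sum output format) into a dict.

    sha256sum writes two spaces before the name in text mode and ' *' in
    binary mode; both forms are accepted.  Blank lines and '#' comments skip.
    """
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        sums[name.lstrip(" *")] = digest.lower()
    return sums


def verify_iso(iso_path, sums_text):
    """Return 'ok', 'mismatch' or 'missing' for iso_path against the list."""
    expected = parse_sums(sums_text).get(os.path.basename(iso_path))
    if expected is None:
        return "missing"  # no entry: the list says nothing about this file
    actual = sha256_of_file(iso_path)
    # constant-time compare; irrelevant for a local file but a good habit
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def demo():
    """Constructed end-to-end run; returns the three verdicts as a tuple."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "Parrot-example.iso")      # constructed name
        tampered = os.path.join(tmp, "Parrot-tampered.iso")  # constructed name
        unlisted = os.path.join(tmp, "unknown.iso")          # constructed name
        payload = b"constructed ISO payload, not a real image\n"
        for path in (good, tampered, unlisted):
            with open(path, "wb") as fh:
                fh.write(payload)
        # Change a single byte in the "tampered" copy: that must be caught.
        with open(tampered, "r+b") as fh:
            fh.seek(0)
            fh.write(b"C")
        listed = hashlib.sha256(payload).hexdigest()
        sums_text = (
            "# constructed SHA256SUMS\n"
            f"{listed}  Parrot-example.iso\n"
            f"{listed} *Parrot-tampered.iso\n"
        )
        return (
            verify_iso(good, sums_text),
            verify_iso(tampered, sums_text),
            verify_iso(unlisted, sums_text),
        )


if __name__ == "__main__":
    print(demo())  # ('ok', 'mismatch', 'missing')
```

In practice you would call `verify_iso("/path/to/Parrot.iso", open("SHA256SUMS").read())` after verifying the signature on `SHA256SUMS`; a `mismatch` means re-download from a trusted mirror, never "install anyway".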

Sure mate, that’s good, I already took one of your ideas into my security collection. Sure, continue; security/privacy is most important now, so I like to hear that, and other people can also share good ideas.

1 Like

Sounds like what you want is to be assured that your system has not been modified, your computer specifically and not an entire company network as mentioned in the link shared by @rowie. It mentions usage of tools that need some practice to get used to, and I don’t think home users need to go that far to be assured of their system integrity. Of course I would encourage someone learning new things, but if someone is in an emergency, then here’s what I would suggest

So let me shorten your workload effectively. There is this awesome tool called unix-privesc-check preinstalled in parrotsec. It tells you if you need to pay attention to something (aka if any crucial files have been modified, checksums are modified and giving out any sort of error, you have left any root file misconfigured or vulnerable, and so on)

The usage is as simple as this: open a terminal, type sudo unix-privesc-check standard and boom! Your results start generating.

More details :


Usage: unix-privesc-check { standard | detailed }

"standard" mode: Speed-optimised check of lots of security settings.

"detailed" mode: Same as standard mode, but also checks perms of open file
                 handles and called files (e.g. parsed from shell scripts,
                 linked .so files).  This mode is slow and prone to false 
                 positives but might help you find more subtle flaws in 3rd
                 party programs.

This script checks file permissions and other settings that could allow
local users to escalate privileges.

Use of this script is only permitted on systems which you have been granted
legal permission to perform a security assessment of.  Apart from this 
condition the GPL v2 applies.

Search the output for the word 'WARNING'.  If you don't see it then this
script didn't find any problems.

Coming to your concerns regarding rootkits, you’re just in luck :stuck_out_tongue_winking_eye: There is this tool called rkhunter which, again, comes preinstalled in parrotsec. Here’s how to use it to hunt down known rootkits from their database: How to use rkhunter

If you wanna skip that link I shared above, here’s the basic syntax for using rkhunter

sudo rkhunter --update
sudo rkhunter --propupd (to update the rootkit database; the more recent the database, the better for your system, aka better detection)
And finally, to start the system scan,
sudo rkhunter --check

Remember to run these as superuser, because it is scanning and making sure core directories and files are not manipulated by any sort of malware/rootkit.

Network scans, port scans and running-service scans also play a part in home network/device security assessment. :wink:

Also, have a look at what @RedRuby has to say -> in this massive, but hella useful, set of golden tips by her to stay secure with minimum effort. Worth reading

6 Likes

Really appreciate your help :slight_smile: I just scanned with rkhunter and I don’t know how to analyse that, or if those are false warnings…

File properties checks…
Files checked: 151
Suspect files: 1

Rootkit checks…
Rootkits checked : 501
Possible rootkits: 8

Applications checks…
All checks skipped

1 Like

Drop the complete outcome on https://pastebin.com/ and share a link

Make sure to remove/hide any personally identifiable data or anything you may consider as private (some corporate file names, etc.)

3 Likes
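The three posts above give one consistent workflow: run unix-privesc-check and rkhunter, look only at lines containing the word WARNING (as unix-privesc-check's own usage text says), read rkhunter's summary block, and strip anything private before pasting the log for others. The script below is an added example for this thread, not code from rkhunter, unix-privesc-check or Parrot. Both logs in it are constructed samples that only imitate the shape of the real output (rkhunter marks findings as `[ Warning ]` / `Warning: ...`, unix-privesc-check as `WARNING: ...`); the summary numbers are the ones from the post, while the file names, user name, host and address are made up.

```python
"""Triage and redact rkhunter / unix-privesc-check output before sharing it.

Added example for the forum thread; not code from either tool or from Parrot.
SAMPLE_RKHUNTER and SAMPLE_PRIVESC are constructed logs that imitate the real
output format; user name, host name and address in them are invented.
"""
import re

SAMPLE_RKHUNTER = """\
Checking system commands...
  /usr/bin/lwp-request                                     [ Warning ]
Warning: The command '/usr/bin/lwp-request' has been replaced by a script
  /usr/bin/ssh                                             [ OK ]
Checking for rootkits...
  Checking for Suckit Rootkit                              [ Warning ]
  Checking for Adore Rootkit                               [ Not found ]
Checking /home/alice/.ssh/authorized_keys                  [ OK ]
Checking the network...
  Checking for hidden ports                                [ None found ]
  Interface eth0 on parrot-laptop has address 192.168.1.23 [ OK ]
System checks summary
=====================
File properties checks...
    Files checked: 151
    Suspect files: 1

Rootkit checks...
    Rootkits checked : 501
    Possible rootkits: 8

Applications checks...
    All checks skipped
"""

SAMPLE_PRIVESC = """\
Checking for writable config files
############################################
    Checking if anyone except root can change /etc/passwd
WARNING: /etc/passwd is writable by group admin (constructed line)
    Checking if anyone except root can change /etc/shadow
"""

WARNING_RE = re.compile(r"warning", re.IGNORECASE)

# Fields of rkhunter's closing summary block (the numbers the poster quoted).
SUMMARY_FIELDS = {
    "files_checked": r"Files checked\s*:\s*(\d+)",
    "suspect_files": r"Suspect files\s*:\s*(\d+)",
    "rootkits_checked": r"Rootkits checked\s*:\s*(\d+)",
    "possible_rootkits": r"Possible rootkits\s*:\s*(\d+)",
}

HOME_RE = re.compile(r"/home/[^/\s]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def warning_lines(log):
    """Return only the lines that need a human's attention (both tools' advice)."""
    return [line for line in log.splitlines() if WARNING_RE.search(line)]


def summary_counts(log):
    """Pull the numbers from rkhunter's summary; None when a field is absent."""
    counts = {}
    for key, pattern in SUMMARY_FIELDS.items():
        match = re.search(pattern, log)
        counts[key] = int(match.group(1)) if match else None
    return counts


def needs_attention(log):
    """True if anything was flagged: a WARNING line, a suspect file or a possible rootkit."""
    counts = summary_counts(log)
    return (
        bool(warning_lines(log))
        or bool(counts["suspect_files"])
        or bool(counts["possible_rootkits"])
    )


def redact(log, hostnames=()):
    """Mask home-directory user names, IPv4 addresses and given hostnames before pasting."""
    out = HOME_RE.sub("/home/<user>", log)
    out = IPV4_RE.sub("<ip>", out)
    for host in hostnames:
        out = out.replace(host, "<host>")
    return out


if __name__ == "__main__":
    print("\n".join(warning_lines(SAMPLE_RKHUNTER)))
    print(summary_counts(SAMPLE_RKHUNTER))
    print(redact(SAMPLE_RKHUNTER, hostnames=["parrot-laptop"]))
```

To use it on a real run, save the scan first (`sudo rkhunter --check > rkhunter.log`) and feed the file's text to `warning_lines` and `redact`; the redacted text is what goes to pastebin. Every flagged line still needs a human verdict: an rkhunter "replaced by a script" warning on a Perl wrapper like the one in the sample is a classic false positive, while a "possible rootkit" count of 8 deserves reading the matching lines one by one.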

I don’t really agree with chkrootkit / rkhunter or unix-privesc-check results. The authors of the tools have their ideas, but the ideas are not 100% accurate in all cases.
Malware is a very huge area and identifying malware is huge as well. This is very interesting because on Linux it could be harder to find malware if users made mistakes.
This is a very interesting topic and because I am doing something like this (checking malware, protecting end users), I’ll keep tracking this.

2 Likes

Agreed. But when it comes to Linux malware, there are only a handful, most of which are known. I would have recommended using third-party antimalware like F-PROT or Sophos or Comodo for Linux devices. All of them are free, but since parrotsec already has quite a few exploits preinstalled, installing an antimalware would seem a bad idea; it may break the system in some cases. What I said above was meant just for basic home users for their monthly device security assessment.

These are just basic options for analyzing configurations and scanning for known rootkits. Of course new malware evolves every day, but as far as I’m aware, Linux does have malware, few but nonetheless they exist, and most of them are known :slight_smile:

Unless a user is specifically targeted, I don’t think he should be worried about Linux malware that is not known to the AV database. rkhunter does have a pretty good database for known Linux malware too.

4 Likes

When it comes to linux malware, yes. Most of them are known to the database :smiley:

1 Like

I agree with this point. APT attacks use new methods, so it is hard to identify the malware.

The point of basic is that it is fast and… basic. So it is harder to trust. I don’t say it is useless or something, but if you want to check for real rootkits / malware you’ll need more complex methods to identify them, or you’ll see malware everywhere.

It depends on the engines and users. For example, if you generate meterpreter for Linux from msfvenom, ClamAV can’t detect it, but Clam can detect malware for Windows. That is pretty funny. The problem of Linux is that it has pre-installed interpreters (or at least Parrot and some distros), so malicious code with obfuscation methods will totally bypass signature-based detection.

AV will be useful for the home edition only, I think.

1 Like

Trust me T-T I’ve had a bad experience with this in the past. Don't install any antimalware on a pentesting system.

1 Like

Exactly. I guess @Meet didn’t mention ClamAV because ClamAV isn’t sufficient, or anywhere close to sufficient, for protecting a device. If I had to put a bet between F-PROT, Comodo and Sophos, my money is on Sophos for the best detection, prevention and removal of the three mentioned above. Wouldn’t you agree @dmknght & @Meet :smile:

3 Likes

Actually I don’t believe AV solutions focus on Linux systems as home solutions. They’ll focus on enterprise environments with their best techniques. For me there is +1 point for ClamAV because it supports Yara rules, and it means everybody can create their own signatures and use signatures from the internet.
I don’t remember which one uses rootkit signatures (chkrootkit or rkhunter), but that is a good point, instead of just checking a file and telling users “there is something wrong with this file”. Like I said before, this technique gives so many false positive results.

2 Likes

Actually I don’t believe AV solutions focus on Linux systems as home solutions. Truth be told there really aren’t any particularly

Bingo! Fact of the matter is Linux desktops are at best what… 5% of the market maybe for home computers; you don’t need to worry much about viruses unless you’re running a server that’s publicly accessible. The part of the system that is universally a point of entry for malicious software is the web browser, and that goes for any OS.

And that is a critical point. If you are under an APT campaign, you are totally unprotected (yeah, malware can bypass protection layers, but there is a chance to detect it). For example, if someone sends me a doc with a LibreOffice 0day and tells me that it is his / her CV, I can’t think it is a malicious file 100%.
I believe we have to think about that. It is going to be 2020 soon and protection for Linux end users is still like 1980. Our users may not be under attack, but there are naughty NSA agents out there and we have to think about protecting every single user from them.

4 Likes

Has anybody tried writing a yara rule to detect malware?

Hi, sorry for the late reply. Here are the results of rkhunter. I deleted all the not-found malware and left just the suspicious ones.

https://pastebin.com/k2xvb5SH

Would be great if someone can look at it.

Thank you.

1 Like