Your strategy to check if you have Viruses

True. rkhunter is outdated & not reliable. Sure you can run scans and get approximate predictions, but that wouldn’t be reliable enough to justify that the machine is secure. Malware detection on Linux can get tricky. A lot tricky actually. And to achieve optimum detection, we need accurate signatures, which evolves everyday.

Sophos has a good database of PUPs and PUAs for linux, Kaspersky does have a good set of signatures too. But Only Sophos provides a free solution to protect linux end-users. Kaspersky offers a paid protection for linux server.

My best bet would be to induct a firewall ruleset shipped with .iso by default. And if parrot team is planning to implement a security suite (a good one), then that would (I guess) require a completely different set of hands and maintenance service since linux malware evolve too, not as quick as the ones on windows, android or MacOS, But they evolve nonetheless. Research & deployment would take quite some resources and hands.

1 Like

Yeah i would love to have default ruleset. We are having a plan to switch from iptables to nftables. I created a tool to manage rules but i want to rework and improve it.

unpopular opinion:
clamav has a very nice and well crafted database of static signatures and many companies contribute to it

btw on linux machines it is very easy to adopt protection mechanisms which are more advanced and secure than scanning the system for known vulnerabilities

let’s say you suspect that your AD domain controller was infected. is it safer to run a very powerful antimalware software, spot a potential known infection and delete/clean/quarantine/isolate/whatever the affected files, or shut everything down and restart from a clean environment?

while the windows world taught us to spot infections, kill processes and delete files. nowadays true security can only be achieved by putting intrusion detection and protection systems all over your network and design your infrastructure to be easily destroyable and re-deployable in seconds (i.e. docker)

cleaning an infected system is NEVER a safe procedure, and when you get the breach, the only clean solution is to restart from scratch, so there is very little room for virus detection systems, which are now interesting to use only when integrated in IDS systems or mail filtering systems

4 Likes

Well imo AV has to be use as real time protection shield which can block malware from file access and network access (HIPS).
ClamAV is nice but their scan engine is too old and uses so much ram.

yes, and as i said, signature checking is only a tiny part of the whole malware identification process in modern protection systems.

2 Likes

My Point :point_up_2:

1 Like

Building an opensource rtp from a scratch -> making it work in real-life scenarios & maintaining the engine would be a extensive process, mark my words.

Better solution would be to introduce a GUI network HIPs with multiple options which allows users to choose their preference (aka either set it up to automatic (default ruleset network access + manual selection from popup when a new service tries to access network) or completely manual where users have to add everything to exclusion services that wants to access network from pop-ups generated when some server tried to generate a network access request. On linux, adding few exclusion isn’t a lengthy process either. Considering this is a OS with many tools that do not come shipped with regular Linux OS, the exclusion list would take a while but as extensive as you may think. Definitely not as extensive as building an exclusive HIPs engine from scratch :slight_smile:

Parrot already have access control protection with apparmor and firejail. They are GOLD if the users know how to utilize it properly with its full potential.

Make the above two statements and you’ve got yourself a solid hardened OS.

And +1 for what @palinuro said here :

1 Like

I know that. But as you see ClamAV has the problem of database loading. Luckily i still have other idea to deal with that stupid problem.

Sadly there is no such a network HIPS on Linux. The HIPS projects are REAL host based IPS which monitor files and process and it acts like EDR or anything in host machine only. The network solutions are more like network firewall devices and it needs hardware support for capturing and blocking packets. So i guess we still have to develop new HIPS engine. A basic firewall with rules is okay but i am thinking about not only block IP but block packets base on signatures too.

The only real time protection we might have is clamAV on Access scan and i didn’t even test it.

It is good to have other layer of protection imo.

2 Likes

For Linux, True. Which is why I said “Better solution would be to introduce a GUI network HIPs”

Comodo offers a similar solution, and dare I say their HIPs is the best in the free segment for windows. Their signature database is nowhere near as good as what Kaspersky Or Bitdefender Or Sophos has to offers, But Comodo has the best HIPs module. Maybe try it out on a vm @dmknght and test it out with a bunch of malware samples, you’ll be impressed :slight_smile:

I’M IN NO WAY, SHAPE OR FORM AFFILIATED WITH THEM. They do offer a solid good free firewall and hips module for windows free of cost, check it out if you want.

I like the way of your approach to this. But wouldn’t that mean obfuscated network packets would slide right through the filter if we only rely on packet signatures? Also, I’m not so sure how would you implement such a module which actually does the job.

At the end of the day, More than two-third (If not all) of protection mechanism relies on the end user. You give a brick to a spartan and he would give you a good fight, Give a full armor and a spear to sheep and you are basically burning your resources away (I may have underestimated sheeps here but you get the point)

As long as the user knows what he or she is upto, provided that they have a decent GUI (for users who, lets be honest here, we all know most users who install parrot are not professionals but newbies who dream to be a L33T hax0r bs, we cannot just flip them off now, can we?) network HIPs that alerts them and tells them to choose “allow/block/reject” every-time a new services tries to reach out outside world & a sandboxed environment working silently in the background, security shouldn’t be a major issue on Linux. We have already achieved that by firejail and app-armor. If the users know how to work with SElinux, that’s another bonus for them!

I do agree with what @dmknght said about having a good AV for linux, at least for home users since Linux threats are rising, not by an alarming speed, but increasing nonetheless. Maintaining a good set of signature database as the threat market keeps evolving every single minute, not to mention the amount of false positives we would get from it since pentesting OS comes with tons of stuff that an AV would flag, so excluding them out. TL;DR It would be a really REALLY extensive process to implement a good AV & keep it up-to-date

What does @palinuro think about this, curious to know.

1 Like

I have used Comodo IS for years and i really love it as a free product (ofc it includes sandbox, firewall, HIPS, …). Maybe it isn’t the best but it is good enough as a free product :smiley:

Ah yeah application firewall. Thanks for remind me this. That was our plan too.

Yeah you are right. I am not thinking about present only but future (5, 10, 15 years?). And think about APT campaigns which aims Linux users (CV_SomeBody_ParrotDev.ods) to Palinuro for example? It is better to block the attack before it starts and gets limited by firejail.
BTW ClamAV has the issue of db loading but it has pretty good detection engine. I don’t know if i mentioned it in here but I helped a dude to check a Linux binary file and turned out it was unknown coin miner and clam AV is 1 of 5 AV solutions can detect that binary. So i am rebuilding clamAV db in new way to reduce RAM use (depends on users’s options).
The AV should be included by default with home edition while pentesting edition can keep it as optional idea.

1 Like

+1

At this point, preparing for wild spread campaigns & how to constrict their success chances would be a smart option since a lot of users are shifting over to opensource lifestyle since…you know…“ohhhh edward snowden hero nsa bad linux impossibel to hack” shit without understanding how things work, Linux have brought traffic like never before in last few years. Not to mention even small enterprises which relied on bootleg XP and Vista and Winservers are now mitigating to Linux when they realized they get them better options, less vulnerable environment and less resource humping set-ups for free (who would have thought of that ay) :joy:

So opensource utilities will surely be on Top 3 hit-list, followed after IoTs and “Smart” Gadgets.

Imo, my real problem of Linux is it supports many interpreters and compilers. So if the distro was installed interpreters and compilers by default, it is harder to detect malware (specially interpreters. The source codes are strings which is so much easy to do obfuscate and encrypt and hard to create signatures and rules to block). However that isn’t easy at all to not having any interpreter because there are some scripts (at least for Debian) were written in python and perl and maybe other scripting language.
The 1 more problem i am thinking about is limit command execution by user. I meant if www-data can be run every commands on system, that is sick. Firejail is a great tool to limit it but it is better if we can do it without 3rd parties tool.

Sounds good. If you are looking into malware analysis yourself going ahead, I’ll be happy to help. But trust me, Journey isn’t as easy as you may think. Especially looking at the speed that this industry is growing with

If you are seriously planning of getting into this, grab some samples like RATs [just generate via msf], start by simply visualizing the strings using IDA Pro. and hope that the developer didn’t obfuscated the strings.

If the thing is obfuscated, you’ll have to dynamically analyze the malware, and wait until the decrypted string you are searching appear on the stack.

Analyze it with PEiD & Ghidra [memory dumps, active paths and child process, especially for fileless malware (the ones that run on memory stick]

Before that, try to understand a bit how it works using static analysis. For example, If you want to replace a crypto address [lets say, XMR] in a ransomware, chances are it would be obfuscated. You need to re-encrypt the way original developer did.
It isn’t that easy to deal with malware analysis when it comes to obfuscated modules.

Its a fairly boring & elongated process, But once you get the grip of it, its fun. Just like pen-testing.

I like do malware analysis myself in my spare time [I’m boring]. I just grabbed a fairly recent version of a ransomware that uses simple crypter but its execution is lethal to all the files on local storage and NAT. Decryptor is not available yet. If you want to boot it up on a VM and Analyze it, I can hook you up with the sample.

And yes, For a fellow learner like you, the sample’s free :smile:

1 Like

Use string is a dead end. The real way is using opcode of some unique part. But it has higher false positive chance.

It is a must do. As far as i know, AV solutions can create a VM and run binary in it to check memory after deobfuscate / unpack. Memory scan is a must do in this age.

IMO it is better if i put new malware samples on virus total or any malware analysis platform so all AV solutions can get it and update signature. That is nice and simple.

Not True, Unless its obfuscated.

Aren’t you a charmer. Unfortunate enough, AV industry don’t do that. Everyone wants to be ahead in their race, If you find the sample, you identify it, process it through nomenclature and push the signature via the update. ‘You found it, its Yours.’

Much more difficult than you might assume. Individual samples have individual obfuscation methodology. Bummer fact: Developers can be fingerprinted by the ways of their obfuscation methodology in their SC. A while back [about 3 years], I got my hands on a android malware sample called ‘xiny’. I did not know much about malware analysis and pentesting stuff, the only fact that it attracted me was that this fine piece of ass actually took a step ahead and rooted the device in background without user even getting a hint, it then achieved persistance and install other third party software and booted off AV solutions from the devices as soon as their apk signature was found on storage. I had a kitkat back then and didn’t have playstore protect or anything RTP like we do now. Factory reset was of no help. The only way I could have patched my phone to get it back in original state was to take it to the Manufacturer and let them get the OEM firmware back on my device.

Since then, I’ve got my hands on same malware with different versions, A lot of common binaries but different [similar if not somewhat identical] obfuscation method, improved over the years.

BTW I did not give it a name nor did I went through the complete process of identification or analyzing, I came across an article on web and realized the fine program I came across is identified as ‘Android.Xiny.XXXX’ where XXXX is the sample number identified by Security researchers.

I regret wasting my time on it

I think obfuscate string is pretty easy and it can be encrypted with random key if malware authors want.

I believe AV companies have their source of malware collection. And I can submit the signatures to their analysis service directly.

Yeah i understand it. That is why i don’t spend time to research a new malware scanner engine (which takes a lot of time for nothing).

I am thinking about some protection method like Keystroke encryption on Linux.

p/s: A sample for ClamAV detection. An user sent me this file 2 months ago. 4 more AV solutions detect it LuL.
https://www.virustotal.com/gui/file/e4d484e53d4576750f4a20d70a009644e948790ac492b09cc23b9a24ad8a4ce5/detection

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.