Malcom - Malware Communications Analyzer


Malcom is a tool designed to analyze a system's network communication using graphical representations of network traffic, and to cross-reference them with known malware sources. This comes in handy when analyzing how certain malware species try to communicate with the outside world.

What is Malcom?
Malcom can help you:
  • detect central command and control (C&C) servers
  • understand peer-to-peer networks
  • observe DNS fast-flux infrastructures
  • quickly determine if a network artifact is 'known-bad'
The aim of Malcom is to make malware analysis and intel gathering faster by providing a human-readable version of network traffic originating from a given host or network. Convert network traffic information to actionable intelligence faster.
Check the wiki for a Quickstart with some nice screenshots and a tutorial on how to add your own feeds.
If you need some help, or want to contribute, feel free to join the mailing list or try to catch someone on IRC (#malcom on freenode.net, it's pretty quiet but there's always someone around). You can also hit me up on twitter @tomchop_
Here's an example graph for host tomchop.me

Dataset view (filtered to only show IPs)

Quick how-to
  • Install
  • Make sure mongodb and redis-server are running
  • Elevate your privileges to root (yeah, I know, see disclaimer)
  • Start the webserver using the default configuration with ./malcom.py -c malcom.conf (or see options with ./malcom.py --help)
    • For an example configuration file, you can copy malcom.conf.example to malcom.conf
    • Default port is 8080
    • Alternatively, run the feeds from celery. See the feeds section for details on how to do this.

Installation
Malcom is written in python. Provided you have the necessary libraries, you should be able to run it on any platform. I highly recommend the use of python virtual environments (virtualenv) so as not to mess up your system libraries.
The following was tested on Ubuntu server 14.04 LTS:
  • Install git, python and libevent libs, mongodb, redis, and other dependencies
      $ sudo apt-get install build-essential git python-dev libevent-dev mongodb libxml2-dev libxslt-dev zlib1g-dev redis-server libffi-dev libssl-dev python-virtualenv
  • Clone the Git repo:
      $ git clone https://github.com/tomchop/malcom.git malcom
  • Create your virtualenv and activate it:
      $ cd malcom
      $ virtualenv env-malcom
      $ source env-malcom/bin/activate
  • Get and install scapy:
      $ cd ..
      $ wget http://www.secdev.org/projects/scapy/files/scapy-latest.tar.gz
      $ tar xvzf scapy-latest.tar.gz
      $ cd scapy-2.1.0
      $ python setup.py install
  • Still from your virtualenv, install the necessary python packages from the requirements.txt file:
      $ cd ../malcom
      $ pip install -r requirements.txt
  • For IP geolocation to work, you need to download the Maxmind database and extract the file to the malcom/Malcom/auxiliary/geoIP directory. You can get Maxmind's free (and hence more or less accurate) database from the following link: http://dev.maxmind.com/geoip/geoip2/geolite2/:
      $ cd Malcom/auxiliary/geoIP
      $ wget http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.mmdb.gz
      $ gunzip -d GeoLite2-City.mmdb.gz
      $ mv GeoLite2-City.mmdb GeoIP2-City.mmdb
  • Launch the webserver from the malcom directory using ./malcom.py. Check ./malcom.py --help for the listen interface and ports.
    • For starters, you can copy the malcom.conf.example file to malcom.conf and run ./malcom.py -c malcom.conf

Configuration options

Database
By default, Malcom will try to connect to a local mongodb instance and create its own database, named malcom. If this is OK for you, you may skip the following steps. Otherwise, you need to edit the database section of your malcom.conf file.

Set another name for your Malcom database
By default, Malcom will use a database named malcom. You can change this behaviour by editing the malcom.conf file and setting the name directive in the database section to your liking.
    [database]
    ...
    name = my_malcom_database
    ...

Remote database(s)
By default, Malcom will try to connect to localhost, but your database may be on another server. To change this, just set the hosts directive. You may use hostnames or IPv4/v6 addresses (just keep in mind to enclose your IPv6 addresses between [ and ], e.g. [::1]).
If you'd like to use a standalone database on host my.mongo.server, just set:
    [database]
    ...
    hosts = my.mongo.server
    ...
You can also specify the port mongod is listening on by adding it after the name/address of your server, separated with a :
    [database]
    ...
    hosts = localhost:27008
    ...
And if you're using a ReplicaSet grouping my.mongo1.server and my.mongo2.server, just set:
    [database]
    ...
    hosts = my.mongo1.server,my.mongo2.server
    ...

Use authentication
You may have configured your mongod instances to enforce authenticated connections. In that case, you have to set the username the driver will use to connect to your mongod instance. To do this, just add a username directive to the database section in the malcom.conf file. You may also have to set the password with the password directive. If the user does not have a password, just ignore (i.e. comment out) the password directive.
    [database]
    ...
    username = my_user
    password = change_me
    ...
If the user is not linked to the malcom database but to another one (for instance the admin database for an admin user), you will have to set the authentication_database directive with the name of that database.
    [database]
    ...
    authentication_database = some_other_database
    ...

Case of a replica set
When using a replica set, you may need to ensure you are connected to the correct one. For that, just add the replset directive to force the mongo driver to check the name of the replica set.
    [database]
    ...
    replset = my_mongo_replica
    ...
By default, Malcom will try to connect to the primary node of the replica set. You may need/want to change that. In order to change that behaviour, just set the read_preference directive. See the mongo documentation for more information.
    [database]
    ...
    read_preference = NEAREST
    ...
Supported read preferences are:
  • PRIMARY
  • PRIMARY_PREFERRED
  • SECONDARY
  • SECONDARY_PREFERRED
  • NEAREST
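As an added example (not Malcom's own code), the following Python parses a [database] section written with the directives above, including bracketed IPv6 hosts, optional ports, comma-separated replica-set members and a commented-out password. It assumes MongoDB's default port 27017 when an entry carries no port, and that authentication_database falls back to the Malcom database name; the sample configuration is constructed for the example.

```python
import configparser

DEFAULT_PORT = 27017  # assumption: MongoDB's default when an entry has no port
READ_PREFERENCES = {"PRIMARY", "PRIMARY_PREFERRED", "SECONDARY", "SECONDARY_PREFERRED", "NEAREST"}
# Constructed sample config: an authenticated replica set with a mixed hosts list.
SAMPLE_CONF = """[database]
name = my_malcom_database
hosts = my.mongo1.server:27018, [::1], my.mongo2.server
username = my_user
# password = change_me
authentication_database = admin
replset = my_mongo_replica
read_preference = NEAREST
"""


def parse_host(entry):
    """Split one hosts entry into (host, port); IPv6 addresses must be bracketed."""
    entry = entry.strip()
    if entry.startswith("["):            # bracketed IPv6, e.g. [::1]:27017
        host, bracket, rest = entry[1:].partition("]")
        if not bracket:
            raise ValueError("unclosed bracket in host entry: %r" % entry)
    else:                                # hostname or IPv4, e.g. localhost:27008
        host, sep, port = entry.partition(":")
        rest = sep + port
    if not rest:
        return host, DEFAULT_PORT
    if not rest.startswith(":") or not rest[1:].isdigit():
        raise ValueError("malformed host entry: %r" % entry)
    return host, int(rest[1:])


def parse_database_section(text):
    """Return the [database] settings as a dict, with hosts parsed into (host, port) pairs."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    db = cfg["database"]
    name = db.get("name", "malcom")
    pref = db.get("read_preference", "PRIMARY").upper()
    if pref not in READ_PREFERENCES:
        raise ValueError("unsupported read_preference: %s" % pref)
    return {
        "name": name,
        "hosts": [parse_host(h) for h in db.get("hosts", "localhost").split(",")],
        "username": db.get("username"),
        "password": db.get("password"),  # None when the directive is commented out
        "authentication_database": db.get("authentication_database", name),
        "replset": db.get("replset"),
        "read_preference": pref,
    }
```

An unbracketed IPv6 address such as ::1 is rejected rather than silently split on its first colon, which is the mistake the bracket rule above exists to prevent.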

Docker instance
The quickest way to get you started is to pull the Docker image from the public docker repo. To pull older, more stable Docker builds, use tomchop/malcom instead of tomchop/malcom-automatic.
    $ sudo docker pull tomchop/malcom-automatic
    $ sudo docker run -p 8080:8080 -d --name malcom tomchop/malcom-automatic
Connecting to http://:8080/ should get you started.

Quick note on TLS interception
Malcom now supports TLS interception. For this to work, you need to generate some keys in Malcom/networking/tlsproxy/keys. See the KEYS.md file there for more information on how to do this.
Make sure you also have iptables (you already should) and permissions to do some port forwarding with it (you usually need to be root for that). You can do this using the convenient forward_port.sh script. For example, to intercept all TLS communications towards port 443, use forward_port.sh 443 9999. You'll then have to tell malcom to run an interception proxy on port 9999.
Expect this process to be automated in future releases.

Environment
Malcom was designed and tested on an Ubuntu Server 14.04 LTS VM.
If you're used to doing malware analysis, you probably already have tons of virtual machines running on a host OS. Just install Malcom on a new VM, and route your other VMs' connections through Malcom. Use enable_routing.sh to activate routing / NATing on the VM Malcom is running on. You'll need to add an extra network card to the guest OS.
As long as it's getting layer-3 network data, Malcom can be deployed anywhere. Although it's not recommended to use it on high-availability networks (it wasn't designed to be fast, see disclaimer), you can have it running at the end of your switch's mirror port or on your gateway.

Feeds
To launch an instance of Malcom that ONLY fetches information from feeds, run Malcom with the --feeds option or tweak the configuration file.
Your database should be populated automatically. If you can dig into the code, adding feeds is pretty straightforward (assuming you're generating Evil objects). You can find an example feed in /feeds/zeustracker. A more detailed tutorial is available here.
You can also use celery to run feeds. Make sure celery is installed by running $ pip install celery from your virtualenv. You can then use celery worker -E --config=celeryconfig --loglevel=DEBUG --concurrency=12 to launch the feeding process with 12 simultaneous workers.

Technical specs
Malcom was written by and large from scratch, in Python. It uses the following frameworks to work:
  • flask - a lightweight python web framework
  • mongodb - a NoSQL database. It interfaces to python with pymongo
  • redis - An advanced in-memory key-value store
  • d3js - a JavaScript library that produces awesome force-directed graphs (https://github.com/mbostock/d3/wiki/Gallery)
  • bootstrap - a CSS framework that will eventually kill webdesign, but makes it extremely easy to quickly "webize" applications that would only work through a command prompt.