LMD 1.4.1: Delivering on your requests

The release of LMD 1.4.1 is now live and with it comes a few new features. In this small update, I have tried to deliver on on a couple of common feature requests from users which were in-line with my development goals. That said, right to it…

The biggest change has come in the form of what has been dubbed public mode scanning. This is where non-root users can execute malware scans. For this to work, a new quarantine, session and temporary path directory tree needed to be created that users had write access under. This presented some challenges and in the early incarnation of this feature, the pub/ directory tree created for this feature was set world writable. The more I worked with the ideas around this feature the more I hated it, I simply could not impose upon users a world writable path. Then I flirted with the idea of simply creating the directory tree and if users wanted the feature they had to set it mode 777 themselves, though this was a fair trade it still felt like a lazy solution.

In the end, the solution I came up with was to populate the new pub directory tree with user paths based on passwd users and explicitly set ownership to each user for their pub/username path (–mkpubpaths). This meant that something was needed to regularly update the pub directory tree for new users and as such a cronjob was added that runs every 10 minutes to create said paths (cron.d/maldet_pub). This feature is controlled by conf.maldet variable public_scan which is disabled by default and when in a disabled state the cronjob simply does nothing along with user initiated scans exiting with an error that the feature is not currently enabled.

Supplementing the public mode scanning feature is the support for mod_security2 upload scanning which next to user initiated scans was one of the most requested features recently. Although the inotify real-time monitoring still works very well, it is not an option in some environments which makes mod_security2 upload scanning highly desirable. Conveniently, the only obstacle for upload scanning was simply that LMD did not support user initiated scans and with the introduction of public mode scanning there was only a few changes required to fully integrate it. That being the creation of a validation script for mod_security2’s inspectFile hook which returns an approved or denied status for uploaded files based on malware hits. This script was created as modsec.sh and is located in the LMD installation path. Full details on public mode and mod_security2 upload scanning are included in the README file.

Another highly requested feature is the ability to redefine configuration variables on the CLI on a per execution basis. This has been added through the -co|–config-option CLI flags. This was primarily requested by those creating integration interfaces for LMD along with those who create custom scan cronjobs. Likewise, this proved useful in the creation of the mod_security2 validation script. The usage of this feature is straight forward, simply append a comma spaced list of variables you would like to redefine in the format of VAR=VALUE.

For example, to change the email address for a specific scan and enable quarantining of hits:
maldet –config-option [email protected],quar_hits=1

Effectively, any LMD variable located in conf.maldet or internal.conf can be redefined in this way.

Smaller changes include added support for Plesk in the cron.daily scans, email_ignore_clean conf.maldet variable that allows for reports where all hits are cleaned to be ignored and improved accuracy of (gz)base64 injection signatures to reduce false positives.

That covers the notable changes in this release. Although this isn’t as big or feature packed of an update as the last couple of releases, I am confident it will add to the maturity and utility of the project for all users. Please check the CHANGELOG and README files for further details. This update will push out automatically to LMD installations with the default daily cronjob enabled or you can manually update using the ‘maldet -d’ command.

LMD By The Numbers:
16,036 Downloads month-to-date (includes version updates)
15,261 Malware source URL’s tracked
14,443 Active installations (by unique IP daily signature queries)
11,017 Active 1.4.x installations (by unique IP daily signature queries)
10,192 File submissions pending malware review
9,644 Updates to 1.4.1 (by unique IP signature queries)
8,579 Total malware signatures
7,300 Google references to “linux malware detect”
6,715 MD5 malware signatures
6,374 Unique malware files in the LMD malware repository
3,221 Zombie server nodes seen in the last 30d on IRC C&C networks
1,864 HEX malware signatures
1,338 New signatures since 1.4.0
261 Command & Control IRC networks tracked
226 Signature updates in the last 12 months
196 Unique malware signature classifications
112 Files on average submitted daily through checkout feature
101 GB of bandwidth used per month on average to serve LMD updates
18 Signature updates per month on average
6.3 New signatures per day on average
1.6 Days between signature updates on average

Linux Malware Detect: 2 Years Strong

As cliche as it sounds, where has the time gone? Today we celebrate two years of Linux Malware Detect, open-source (web) malware detection.

The project has seen allot of change since the first release. What was initially started as an internal project to deal with a large increase in malware activity at my job, a mid-sized web hosting company, quickly grew into a larger, established, project that proved useful for the hosting community at large. I spent nearly three months collecting malware to form the base of the initial signature set, developing the program logic and engaging people in WHT & Cpanel IRC to test the early releases. Those first releases had less than 200 signatures, it was strictly MD5 based and used technique that were less than efficient and in many ways initially flawed.

As the project matured in it’s early releases, the reality of Linux (web) malware detection became evident, there was little to no tools that existed for the job and LMD was filling an important void. The few tools that did exist were either not focused on malware or were commercial solutions that made no effort to share malware signatures or resources with the Linux community at large. This quickly lead to a litany of feature requests for LMD along with a mountain of malware submissions from early adopters, all of whom saw in LMD what I saw; an ability to become an effective and crucial tool in combating malware.

Inside of the first couple of major releases, LMD saw an explosion of features and signatures which contributed to the maturity of the project. There were major additions such as hex based pattern matching, quarantine support, reporting system, real time inotify monitoring, malware checkouts, clean & restore features and much more. The signature base grew from 200 odd to now 8,388 at the time of this writing, an average of almost 350 new signatures per month.

The project now sits at version 1.4, which was released in April of 2011. Though the current release is 6 months old, that is by no means an indicator of the projects status but rather the success of it and the maturity there-in. The project still receives near daily signature updates, the malware queue from checkouts has never been more busy with an average of 85 malware submissions per day, the manual review queue for checkouts sits at just over 3300 files and is an ever challenging task to maintain but one I do willingly. Though there is much room for improvement and many features that can be added to LMD, at the moment there are no pressing features required by LMD. Do I have plans in store for the project in the short term? Yes, of course, but like many open source projects, time commitment to the project has to be balanced with my job and personal time so the priorities often shift between signature maintenance, feature development and work on other projects.

The success of the project can be measured by the 13,051 installations ( @ time of writing ) that report in daily, the 540+ new installations per month and the over 17,000 google references to the project. I am proud of LMD, where it has come in the last 24 months and am very encouraged by where I see it going in the future. I look forward to many years of success ahead for LMD and hope you will continue to trust in LMD to combat your malware threats.

LMD 1.4: Little Something For Everyone!

The much awaited for 1.4 release of Linux Malware Detect is here! In this release there is quite literally something for everyone, from massive performance gains to FreeBSD support and everything in between :). For those who wish to dive straight into it, you can run the -d or –update-ver option to update your install to the latest build and check out the change log for full details.

I will try cover some of the highlights of this release for those with the appetite for it, here goes…

One of the more exciting changes is that Clam Anti-Virus is now supported as an optional scanner engine. When LMD detects that ClamAV is installed on the local system, through detection of the clamscan binary, it will default to using clamscan as the default scanner engine. The use of clamscan as the scanner engine leverages LMD in a couple of ways. First, it allows for ClamAV’s threat database to be used in detecting threats, over 900k strong, in addition to the LMD signatures which are ClamAV compatible. Secondly and more importantly, it improves scan performance greatly, over five times faster. Finally, it also improves the accuracy of threat detection as ClamAV is more efficient at doing hex payload analysis of files using LMD’s hex pattern match signatures. To enable this all you need to do is have ClamAV installed and LMD will detect it all on its own, if you wish to override the detection/usage of clamscan then you can set clamav_scan=0 in conf.maldet.

Another change that I am excited to announce, is that LMD 1.4 is now compatible with FreeBSD, less the inotify real-time monitoring as it is a Linux specific feature that requires me to design a new monitoring subsystem around FreeBSD’s inotify equivalent, kqueue. That said, allot of testing went into ensuring FreeBSD compatibility but it did not end there, I also went to great pains to improve Linux compatibility both with RH variants and non-RH variants alike, the officially supported set of distributions is as follows:
– RHEL/CentOS 5.6
– RHEL 6
– Fedora Core 14
– OpenSuse 11.4
– Suse Linux Enterprise Server 11 SP1
– Ubuntu Desktop/Server 10.10
– Debian 6.0.1a

This supported list is not meant as an exclusive list, it is simply a “test” set of distributions that I work with that give LMD the best expectation of working on an even wider set of Linux distributions. This improved compatibility will open up LMD to a larger community of users and there-in allow the project to grow and prosper in new and exciting ways.

The way LMD updates itself has now been improved, traditionally the daily signature updates only updated the core hex and md5 signature files but that proved to create some gaps in ensuring that all dynamic components for detecting threats are current. As such, now the update feature also pulls down the most current set of cleaner rules and LMD signatures in ClamAV format. In addition, the update process has seen an improvement in error checking; the signature files are now validated for length and missing files, if either validation checks fail then all signatures are forcibly updated.

The hex scanner (internally known as stage2 scanner) has been improved in that it now makes use of a named pipe (FIFO – first in first out) for processing file hex payload data, this allows for greater depth penetration into files and at a much lower cost in overhead. This means more accurate threat detection, fewer false positives and improved scan speeds; although it still pales in comparison to when clamscan is used as the scanner engine but nevertheless it is an improvement and an important one at that.

Further adding to the threat detection capabilities of LMD, is a new statistical analysis component that will see allot of expansion in later releases. The first feature in the statistical analysis component is called the string length test. The string length test is used to identify threats based on the length of the longest uninterrupted string within a file. This is useful as obfuscated code is often stored using encoding methods that produce very long strings without spaces (e.g: base64, gzip etc.. encoded files). This feature is presented in conf.maldet through the string_length variables, it is disabled by default as it can in some situations have a relatively high false-positive rate, especially on .js files. Future releases will see extension and file type based filtering specifically wrapped around the statistical analysis components to reduce false positives, however it is still a very powerful feature in detecting obfuscated/encoded malware.

There is a number of usage changes that have been made, the most notable and important being in ignore files, specifically the ignore_inotify and ignore_file_ext files.

The first, ignore_inotify is a specific file designed for ignoring paths from inotify real time monitoring, previous to LMD 1.4 this file only accepted absolute directory/file paths which was very limiting and created headaches for many people. The ignore_inotify file now fully supports posix extended regular expressions, meaning you can ignore absolute paths still or create regular expressions to cover specific file types or dynamic path/directory structures. An example of this is that temporary sql files may write out to /var/tmp in the format of /var/tmp/#sql_12384_4949.MYD, previously you would have to ignore /var/tmp completely which exposed the system more than it helped. Now, you can add an entry to ignore_inotify such as ^/var/tmp/#sql_.*\.MYD$ and it will properly ignore the temporary SQL files while retaining full monitoring of /var/tmp.

The second, ignore_file_ext was a feature added in the 1.3.x branch that was pulled back due to technical issues. The file speaks for itself, it allows you to ignore files from scan results based on file extensions, this has now been fixed and is working properly. The usage of the file is straight forward, simply add one extension per line to ignore_file_ext and it will be excluded from scan results (e.g: .tar.gz , .rpm , .html , .js etc…), there is no need to use an asterisk (*) in entries in the ignore file.

Further usage changes include that the -c|–checkout flags now supports directories instead of just absolute files, so you can upload threats to rfxn.com from an entire directory (please make sure all threats within the directory are actual malware, I would prefer not to sort through hundreds of html/web files). The -r|–scan-recent and -a|–scan-all flags now support single file scans, previously only directory paths were accepted. A background option has been added in the form of -b|–background that allows scans to be run in the background, the -b|–background option must come before the scan options, such as (see –help for more details):

maldet --background --scan-recent /home/?/public_html 7
maldet --background --scan-all /home/?/public_html
maldet -b -r /home/?/public_html 7
maldet -b -a /home/?/public_html

There have also been a couple of changes to the -e|–report flags allowing for the listing of available reports and emailing of previous scan reports. The usage of these changes is straight forward and is as follows:

maldet --report list
maldet --report SCANID [email protected]

That about covers things, there have been a number of smaller changes and fixes in LMD 1.4 which are detailed in the change log. To ensure you are running the latest build please run the -d or –update-ver option to have LMD auto-update or visit the project home page and download the latest build.

LMD 1.3.9r1: Hexdepth Bug

I have put up a revision to the 1.3.9 release of LMD that fixes a hexdepth bug in which malware greater than 65Kbytes would cause an error in the internal hexstring.pl script and be considered clean on the stage2 hex scanning of malware. This would mean that unless malware had a MD5 signature for it to be caught on stage1 scan, it would not be picked up by a corresponding HEX rule in stage2 scan if its file size was greater than 65Kbyte, due to the bug.

In addition, I have made the decision in this revision to enable release update checks in the default cron.daily entry installed by LMD, this can be found at /etc/cron.daily/maldet line 9 (after update) if you wish to comment it out. I would however encourage users to leave this option enabled as it will greatly improve receiving timely updates for future bugs fixes and release updates. In the past, the decision was made to not enable automatic release updates for many reasons but mostly in the interest of the software still maturing and being in early development, thereby not wanting to rock any boats with large and sweeping release updates to a version they may have got working the way they prefer. Now though, LMD has come a long way, the installer imports most options and ignore files and there are no drastically sweeping changes planned that will cause a great deal of headaches — so it seemed fitting time to enable automatic updates.

You can update your installation using the ‘maldet -d|–update-ver’ flags or download the current build for new installations.

This release update also coincides with passing 7k signatures….. We now sit at 7,106 signatures or +146 signatures added today. This is no small feat, I remember when we had just a couple hundred signatures not so long ago and I thought that was a big deal! The LMD submissions repository stays very active, it is now the source of almost 60% of the weekly signature additions and has contributed greatly to creating a vastly more accurate signature set that is representative of the threats you, the users, face day-to-day.

That said, month ending March stats recorded +1,464 installations of LMD bringing the install count to 7,157 — which puts LMD now ahead of APF in month-to-month new installation growth. Although, APF still beat LMD on raw downloads last month (3,091 vs 2,583), it is reasonable to predict that LMD will soon take the number one spot for downloads as well. It however still has a long way to go for total active installations, which APF sits at a comfortable 24,791 currently.

Till next time, happy malware hunting 🙂

LMD 1.3.9: Quietly Awesome

It has been a busy couple of weeks for the LMD project, lots of late nights and sleepless days behind me and I can say I am a ‘little’ happier with where things are in the project now 🙂

This release has no major feature changes or additions other than a modification in the default hexdepth that is used to scan malware; increased from 15,736 to 61,440 (1024*60). This enables LMD to better detect threats that it was having a little difficulty with due to the byte size of some malware. At the moment there is no byte-offset feature that would allow us to create more targeted hex signatures, which kind of fly’s in the face of my goal of improving performance — but it is what it is and for the moment things are O.K. With the new hex-depth value, the miss rate on valid malware that rules already exist for is below 1% and I can live with that till I put together a new scanner engine/logic. You can apply this update to your installations by using the -d|–update-ver flags.

In light of performance concerns with the current incarnation of LMD, I felt it prudent, and also has been requested, to create a set of signatures compatible with ClamAV. This allows those who wish to do so, to leverage the LMD signature set with ClamAV’s very impressive scanner performance. Although there are performance concerns with LMD on large file sets, it does need to be said that for day-to-day operations of the cron initiated or inotify real-time scans, there is little to no performance issues. This is strictly a situation where if you choose to scan entire home directory trees, where file lists exceed tens or hundreds of thousands, you now have an option to take advantage of our signatures within a scanner engine that can handle those large file sets.

The LMD converted ClamAV signatures ship as part of the current release of LMD and are stored at /usr/local/maldetect/sigs/ and are named rfxn.ndb and rfxn.hdb. The ClamAV signatures will not be updated with the usage of -u|–update but rather are static files placed inside the release package when it is rebuilt nightly with new signatures. As such, the latest versions of the rfxn.ndb|hdb files are always available at the following URL’s (these are updated whenever LMD base signature are updated — typically daily):

To make use of these signatures in ClamAV using the clamscan command, you would run a command similar to the following:
clamscan -d /usr/local/maldetect/sigs/rfxn.ndb -d /usr/local/maldetect/sigs/rfxn.hdb -d /var/clamav/ –infected -r /path/to/scan

The -d options specify the virus databases to use, when you use the -d option it will exclusively use those databases for virus scans and ignore the default ClamAV virus database, so we redefine -d /var/clamav/ to also have all of the default ClamAV signatures included in our scans. The –infected option will only display those files that are found to be infected and the -r option is for recursive scanning (descend directory tree’s).

That all said, the real guts of changes recently have been in the signatures themselves, we have in the last two weeks went from 6,083 to 6,769 signatures, an increase of 686 — one of the largest updates to signatures to date for a single month. A great deal of these signatures have come from the submissions queue which ended up in such a backlogged state that there was 2,317 items pending review. Currently I have managed to get the queue cut down to 1,381 and I have committed myself to eliminating the backlog by the end of the month or shortly there after (ya we’ve heard that before right ?). It should be understood that reviewing the submissions queue is an exceedingly tedious task as every file needs to be manually reviewed, assessed on its merits as malware (or deleted), then ultimately hex match patterns created, classify the malware, hash it and insert it into the signatures list. As painful of a process as it is at times, I do enjoy it, it is just very time consuming so please show patience when you submit malware with the checkout option.

Finally, I have allot in store for LMD going forward, as always time is the biggest factor but be assured the project will continue to grow and improve in the best interest of detect malware on your servers. Likewise, for any who have followed previous blogs, the dailythreats website is still a work in progress and will compliment the project once it is released, in the very near future. As always, thank you to everyone who uses my work and please consider a donation whenever possible.

Did You Know? Stats:
Active Installations (Unique IP daily update queries): 5,903
Total Downloads (Project to date): 32,749
Total Malware Signatures: 6,769
rfxn.com Malware Repository: 21,569 files / 1.6G data
Tracked Malware URL’s: 18,304
Tracked IRC C&C Botnets: 421