This article is from the Open Source Tools and their Developers edition, which you can download for free if you have an account on our website.
BLAZESCAN - digital forensic open source tool
Today when you look at the malware market you will find an overwhelming domination of malicious Windows software. When looking for security products, you can find many that exist for Windows, and write-up after write-up on Windows malware. This makes sense, as the vast majority of malware is created for the Windows OS. Here's an example of uploads to VirusTotal over a recent 7-day period:
Windows executables number over a million, and you have to go down 14 file types until you reach the ELF binaries more commonly used on Linux systems; 26 slots down you reach PHP files. On web servers, the vast majority of threats tend to be written in PHP. These threats tend to be webshells, spam mailers, and phishing kits. While working at a web hosting company we used both an open source malware scanner called maldet and another internal tool.
What I was finding was that far too many times obvious malware was being missed, and other techniques used often in a standard DFIR playbook were not being used. I began trying to resolve this by creating new signatures with yara and clamAV to increase our detection rates, but before long found this unwieldy and began work on a tool to make it easier to use these custom rules. After a little while, what started as a side project to use yara malware signatures became a full-featured Linux DFIR tool set, incorporating the things that I found lacking in our standard investigative tools.
So let’s take a look at the tool and its use cases.
First of all, this tool looks to take advantage of existing tools when they are present. Those included here are yara, clamAV, wpcli, maldet, and many standard Linux utilities as well:
Yara - Open source tool created and maintained by VirusTotal (Google) that allows you to create rules to match against patterns, often used for malware signatures or threat hunting.
ClamAV - Open source antivirus scanner around since the early 2000s, currently maintained by Cisco Talos.
WP-CLI - Command line interface for managing the WordPress CMS software.
Maldet - Open source malware scanner and web-server-specific malware rule set.
In the environment this tool was built in, we catered to many small/medium businesses and platform resellers. The environment was heavily built around servers running the cPanel server management software. cPanel's software allows you to easily multi-home a server for dozens of sites and provide additional services like email and statistics gathering.
To aid investigations, one of the first integrations was to enable compatibility in cPanel environments, allowing for quick and easy scans of individual cPanel accounts or entire servers.
After that came the real table stakes of a good DFIR tool. Let's do a walkthrough. At the time of writing, the tool has the following options available to the user:
-a will scan all cpanel accounts
-A will use Aggressive mode to scan all cpanel accounts; uses clamd to run multicore scans, can increase load
-u will scan the specified cpanel user
-l will show the results of the last scan
-t will display ctime of the hits in the last scan
-d scan a directory of your choosing
-w will run a scan on the directory of your choosing with wordpress checks included
-f will run search for all files in the directory given and record ctime of all files
-i provide a file to pull vital stats about the file
-m will email the list of hits from the last scan, set email in blazscand.conf Mailtoaddress
-n will provide an overview of logged in users and network traffic
-N will run a tcpdump for a specified time period and write the data to a file for later analysis
-U will check for updates, and allow you to perform any available updates
-R will allow you to report a malicious file back to add a signature - use this if you encounter new malicious code that is not detected
-h will display the help menu
Our candidate for the demo will be a VM I've used in the past that I call Malware.lan. It's an Ubuntu server with a standard LAMP setup hosting a WordPress site.
Let's set a scenario: the site’s been acting strange, the server’s running slow, and a user has reported their AV is warning them about traveling to the site due to phishing. The responder logs into the server to investigate. First, let's take a snapshot of the site as it exists to preserve vital timestamp evidence that may be altered. Blazescan allows us to do so with the following command:
```
root@Malware.lan:~# blazescan -f
Already up-to-date.
What path would you like to collect forensic change timestamps? /home/webuser/public_html
Provide your username: responder1
Log can be found here: /usr/local/scan/forensic-responder1-2018-08-09-1950.log
```
Now let's check to see what users may be logged in and current traffic.
Here we can confirm only a single remote user, in this case us. However, we know this is a small server with a single CPU core, and we note that the load on the server is unusually high. Next, we can note the pattern of previously logged-in users; nothing stands out here yet.
Reviewing the listening services, it’s a similar story, nothing out of the ordinary for this server yet.
Active connections though, that's a different story; here we see an anomaly.
The traffic making connections to port 6666 and the user phpViT7U_4xie5 do not match what we expect to see on a web server. Our responder decides to capture some traffic from the anomaly.
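The anomaly above is spotted by comparing the connection table against what the analyst expects a web server to do: known daemons (sshd, the web server) talking on their usual ports. The following is an added example, not Blazescan's own code, that encodes that baseline as a check over constructed `ss -tanp` style output. The process name and port mirror the walkthrough; the addresses, pids and the expected-process list are assumptions made for the sample.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample laid out like `ss -tanp` output; it is not a capture from the
# article's server. The odd process name and remote port 6666 mirror the anomaly
# described in the walkthrough; addresses come from the documentation ranges.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port    Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*            users:(("sshd",pid=812,fd=3))
LISTEN 0      511    *:80                *:*                  users:(("apache2",pid=1024,fd=4))
ESTAB  0      0      10.0.0.5:22         192.0.2.10:51514     users:(("sshd",pid=2201,fd=4))
ESTAB  0      0      10.0.0.5:80         192.0.2.44:60122     users:(("apache2",pid=1031,fd=12))
ESTAB  0      0      10.0.0.5:43210      198.51.100.7:6666    users:(("phpViT7U_4xie5",pid=2231,fd=3))
"""

# One socket line: state, queues, local addr:port, peer addr:port, optional process info.
SOCKET_RE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+):(?P<lport>\S+)\s+"
    r"(?P<peer>\S+):(?P<pport>\S+)"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+))?'
)


@dataclass
class Socket:
    state: str
    local: str
    lport: str
    peer: str
    pport: str
    proc: str
    pid: Optional[int]


def parse_ss(text: str) -> list:
    """Turn ss-style text into Socket records, skipping the header line."""
    sockets = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("State"):
            continue
        m = SOCKET_RE.match(line)
        if not m:
            continue
        sockets.append(Socket(
            m["state"], m["local"], m["lport"], m["peer"], m["pport"],
            m["proc"] or "?", int(m["pid"]) if m["pid"] else None,
        ))
    return sockets


def find_anomalies(sockets, expected_procs=frozenset({"sshd", "apache2"}),
                   watch_ports=frozenset({"6666"})):
    """Flag sockets owned by a process outside the baseline, or talking to a watched port.

    expected_procs and watch_ports are assumptions for this sample: a real baseline
    comes from the host's known service inventory, and 6666 is the port from the text.
    Returns (reason, Socket) pairs so the analyst sees why each line was flagged.
    """
    findings = []
    for s in sockets:
        if s.state not in ("ESTAB", "LISTEN"):
            continue
        if s.proc not in expected_procs:
            findings.append((f"unexpected process {s.proc} (pid {s.pid}) in state {s.state}", s))
        elif s.state == "ESTAB" and s.pport in watch_ports:
            findings.append((f"{s.proc} connected to watched remote port {s.pport}", s))
    return findings


if __name__ == "__main__":
    for reason, sock in find_anomalies(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"{reason}: {sock.local}:{sock.lport} -> {sock.peer}:{sock.pport}")
```

Only the established connection to port 6666 owned by the unfamiliar process is reported; the sshd and apache2 entries match the baseline and stay quiet, which is the same reasoning the responder applied by eye.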
Now our responder can look at this or keep it for later review. The responder decides it’s time to scan, and, knowing the site uses WordPress, uses the -w flag to run a signature-based scan, which includes a check of the WordPress core files using the wpcli feature.
Here we can see that we received both malware signature hits and WordPress core files that do not match the core file hash check.
Our responder decides they want to look more closely at the phpoViT7U_4xie5u7jkmyvugag file that looked to be active based on the earlier network traffic. Using the -i flag they pull up the vital stats on the file and can choose to search the hash against VirusTotal.
```
root@Malware.lan:~# blazescan -i /home/webuser/public_html/phpoViT7U_4xie5u7jkmyvugag
```
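Two checks from the walkthrough are worth seeing in code: the core-file hash comparison behind the -w scan (wp-cli compares each core file's MD5 against the published manifest for that version) and the "vital stats" the -i flag pulls for one file (size, owner, mode, timestamps, hashes ready to be searched on VirusTotal). The block below is an added example, not Blazescan's or wp-cli's code; it builds a constructed two-file "core" tree, computes its manifest, tampers with it the way a compromise would, and reports the result. The file names, contents and the placeholder dropped file are assumptions for the sample.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Constructed placeholder standing in for a dropped file; it is not a real webshell.
SHELL_PLACEHOLDER = b"<?php // constructed placeholder standing in for the dropped file\n"


def hash_file(path, algos=("md5", "sha1", "sha256")):
    """Hash a file once, streaming it through every requested digest."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def vital_stats(path):
    """The -i style summary: size, ownership, mode, ctime/mtime and hashes."""
    st = os.stat(path)
    return {
        "path": path,
        "size": st.st_size,
        "owner_uid": st.st_uid,
        "mode": oct(st.st_mode & 0o777),
        "ctime": datetime.fromtimestamp(st.st_ctime, timezone.utc).isoformat(),
        "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        **hash_file(path),
    }


def verify_checksums(root, expected):
    """Compare a tree against a manifest {relative_path: md5hex}.

    Mirrors what a core checksum verification reports: files whose hash changed,
    files the manifest lists but which are gone, and files present that the
    manifest never mentioned (where dropped webshells tend to show up).
    """
    modified, missing, extra = [], [], []
    for rel, md5 in expected.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            missing.append(rel)
        elif hash_file(full, ("md5",))["md5"] != md5:
            modified.append(rel)
    known = set(expected)
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if rel not in known:
                extra.append(rel)
    return {"modified": sorted(modified), "missing": sorted(missing), "extra": sorted(extra)}


def demo():
    """Build a constructed mini core tree, take its manifest, tamper, and verify."""
    root = tempfile.mkdtemp(prefix="core-")
    files = {
        "wp-load.php": b"<?php // constructed stand-in for a core file\n",
        "wp-includes/version.php": b"<?php $wp_version = 'x.y.z'; // constructed\n",
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    manifest = {rel: hash_file(os.path.join(root, rel), ("md5",))["md5"] for rel in files}
    # Simulate the compromise: code appended to a core file, plus an unknown file dropped.
    with open(os.path.join(root, "wp-load.php"), "ab") as fh:
        fh.write(b"// constructed tamper marker\n")
    with open(os.path.join(root, "z.php"), "wb") as fh:
        fh.write(SHELL_PLACEHOLDER)
    return verify_checksums(root, manifest), vital_stats(os.path.join(root, "z.php"))


if __name__ == "__main__":
    report, stats = demo()
    print(report)
    print(stats)
```

The manifest here is computed from the clean tree, which is the trust anchor; in a real check it must come from a known-good source such as the upstream checksum list, never from the server under investigation.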
Next we will want to determine when the files arrived, to try to discover the vector that was exploited.
Here we can see roughly two different time periods. This suggests that the malware placed in the first compromise was reused in the following compromise, either by the same actors or simply found by others in the wild.
Our responder decides to use the timestamps associated with the phpoViT7U_4xie5u7jkmyvugag file, again based on the earlier network traffic. They start with the Apache web server logs and are able to quickly find log entries matching the timestamps of the phpoViT7U_4xie5u7jkmyvugag file.
The responder can now see traffic directed at the z.php file that was also identified earlier in the malware scan. With malicious intent all but confirmed, our responder kills the process identified earlier and the load on the server begins to drop immediately. After that, the responder confirms that z.php is a webshell with upload and command execution functionality.
Tracking the other files in the Apache web logs, the responder finds the following phishing kit being run on the server, impersonating the European telecom company Orange.
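The -f snapshot, the grouping of hits into time periods, and the pivot from a file's ctime into the Apache access log are one procedure, so the added example below carries it through end to end. It is not Blazescan's code: it records ctime for every file under a directory, clusters records that arrived close together, and returns the access-log requests nearest to a chosen file's ctime. The log lines, client addresses, the 19:20 UTC timestamps and the one-hour cluster gap are constructed assumptions; the request paths reuse names from the walkthrough.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone

# Constructed Apache combined-log lines, not the article's real logs. Paths reuse
# names from the walkthrough; client addresses are from the documentation ranges.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [09/Aug/2018:19:19:58 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Aug/2018:19:20:03 +0000] "POST /z.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Aug/2018:19:20:04 +0000] "GET /phpoViT7U_4xie5u7jkmyvugag HTTP/1.1" 200 14 "-" "Mozilla/5.0"
198.51.100.23 - - [09/Aug/2018:19:41:10 +0000] "GET /index.php HTTP/1.1" 200 9821 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_access_log(text):
    """Parse combined-format lines into dicts with a timezone-aware timestamp."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append({
                "ip": m["ip"],
                "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                "method": m["method"], "path": m["path"], "status": int(m["status"]),
            })
    return entries


def snapshot_ctimes(root):
    """Record inode-change time (ctime) for every file under root, like a -f run.

    ctime is taken first because it cannot be set with touch/utime the way mtime can,
    so it survives simple timestamp tampering better than the other stamps.
    """
    records = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            records.append({
                "path": os.path.relpath(full, root),
                "ctime": datetime.fromtimestamp(st.st_ctime, timezone.utc),
                "size": st.st_size,
            })
    return sorted(records, key=lambda r: r["ctime"])


def cluster_by_time(records, gap=timedelta(hours=1)):
    """Group records whose ctimes fall within `gap` of the previous one (the 'two time periods')."""
    clusters = []
    for r in sorted(records, key=lambda r: r["ctime"]):
        if clusters and r["ctime"] - clusters[-1][-1]["ctime"] <= gap:
            clusters[-1].append(r)
        else:
            clusters.append([r])
    return clusters


def requests_near(file_ctime, entries, window=timedelta(seconds=120)):
    """Access-log entries within +/- window of a file's ctime, nearest first."""
    hits = [e for e in entries if abs(e["ts"] - file_ctime) <= window]
    return sorted(hits, key=lambda e: abs(e["ts"] - file_ctime))


def demo():
    entries = parse_access_log(SAMPLE_ACCESS_LOG)
    # Constructed ctime for the dropped file: 2018-08-09 19:20:30 UTC.
    file_ctime = datetime(2018, 8, 9, 19, 20, 30, tzinfo=timezone.utc)
    near = [e["path"] for e in requests_near(file_ctime, entries)]
    # Constructed -f style records: two drops a minute apart, a third three hours later.
    records = [
        {"path": "z.php", "ctime": file_ctime - timedelta(seconds=60)},
        {"path": "phpoViT7U_4xie5u7jkmyvugag", "ctime": file_ctime},
        {"path": "phishkit/index.php", "ctime": file_ctime + timedelta(hours=3)},
    ]
    clusters = [[r["path"] for r in c] for c in cluster_by_time(records)]
    # Exercise the real snapshot on a throwaway directory with two placeholder files.
    root = tempfile.mkdtemp(prefix="docroot-")
    for name in ("index.php", "z.php"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"<?php // constructed placeholder\n")
    snapshot = sorted(r["path"] for r in snapshot_ctimes(root))
    return near, clusters, snapshot


if __name__ == "__main__":
    print(demo())
```

With the sample data the requests nearest the dropped file's ctime are the GET for the file itself and the POST to z.php a second earlier, which is exactly the pivot the responder made from the file timestamps to the webshell; the records cluster into two periods an hour or more apart.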
This kit was not flagged in the malware scan so the responder decides to report the file back for further analysis and signature creation.
Then the responder emails the results of the malware scan to the responsible owner for cleanup of the site.
Should the analyst need to refer to any data captured during the investigation, in this case the malware scan results, network traffic captures, or the file timestamps, they are all stored and can be re-examined.
In the future, I am planning to continue updates to the signature database and look into ways to make it easier for the analyst to link together file timestamps and log events, as well as other quality-of-life features. Pull requests and issues can be opened at the project GitHub: