Rootkit Hunter alternative for suspscan
Posted 07-25-2011 at 06:16 PM by unSpawn
Tags: clamav, maldetect, rootkit hunter, suspscan
I've been mulling (yes, mulling) replacements for RKH's suspscan for a while now. Suspscan was an experiment to see if there could be a more generic, less name-based way of finding malware. The resultant monstrosity is resource-intensive, impossible to configure and rarely used. While researching something else (as usual) I came across this rather good presentation (PDF) about creating one's own AV signatures: Writing ClamAV Signatures, and not long after that I found R-fx Networks' Linux Malware Detect.
While installing it may be your cup of $BEVERAGE, currently I'm only interested in the databases: 'tar -C /path/to/somedir -f maldetect-current.tar.gz -x maldetect-1.4.0/files/sigs/rfxn.*'. The results of running 'clamscan --recursive --bytecode --heuristic-scan-precedence=no --algorithmic-detection --scan-elf --scan-archive /path/to/targetdir' and 'clamscan --official-db-only=no --recursive --bytecode --heuristic-scan-precedence=no --algorithmic-detection --scan-elf --scan-archive -d /path/to/rfxn.hdb -d /path/to/rfxn.ndb /path/to/targetdir' on 1336 plain files, tarballs, etc. as AVAST reported them are interesting.
For reference: AVAST:
Code:
# scanned files: 112237
# scanned directories: 618
# infected files: 1010
# total file size: 18.0 GB
# virus database: 110724-1 24.07.2011
ClamAV:
Code:
Known viruses: 1006533
Engine version: 0.97.1
Scanned directories: 606
Scanned files: 6818
Infected files: 150
Data scanned: 3283.48 MB
Time: 660.400 sec (11 m 0 s)
ClamAV with RFX databases:
Code:
Known viruses: 7825
Engine version: 0.97.1
Scanned directories: 618
Scanned files: 6971
Infected files: 163
Data scanned: 3409.94 MB
Time: 271.305 sec (4 m 31 s)
So while the used databases provide fewer signatures (as opposed to the "regular" ones, and $DEITIES know why using "--official-db-only=no" doesn't result in using all databases) the hit rate clearly is greater (see the 4.6K attached plain text report with obfuscated file names). Since the databases are focused on Linux malware this certainly is an improvement over any commercial AV (those of you who have been here long enough know my opinion) and as such, even if it isn't going to be updated regularly, would be a worthy addition for those of you running web servers exposed to the 'net.
Needless to say I'll be experimenting with ClamAV signature creation.
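As an added illustration of what the rfxn.hdb and rfxn.ndb databases loaded with -d actually contain (this is not code from the post, from LMD or from ClamAV): a minimal Python matcher for the two signature formats, run over constructed sample files. The signature lines, malware names and file contents are invented for the example; it handles only target types 0 (any) and 6 (ELF) and offsets '*' or absolute, a small subset of what clamscan supports.

```python
import hashlib
import re

# Constructed signature lines (rfxn.hdb / rfxn.ndb formats, values invented):
#   .hdb: MD5:FileSize:MalwareName    .ndb: MalwareName:TargetType:Offset:HexSig
SAMPLE_HDB = "098f6bcd4621d373cade4e832627b4f6:4:Constructed.Hash.Test\n"
SAMPLE_NDB = (
    "Constructed.Php.Eval:0:*:6576616c286261736536345f6465636f646528\n"  # eval(base64_decode(
    "Constructed.Elf.LE:6:0:7f454c46??0101\n"  # \x7fELF, any class byte, little-endian, v1
)
SAMPLE_FILES = {  # constructed "files" to scan
    "a.txt": b"test",
    "b.php": b"<?php eval(base64_decode('aGk=')); ?>",
    "c.bin": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
    "d.txt": b"note quoting eval(base64_decode( as text, not an ELF",
}

def load_hdb(text):
    """(md5, size, name) tuples; size '*' means any length."""
    sigs = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            md5, size, name = line.split(":", 2)
            sigs.append((md5.lower(), None if size == "*" else int(size), name))
    return sigs

def load_ndb(text):
    """(name, target, offset, regex) tuples; '??' in the hex signature matches any byte."""
    sigs = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, target, offset, hexsig = line.split(":", 3)
            toks = re.findall(r"\?\?|[0-9a-fA-F]{2}", hexsig)
            rx = b"".join(b"." if t == "??" else re.escape(bytes.fromhex(t)) for t in toks)
            sigs.append((name, int(target), offset, re.compile(rx, re.DOTALL)))
    return sigs

def scan_bytes(data, hdb, ndb):
    digest = hashlib.md5(data).hexdigest()
    hits = [n for md5, size, n in hdb if digest == md5 and size in (None, len(data))]
    for name, target, offset, rx in ndb:
        if target == 6 and not data.startswith(b"\x7fELF"):
            continue  # ELF-only signature, skip non-ELF content
        if (rx.search(data) if offset == "*" else rx.match(data, int(offset))):
            hits.append(name)
    return hits

def scan_all(files, hdb_text=SAMPLE_HDB, ndb_text=SAMPLE_NDB):
    hdb, ndb = load_hdb(hdb_text), load_ndb(ndb_text)
    return {path: scan_bytes(data, hdb, ndb) for path, data in files.items()}
```

The hash entry only fires on an exact copy of a known file, while the hex entries catch variants, which is why pattern-heavy Linux-focused databases can score more hits with far fewer signatures.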