Linux Malware Detection with Maldet

Malware Detection with Maldet

Linux Malware Detection comes in the form of maldet from R-fx Networks. The author Ryan MacDonald, a security engineer, created maldet to overcome limitations in malware detection especially in shared hosting environments. With his experience he is able to use data from border routers to detect perimeter intrusion attacks.

To install this on CentOS 7 we first add the package inotify-tools. This allows notifications via the Linux kernel.

$ sudo yum install -y inotify-tools

If this is not installed then the real time monitoring service will fail to start, although other elements of maldet will run.

Next, we can download the tarball from R-FX Networks and install:

$ cd /usr/src
$ sudo wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
$ sudo tar -xzf maldetect-current.tar.gz
$ cd maldetect-1.6.2 #<version may differ>
$ sudo ./install.sh

Linux Malware Detection is now installed. We can, of course, add further configuration.

To enable the monitoring service let’s first list the service unit file, this will give us insight into what is happening and what we need to configure:

$ sudo systemctl cat maldet

# /usr/lib/systemd/system/maldet.service
[Unit]
Description=Linux Malware Detect monitoring - maldet
After=network.target

[Service]
ExecStart=/usr/local/maldetect/maldet --monitor /usr/local/maldetect/monitor_paths
ExecStop=/usr/local/maldetect/maldet --kill-monitor
Type=forking
PIDFile=/usr/local/maldetect/tmp/inotifywait.pid
[Install]
WantedBy=multi-user.target

When we look at the ExecStart directive, maldet reads in a file for to create a list of files or directories to monitor. We should add directories to this, ensuring they are delimited with a new line. The file should also end with a new line, even if just one entry is added

$ echo -e '/home\n/var/www\n' | \
  sudo tee /usr/local/maldetect/monitor_paths

Before starting the service, we are able to test that this monitor configuration works:

$ sudo maldet /usr/local/maldetect/maldet \
    --monitor /usr/local/maldetect/monitor_paths

The output should include the 2 directories be added to the monitoring array:

maldet(8409): {mon} added /home to inotify monitoring array
maldet(8409): {mon} added /var/www to inotify monitoring array

If we are certain that this is working correctly we can kill the monitor and start the service:

$ sudo maldet -k

As is usual, the -h option will supply further help should you need.

$ sudo systemctl enable maldet --now

Adding the –now option when a service is enabled will ensure that the service is both enabled to autostart and started.

The status option to systemctl will also show the monitored directories:

$ sudo systemctl status maldet

Monitoring defaults to every 30 seconds, if required this can be modified in the configuration file, /usr/local/maldetect/conf.maldet and the directive inotify_sleep.

You may also want to consider setting these options:

email_alert="1" 
To ensure email notifications are sent
email_addr="root" 
Add your email or the address of a local user for emails to be directed
scam_clamscan="0" If you don't have ClamAV installed then set this to 0 to use the LMD scan engine.

The configuration file is well documented  but ff you prefer to keep the comments and active configuration separate, then we can easily delete empty and commented lines with sed, whilst creating a backup that maintains the comments:

$ sed -Ei.bak '/^\s*(#|$)/d' /usr/local/maldet/conf.maldet

Automation of scans and updates is also provided via cron and the file /etc/cron.daily/maldet and /etc/cron.d/ and /etc/cron.d/maldet_pub

Working with maldet at the command we should always remember to run as root, which jas been a consistent theme with these malware tools. First, we will download some example virus files. Take care on your own systems and we would strongly suggest that these files be download on a test system only that is not connected to a production network.

The virus files we download are from EICAR, the European Institute for Computer Anti-Virus Research. These files are not viruses as such but should be picked up by AV software. You can read more about these files from EICAR.

We will download these files as standard user to their home directory:

$ cd $HOME

$ wget http://www.eicar.org/download/eicar.com 
$ wget http://www.eicar.org/download/eicar.com.txt 
$ wget http://www.eicar.org/download/eicar_com.zip 
$ wget http://www.eicar.org/download/eicarcom2.zip

We can now wait for a scheduled scan or initiate a scan from the command line:

$ sudo maldet -a /home 

Once the scan is complete the report will have been emailed to root, if this was configured. Otherwise, we can read it from the CLI by looking for the maldet –report line in the output, towards the end.

maldet(6335): {scan} scan completed on /home/student/: files 95, malware hits 4, cleaned hits 0, time 5s
maldet(6335): {scan} scan report saved, to view run: maldet –report 180824-1011.6335

If we run this report we can see what has been detected:

$ sudo maldet --report 180824-1011.6335

...

FILE HIT LIST:

{MD5}EICAR.TEST.10.382 : /home/student/eicar.com.txt.1

{HEX}EICAR.TEST.3 : /home/student/eicar_com.zip

{HEX}EICAR.TEST.3 : /home/student/eicarcom2.zip

{MD5}EICAR.TEST.10.382 : /home/student/eicar.com

...

The report also details how we can quantine these files:

$ sudo maldet --quarantine 180824-1011.6335
Linux Malware Detect v1.6.2
            (C) 2002-2017, R-fx Networks <proj@rfxn.com>
            (C) 2017, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(8513): {quar} malware quarantined from '/home/student/eicar.com.txt.1' to '/usr/local/maldetect/quarantine/eicar.com.txt.1.320332984'

maldet(8513): {quar} malware quarantined from '/home/student/eicar_com.zip' to '/usr/local/maldetect/quarantine/eicar_com.zip.1713812609'

maldet(8513): {quar} malware quarantined from '/home/student/eicarcom2.zip' to '/usr/local/maldetect/quarantine/eicarcom2.zip.181162009'

maldet(8513): {quar} malware quarantined from '/home/student/eicar.com' to '/usr/local/maldetect/quarantine/eicar.com.1993814138'

If we would prefer to automatically quarantine files we can set this is the /usr/local/maldetect/conf.maldet:

quarantine_hits="1"

Setting this, and then repeating the download process followed by another scan, will show that the files are quarantined automatically.