Tuesday, January 07, 2014

HOWTO : Linux Malware Detect on Ubuntu 12.04 LTS 64-bit

What is Linux Malware Detect?

Linux Malware Detect (LMD) is a malware scanner for Linux, released under the GNU GPLv2 license, that is designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. In addition, threat data is also derived from user submissions via the LMD checkout feature and from malware community resources. The signatures that LMD uses are MD5 file hashes and HEX pattern matches; they are also easily exported to any number of detection tools such as ClamAV.

The driving force behind LMD is that there is currently limited availability of open source, restriction-free tools for Linux systems that focus on malware detection and, more importantly, that get it right. Many of the AV products that perform malware detection on Linux have a very poor track record of detecting threats, especially those targeted at shared hosted environments.

The threat landscape in shared hosted environments differs from what the standard AV products' detection suites cover: they primarily detect OS-level trojans, rootkits and traditional file-infecting viruses, but miss the ever-increasing variety of user-account-level malware that serves as an attack platform.

Shared Hosting Environments Only?

Although LMD is designed for Red Hat based systems in shared hosting environments with Apache, it runs on Debian or Ubuntu server and desktop editions without any problem. Running it alongside Hiawatha is no problem either.

Installation

Step 1 :

sudo apt-get install libc6-i386

wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xvzf maldetect-current.tar.gz
cd maldetect-*
sudo ./install.sh


Step 2 :

sudo maldet -d -u

Step 3 :

sudo nano /usr/local/maldetect/conf.maldet

Change the values of the following variables:

email_alert=1
email_addr="samiux@samiux.com"

* change to your email address

quar_hits=1
maxfilesize="10240k"
string_length_scan="1"

clamav_scan=0
* if ClamAV is not installed.

clamav_scan=1
* if ClamAV is installed.

Step 4 :

sudo nano /etc/rc.local

Append one of the following lines before "exit 0":

/usr/local/maldetect/maldet -m /tmp,/run/shm,/var
* if you are running server edition

/usr/local/maldetect/maldet -m /tmp,/run/shm,/home
* if you are running desktop edition

Step 5 :

sudo maldet -m /tmp,/run/shm,/var
* if you are running server edition

sudo maldet -m /tmp,/run/shm,/home
* if you are running desktop edition

Step 6 :

Make sure LMD is running properly:

sudo ps aux | grep maldet
sudo ps aux | grep inotify
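As an added example (not from the original post and not part of LMD), a small POSIX sh script that parses a conf.maldet-style file and reports which of the settings changed in Step 3 still differ from the values this HOWTO uses. The sample config is constructed, and the placeholder address you@domain.com is assumed to be the one shipped in the default file; point check_conf at /usr/local/maldetect/conf.maldet to check a real install.

```shell
# Added example, not part of the original HOWTO or of LMD: compare the
# settings Step 3 asks you to change against a conf.maldet-style file.
# Constructed sample in conf.maldet's key=value format, with every
# setting still at a value this HOWTO tells you to change.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
email_alert=0
email_addr="you@domain.com"
quar_hits=0
maxfilesize="768k"
string_length_scan="0"
clamav_scan=1
EOF

# conf_get FILE KEY: print KEY's value with surrounding quotes stripped;
# the last assignment wins, as it would when the shell sources the file.
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# check_conf FILE [HAVE_CLAMAV]: print "key: current -> wanted" for each
# setting that differs from the HOWTO and return the number of mismatches.
# HAVE_CLAMAV (1/0) says whether ClamAV is installed; if omitted, the
# presence of the clamscan binary decides, matching Step 3's two cases.
check_conf() {
    file="$1"
    have_clamav="${2:-$(command -v clamscan >/dev/null 2>&1 && echo 1 || echo 0)}"
    mismatches=0
    for pair in "email_alert=1" "quar_hits=1" "maxfilesize=10240k" \
                "string_length_scan=1" "clamav_scan=$have_clamav"; do
        key="${pair%%=*}"; want="${pair#*=}"
        got="$(conf_get "$file" "$key")"
        if [ "$got" != "$want" ]; then
            echo "$key: ${got:-<unset>} -> $want"
            mismatches=$((mismatches + 1))
        fi
    done
    # email_addr must be your own address; "you@domain.com" is assumed to
    # be the placeholder shipped in the default file.
    addr="$(conf_get "$file" email_addr)"
    case "$addr" in
        ""|"you@domain.com")
            echo "email_addr: ${addr:-<unset>} -> your own address"
            mismatches=$((mismatches + 1)) ;;
    esac
    return "$mismatches"
}

check_conf "$SAMPLE_CONF" 0 || echo "$? setting(s) differ from the HOWTO"
```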


How it works?

The signatures are updated on a daily basis. LMD monitors the directories that you entered at Step 4 or 5. Once malware is detected, you will be informed by email if you enabled it at Step 3. The detected malware will be quarantined and deleted too.

If you are running Apache, you may consider installing mod_security and mod_evasive in order to enhance the security of the web server. If you install them, you need to set "public_scan=1".

You may also consider installing ClamAV when necessary.

Remarks

Please note that any signature based scanner or defense can be bypassed.

That's all. See you!