Utilising OSSEC for malware detection
OSSEC is a host-based intrusion detection system which collects information via agent deployment, agentless deployments (primarily SSH based), or simply by forwarding syslog events to the OSSEC server. It is simple, it works, and best of all it is free (GPLv2). One of the features OSSEC provides is 'syscheck', which monitors the integrity of the system by checking, either periodically or in real time, directories, specific files, and registry keys. To do this, syscheck obtains a checksum or the contents of the target objects, depending on the type of check. My focus is purely on the FIM (file integrity monitoring) side of syscheck. The output of syscheck is a file, per machine, consisting of SHA1 and MD5 checksums for each file. Whenever the content changes and syscheck runs, a new checksum will be generated and potentially alerted upon.

Additionally, OSSEC has a rootcheck process to identify whether your systems present symptoms of a rootkit being installed, some malware, configuration items, etc. This, again, is excellent at identifying whether the systems have been compromised, but it focuses on the signatures and behaviours known at the time of scanning. So, it uses known events and known signatures to decide whether an alert should be raised, nothing cutting edge. It maintains signatures, updated irregularly, to identify malware. This means that to detect malware using OSSEC you must be switched on to identifying suspicious behaviour (i.e. heuristics and event correlation). A quick search for "ossec malware detection" results in multiple discussions about using suspicious or known behaviours (the process of action) to detect malware.

What I want is the ability to check the detected files against malware signatures that are constantly updated. The purpose here is to provide an extra level of detection. This should help identify whether that suspicious batch file that appeared and then got deleted was known malware, giving the security analyst a quick way to identify malware that has slipped past their anti-malware software. This will not help you if syscheck has not been configured to monitor the right folders.
Why?
Anti-malware products are essential for quick identification of, and protection from, malware. However, they are not the be-all and end-all of identifying malware on computer systems. There are some loose and generalised restrictions on anti-malware software due to the manner in which it works:
- Only one anti-malware product should be installed on your computer and active at any one time.
- To provide real-time protection and on-access scanning, hooks into the kernel are used.
- Primarily signature based, resulting in detections only of what is already known.
- It can be bypassed easily.
- Your trust in protecting your systems is placed in a single anti-malware vendor.
The combination of the vendor's detection engine and signature database does not mean absolute detection of all known viruses. Implementing malware detection in OSSEC will allow files to be verified against other vendors' databases, hopefully increasing the accuracy of malware detection.
My approach... Keep It Short and Simple:
To achieve this, we make use of the public API offered by VirusTotal. This has a limitation of four requests of any type during any given minute. I strongly recommend paying to use their private API for higher request rates and to support their service. VirusTotal provides a free service that analyses files against multiple signature databases and vendor scan engines. However, this will only use the search function for previously submitted files (file reports).
- Proof of concept.
- Identify how to detect malware.
- Identify complexities in storing relevant
information.
- Identify external resources required.
- Write the code.
- Verify we can get what is required.
- Determine if the concept works and then merge.
- "Translate" the code to C.
- Submit the changes for review by OSSEC Developers.
The concept...
- Collect the hashes and file names we will be checking.
  - These are stored in /var/ossec/queue/syscheck/ by default.
- Collect the system names to which the file names are attributed.
- Check the hashes against VirusTotal's API (3 to 4 per second).
- Record hashes we've previously checked.
- Record if the hash is reported as a potential virus.
- Create a basic report showing the files, systems, and hashes of potential viruses for further investigation.
- Additional runs of the program should not recheck files.
  - This will drastically reduce the run time.
  - It will reduce the load on VirusTotal's free service.
  - Obtaining the report repeatedly for a checksum is not overly beneficial; instead a rescan should be issued. This is out of scope... for now.
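The concept above, worked through as an added example in Python (not the post's Perl scripts): it parses syscheck database lines, keeps an SQLite record so that reruns skip hashes already checked, paces lookups to the four-requests-per-minute public API limit described in the approach section, and builds the report. The VirusTotal call is injected as `lookup(sha1)`, and the syscheck line layout and the sample input are assumptions constructed here, not taken from the post.

```python
import re
import sqlite3
import time

# Assumed syscheck DB line layout: "<flags><size>:<perm>:<uid>:<gid>:<md5>:<sha1> !<mtime> <path>"; sums are found by length.
LINE = re.compile(r'^(?P<sum>\S+) !\d+ (?P<path>.+)$')
SUMS = re.compile(r'([0-9a-f]{32}):([0-9a-f]{40})')

# Constructed sample input: two agents, one file present on both, one entry without sums.
MD5_A, SHA1_A, MD5_C, SHA1_C = 'a' * 32, 'b' * 40, 'c' * 32, 'd' * 40
SAMPLE = {
    'web01': f'+++4096:33188:0:0:{MD5_A}:{SHA1_A} !1400000000 /tmp/update.bat\n'
             '+++0:33188:0:0:xxx:xxx !1400000001 /tmp/empty\n',
    'db02': f'+++4096:33188:0:0:{MD5_A}:{SHA1_A} !1400000002 /tmp/update.bat\n'
            f'+++1234:33188:0:0:{MD5_C}:{SHA1_C} !1400000003 /etc/passwd\n',
}
FAKE_VT = {SHA1_A: 37, SHA1_C: 0}  # constructed stand-in for VT: sha1 -> positives (None = no report)

def parse_syscheck(system, text):
    """Yield (system, path, md5, sha1) for each checksummed entry in one agent's DB."""
    for line in text.splitlines():
        m = LINE.match(line)
        h = SUMS.search(m.group('sum')) if m else None
        if h:
            yield system, m.group('path'), h.group(1), h.group(2)

def open_store(path=':memory:'):
    db = sqlite3.connect(path)  # hashes already checked, and the files that carry them
    db.executescript('CREATE TABLE IF NOT EXISTS checked (sha1 TEXT PRIMARY KEY, md5 TEXT, positives INTEGER);'
                     'CREATE TABLE IF NOT EXISTS files (system TEXT, path TEXT, sha1 TEXT, PRIMARY KEY (system, path, sha1));')
    return db

def check_hashes(db, entries, lookup, per_minute=4, sleep=time.sleep):
    """Call lookup(sha1) once per new hash, pausing after every per_minute calls (public API: 4/min)."""
    calls = 0
    for system, path, md5, sha1 in entries:
        db.execute('INSERT OR IGNORE INTO files VALUES (?,?,?)', (system, path, sha1))
        if db.execute('SELECT 1 FROM checked WHERE sha1=?', (sha1,)).fetchone():
            continue  # checked on an earlier run (or earlier in this one): never recheck
        if calls and calls % per_minute == 0:
            sleep(60)
        calls += 1
        db.execute('INSERT INTO checked VALUES (?,?,?)', (sha1, md5, lookup(sha1)))
    db.commit()
    return calls

def report(db):
    """(system, path, sha1, positives) for every file that at least one vendor flagged."""
    return db.execute('SELECT f.system, f.path, f.sha1, c.positives FROM files f JOIN checked c '
                      'ON c.sha1 = f.sha1 WHERE c.positives > 0 ORDER BY f.system, f.path').fetchall()
```

To use it against a live server, feed the contents of each file in /var/ossec/queue/syscheck/ through parse_syscheck(), pass the entries to check_hashes() with a real file-report lookup and an on-disk store path, then print report().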
And the code
You will need to install DBD::SQLite and VT::API, and register with VirusTotal to obtain an API key. The code in the two attached files is a first pass:
- To see if my idea is possible
- And to see if anything useful can be made of this information
ossec-vt-query - check for potential malware.
ossec-virus-report - create an extremely simple report of files and systems listed as potential malware.