Malcom - Malware Communication Analyzer of Network Traffic.
Malcom is a tool designed to analyze a system's network communication using graphical representations of network traffic, and cross-reference them with known malware sources.
This comes handy when analyzing how certain malware species try to communicate with the outside world.
Malcom can help you:
- detect central command and control (C&C) servers
- understand peer-to-peer networks
- observe DNS fast-flux infrastructures
- quickly determine if a network artifact is 'known-bad'
- The aim of Malcom is to make malware analysis and intel gathering faster by providing a human-readable version of network traffic originating from a given host or network. Convert network traffic information to actionable intelligence faster.
Quick how-to Install
- Make sure mongodb and redis-server are running
- Elevate your privileges to root (yeah, I know, see disclaimer)
- Start the webserver using the default configuration with ./malcom.py -c malcom.conf (or see options with ./malcom.py --help) ** For an example configuration file, you can copy malcom.conf.example to malcom.conf ** Default port is 8080 ** Alternatively, run the feeds from celery.
Malcom is written in python. Provided you have the necessary libraries, you should be able to run it on any platform. I highly recommend the use of python virtual environments (virtualenv) so as not to mess up your system libraries.
The following was tested on Ubuntu server 14.04 LTS:
Install git, python and libevent libs, mongodb, redis, and other dependencies
$ sudo apt-get install build-essential git python-dev libevent-dev mongodb libxml2-dev libxslt-dev zlib1g-dev redis-server libffi-dev libssl-dev python-virtualenv
Clone the Git repo:
$ git clone https://github.com/tomchop/malcom.git malcom
Create your virtualenv and activate it:
$ cd malcom
$ virtualenv env-malcom
$ source env-malcom/bin/activate
Get and install scapy:
$ cd ..
$ wget http://www.secdev.org/projects/scapy/files/scapy-latest.tar.gz
$ tar xvzf scapy-latest.tar.gz
$ cd scapy-2.1.0
$ python setup.py install
Still from your virtualenv, install necessary python packages from the requirements.txt file:
$ cd ../malcom
$ pip install -r requirements.txt
For IP geolocation to work, you need to download the Maxmind database and extract the file to the malcom/Malcom/auxiliary/geoIP directory. You can get Maxmind's free (and thus more or less accurate) database from the following link: http://dev.maxmind.com/geoip/geoip2/geolite2/:
$ cd Malcom/auxiliary/geoIP
$ wget http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.mmdb.gz
$ gunzip -d GeoLite2-City.mmdb.gz
$ mv GeoLite2-City.mmdb GeoIP2-City.mmdb
Launch the webserver from the malcom directory using ./malcom.py. Check ./malcom.py --help for listen interface and ports.
For starters, you can copy the malcom.conf.example file to malcom.conf and run ./malcom.py -c malcom.conf