Tuesday 1 December 2015

Malcom - Malware Communication Analyzer of Network Traffic


Malcom is a tool designed to analyze a system's network communication using graphical representations of network traffic, and to cross-reference them with known malware sources.

This comes in handy when analyzing how certain malware species try to communicate with the outside world.

Malcom can help you:

  • Detect central command and control (C&C) servers
  • Understand peer-to-peer networks
  • Observe DNS fast-flux infrastructures
  • Quickly determine if a network artifact is 'known-bad'

The aim of Malcom is to make malware analysis and intel gathering faster by providing a human-readable version of network traffic originating from a given host or network, converting network traffic information into actionable intelligence faster.

Quick how-to Install

  • Make sure mongodb and redis-server are running
  • Elevate your privileges to root (yeah, I know, see disclaimer)
  • Start the webserver using the default configuration with ./malcom.py -c malcom.conf (or see options with ./malcom.py --help)
      • For an example configuration file, you can copy malcom.conf.example to malcom.conf
      • Default port is 8080
      • Alternatively, run the feeds from celery.


Malcom is written in python. Provided you have the necessary libraries, you should be able to run it on any platform. I highly recommend the use of python virtual environments (virtualenv) so as not to mess up your system libraries.

The following was tested on Ubuntu server 14.04 LTS:

Install git, python and libevent libs, mongodb, redis, and other dependencies

$ sudo apt-get install build-essential git python-dev libevent-dev mongodb libxml2-dev libxslt-dev zlib1g-dev redis-server libffi-dev libssl-dev python-virtualenv

Clone the Git repo:

$ git clone https://github.com/tomchop/malcom.git malcom

Create your virtualenv and activate it:

$ cd malcom
$ virtualenv env-malcom
$ source env-malcom/bin/activate

Get and install scapy:

$ cd ..
$ wget http://www.secdev.org/projects/scapy/files/scapy-latest.tar.gz
$ tar xvzf scapy-latest.tar.gz
$ cd scapy-2.1.0
$ python setup.py install

Still from your virtualenv, install necessary python packages from the requirements.txt file:

$ cd ../malcom
$ pip install -r requirements.txt

For IP geolocation to work, you need to download the Maxmind database and extract the file to the malcom/Malcom/auxiliary/geoIP directory. You can get Maxmind's free (and thus more or less accurate) database from the following link: http://dev.maxmind.com/geoip/geoip2/geolite2/:

$ cd Malcom/auxiliary/geoIP
$ wget http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.mmdb.gz
$ gunzip -d GeoLite2-City.mmdb.gz
$ mv GeoLite2-City.mmdb GeoIP2-City.mmdb

Launch the webserver from the malcom directory using ./malcom.py. Check ./malcom.py --help for listen interface and ports.

For starters, you can copy the malcom.conf.example file to malcom.conf and run ./malcom.py -c malcom.conf
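A pre-flight check for the install steps above, added here as an example and not part of Malcom itself. It assumes the layout those steps produce (malcom.py and malcom.conf in the checkout, the env-malcom virtualenv, and the GeoLite2 database renamed to Malcom/auxiliary/geoIP/GeoIP2-City.mmdb) and confirms that mongod and redis-server are running and the default port 8080 is free before ./malcom.py is started.

```shell
# Pre-flight check for a Malcom checkout (added example, not Malcom's own code).
# Assumes the directory layout produced by the install steps above.

# Verify the on-disk pieces. Prints one line per missing item and returns
# the number of missing items, so 0 means everything is in place.
malcom_check_files() {
    local dir="$1" missing=0 f
    for f in malcom.py malcom.conf env-malcom/bin/activate \
             Malcom/auxiliary/geoIP/GeoIP2-City.mmdb; do
        if [ ! -e "$dir/$f" ]; then
            echo "missing: $dir/$f"
            missing=$((missing + 1))
        fi
    done
    # malcom.conf absent but the shipped example present: say how to fix it.
    if [ ! -e "$dir/malcom.conf" ] && [ -e "$dir/malcom.conf.example" ]; then
        echo "hint: cp $dir/malcom.conf.example $dir/malcom.conf"
    fi
    return "$missing"
}

# Verify the services Malcom depends on: mongod and redis-server must be
# running and the listen port (default 8080) must be free. Returns the
# number of problems found.
malcom_check_services() {
    local port="${1:-8080}" problems=0 svc
    for svc in mongod redis-server; do
        if ! pgrep -x "$svc" >/dev/null 2>&1; then
            echo "not running: $svc"
            problems=$((problems + 1))
        fi
    done
    # ss comes with iproute2; the port check is skipped if it is absent.
    if command -v ss >/dev/null 2>&1 && \
       ss -ltn 2>/dev/null | grep -qE ":$port[[:space:]]"; then
        echo "port $port already in use"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Run both checks; only start ./malcom.py when the total is 0.
# Usage: malcom_preflight /path/to/malcom
malcom_preflight() {
    local dir="${1:-.}" files=0 services=0
    malcom_check_files "$dir" || files=$?
    malcom_check_services 8080 || services=$?
    [ $((files + services)) -eq 0 ] && \
        echo "ok: run (cd $dir && ./malcom.py -c malcom.conf)"
    return $((files + services))
}
```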
