Malcom is a tool designed to analyze a system’s network communication using graphical representations of network traffic, and cross-reference them with known malware sources.
This comes handy when analyzing how certain malware species try to communicate with the outside world. This tool can help you for the following;
- detect central command and control (C&C) servers
- understand peer-to-peer networks
- observe DNS fast-flux infrastructures
- quickly determine if a network artifact is ‘known-bad’
The aim of this tool is to make malware analysis and intel gathering faster by providing a human-readable version of network traffic originating from a given host or network. Convert network traffic information to actionable intelligence faster.
Also Read:Evilginx2 : Standalone Man-In-The-Middle Attack Framework
Malcom Installation
It is written in python. Provided you have the necessary libraries, you should be able to run it on any platform. I highly recommend the use of python virtual environments (virtualenv) so as not to mess up your system libraries.
The following was tested on Ubuntu server 14.04 LTS:
Install git, python and libevent libs, mongodb, redis, and other dependencies
$ sudo apt-get install build-essential git python-dev libevent-dev mongodb libxml2-dev libxslt-dev zlib1g-dev redis-server libffi-dev libssl-dev python-virtualenv
Clone the Git repo:
$ git clone https://github.com/tomchop/malcom.git malco
Create your virtualenv and activate it:
$ cd malcom
$ virtualenv env-malcom
$ source env-malcom/bin/activate
Get and install scapy:
$ cd ..
$ wget http://www.secdev.org/projects/scapy/files/scapy-latest.tar.gz
$ tar xvzf scapy-latest.tar.gz
$ cd scapy-2.1.0
$ python setup.py install
Still from your virtualenv, install necessary python packages from the requirements.txt file:
$ cd ../malcom
$ pip install -r requirements.txt
For IP geolocation to work, you need to download the Maxmind database and extract the file to the malcom/Malcom/auxiliary/geoIP directory. You can get Maxmind’s free (and thus more or less accurate) database from the following link: http://dev.maxmind.com/geoip/geoip2/geolite2/:
$ cd Malcom/auxiliary/geoIP
$ wget http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.mmdb.gz
$ gunzip -d GeoLite2-City.mmdb.gz
$ mv GeoLite2-City.mmdb GeoIP2-City.mmdb
Launch the webserver from the tools directory using ./malcom.py. Check ./malcom.py –help for listen interface and ports.
For starters, you can copy the malcom.conf.example file to malcom.conf and run ./malcom.py -c malcom.conf.
Technical specs
It was written mostly from scratch, in Python. It uses the following frameworks to work:
- flask – a lightweight python web framework
- mongodb – a NoSQL database. It interfaces to python with pymongo
- redis – An advanced in-memory key-value store
- d3js – a JavaScript library that produces awesome force-directed graphs (https://github.com/mbostock/d3/wiki/Gallery)
- bootstrap – a CSS framework that will eventually kill webdesign, but makes it extremely easy to quickly “webize” applications that would only work through a command prompt.
Disclaimer
This tool was coded during my free time. Like a huge number of tools we download and use daily, we wouldn’t recommend to use it on a production environment where data stability and reliability is a MUST.
- It may be broken, have security gaps (running it as root in uncontrolled environments is probably not a good idea), or not work at all.
- It’s written in python, so don’t expect it to be ultra-fast or handle huge amounts of data easily.
- I’m no coder, so don’t expect to see beautiful pythonic code everywhere you look. Or lots of comments.
It’s in early stages of development.
Credit: Thomas Chopitea