SHARE
Malcom

Malcom is a tool designed to analyze a system’s network communication using graphical representations of network traffic, and cross-reference them with known malware sources.

This comes handy when analyzing how certain malware species try to communicate with the outside world. This tool can help you for the following;

  • detect central command and control (C&C) servers
  • understand peer-to-peer networks
  • observe DNS fast-flux infrastructures
  • quickly determine if a network artifact is ‘known-bad’

The aim of this tool is to make malware analysis and intel gathering faster by providing a human-readable version of network traffic originating from a given host or network. Convert network traffic information to actionable intelligence faster.

Also Read:Evilginx2 : Standalone Man-In-The-Middle Attack Framework

Malcom Installation

It is written in python. Provided you have the necessary libraries, you should be able to run it on any platform. I highly recommend the use of python virtual environments (virtualenv) so as not to mess up your system libraries.

The following was tested on Ubuntu server 14.04 LTS:

Install git, python and libevent libs, mongodb, redis, and other dependencies

$ sudo apt-get install build-essential git python-dev libevent-dev mongodb libxml2-dev libxslt-dev zlib1g-dev redis-server libffi-dev libssl-dev python-virtualenv

Clone the Git repo:

$ git clone https://github.com/tomchop/malcom.git malco

Create your virtualenv and activate it:

$ cd malcom
$ virtualenv env-malcom
$ source env-malcom/bin/activate

Get and install scapy:

$ cd ..
$ wget http://www.secdev.org/projects/scapy/files/scapy-latest.tar.gz
$ tar xvzf scapy-latest.tar.gz
$ cd scapy-2.1.0
$ python setup.py install

Still from your virtualenv, install necessary python packages from the requirements.txt file:

$ cd ../malcom
$ pip install -r requirements.txt

For IP geolocation to work, you need to download the Maxmind database and extract the file to the malcom/Malcom/auxiliary/geoIP directory. You can get Maxmind’s free (and thus more or less accurate) database from the following link: http://dev.maxmind.com/geoip/geoip2/geolite2/:

$ cd Malcom/auxiliary/geoIP
$ wget http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.mmdb.gz
$ gunzip -d GeoLite2-City.mmdb.gz
$ mv GeoLite2-City.mmdb GeoIP2-City.mmdb

Launch the webserver from the tools directory using ./malcom.py. Check ./malcom.py –help for listen interface and ports.

For starters, you can copy the malcom.conf.example file to malcom.conf and run ./malcom.py -c malcom.conf.

Technical specs

It was written mostly from scratch, in Python. It uses the following frameworks to work:

  • flask – a lightweight python web framework
  • mongodb – a NoSQL database. It interfaces to python with pymongo
  • redis – An advanced in-memory key-value store
  • d3js – a JavaScript library that produces awesome force-directed graphs (https://github.com/mbostock/d3/wiki/Gallery)
  • bootstrap – a CSS framework that will eventually kill webdesign, but makes it extremely easy to quickly “webize” applications that would only work through a command prompt.

Disclaimer

This tool was coded during my free time. Like a huge number of tools we download and use daily, we wouldn’t recommend to use it on a production environment where data stability and reliability is a MUST.

  • It may be broken, have security gaps (running it as root in uncontrolled environments is probably not a good idea), or not work at all.
  • It’s written in python, so don’t expect it to be ultra-fast or handle huge amounts of data easily.
  • I’m no coder, so don’t expect to see beautiful pythonic code everywhere you look. Or lots of comments.

It’s in early stages of development.

Credit: Thomas Chopitea