Brand new Linux antimalware and antirootkit tool! We know new malware :)
What is Antidoto? It's a diagnostic tool for heuristic analysis of Linux machines that detects malware, viruses and botnets.
How to run:
wget --no-check-certificate https://raw.githubusercontent.com/pavel-odintsov/Antidoto/master/Antidoto.pl -O Antidoto.pl
wget --no-check-certificate https://raw.githubusercontent.com/pavel-odintsov/Antidoto/master/Antidoto.pm -O Antidoto.pm
perl Antidoto.pl
If you work as a non-root user, run it with sudo:
sudo perl Antidoto.pl
If you want to use only linux_network_activity_tracker, do the following:
wget --no-check-certificate https://raw.githubusercontent.com/pavel-odintsov/Antidoto/master/Antidoto.pm -O Antidoto.pm
wget --no-check-certificate https://raw.githubusercontent.com/pavel-odintsov/Antidoto/master/linux_network_activity_tracker.pl -O linux_network_activity_tracker.pl
perl linux_network_activity_tracker.pl
Where can Antidoto work?
- Works on both OpenVZ VPS containers and the hardware node
- CentOS 5, CentOS 6
- Debian 5, Debian 6, Debian 7
- Ubuntu 10.xx, 12.xx, 13.xx, 14.xx
- Almost any Linux distro, because the script is written in a cross-platform language (Perl)
Why is Antidoto more effective than classic antivirus scanners at detecting new malware? See the test results (sorry, they are available only in Russian).
What can Antidoto do?
- Notify about missing last-login log files (/var/log/btmp, /var/log/wtmp)
- Notify about non-empty crontab files for the apache and www-data users (/var/spool/cron/crontabs, /var/spool/cron)
- Notify about non-empty files and folders with strange names (spaces, dots) in world-writable folders (/tmp, /var/tmp)
- Notify about processes launched from the current directory (./program_name) by a non-root user
- Notify about processes whose executable file is absent (removed after the program was launched)
- Detect very popular malware by md5-hashing the executable file directly from memory
- Notify about software listening on dangerous UDP and TCP ports (IRC, proxy, botnet controllers)
- Notify about TCP and UDP connections to dangerous remote ports (IRC, botnet controllers)
- Notify about processes whose architecture differs from the server's (for example, 32-bit software running on a 64-bit host)
- Notify about processes with statically linked executable files (libraries built in)
- Notify about processes that were launched with LD_PRELOAD
- Notify about processes whose executable files have the SUID or SGID bit set
- Notify about connections to remote servers from processes with an abnormal number of threads (5 or more per process)
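As an added example (not Antidoto's own code), the Python below re-implements four of the per-process heuristics above over /proc: the executable removed after launch, the ./ launch, LD_PRELOAD in the environment, and the 32-bit-on-64-bit architecture mismatch. The function names and finding strings are my own choices; the static-link, port and thread checks are not covered.

```python
import os
import platform
def exe_is_deleted(exe_target: str) -> bool:
    # /proc/PID/exe resolves to '<path> (deleted)' once the binary is unlinked after launch
    return exe_target.endswith(" (deleted)")

def launched_from_cwd(cmdline: bytes) -> bool:
    # /proc/PID/cmdline is NUL-separated; argv[0] starting with './' means a cwd-relative launch
    return cmdline.split(b"\0", 1)[0].startswith(b"./")

def uses_ld_preload(environ: bytes) -> bool:
    # /proc/PID/environ is NUL-separated KEY=VALUE pairs; a non-empty LD_PRELOAD is the signal
    return any(e.startswith(b"LD_PRELOAD=") and len(e) > 11 for e in environ.split(b"\0"))

def elf_bits(header: bytes):
    # 32 or 64 from e_ident[EI_CLASS] (byte 4 of the ELF header); None for non-ELF images
    if len(header) < 5 or header[:4] != b"\x7fELF":
        return None
    return {1: 32, 2: 64}.get(header[4])

def check_process(exe_target, cmdline, environ, exe_header, host=64):
    """Return the heuristics that fire for one process (empty list = nothing suspicious)."""
    findings = []
    if exe_is_deleted(exe_target):
        findings.append("executable removed after launch")
    if launched_from_cwd(cmdline):
        findings.append("launched from current directory")
    if uses_ld_preload(environ):
        findings.append("LD_PRELOAD in environment")
    bits = elf_bits(exe_header)
    if bits is not None and bits != host:
        findings.append(f"{bits}-bit binary on {host}-bit host")
    return findings

def scan_proc(host=None):
    """Walk /proc and map PID -> findings; run as root to read other users' environ and exe."""
    host = host or (64 if "64" in platform.machine() else 32)  # x86_64, aarch64, ppc64le
    results = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        base = f"/proc/{pid}"
        try:
            exe = os.readlink(f"{base}/exe")
            cmdline = open(f"{base}/cmdline", "rb").read()
            environ = open(f"{base}/environ", "rb").read()
            header = open(f"{base}/exe", "rb").read(5)  # readable even after the file is unlinked
        except OSError:
            continue  # kernel threads, processes that exited mid-scan, or no privilege
        if findings := check_process(exe, cmdline, environ, header, host):
            results[int(pid)] = findings
    return results
```

Running `scan_proc()` as root prints nothing itself; iterate over the returned dict to report each flagged PID with its reasons.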
Antidoto also has an audit mode, which works like netstat + lsof + ss + ps; you can read more here.
If you know Perl and want to develop new features for Antidoto, please read the developer manual.
What are the system requirements of Antidoto?
- Perl interpreter with standard modules
- Standard system tools: cat, file, md5sum
- For working on an OpenVZ HWN you need the vzlist tool
- For the optional ClamAV scanning mode you should install clamdscan
How to enable ClamAV checks:
yum install -y clamav clamd
freshclam
wget http://www.rfxn.com/downloads/rfxn.ndb -O /var/lib/clamav/rfxn.ndb
wget http://www.rfxn.com/downloads/rfxn.hdb -O /var/lib/clamav/rfxn.hdb
/etc/init.d/clamd restart
chkconfig clamd on
- Are there any analogues? Yes
- What was the reason for creating new software instead of improving existing tools? Justification
- What malware types were analyzed to create the Antidoto ruleset? List of analyzed malware