Malware - Perl extension for storing and manipulation malware and it's attributes
See Constructor new()
The idea of this module is to allow authors to parse different inputs that perform malware analysis and build objects that describe a piece of malware's behaviour. From here we can write detection or blocking rules based on that behavior.
For now, the parsers will live within this class as they are directly connected to the API, this may change in the future.
Object Constructor
my $m = Malware->new( -platform => 'win32', -filesize => $size, -filesizeUnits => $units, -filename => $name, -classification => $class, -md5sum => $md5, -source => $src, -sourceLoc => $srcLoc, -rawReport => $rawTextReport, -dt_found => $dt, # [see Time::Timestamp] -connections => $cons, # [see Net::Connection::Simple] -securityIssues => $si, -antiEmulation => $ae, -backdoors => $bd, # [see Net::Protocol::Simple] -malwareFiles => $mw # [hashref], );
By setting the -platform, the module will try to re-bless itself as that module (ie: Malware::Win32 for -platform => win32). This allows you to scale into specific OS's and their properties (registry for win32).
See OBJECT ACCESSORS for the i/o of these properties
Returns a blurb of the raw report in a nicer Text::Table'ish form. If you subclass (Malware::$platform) this module, you can tag into this method by creating a 'sub _blurb' function that returns a HASHREF in the form:
sub _blurb { my $self = shift; my $hr = {}; $hr->{Registry} = $self->registry(); return $hr; }
Diggs into the connections property and returns the type of connection you are looking for.
Example: We want all the url connections the malware made
my @http = $m->returnConnectionsByLayer( -type => 'url', -layer => 7, -protocol => 'http') );
Example: We want all the irc connections the malware made via dns
my @irc_dns = $m->returnConnectionsByLayer( -type => 'dns', -layer => 7, -protocol => 'IRC') );
Example: We want all the irc connections the malware made via direct IP
my @irc_dip = $m->returnConnectionsByLayer( -type => 'dip', -layer => 7, -protocol => 'IRC') );
All three params are required or it will return:
("Invalid parameters...",undef)
On success it returns an @rray of strings
Sets and returns the filesize
Sets and returns the filesizeUnits
Sets and returns the filename()
Sets and returns the malware classification
Sets and returns the md5sum
Sets and returns the date found, return is a Time::Timestamp object
$m->dt_found($timestamp,$timezone);
Timezone is optional, but the timing could get screwed up if you don't set it
Sets and returns the malware report source (where did you get it?)
Sets and returns the source location (what medium did you get it from (email, website, etc...)
Sets and returns the connection behaviour of the malware.
my $c = Net::Connection::Simple->new(...); $m->connections($c); my @cons = @{$m->connections()};
Accepts: Net::Connection::Simple or returns ($errstr,undef)
Returns: a ref to an array of Net::Connection::Simple objects
Sets and returns the malwares backdoor behavior.
my $p = Net::Protocol::Simple->new(...); $m->backdoors($p); my @bds = @{$m->backdoors};
Accepts: Net::Protocol::Simple or returns ($errstr,undef)
Returns: a ref to an array of Net::Protocol::Simple objects
Sets and returns the processInfo behavior.
Accepts: string
Returns: a ref to an array of strings
Sets and returns the filesystem behavior.
Sets and returns the raw report string
Returns: string
Sets and returns a list of other files that are found to be created or associated with this malware
Accepts: HASHREF or returns ($errstr,undef)
$m->malwareFiles({ $f1 => $md5, $f2 => $virus_sig, });
OR
$m->malwareFiles({ $f1->{md5} = $md5, $f1->{vsig} = $virus_sig, $f1->{snortSig} = $snort_sig, });
Returns: HASHREF
Sets and returns the antiEmulation behavior.
Accepts: int [undef|1|0]
Returns: whatever you put in
**Note: the blurb will translate [undef] as unknown
Sets and returns other security issues that are caused.
Time::Timestamp,Net::Connection::Simple,Net::Protocol::Simple
Wes Young, <saxguard9-cpan@yahoo.com>
Copyright (C) 2006 by Wes Young
This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself, either Perl version 5.8.7 or, at your option, any later version of Perl 5 you may have available.
To install Malware, copy and paste the appropriate command in to your terminal.
cpanm
cpanm Malware
CPAN shell
perl -MCPAN -e shell install Malware
For more information on module installation, please visit the detailed CPAN module installation guide.