
aiengine / MobileMalwarePython

Mobile Malware

Mobile malware is growing fast on today's networks. With the following example we can attach the engine to a Gn interface and take advantage of the functionality the engine provides. Let's see how it works:

```python
import pyaiengine
```
Define a callback function for the detection. If the user wants to do more when malware is detected, it is just a matter of putting more intelligence in the callback, such as integrating with a firewall, logging systems and so on.
```python
def callback(flow):

    # The flow carries the DNS query that matched one of the bad domains.
    d = flow.dns_info
    if (d):
        print("Malware on ip %s domain %s" % (flow.src_ip, d.domain_name))
```
We use an external list of malware domains and add each one to a DomainNameManager:
```python
def loadBadDomains():

    dm = pyaiengine.DomainNameManager()

    # List from http://www.malwaredomainlist.com/hostslist/hosts.txt
    # https://zeustracker.abuse.ch/blocklist.php?download=baddomains for ZeusDomains
    # Parse the hosts-style file ("<address> <domain>") and add the domains.
    i = 0
    with open("hosts.txt", "r") as f:
        for line in f:
            line = line.strip()                # drops "\r\n" and padding
            if not line or line[0] == "#":     # skip blank and comment lines
                continue
            fields = line.split()              # tolerates one or more spaces
            if len(fields) >= 2:
                name = "Bad domain %d" % i
                i = i + 1
                dom = pyaiengine.DomainName(name, fields[1])
                dom.callback = callback

                dm.add_domain_name(dom)
    return dm
```
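As an added example (not part of the aiengine wiki), a more defensive version of the hosts.txt parsing above, run on a constructed sample that exercises comments, CRLF endings, duplicates and the loopback names every hosts file carries; `build_domain_manager` assumes the pyaiengine API shown on this page (`DomainNameManager`, `DomainName`, `add_domain_name`) and imports it lazily so the parser runs without the engine installed.

```python
# Constructed sample in the hosts.txt layout the page parses (not the real
# list); CRLF endings are forced to mimic the downloaded file.
SAMPLE_HOSTS = """\
# malware domains, hosts-file style
127.0.0.1  localhost
127.0.0.1  localhost.localdomain
127.0.0.1  bad-example.test
127.0.0.1  Bad-Example.Test   # same domain, different case
127.0.0.1  another-bad.example
0.0.0.0 single-space.example

127.0.0.1
""".replace("\n", "\r\n")

# Names every hosts file carries; alerting on them would be pure noise.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "local"}


def parse_hosts_blocklist(text):
    """Return the unique, lower-cased domains from a hosts-style blocklist.
    Tolerates comment lines, inline comments, blank lines, CRLF endings and
    any whitespace between address and name (split(" ")[2] needs two spaces)."""
    domains, seen = [], set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments, CR, padding
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:                      # address with no name
            continue
        name = fields[1].lower().rstrip(".")
        if name in LOCAL_NAMES or name in seen:
            continue
        seen.add(name)
        domains.append(name)
    return domains


def build_domain_rules(domains):
    """Pair each domain with the 'Bad domain N' rule name scheme the page uses."""
    return [("Bad domain %d" % i, d) for i, d in enumerate(domains)]


def build_domain_manager(domains, callback):
    """Load the rules into a DomainNameManager (assumed pyaiengine API)."""
    import pyaiengine
    dm = pyaiengine.DomainNameManager()
    for name, domain in build_domain_rules(domains):
        dom = pyaiengine.DomainName(name, domain)
        dom.callback = callback
        dm.add_domain_name(dom)
    return dm
```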
Create a new mobile stack object, allocate the maximum number of flows on the UDP stack, load the malware domains on the DNSProtocol and assign them to the stack, then open the network device, set the stack on the dispatcher and run the engine:
```python
if __name__ == '__main__':

    # Create a new mobile stack object.
    st = pyaiengine.StackMobile()

    # Allocate the maximum number of flows on the UDP stack.
    st.udp_flows = 1638400

    # Load the malware domains on the DNSProtocol and assign them to the stack.
    st.set_domain_name_manager(loadBadDomains(), "DNSProtocol")

    # Open the network device, set the previous stack and run the engine.
    with pyaiengine.PacketDispatcher("eth0") as pd:
        pd.stack = st
        pd.run()
```
