aiengine / MobileMalwareRuby

Mobile Malware

Nowadays mobile malware is growing fast on the networks. With the following example we can attach the engine to a Gn interface and take advantage of the functionality that the engine provides. Let's see how it works in Ruby:

```ruby
require "ruaiengine"
```

Define a callback function for the detection. If the user wants to extend the behaviour when malware is detected, it is just a matter of putting more intelligence into the callback, such as integrating with a firewall, logging systems and so on.

```ruby
# Called by the engine for every DNS flow whose queried name matches one of
# the DomainName entries registered in the DomainNameManager below.
def callback_domain(flow)
    d = flow.dns_info
    if (d)
        printf "Malware on IP %s domain %s\n", flow.src_ip, d.domain_name
    end
end
```

We use an external list of malware domains and add them to a DomainNameManager:

```ruby
def load_bad_domains
    d = DomainNameManager.new
    # One domain per line; blank lines and '#' comments are skipped.
    File.foreach("malwaredns.dat") do |line|
        name = line.strip
        next if name.empty? || name.start_with?("#")
        dom = DomainName.new("Domain %s" % name, name)
        dom.callback = method(:callback_domain)
        d.add_domain_name(dom)
    end
    return d
end
```

Create a new StackMobile object and the corresponding PacketDispatcher:

```ruby
s = StackMobile.new
pd = PacketDispatcher.new
pd.stack = s
```

Allocate the maximum number of flows on the UDP stack:

```ruby
s.total_udp_flows = 500000
```

Load the malware domains on the DNSProtocol and assign them to the stack:

```ruby
d = load_bad_domains()
s.set_domain_name_manager(d, "DNSProtocol")
```

Open the network device and run the engine. Ctrl-C raises Interrupt, which a bare rescue does not catch, so it is rescued explicitly and the device is closed in an ensure block:

```ruby
pd.open("ens7")
begin
    pd.run()
rescue Interrupt
    print "Stop capturing packets\n"
ensure
    pd.close()
end
```
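As an added example (not code from this wiki or from the ruaiengine gem), the pure Ruby below shows the list hygiene and callback logic worth putting around the two functions above: normalising malwaredns.dat entries before they reach DomainNameManager (comments, blank lines, case, trailing dots, duplicates) and suppressing repeated alerts per client and listed domain. It assumes the engine matches a listed domain and its subdomains by suffix (an assumption about DomainNameManager, not taken from the page) and uses a constructed list and query log so it runs without the gem.

```ruby
require "set"

# Constructed malwaredns.dat-style sample (not real indicators): one domain
# per line, '#' comments and blank lines tolerated, mixed case and dots.
SAMPLE_LIST = "# constructed\nevil-c2.example\nupdates.evil-c2.example\n\nTracker.EXAMPLE.NET.\n"

# Strip comments/blanks, lowercase, drop trailing dots, de-duplicate: the
# engine should not be fed junk lines or the same entry twice.
def normalize_domain_list(text)
  text.each_line.map { |l| l.sub(/#.*/, "").strip.downcase.chomp(".") }
      .reject(&:empty?).uniq
end

# Suffix match: a listed domain also covers its subdomains (assumed to mirror
# how DomainNameManager matches; this is not the engine's own code).
def matched_domain(domains, qname)
  q = qname.downcase.chomp(".")
  domains.find { |d| q == d || q.end_with?(".#{d}") }
end

# Alert sink with per-(client, listed domain) suppression, so a host that
# retries the same lookup yields one alert rather than one per query.
class AlertSink
  attr_reader :alerts
  def initialize
    @alerts = []
    @seen = Set.new
  end
  def report(src_ip, qname, listed)
    return false unless @seen.add?([src_ip, listed])
    @alerts << { src_ip: src_ip, qname: qname, listed: listed }
    true
  end
end

# Constructed DNS query log as [client ip, queried name] pairs.
SAMPLE_QUERIES = [["10.0.0.5", "updates.evil-c2.example"], ["10.0.0.5", "updates.evil-c2.example"],
                  ["10.0.0.9", "cdn.tracker.example.net"], ["10.0.0.9", "notevil-c2.example"]]

# Run the sample queries through the list; returns the de-duplicated alerts.
def process_queries(list_text = SAMPLE_LIST, queries = SAMPLE_QUERIES)
  domains = normalize_domain_list(list_text)
  sink = AlertSink.new
  queries.each do |ip, qname|
    hit = matched_domain(domains, qname)
    sink.report(ip, qname, hit) if hit
  end
  sink.alerts
end
```

Note that "notevil-c2.example" is not matched: the suffix check requires a dot boundary, which avoids false positives from look-alike names.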
