Zeus malware
Malware activity on networks keeps growing. The following example attaches the engine to a cloud environment and uses the functionality the engine provides to detect Zeus malware traffic:

We define two callbacks, one for the host domain and another for the URI. The host/URI list comes from https://zeustracker.abuse.ch/blocklist.php?download=compromised, but you can provide your own.
```python
def callback_uri(flow):
    # Fired when a request URI in the HTTPUriSet of a listed host is seen
    print("Zeus activity detected on flow", str(flow))

def callback_host(flow):
    # Fired when the HTTP Host header matches a listed domain
    h = flow.http_info
    if (h):
        host = str(h.host_name)
        if (host):
            print("Suspicious activity detected on flow", str(flow), host)
```

We use an external malware data file and load it into a DomainNameManager:

```python
import pyaiengine

def loadZeusMalwareData():
    data = dict()
    # Load the hosts and URLs into memory
    # The list has been downloaded from https://zeustracker.abuse.ch/blocklist.php?download=compromised
    h_mng = pyaiengine.DomainNameManager()
    with open("zeus.dat") as f:
        for line in f:
            l = line.strip()
            # Skip blank lines and the comment lines of the downloaded list
            if not l or l.startswith("#"):
                continue
            b = l.find("/")
            if b < 0:
                # Entry without a path: watch the host at its root URI
                r_host, r_uri = l, "/"
            else:
                r_host = l[:b]
                r_uri = l[b:]
            if r_host not in data:
                # One DomainName per host, with its own set of Zeus URIs
                h = pyaiengine.DomainName(r_host, r_host)
                s = pyaiengine.HTTPUriSet("Set for %s" % r_host)
                h.callback = callback_host
                h_mng.add_domain_name(h)
                h.http_uri_set = s
                s.callback = callback_uri
                data[r_host] = (h, s)
            data[r_host][1].add_uri(r_uri)
    return h_mng
```
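The loader above depends on the layout of the downloaded list (one `host/path` per line) and on the engine's own objects. As an added example, not part of the AIEngine wiki or library, the following pure-Python code parses that layout into the same per-host grouping of URIs, tolerating comment lines, scheme prefixes and entries without a path, and classifies an observed Host header and request URI the way the two callbacks report them. `parse_blocklist`, `is_zeus_hit` and the sample lines are constructed for this example; exact URI matching is an assumption.

```python
from collections import defaultdict


def parse_blocklist(lines):
    """Return {host: set(uris)} from 'host/path' lines.

    Comment lines (starting with '#') and blank lines are skipped, hosts are
    lowercased, an optional scheme is dropped, and an entry without a path
    maps to the root URI '/'.
    """
    by_host = defaultdict(set)
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "://" in line:  # tolerate 'http://host/path' entries
            line = line.split("://", 1)[1]
        slash = line.find("/")
        if slash < 0:
            host, uri = line, "/"
        else:
            host, uri = line[:slash], line[slash:]
        by_host[host.lower()].add(uri)
    return dict(by_host)


def is_zeus_hit(by_host, host_name, uri):
    """Classify a flow's Host header and request URI against the parsed list.

    Mirrors what the two callbacks report: a listed host alone is only
    'host' (suspicious); host plus a listed URI is 'uri' (Zeus activity).
    Returns None when the host is not listed. URI matching is exact (assumed).
    """
    host = host_name.lower().split(":", 1)[0]  # drop an explicit port
    uris = by_host.get(host)
    if uris is None:
        return None
    return "uri" if uri in uris else "host"


# Constructed sample in the blocklist's layout (not real indicators).
SAMPLE = """\
# compromised hosts, one host/path per line
example-c2.test/gate.php
http://example-c2.test/config.bin
192.0.2.10/bot/cfg.bin
bare-host.test
"""
```

Feeding `zeus.dat` through `parse_blocklist` before building the DomainName and HTTPUriSet objects gives the same grouping the loader produces, with the malformed lines already filtered out.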
Create a new virtual stack object, used on cloud environments, in the main program:

```python
st = pyaiengine.StackVirtual()
```

Allocate the maximum number of TCP and UDP flows on the stack:

```python
st.tcp_flows = 500000
st.udp_flows = 163840
```

Load the malware data into the HTTPProtocol and assign it to the stack:

```python
st.set_domain_name_manager(loadZeusMalwareData(), "HTTPProtocol")
```

Open the network device, set the previous stack and run the engine:

```python
with pyaiengine.PacketDispatcher("eth0") as pd:
    pd.stack = st
    pd.run()
```