Awesome

Antidoto

Brand new Linux antimalware and antirootkit tool! We know new malware :)

What is Antidoto? It's diagnostic tool for heuristic analysys of Linux machines for detecting malware, viruses and botnets.

Author: Pavel Odintsov / pavel.odintsov [at] gmail.com License: GPLv2

Contributors:

• Kovalkov Dmitrii
• Andrey Tataranovich

How to run:

wget --no-check-certificate https://raw.githubusercontent.com/FastVPSEestiOu/Antidoto/master/Antidoto.pl -OAntidoto.pl
wget --no-check-certificate https://raw.githubusercontent.com/FastVPSEestiOu/Antidoto/master/Antidoto.pm -OAntidoto.pm
perl Antidoto.pl

If you work as non-root user, you should run it with sudo:

sudo perl Antidoto.pl

If you want to use only linux_network_activity_tracker, do the following:

wget --no-check-certificate https://raw.githubusercontent.com/FastVPSEestiOu/Antidoto/master/Antidoto.pm -OAntidoto.pm
wget --no-check-certificate https://raw.githubusercontent.com/FastVPSEestiOu/Antidoto/master/linux_network_activity_tracker.pl -Olinux_network_activity_tracker.pl
perl linux_network_activity_tracker.pl

Where Antidoto can work?

• Can work either on OpenVZ VPS and Hardware Node
• CentOS 5, CentOS 6
• Debian 5, Debian 6, Debian 7
• Ubuntu 10.xx, 12.xx, 13.xx, 14.xx
• Almost any Linux distro because script written in cross platform language (Perl)

Why Antidoto is more effective than classic antivirus scanners for detecting new malware? Test results, sorry it's availible only in russian

What can Antidoto?

• Notify about absent files with last login information (/var/log/btmp, /var/log/wtmp)
• Notify about non blank crontab files for apache and www-data users (/var/spool/cron/crontabs, /var/spool/cron)
• Notify about non blank files and folders with strange names (spaces, dots) in publiс writable folders (/tmp, /var/tmp)
• Notify about processes launched from current directory (./programm_name) by non root user
• Notify about proceses with absent executable file (which was removed after program launch)
• Detect very popular malware using direct md5 executable file hashing in memory
• Notify about danger udp and tcp ports listening by software (irc, proxy, botnet controllers)
• Notify about tcp and udp connections to danger remote ports (irc, botnet controllers)
• Notify about processes with architecture different from the server (for example: 32 bit software running on 64 bit host)
• Notify about processes with statically linked executable files (with integrated libs)
• Notify about processes that were launched with LD_PRELOAD environment variable set
• Notify about processes with executable files with SUID, SGID bits
• Notify about connections to remote servers with abnormal number of threads (5 or more per process)

Antidoto also has audit mode, which works like netstat + lsof + ss and ps, you can read more here.

If you know Perl and want to develop new features for Antidoto, please read developer manual

What are system requirements of Antidoto?

• Perl interpreter with standard modules
• Standard system tools: cat, file, md5sum
• For working on OpenVZ HWN you need vzlist tool
• For using optional ClamAV scanning mode you should install clamdscan

How to enable ClamAV checks:

yum install -y clamav clamd
freshclam
wget http://www.rfxn.com/downloads/rfxn.ndb -O/var/lib/clamav/rfxn.ndb
wget http://www.rfxn.com/downloads/rfxn.hdb -O/var/lib/clamav/rfxn.hdb

/etc/init.d/clamd restart
chkconfig clamd on

• Do you have any analogues? Yes
• What is the reason of creating new software instead improving existing? Justification
• What malware types were analzed for creating Antodoto ruleset? List of analyzed malware