malcontent


 _ _    _.  .    _   _    _  .  ___   _.   _  .  ___
( | )  (_|  |_  (_  (_)  ( \_)   |   (/_  ( \_)   |

            subtle malware discovery tool

malcontent detects supply-chain compromises and other malicious software. It has 3 modes of operation: scan, analyze, and diff (each described below).

malcontent is a bit paranoid and prone to false positives. It is currently focused on finding threats that impact Linux and macOS, but it can also detect threats that impact other platforms.

Features

Modes

Scan

Scan directories for possible malware. This is our simplest feature, but not particularly novel either. malcontent is pretty paranoid in this mode, so expect some false positives:

scan screenshot

You can also scan a container image: mal scan -i cgr.dev/chainguard/nginx:latest

Useful flags:

Analyze

To analyze the capabilities of a program, use mal analyze. For example:

analyze screenshot

The analyze mode emits a list of capabilities often seen in malware, categorized by risk level. It works with programs in a wide variety of file formats and scripting languages.

CRITICAL findings should be considered malicious. Useful flags include:

Diff

To detect unexpected capability changes, try diff mode. This allows you to find far more subtle attacks than a general scan, as you generally have both a baseline "known good" version and the context to understand what capabilities a program needs to operate.

Using the 3CX Compromise as an example, we're able to use malcontent to detect malicious code inserted in an otherwise harmless library:

diff screenshot

Each line that begins with "++" represents a newly added capability. You can also use diff mode on entire directories recursively, even if they contain programs written in a variety of languages.
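As an added example (not code from the malcontent project), here is a minimal POSIX shell gate around diff mode for a CI job: it runs `mal diff` on a baseline and a candidate build, treats every output line beginning with "++" as a newly added capability (as described above), and fails when any appear. It assumes `mal` is on PATH and that BASELINE and CANDIDATE are paths malcontent can diff; the sample report in the comments is constructed, not real tool output.

```shell
#!/bin/sh
# Added example, not part of the malcontent project.
# A CI gate around `mal diff`: fail the build when the report contains any
# "++" lines, which the README defines as newly added capabilities.

# Print only the lines that report newly added capabilities.
# Reads a `mal diff` report on stdin; leading whitespace is tolerated
# (an assumption, in case the tool indents its output).
added_capabilities() {
    grep -E '^[[:space:]]*[+][+]' || true
}

# Count the added-capability lines in a report read from stdin.
# Always prints a number (0 when there are none).
count_added() {
    added_capabilities | grep -c . || true
}

# Run the diff and gate on it.
# Returns 0 when no capability was added, 1 when at least one was,
# and 2 when `mal diff` itself failed to run.
capability_gate() {
    baseline="$1"
    candidate="$2"
    report="$(mal diff "$baseline" "$candidate")" || return 2
    n="$(printf '%s\n' "$report" | count_added)"
    if [ "$n" -gt 0 ]; then
        printf 'FAIL: %s new capabilities in %s\n' "$n" "$candidate" >&2
        printf '%s\n' "$report" | added_capabilities >&2
        return 1
    fi
    printf 'OK: no new capabilities in %s\n' "$candidate"
    return 0
}

# Usage in a pipeline (baseline = last known-good build, candidate = this build):
#   capability_gate ./dist-baseline ./dist-candidate
# A constructed report such as
#   ++ net/socket/connect: connects to a remote host
#   -- unchanged line
# makes count_added print 1 and capability_gate return 1.
```

The gate is intentionally strict (any added capability fails); a team that wants to tolerate low-risk additions can filter the "++" lines further before counting them.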

For use in CI/CD pipelines, you may find the following flags helpful:

Installation

Container

docker pull cgr.dev/chainguard/malcontent:latest

Local

Requirements: a Go toolchain (for go install) and the YARA library.

For example, to install the YARA library on Linux or macOS:

brew install yara || sudo apt install libyara-dev \
 || sudo dnf install yara-devel || sudo pacman -S yara

Install malcontent:

go install github.com/chainguard-dev/malcontent/cmd/mal@latest

Help Wanted

malcontent is an honest-to-goodness open-source project. If you are interested in contributing, check out DEVELOPMENT.md. Send us a pull request, and we'll help you with the rest!