Malcom (Malware Communication Analyzer) analyzes network traffic and presents the result to the user as a graph. The graph is cross-referenced with known malicious hosts and domains, which helps security researchers see at a glance which parts of a malware sample's traffic matter.
What can Malcom do?
Malcom can help us to:
1. Detect central command & control servers;
2. Identify peer-to-peer networks;
3. Recognize DNS infrastructures;
4. Quickly assess the "maliciousness" of network traffic.
The goal of Malcom is to make malware analysis easier by showing network traffic graphically and enriching it with threat intelligence, rather than leaving the researcher to read raw packet captures.
[Figure: sample analysis graph for the host tomchop.me]

[Figure: dataset view, filterable by IP]
Tool Installation
Malcom is written in Python and depends only on Python libraries and a few common services, so it should run on any platform that provides them. Installing it inside a Python virtual environment (virtualenv) is strongly recommended, so that its dependencies do not interfere with the system's Python libraries.
The following commands have been tested on Ubuntu Server 14.04 LTS:
- Install git, python, the libevent library, mongodb, redis and the other build dependencies:
$ sudo apt-get install build-essential git python-dev libevent-dev mongodb libxml2-dev libxslt-dev zlib1g-dev redis-server libffi-dev libssl-dev python-virtualenv
- Clone the Git repository:
$ git clone https://github.com/tomchop/malcom.git malcom
- Create and activate your virtualenv:
$ cd malcom
$ virtualenv env-malcom
$ source env-malcom/bin/activate
- Install scapy:
$ cd ..
$ wget http://www.secdev.org/projects/scapy/files/scapy-latest.tar.gz
$ tar xvzf scapy-latest.tar.gz
$ cd scapy-2.1.0
$ python setup.py install
- With the virtualenv still active, install the remaining Python packages listed in requirements.txt:
$ cd ../malcom
$ pip install -r requirements.txt
If you want IP geolocation information in the graph, download the Maxmind database and extract its files into the malcom/Malcom/auxiliary/geoIP directory.
Maxmind offers the database as a free download: [Portal].
The web server is started with ./malcom.py; run ./malcom.py --help to see the available options, including the interface and port to listen on. Before the first start, copy malcom.conf.example to malcom.conf, adjust it as needed, and launch Malcom with that configuration:
./malcom.py -c malcom.conf
Configuration Options
Database
By default, Malcom attempts to connect to a local mongodb instance and creates its own database called malcom.
Set Malcom database name
By default, Malcom's database is named malcom. To change it, edit malcom.conf and set the name option under the [database] section:
[database]
...
name = my_malcom_database
...
Remote Database
You can use a standalone database running on the host my.mongo.server:
[database]
...
hosts = my.mongo.server
...
You can also specify the mongodb port:
[database]
...
hosts = localhost:27008
...
Using Authentication
If your mongodb instance requires authenticated connections, set the username and password Malcom should use:
[database]
...
username = my_user
password = change_me
...
If that user is defined in a different mongodb database than the one Malcom stores its data in, point authentication_database at the database that holds the user:
[database]
...
authentication_database = some_other_database
...
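To show how the [database] options above fit together, the following script parses a malcom.conf-style [database] section and assembles a mongodb:// connection string from it, percent-encoding the credentials and adding authSource when authentication_database differs from the data database. It is an added example, not Malcom's own code: the option names are the ones documented on this page, but the defaults (localhost, authentication against the data database when authentication_database is unset) and the insecure_remote check are assumptions made for illustration, and the sample configurations are constructed.

```python
"""Build a MongoDB connection URI from a malcom.conf-style [database] section.

Added example, not Malcom's own code. The option names (hosts, name, username,
password, authentication_database) are the ones shown on this page; the
defaults and the way they are combined into a URI are assumptions.
"""
import configparser
from urllib.parse import quote_plus

# Constructed sample configurations covering the cases described on the page.
SAMPLE_LOCAL = """
[database]
name = my_malcom_database
"""

SAMPLE_REMOTE_AUTH = """
[database]
hosts = my.mongo.server:27008
name = malcom
username = my_user
password = ch@nge:me/now
authentication_database = admin
"""


def parse_database_section(text):
    """Return the [database] options as a dict, applying the assumed defaults."""
    # interpolation=None so a '%' in a password is not treated as a format string
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    section = parser["database"] if parser.has_section("database") else {}
    name = section.get("name", "malcom")  # default name stated on the page
    return {
        "hosts": section.get("hosts", "localhost"),  # assumed default
        "name": name,
        "username": section.get("username"),
        "password": section.get("password"),
        # Assumption: without authentication_database, the user is looked up
        # in the data database itself (mongodb's authSource semantics).
        "authentication_database": section.get("authentication_database") or name,
    }


def build_mongo_uri(cfg):
    """Compose mongodb://[user:pass@]hosts/db[?authSource=...]."""
    auth = ""
    if cfg["username"]:
        # '@', ':' and '/' inside a password would be read as URI delimiters,
        # so both credential parts are percent-encoded.
        user = quote_plus(cfg["username"])
        password = quote_plus(cfg["password"] or "")
        auth = f"{user}:{password}@"
    uri = f"mongodb://{auth}{cfg['hosts']}/{cfg['name']}"
    if cfg["username"] and cfg["authentication_database"] != cfg["name"]:
        uri += f"?authSource={cfg['authentication_database']}"
    return uri


def insecure_remote(cfg):
    """True when Malcom would talk to a non-local mongod without credentials.

    A remote mongod reachable without authentication exposes every indicator
    Malcom has collected, so this combination deserves a warning.
    """
    host = cfg["hosts"].split(":")[0]
    return host not in ("localhost", "127.0.0.1") and not cfg["username"]


if __name__ == "__main__":
    for sample in (SAMPLE_LOCAL, SAMPLE_REMOTE_AUTH):
        cfg = parse_database_section(sample)
        print(build_mongo_uri(cfg), "insecure_remote:", insecure_remote(cfg))
```

Run it as a script to print the URI for both constructed configurations; the second one shows why the password must be encoded before it is placed in the connection string, and the first shows that a local, unauthenticated mongod is the default the page describes.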
Docker Instance
You can directly get Docker images from the public Docker repository:
$ sudo docker pull tomchop/malcom-automatic
$ sudo docker run -p 8080:8080 -d --name malcom tomchop/malcom-automatic
Malcom is then reachable in your browser on port 8080 of the Docker host.
Project Address
Malcom: https://github.com/tomchop/malcom
*Reference source: malcom. Compiled by FreeBuf editor Alpha_h4ck; please credit FreeBuf.COM when reproducing.