What tools are available to detect potential malware/backdoor infections?

Hi everyone,
Yesterday I was thinking about what integrated or third-party tools (free or otherwise) we could use to investigate whether our machine has been infected by a backdoor, malware, etc.
My reasoning doesn't start from the idea that it could be an infection resulting from the user executing something, but rather from a deeper level, taking inspiration from the past case of the XZ Utils backdoor, i.e., a flaw in the supply chain.
If something similar were to happen again, what could help us analyze the system?
I don't know of any free "home version" antimalware, except for Clamav, which isn't that great compared to other vendors.
Other tools? AIDE?
One tool that could be very useful is Thor Lite, but there's no version for FreeBSD.

Thanks everyone.
 
Have a look at security(7), audit(8) and maybe check the scripts in /usr/local/etc/periodic/security/ to get a rough overview of the built-in mechanisms.

clamav is mainly intended for e.g. file or mail servers to scan files that are later ingested by Redmond's advertising platform.



flaw in the supply chain.
That's a really nice way of saying "this toy-language sideloads random, unverified crap from all over the internet"

There's an easy fix for this kind of problem: don't use toy languages that sideload crap from the internet... (And if you absolutely must, put that stuff in a tightly locked-down jail and treat it like the security-incident-waiting-to-happen that it is.)
 
Security starts with YOU. There is no software that can protect YOU from YOU.
 

That's a really nice way of saying "this toy-language sideloads random, unverified crap from all over the internet"

I don't understand this statement, could you please explain it to me?
 
Security starts with YOU. There is no software that can protect YOU from YOU.

I understand the concept you're expressing perfectly; I'm a level 2-3 SOC analyst, so let's say I know a thing or two about cybersecurity.
The problem with your statement, however, is that if I update the system via the integrated package manager and bring in a library compromised upstream, perhaps by the project maintainer, my system is compromised even if I've been careful.
The package is correctly signed, but it's still infected.
Dedicated analysis tools are also useful for identifying these problems, obviously using various technologies, from simple heuristics to machine learning, etc.
If you can point me to a document or something similar that illustrates how the security supply chain for FreeBSD works, I'd be very happy to read it.

Thanks again.
 
I usually start with security/lynis, a nice tool to check where to start making a system more secure. For host-based IDS I prefer security/samhain; for network-based IDS, security/suricata. Only the last can be pretty heavy for a server that serves a lot of network connections. There is also security/zeek, but I have never tested it.

Another monitoring tool, which I prefer to use over cron, is sysutils/monit. It can also work as a host-based IDS.

Generally, I would look into the security section of the packages. Perhaps you will find something you need there?
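The host-based integrity checking asked about above (AIDE) and recommended in the reply (samhain) comes down to a baseline that is independent of package signatures: record the mode, owner, size and content hash of every file under a trusted path, keep that record off the host, and diff against it later, which is also what security(7) describes doing with mtree. The following is an added, self-contained Python sketch of that idea written for this thread, not code from AIDE, samhain or FreeBSD; the temp tree and the tampering scenario in demo() are constructed.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def _fingerprint(path: Path) -> dict:
    """mode (incl. setuid/setgid bits), owner, size and SHA-256; symlinks record their target."""
    st = path.lstat()
    entry = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
             "gid": st.st_gid, "size": st.st_size}
    if stat.S_ISLNK(st.st_mode):
        entry["link"] = os.readlink(path)
    elif stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        entry["sha256"] = h.hexdigest()
    return entry

def build_baseline(root: str) -> dict:
    """Fingerprint every file/symlink below ROOT, keyed by path relative to ROOT."""
    root_p = Path(root)
    return {str(Path(d, n).relative_to(root_p)): _fingerprint(Path(d, n))
            for d, _dirs, files in os.walk(root_p) for n in files}

def compare(baseline: dict, current: dict) -> dict:
    """Report added/removed paths and, for surviving ones, which attributes changed."""
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)), "changed": {}}
    for rel in sorted(set(baseline) & set(current)):
        diff = sorted(k for k in set(baseline[rel]) | set(current[rel])
                      if baseline[rel].get(k) != current[rel].get(k))
        if diff:
            report["changed"][rel] = diff
    return report

def demo() -> dict:
    """Constructed scenario: baseline a throwaway tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp, "lib"); lib.mkdir()
        (lib / "liba.so").write_bytes(b"\x7fELF untouched")
        (lib / "libb.so").write_bytes(b"\x7fELF untouched")
        base = build_baseline(tmp)            # store this off-host / read-only in practice
        os.chmod(lib / "liba.so", 0o4755)     # same bytes, but setuid flipped on
        (lib / "libb.so").write_bytes(b"\x7fELF patched!!")  # same size, new contents
        (lib / "libc.so").write_bytes(b"dropped in")         # file that was not there before
        return compare(base, build_baseline(tmp))
```

A real deployment would baseline paths such as /usr/local/lib and /usr/local/bin right after a trusted install and re-run compare() from cron or periodic(8); a package upgrade that changes a library is expected, but a changed hash with no corresponding upgrade is the signal worth investigating.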
 
It's a shame that ESET is Windows-only, as it is an exceptional scanner that finds bugs Malwarebytes misses.
Using proprietary antivirus software is a dumb idea. If it's not open like ClamAV, it should always be considered malicious. And it is.
 
Using proprietary antivirus software is a dumb idea. If it's not open like ClamAV, it should always be considered malicious. And it is.
I see you don't get out much.

FreeBSD has nowhere near the attack surface that Windows does. Nor the installed base.

Malware in this arena is nothing short of staggering, so those of us who work in this arena welcome all the tools we can get.
 