Malware Detection

I install lots of software, but Build-essential does not ring any bells in my memory.

That's really only needed when you are building software from source.

One 'common' use would be the VirtualBox tools. If you get into virtualizing OSes, you may run into that.
 


That's really only needed when you are building software from source.

One 'common' use would be the VirtualBox tools. If you get into virtualizing OSes, you may run into that.
And none of that is on my radar either. I avoid VM stuff of all types, and building soiftware from source is definitely not gonna happen.

I uninstalled it.

Unsure whether to chase it or let it go
 
Unsure whether to chase it or let it go

Any remnants will be harmless.

I avoid VM stuff of all types

I like VMs, at least when they're useful. They let me test. They let me try other OSes. In fact, they even let me check the validity of solutions that I propose (from time to time). So, they're useful for me.

They do take up some resources. So, yeah, I could understand not using them. They can also have a learning curve. For that, I see VirtualBox or VMware as the best options. They're fairly intuitive, have a handy GUI, and they make features easily available.

I doubt that most people need either of those things. They don't need virtualization, and they don't need to build software from source. Building software from source can be fun. I have a weird fascination with watching the process, as text scrolls by in the terminal.
 
I mostly used Virtualbox to run Windows in Linux. But we no longer have a need for Windows.

Windows XP Pro was actually faster in that VM than when running as the sole OS!
 
https://github.com/VirusTotal/yara-x can be installed using rust/cargo
Code:
cargo install yara-x-cli

Then the executable is yr.
Code:
yr --help
YARA-X 1.19.0, the pattern matching swiss army knife.

Victor M. Alvarez <[email protected]>

Usage:
  yr [OPTIONS] <COMMAND>

Commands:
  scan        Scan a file or directory
  compile     Compile rules to binary form
  dump        Show the data produced by YARA modules for a file
  fmt         Format YARA source files
  fix         Utilities for fixing source code
  completion  Output shell completion code for the specified shell
  deps        Show rule dependencies
  help        Print this message or the help of the given subcommand(s)

Options:
  -C, --config <CONFIG_FILE>
          Config file for YARA-X
          
          Specifies a config file which controls the behavior of YARA-X. If config file is not
          specified, ${HOME}/.yara-x.toml is used. If it does not exist the default options are
          applied.
          
          See https://virustotal.github.io/yara-x/docs/cli/config-file/ for supported options.

  -h, --help
          Print help (see a summary with '-h')

  -V, --version
          Print version
 
If you're hitting detection issues, weird behavior, or loading errors with custom rules after a recent update, it's due to major internal changes in compiler semantics regarding string pattern flags (ab6ed6ff & 0305089c)
A repo update and a rebuild resolve the issue.

Code:
git log -n 6 --oneline
818af03f (HEAD -> main, origin/main, origin/HEAD) feat: add support for OLECF version 4 files.
4fc35c7b refactor: optimize OLECF stream data retrieval. (#700)
cf9f986b style: fix clippy warnings.
0cc1fc5e tests: fix broken tests.
0305089c chore: bump SERIALIZATION_VERSION as the semantics of pattern flags has changed.
ab6ed6ff refactor: replace the `Ascii` and `Wide` pattern flags with `WideOnly` and `WideAndAscii`
 
here is interesting autopsy of Linux RAT.
Thanks. Really interesting, but also pretty alarming stuff. The dropper mechanism via AppImage is especially nasty, since the malware is statically "clean," traditional signature scans (like VirusTotal or static Yara) are completely blind to it.

Since dropper has to phone home to grab payload, strict egress filtering is the way to go. I’ve configured my nftables to clamp down on large uploads to kill potential data exfiltration and session hijacking attempts.
Here is a quick rule example for dealing with AppImage..

groupadd block-internet

Code:
table inet filter {
    chain output {
        type filter hook output priority filter; policy accept;
        skgid block-internet reject with icmp type admin-prohibited
    }
}

Then just run it like this > sg block-internet -c "./malware-2.7.4.AppImage"
Or even easier > firejail --net=none "./malware-2.7.4.AppImage"

I’d be curious to hear how everyone else here handles this. Personally, I run Arch, but I keep it strictly to official repos and tools/scripts I’ve developed myself. No AUR, no Flatpak, no AppImages, and absolutely no third-party scripts.
 
I’d be curious to hear how everyone else here handles this. Personally, I run Arch, but I keep it strictly to official repos and tools/scripts I’ve developed myself. No AUR, no Flatpak, no AppImages, and absolutely no third-party scripts.

same here, no AUR, no Flatpak, no AppImages.

i use blocklists, like :

Perl:
my @BLOCKLIST_FEEDS = (
    { label => 'FireHOL Level 1',  type => 'ipset',
      url   => 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset' },
    { label => 'HaGeZi TIF',       type => 'ipset',
      url   => 'https://raw.githubusercontent.com/hagezi/dns-blocklists/refs/heads/main/ips/tif.txt' },
    { label => 'Feodo Tracker C2', type => 'ipset', auth => 1,
      url   => 'https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt' },
    { label => 'URLhaus IP URLs',  type => 'urls', auth => 1,
      url   => 'https://urlhaus.abuse.ch/downloads/text_online/' },
    { label => 'Spamhaus DROP',    type => 'spamhaus_json',
      url   => 'https://www.spamhaus.org/drop/drop_v4.json' },
    { label => 'Spamhaus DROPv6',  type => 'spamhaus_json',
      url   => 'https://www.spamhaus.org/drop/drop_v6.json' },
    { label => 'ThreatFox ip:port', type => 'threatfox_csv', auth => 1,
      url   => 'https://threatfox.abuse.ch/export/csv/ip-port/recent/' },
);

and those are sort / uniq and added to nftables blackhole4 / blackhole6 + i have geoblock also, top 10 malware / etc countries.

US and GB arent blocked cus it would interfere with web browsing too much.

i have few highports allowed for gaming. i need to fine tune my outbound ports to add ip-addresses that are allowed.
 
I’d be curious to hear how everyone else here handles this. Personally, I run Arch, but I keep it strictly to official repos and tools/scripts I’ve developed myself. No AUR, no Flatpak, no AppImages, and absolutely no third-party scripts.
Since the AUR problem I switched to only using the official repos, a few verified Flatpaks and a few Appimages straight from the the source where the developer has them for people to download.
 


Follow Linux.org

Staff online


Top