POC script for Malware Hunting over the WWW
To start with Malware Hunting, execute: python3 ./lovac.py.
The script will start looking for random domain names, download the first page of each into the ./lovac_download/ folder and parse interesting strings into the ./lovac_output/ folder. After the tool is done, you can analyze the output files manually and run an antivirus scan on the download folder. The tool saves the current status of the discovery process in the ./lovac_discovered.txt and ./lovac_tried.txt files.
Discover “co.rs” domains, with minimum length 2 and maximum length 6, try 10k combinations and use only letters “abvgdjezijklm”:
# python3 ./lovac.py --tld "co.rs" --min 2 --max 6 --repeat 10000 --chars "abvgdjezijklm"
Discover domains from keyword list and append “.rs”:
# python3 ./lovac.py --list LIST_KEYWORDS_OR_DOMAINS.txt --appendtld --tld "rs"
For all options run: python3 ./lovac.py -h
The tool is based on Python 3, curl and grep; all three should be in your PATH.
There is a lot that can be improved, for a start:
- Extract/Spider extracted URLs
- Add more detections/patterns
- Minimize false positives/negatives
- Improve Reporting for less technical folks
- Optimize code
- Add external interfaces/detections
This script (with the help of ClamAV and a little bit of HTML source investigation) has already detected more than 20 compromised websites in less than 24 hours of running.
Some examples are:
- IFRAME with malicious link
- Defaced web site
- Possible Crypto Miner traces
- Private Information Leak
Details can be found via Twitter tags #Bezbednost #Malware
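As an added example (not the lovac script's own code), here is a minimal Python version of the "interesting strings" step that flags the first three categories above in one downloaded page. The rule patterns and the sample HTML are constructed for illustration; "coinhive" and "cryptonight" are used only as well-known miner strings, not as the tool's actual pattern list.

```python
import re
from urllib.parse import urlparse

# Illustrative detection rules (constructed for this example, not lovac's own list).
RULES = {
    # iframe that is zero-sized or hidden: classic injected-iframe trace
    "hidden_iframe": re.compile(
        r'<iframe[^>]*(?:width\s*=\s*["\']?0|height\s*=\s*["\']?0|display\s*:\s*none)[^>]*>',
        re.IGNORECASE),
    # well-known in-browser miner strings, used here only as an illustration
    "miner_trace": re.compile(r"coinhive|cryptonight", re.IGNORECASE),
    # common defacement signatures
    "defacement": re.compile(r"hacked\s+by|defaced\s+by|owned\s+by", re.IGNORECASE),
}
IFRAME_SRC = re.compile(r'<iframe[^>]*\bsrc\s*=\s*["\']?([^"\' >]+)', re.IGNORECASE)


def scan_page(html, page_domain):
    """Return a list of (rule, evidence) tuples found in one downloaded page."""
    findings = []
    for name, rx in RULES.items():
        for m in rx.finditer(html):
            findings.append((name, m.group(0)[:80]))
    # Any iframe pointing off-site is worth a manual look even if it is not hidden.
    for m in IFRAME_SRC.finditer(html):
        src = m.group(1) if "://" in m.group(1) else "http://" + m.group(1)
        host = urlparse(src).hostname or ""
        if host and host != page_domain and not host.endswith("." + page_domain):
            findings.append(("offsite_iframe", host))
    return findings


# Constructed sample page standing in for a file from ./lovac_download/
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="http://evil.example/load.php" width="0" height="0"></iframe>
<script src="https://cdn.example/coinhive.min.js"></script>
</body></html>"""

if __name__ == "__main__":
    for rule, evidence in scan_page(SAMPLE_HTML, "site.example"):
        print(f"{rule}: {evidence}")
```

Running this over every file in ./lovac_download/ with the site's own domain as the second argument gives a per-page list of hits to triage by hand, which is the same workflow the tool's ./lovac_output/ folder supports.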
The script is under heavy development and has not been tested in detail. Please feel free to report any bugs, upgrades and recommendations.
Happy Hunting!