WebMalwareScanner - A simple malware scanner for web applications
Latest commit 0a077f8 Mar 11, 2016
Repository contents:
  • signatures/ (Feb 25, 2016)
  • LICENSE (Feb 24, 2016)
  • README.md (Mar 11, 2016)
  • wms.py (Mar 2, 2016)

README.md

OWASP Web Malware Scanner

About

OWASP Web Malware Scanner is a simple malware scanner for web applications. It can be used to identify compromised Wordpress, Joomla and other popular web application installations.

Official OWASP Project Page

Requirements

  • python >= 2.7

Installation

git clone https://github.com/maxlabelle/WebMalwareScanner.git

Usage

To scan a directory of web installations for compromised files:

python wms.py /path/to/web/installations/


Signature database

OWASP Web Malware Scanner uses a community-driven malware signature database to detect malware. Signatures are found under the signatures/ folder. Each signature database must be a text file that contains the following JSON object:

{
  "Database_Name": "Generic malware database",
  "Database_Signatures": [
    {
      "Malware_Name": "Generic PHP Malware",
      "Malware_Signatures": ["function.*for.*strlen.*isset"]
    }
  ]
}

The 'Database_Signatures' object must be an array of objects, each of which must contain the malware name (Malware_Name) and an array of regular expressions (Malware_Signatures). If the content of a file matches one of these regular expressions, the file is marked as infected.

The signatures for PHP files are in 'signatures/php/'. The signatures for JavaScript files are in 'signatures/js/'.

OWASP Web Malware Scanner also compares MD5 file checksums against known-malicious hashes. MD5 file signatures are in 'signatures/checksum/'. An MD5 signature database must be a text file that contains the following JSON object:

{
  "Database_Name": "Generic malware hash database",
  "Database_Hash": [
    {
      "Malware_Name": "Zip.Trojan.Container",
      "Malware_Hash": "e27122ba785627fca79b4a19c8eea38b"
    }
  ]
}

The 'Database_Hash' object must be an array of objects, each of which must contain the MD5 hash (Malware_Hash) and the malware name (Malware_Name). If the MD5 checksum of a file matches one of these MD5 hashes, the file is marked as infected.
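The following is an added example, not the project's own wms.py: a minimal scanner that consumes both database formats documented above (the regex signature object and the MD5 hash object), walks a directory tree and reports which files hit which signature. The two databases are constructed inline in the documented JSON shape, the sample files it scans are constructed in a temporary directory, and matching regexes with `re.DOTALL` (so that `.*` can span lines) is an assumption of this example, not a documented behaviour of wms.py.

```python
"""Added example: load WMS-style signature databases and scan a directory."""
import hashlib
import json
import os
import re
import shutil
import tempfile

# Constructed sample file that stands in for a known-bad archive; its MD5
# is placed in the hash database below so the hash path can be exercised.
SAMPLE_CONTAINER = b"PK\x03\x04constructed sample archive, not a real trojan\n"
MALWARE_HASH = hashlib.md5(SAMPLE_CONTAINER).hexdigest()

# Regex database in the README's 'Database_Signatures' shape (constructed).
# In the project these live under signatures/php/ and signatures/js/.
REGEX_DB = json.loads('''{
  "Database_Name": "Generic malware database",
  "Database_Signatures": [
    {"Malware_Name": "Generic PHP Malware",
     "Malware_Signatures": ["function.*for.*strlen.*isset"]}
  ]
}''')

# Hash database in the README's 'Database_Hash' shape (constructed).
# In the project these live under signatures/checksum/.
HASH_DB = json.loads('{"Database_Name": "Generic malware hash database",'
                     ' "Database_Hash": [{"Malware_Name": "Zip.Trojan.Container",'
                     ' "Malware_Hash": "%s"}]}' % MALWARE_HASH)


def load_regex_db(db):
    """Compile every Malware_Signatures pattern, keeping its malware name."""
    compiled = []
    for entry in db["Database_Signatures"]:
        for pattern in entry["Malware_Signatures"]:
            # DOTALL is an assumption of this example: lets '.*' cross newlines.
            compiled.append((entry["Malware_Name"], re.compile(pattern, re.DOTALL)))
    return compiled


def load_hash_db(db):
    """Map lower-case MD5 hex digests to malware names."""
    return {e["Malware_Hash"].lower(): e["Malware_Name"] for e in db["Database_Hash"]}


def scan_file(path, regexes, hashes):
    """Return the list of malware names that match this file (empty = clean)."""
    with open(path, "rb") as fh:
        data = fh.read()
    hits = []
    # Exact-content match: the whole file's MD5 must equal a database entry.
    digest = hashlib.md5(data).hexdigest()
    if digest in hashes:
        hits.append(hashes[digest])
    # Content match: decode leniently so binary files do not abort the scan.
    text = data.decode("utf-8", errors="replace")
    for name, rx in regexes:
        if rx.search(text):
            hits.append(name)
    return hits


def scan_tree(root, regexes, hashes):
    """Walk root recursively; return {relative path: [malware names]} for hits."""
    infected = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            hits = scan_file(full, regexes, hashes)
            if hits:
                infected[os.path.relpath(full, root)] = hits
    return infected


def demo():
    """Build a throwaway web root with one clean, one regex-hit and one hash-hit file."""
    root = tempfile.mkdtemp(prefix="wms_example_")
    try:
        samples = {
            "clean.php": b"<?php echo 'hello, world'; ?>\n",
            # Constructed, non-functional snippet that matches the regex above.
            "bad.php": (b"<?php function decode($s) {\n"
                        b"  for ($i = 0; $i < strlen($s); $i++) { }\n"
                        b"  if (isset($s)) { echo $s; }\n}\n"),
            "dropper.zip": SAMPLE_CONTAINER,
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return scan_tree(root, load_regex_db(REGEX_DB), load_hash_db(HASH_DB))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, names in sorted(demo().items()):
        print("%s: INFECTED (%s)" % (path, ", ".join(names)))
```

Two properties of the formats are worth keeping in mind when writing signatures: a hash entry only ever matches a byte-identical file, so it is precise but catches nothing once a single byte changes, while a broad regex such as `function.*for.*strlen.*isset` will also fire on legitimate code, so new regex signatures should be run against clean WordPress and Joomla installs before they are contributed.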

You are welcome to contribute to this project by adding new signatures to this database.

Credits

OWASP Web Malware Scanner is written by Maxime Labelle - maxime.labelle@owasp.org

License

OWASP Web Malware Scanner is released under the BSD license. See the LICENSE file for details.