Malcom is a tool for traffic and network-artifact analysis of malware communications. It can also be a good source of intelligence, since it is easy to query and the links between elements are represented visually.
I use Malcom for three main purposes:
Quickly determine whether a host, IP, or URL is "known-bad" (i.e. it has been flagged as malicious by other websites or sources).
Get some intelligence on what relates two different elements. For example, you could see that several different hosts point to the same IP address (or small AS), which has been seen in previous attacks. You might also see that those same hosts were registered by three different email addresses, which have also been seen in phishing kits.
Get a detailed overview of the kind of network traffic patterns a host displays. Is it pinging specific IP addresses? Is it sending SMTP traffic? Is it part of a botnet? What kind of C&C infrastructure is being used?
This section displays all elements present in the database. Since you'll quickly accumulate lots of elements in the DB, the best way to use this tab is to filter results using the search box (regular expressions are supported).
This is what the dataset looks like after importing the ZeusTracker feeds.
Clicking on an element name shows the whole graph for that element. Elements with lots of connections can be quite slow to graph.
Graph for the host tomchop.me.
Graph for a ZeuS-infected webpage.
You can highlight specific elements and their neighbors using the search box.
Hostname tomchop.me highlighted.
URL highlighted.
Feeds allow Malcom to gather data or intelligence from external sources and incorporate it into its engine. As of this writing, only one feed has been created for Malcom, and it gets its data from ZeusTracker. Feeds are pretty straightforward to create; a wiki article on how to create feeds will be posted soon.
Feeds can include anything from
Available feeds (only one for now!)
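To make the feed import and the first two purposes above concrete (is this element known-bad? what do two elements have in common?), here is an added, self-contained illustration of the approach. It is not Malcom's own code or data model: the `Graph` class, the feed text and the hostnames, IPs and resolutions are all constructed for this example, and the feed layout (one indicator per line, `#` comments) is only assumed to resemble a ZeusTracker-style list.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample feed in a ZeusTracker-like "one indicator per line,
# '#' for comments" layout. All hosts and IPs are made up for this example.
SAMPLE_FEED = """\
# constructed feed: URLs, hostnames or IPs, one per line
http://evil-update.example/cfg/config.bin
http://evil-update.example/gate.php
http://mirror-pay.example/gate.php
198.51.100.23
203.0.113.7
"""

# Constructed DNS resolutions, as a sniffer or resolver would have observed them.
SAMPLE_RESOLUTIONS = {
    "evil-update.example": "198.51.100.23",
    "mirror-pay.example": "198.51.100.23",
}


class Graph:
    """Minimal element graph: nodes carry a type and the feeds that tagged them."""

    def __init__(self):
        self.nodes = {}                 # value -> {"type": str, "tags": set}
        self.edges = defaultdict(set)   # value -> set of neighbour values

    def add(self, value, typ, tags=()):
        node = self.nodes.setdefault(value, {"type": typ, "tags": set()})
        node["tags"].update(tags)
        return value

    def link(self, a, b):
        self.edges[a].add(b)
        self.edges[b].add(a)


def classify(value):
    """Return (type, normalised value) for an indicator string."""
    value = value.strip()
    if "://" in value:
        return "url", value
    try:
        ipaddress.ip_address(value)
        return "ip", value
    except ValueError:
        return "hostname", value.lower()


def import_feed(graph, text, source):
    """Parse a feed and add its indicators, tagged with the feed name.
    A URL is linked to the hostname or IP it points to."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        typ, val = classify(line)
        node = graph.add(val, typ, tags={source})
        if typ == "url":
            htyp, hval = classify(urlsplit(val).hostname)
            graph.link(node, graph.add(hval, htyp, tags={source}))


def import_resolutions(graph, mapping):
    """Link each hostname to the IP it resolved to (untagged: not evidence by itself)."""
    for host, ip in mapping.items():
        graph.link(graph.add(host, "hostname"), graph.add(ip, "ip"))


def is_known_bad(graph, value):
    """Purpose 1: has any feed flagged this element?"""
    _, val = classify(value)
    node = graph.nodes.get(val)
    return bool(node and node["tags"])


def pivots(graph, a, b):
    """Purpose 2: elements that both a and b are linked to (e.g. a shared IP)."""
    _, a = classify(a)
    _, b = classify(b)
    return sorted(graph.edges[a] & graph.edges[b])


def build_graph():
    g = Graph()
    import_feed(g, SAMPLE_FEED, "zeustracker")
    import_resolutions(g, SAMPLE_RESOLUTIONS)
    return g


GRAPH = build_graph()

if __name__ == "__main__":
    for v in ("198.51.100.23", "evil-update.example", "example.org"):
        print(v, "known-bad" if is_known_bad(GRAPH, v) else "not flagged")
    print("shared by both hosts:", pivots(GRAPH, "evil-update.example", "mirror-pay.example"))
```

The resolution links are deliberately untagged: a hostname that merely resolves to a flagged IP is a pivot worth looking at, not a verdict, since shared hosting puts benign and malicious names on the same address.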
The sniffer tab allows you to sniff traffic and add nodes to Malcom's engine. Added nodes can then be correlated with those already in the database.
This is especially useful when analyzing malware: you can see at a glance whether it's communicating with known-bad hosts, or what kind of network topology it's using:
Sample traffic from a computer infected with ZeuS-p2p.
The sniffer tab has a subtab called Flows, which displays all traffic flows reconstructed from the sniffed traffic.
Example of how an HTTP request to http://tomchop.me plays out.
This can come in handy when trying to recover malware configuration files, or to see what kind of data is being posted or transferred. For now, it only recognizes HTTP requests and responses. More to come soon.
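The flow reconstruction and HTTP recognition described above, as an added example that is not Malcom's sniffer code: packets are grouped under a direction-independent key, each direction's payload is concatenated, and the start of the stream is checked for an HTTP/1.x request or status line. The packets, addresses and ports are constructed for the example, and the reassembly assumes in-order delivery with no retransmissions.

```python
import re
from collections import defaultdict

# Constructed packets in capture order: (src_ip, src_port, dst_ip, dst_port, payload).
# One HTTP exchange split across packets, plus a non-HTTP flow to a made-up port.
PACKETS = [
    ("10.0.0.5", 49152, "198.51.100.23", 80,
     b"GET /gate.php HTTP/1.1\r\nHost: evil-update.example\r\n\r\n"),
    ("198.51.100.23", 80, "10.0.0.5", 49152,
     b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n"),
    ("198.51.100.23", 80, "10.0.0.5", 49152, b"hello"),
    ("10.0.0.5", 49153, "203.0.113.7", 4444, b"\x00\x01\x02not-http"),
]

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (\d{3}) ([^\r\n]*)\r\n")


def flow_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a conversation land in one flow."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def reconstruct_flows(packets):
    """Group packets into flows and concatenate each direction's payload.
    Assumes in-order delivery with no retransmissions; real sniffed traffic
    needs TCP sequence numbers to reassemble correctly."""
    flows = defaultdict(lambda: defaultdict(bytes))
    for src, sport, dst, dport, payload in packets:
        flows[flow_key(src, sport, dst, dport)][(src, sport)] += payload
    return flows


def _parse_headers(head):
    headers = {}
    for line in head.split(b"\r\n")[1:]:       # skip the request/status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def parse_http(data):
    """Recognise an HTTP/1.x request or response at the start of a byte stream.
    Returns None for anything else (only HTTP is understood here)."""
    req, resp = REQUEST_LINE.match(data), STATUS_LINE.match(data)
    if not (req or resp):
        return None
    head, _, body = data.partition(b"\r\n\r\n")
    headers = _parse_headers(head)
    if "content-length" in headers:            # trim to the declared body size
        body = body[:int(headers["content-length"])]
    if req:
        path = req.group(2).decode("latin-1")
        host = headers.get("host", "")
        return {"kind": "request", "method": req.group(1).decode(),
                "path": path, "headers": headers, "body": body,
                "url": f"http://{host}{path}" if host else path}
    return {"kind": "response", "status": int(resp.group(1)),
            "reason": resp.group(2).decode("latin-1"), "headers": headers, "body": body}


def analyze(packets):
    """One summary per flow: protocol plus the parsed request/response when it is HTTP."""
    results = []
    for key, directions in sorted(reconstruct_flows(packets).items()):
        summary = {"key": key, "protocol": "unknown", "request": None, "response": None}
        for data in directions.values():
            msg = parse_http(data)
            if msg:
                summary["protocol"] = "http"
                summary[msg["kind"]] = msg
        results.append(summary)
    return results


FLOWS = analyze(PACKETS)

if __name__ == "__main__":
    for f in FLOWS:
        print(f["key"], f["protocol"])
        if f["request"]:
            print("  ", f["request"]["method"], f["request"]["url"])
        if f["response"]:
            print("  ", f["response"]["status"], f["response"]["body"])
```

The recovered response body is exactly the kind of payload you would inspect when pulling a configuration file out of a capture; the non-HTTP flow on port 4444 is reported with its key so it is still visible, just not decoded.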