
Detecting and removing malware using VirusTotal integration


In this use case, you use the Argus File Integrity Monitoring (FIM) module to monitor a directory for changes and the VirusTotal API to scan the files that appear in it. You then configure Argus to trigger an active response script that removes any file VirusTotal flags as malicious. This use case is tested on Ubuntu and Windows endpoints.

Requirements

Endpoint      Description
Ubuntu        Linux endpoint where you download a malicious file. Argus triggers an active response script to remove the file once VirusTotal flags it as malicious.
Windows 11    Windows endpoint where you download a malicious file. Argus triggers an active response script to remove the file once VirusTotal flags it as malicious.

Ubuntu endpoint

Follow these steps to configure Argus for monitoring near real-time changes in the /root directory on the Ubuntu endpoint. The process includes installing the required packages and creating an active response script to remove any detected malicious files.

  1. Search for the <syscheck> block in the Argus agent configuration file /var/ossec/etc/ossec.conf. Make sure that <disabled> is set to no. This enables the Argus FIM to monitor for directory changes.
  2. Add an entry within the <syscheck> block to configure a directory to be monitored in near real-time. In this case, you are monitoring the /root directory:

<directories realtime="yes">/root</directories>

  • Install jq, the utility the active response script uses to parse the JSON alert it receives on standard input:

sudo apt update
sudo apt -y install jq

  • Create the /var/ossec/active-response/bin/remove-threat.sh active response script to remove malicious files from the endpoint. The script reads the alert as one line of JSON on standard input, asks execd for permission with a check_keys message, and only deletes the file when execd answers continue:

#!/bin/bash
# Active response: remove the file that VirusTotal flagged.
# execd delivers the alert as a single JSON line on stdin.

LOCAL=$(dirname "$0")
cd "$LOCAL" || exit 1
cd ../
AR_DIR=$(pwd)

read -r INPUT_JSON
FILENAME=$(echo "$INPUT_JSON" | jq -r .parameters.alert.data.virustotal.source.file)
COMMAND=$(echo "$INPUT_JSON" | jq -r .command)
LOG_FILE="${AR_DIR}/../logs/active-responses.log"

#------------------------ Analyze command -------------------------#
if [ "${COMMAND}" = "add" ]
then
    # Send control message to execd and wait for its continue/abort verdict
    printf '{"version":1,"origin":{"name":"remove-threat","module":"active-response"},"command":"check_keys", "parameters":{"keys":[]}}\n'

    read -r RESPONSE
    COMMAND2=$(echo "$RESPONSE" | jq -r .command)
    if [ "${COMMAND2}" != "continue" ]
    then
        echo "$(date '+%Y/%m/%d %H:%M:%S') $0: $INPUT_JSON Remove threat active response aborted" >> "${LOG_FILE}"
        exit 0
    fi
fi

# Removing file. The log messages below are what rules 100092 and 100093 match on.
rm -f "$FILENAME"
if [ $? -eq 0 ]; then
    echo "$(date '+%Y/%m/%d %H:%M:%S') $0: $INPUT_JSON Successfully removed threat" >> "${LOG_FILE}"
else
    echo "$(date '+%Y/%m/%d %H:%M:%S') $0: $INPUT_JSON Error removing threat" >> "${LOG_FILE}"
fi

exit 0

  • Change the /var/ossec/active-response/bin/remove-threat.sh file ownership, and permissions:

 sudo chmod 750 /var/ossec/active-response/bin/remove-threat.sh

sudo chown root:wazuh /var/ossec/active-response/bin/remove-threat.sh

  • Restart the Argus agent 

sudo systemctl restart wazuh-agent

Argus server

Complete the following steps on the Argus server to configure alerts for changes in the endpoint directory and integrate with VirusTotal. This process also activates and triggers an active response script when a suspicious file is detected.

  1. Add the following rules to the /var/ossec/etc/rules/local_rules.xml file on the Argus server. They build on the FIM rules 550 (file modified) and 554 (file added) and use the file field to restrict them to paths matching /root, so an alert is raised for every change FIM detects in that directory:

<group name="syscheck,pci_dss_11.5,nist_800_53_SI.7,">
    <!-- Rules for Linux systems -->
    <rule id="100200" level="7">
        <if_sid>550</if_sid>
        <field name="file">/root</field>
        <description>File modified in /root directory.</description>
    </rule>

    <rule id="100201" level="7">
        <if_sid>554</if_sid>
        <field name="file">/root</field>
        <description>File added to /root directory.</description>
    </rule>
</group>

  • Add the following configuration to the Argus server /var/ossec/etc/ossec.conf file to enable the VirusTotal integration. Replace <YOUR_VIRUS_TOTAL_API_KEY>, angle brackets included, with your VirusTotal API key; left in place, the placeholder makes ossec.conf invalid XML and the manager fails to load it. With this block the manager queries VirusTotal whenever rule 100200 or 100201 fires:

<ossec_config>
  <integration>
    <name>virustotal</name>
    <api_key><YOUR_VIRUS_TOTAL_API_KEY></api_key> <!-- Replace with your VirusTotal API key -->
    <rule_id>100200,100201</rule_id>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>

  • Append the following blocks to the Argus server /var/ossec/etc/ossec.conf file. This enables Active Response and runs the remove-threat.sh script on the endpoint when VirusTotal flags a file as malicious (rule 87105):

<ossec_config>
  <command>
    <name>remove-threat</name>
    <executable>remove-threat.sh</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>remove-threat</command>
    <location>local</location>
    <rules_id>87105</rules_id>
  </active-response>
</ossec_config>

  • Add the following rules to the Argus server /var/ossec/etc/rules/local_rules.xml file to alert about the Active Response results:

<group name="virustotal,">
  <rule id="100092" level="12">
    <if_sid>657</if_sid>
    <match>Successfully removed threat</match>
    <description>$(parameters.program) removed threat located at $(parameters.alert.data.virustotal.source.file)</description>
  </rule>

  <rule id="100093" level="12">
    <if_sid>657</if_sid>
    <match>Error removing threat</match>
    <description>Error removing threat located at $(parameters.alert.data.virustotal.source.file)</description>
  </rule>
</group>

  • Restart the Argus manager

sudo systemctl restart wazuh-manager
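Before restarting, it is worth checking that the three ossec.conf fragments above actually chain together: the integration filters on the right alerts, the <active-response> fires on rule 87105, and it references a <command> that is defined. The following Python script is an added example written for this page, not Wazuh/Argus code. It parses constructed copies of the fragments (an all-zero dummy API key stands in for a real one) and reports the slips that most often break the use case, including the unreplaced <YOUR_VIRUS_TOTAL_API_KEY> placeholder, which makes the file invalid XML.

```python
"""Preflight check of the manager-side ossec.conf fragments for the VirusTotal
active response chain. Added example for this page; not part of Wazuh/Argus."""
import xml.etree.ElementTree as ET

VT_POSITIVE_RULE = "87105"   # rule the <active-response> block is meant to fire on


def parse_ossec_conf(text):
    # ossec.conf legitimately holds several top-level <ossec_config> blocks, which is
    # not one XML document, so wrap them in a synthetic root before parsing.
    return ET.fromstring("<root>" + text + "</root>")


def _text(elem, tag, default=""):
    value = elem.findtext(tag)
    return value.strip() if value is not None else default


def check_manager_config(text):
    """Return a list of findings; an empty list means the chain
    integration -> rule 87105 -> active-response -> command is wired up."""
    try:
        root = parse_ossec_conf(text)
    except ET.ParseError as exc:
        return ["not well-formed XML (%s): an unreplaced <YOUR_VIRUS_TOTAL_API_KEY> "
                "placeholder is the usual cause" % exc]
    findings = []
    blocks = root.findall("ossec_config")

    integrations = [i for cfg in blocks for i in cfg.findall("integration")
                    if _text(i, "name") == "virustotal"]
    if not integrations:
        findings.append("no <integration> named virustotal")
    for integ in integrations:
        key = _text(integ, "api_key")
        if not key or "YOUR_VIRUS_TOTAL" in key:
            findings.append("virustotal integration: api_key is empty or a placeholder")
        if _text(integ, "alert_format") != "json":
            findings.append("virustotal integration: alert_format must be json")
        if integ.find("rule_id") is None and integ.find("group") is None:
            findings.append("virustotal integration: no <rule_id> or <group> filter, "
                            "every alert would be sent to VirusTotal")

    # Only direct children of <ossec_config> define commands; the <command> inside
    # <active-response> is a reference to one of them by name.
    commands = {_text(c, "name"): c for cfg in blocks for c in cfg.findall("command")}
    responses = [ar for cfg in blocks for ar in cfg.findall("active-response")]
    if not responses:
        findings.append("no <active-response> block")
    for ar in responses:
        if _text(ar, "disabled", "no") == "yes":
            findings.append("active-response is disabled")
        name = _text(ar, "command")
        if name not in commands:
            findings.append("active-response references undefined command %r" % name)
        elif not _text(commands[name], "executable"):
            findings.append("command %r has no <executable>" % name)
        rule_ids = [r.strip() for r in _text(ar, "rules_id").split(",") if r.strip()]
        if VT_POSITIVE_RULE not in rule_ids:
            findings.append("active-response does not fire on rule %s" % VT_POSITIVE_RULE)
    return findings


# Constructed configs: a wired-up one (dummy all-zero API key), one with typical
# slips, and one with the placeholder left in place. None is a real key or file.
DUMMY_KEY = "0" * 64
GOOD_CONF = """
<ossec_config>
  <integration>
    <name>virustotal</name>
    <api_key>%s</api_key>
    <rule_id>100200,100201</rule_id>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>
<ossec_config>
  <command>
    <name>remove-threat</name>
    <executable>remove-threat.sh</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>
  <active-response>
    <disabled>no</disabled>
    <command>remove-threat</command>
    <location>local</location>
    <rules_id>87105</rules_id>
  </active-response>
</ossec_config>
""" % DUMMY_KEY
BAD_CONF = (GOOD_CONF.replace(DUMMY_KEY, "")                         # empty key
            .replace("<disabled>no", "<disabled>yes")                # AR switched off
            .replace("<rules_id>87105", "<rules_id>100200"))         # fires on FIM, not VT
PLACEHOLDER_CONF = GOOD_CONF.replace(DUMMY_KEY, "<YOUR_VIRUS_TOTAL_API_KEY>")

if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF), ("placeholder", PLACEHOLDER_CONF)):
        print(label, check_manager_config(conf))
```

To use it on a real manager, call check_manager_config(open('/var/ossec/etc/ossec.conf').read()); an empty list means the chain is wired up. The check is structural only: it cannot tell whether the key is valid or whether remove-threat.sh exists on the agent.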

Attack emulation

  1. Download an EICAR test file to the /root directory on the Ubuntu endpoint:

$ sudo curl -Lo /root/eicar.com https://secure.eicar.org/eicar.com && sudo ls -lah /root/eicar.com

FIM detects the new file (rule 100201), the manager queries VirusTotal and raises an alert when the file is flagged (rule 87105), and the active response removes it from the endpoint.

Monitoring the Alerts

  1. Navigate to Threat Hunting > Events
  2. Click on Add filter
  3. Select rule.id in the Field box
  4. Select is one of as the Operator and enter 553,100092,87105,100201 in the Values field
  5. Click on Save

Windows endpoint

Perform the following steps to configure Argus to monitor near real-time changes in the Downloads directory of the Windows endpoint. These steps also install the packages needed to build the active response executable and create the script that removes malicious files.

  1. Search for the <syscheck> block in the Argus agent C:\Program Files (x86)\ossec-agent\ossec.conf file. Make sure that <disabled> is set to no. This enables the Argus FIM module to monitor for directory changes.
  2. Add an entry within the <syscheck> block to configure a directory to be monitored in near real-time. In this use case, you configure Argus to monitor the C:\Users\<USER_NAME>\Downloads directory. Replace the <USER_NAME> variable with the appropriate user name:

<directories realtime="yes">C:\Users\<USER_NAME>\Downloads</directories>

  • Download the Python executable installer from the official Python website.
  • Run the Python installer once downloaded. Make sure to check the following boxes:
      • Install launcher for all users
      • Add Python 3.X to PATH (this places the interpreter in the execution path)
  • Once Python completes the installation process, open an administrator PowerShell terminal and use pip to install PyInstaller, then confirm it is on the PATH:

pip install pyinstaller
pyinstaller --version

  • Create an active response script remove-threat.py to remove a file from the Windows endpoint. It follows the same protocol as the shell script: read the alert from standard input, send a check_keys message, and act only when execd answers continue:

#!/usr/bin/python3
# Copyright (C) 2015-2022, Wazuh Inc.
# All rights reserved.

import os
import sys
import json
import datetime

if os.name == 'nt':
    LOG_FILE = "C:\\Program Files (x86)\\ossec-agent\\active-response\\active-responses.log"
else:
    LOG_FILE = "/var/ossec/logs/active-responses.log"

ADD_COMMAND = 0
DELETE_COMMAND = 1
CONTINUE_COMMAND = 2
ABORT_COMMAND = 3

OS_SUCCESS = 0
OS_INVALID = -1


class message:
    def __init__(self):
        self.alert = ""
        self.command = 0


def write_debug_file(ar_name, msg):
    # Every line written here lands in active-responses.log, which rule 657 decodes
    with open(LOG_FILE, mode="a") as log_file:
        log_file.write(str(datetime.datetime.now().strftime('%Y/%m/%d %H:%M:%S')) + " " + ar_name + ": " + msg + "\n")


def setup_and_check_message(argv):
    # get alert from stdin (execd sends it as a single JSON line)
    input_str = ""
    for line in sys.stdin:
        input_str = line
        break

    msg = message()
    try:
        data = json.loads(input_str)
    except ValueError:
        write_debug_file(argv[0], 'Decoding JSON has failed, invalid input format')
        msg.command = OS_INVALID
        return msg

    msg.alert = data
    command = data.get("command")
    if command == "add":
        msg.command = ADD_COMMAND
    elif command == "delete":
        msg.command = DELETE_COMMAND
    else:
        msg.command = OS_INVALID
        write_debug_file(argv[0], 'Not valid command: ' + str(command))

    return msg


def send_keys_and_check_message(argv, keys):
    # build and send message with keys
    keys_msg = json.dumps({"version": 1, "origin": {"name": argv[0], "module": "active-response"}, "command": "check_keys", "parameters": {"keys": keys}})
    write_debug_file(argv[0], keys_msg)
    print(keys_msg)
    sys.stdout.flush()

    # read the response of previous message (blocks until execd answers; "" means EOF)
    input_str = sys.stdin.readline()
    try:
        data = json.loads(input_str)
    except ValueError:
        write_debug_file(argv[0], 'Decoding JSON has failed, invalid input format')
        return OS_INVALID

    action = data.get("command")
    if "continue" == action:
        ret = CONTINUE_COMMAND
    elif "abort" == action:
        ret = ABORT_COMMAND
    else:
        ret = OS_INVALID
        write_debug_file(argv[0], "Invalid value of 'command'")

    return ret


def main(argv):
    write_debug_file(argv[0], "Started")

    # validate json and get command
    msg = setup_and_check_message(argv)
    if msg.command < 0:
        sys.exit(OS_INVALID)

    if msg.command == ADD_COMMAND:
        alert = msg.alert["parameters"]["alert"]
        keys = [alert["rule"]["id"]]
        action = send_keys_and_check_message(argv, keys)

        # if necessary, abort execution
        if action != CONTINUE_COMMAND:
            if action == ABORT_COMMAND:
                write_debug_file(argv[0], "Aborted")
                sys.exit(OS_SUCCESS)
            else:
                write_debug_file(argv[0], "Invalid command")
                sys.exit(OS_INVALID)

        # The two log messages below are what rules 100092 and 100093 match on
        try:
            file_path = alert["data"]["virustotal"]["source"]["file"]
            if os.path.exists(file_path):
                os.remove(file_path)
            write_debug_file(argv[0], json.dumps(msg.alert) + " Successfully removed threat")
        except OSError:
            write_debug_file(argv[0], json.dumps(msg.alert) + " Error removing threat")
    else:
        write_debug_file(argv[0], "Invalid command")

    write_debug_file(argv[0], "Ended")
    sys.exit(OS_SUCCESS)


if __name__ == "__main__":
    main(sys.argv)

  • Convert the active response Python script remove-threat.py to a Windows executable application. Run the following PowerShell command as an administrator to create the executable:

pyinstaller -F \path_to_remove-threat.py

  • Move the executable file remove-threat.exe to the C:\Program Files (x86)\ossec-agent\active-response\bin directory.
  • Restart the Argus agent 

   Restart-Service -Name wazuh
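Both remove-threat.sh and remove-threat.py implement the same stdin/stdout exchange with execd: the script receives the alert with "command":"add", answers with a check_keys message carrying the rule ID, and removes the file only if execd replies continue. The harness below is an added example written for this page (not Wazuh/Argus code) that runs that exchange offline in a temporary directory with both sides implemented in Python, so the continue, abort and malformed-input paths can be exercised without a manager. The alert it constructs carries only the fields the scripts read (rule.id and data.virustotal.source.file, plus the EICAR MD5 for realism), and the check confining deletions to the monitored directory is an addition of this example: the page's scripts delete whatever path the alert names.

```python
"""Offline harness for the active-response exchange used by remove-threat.sh and
remove-threat.py. Added example for this page; not part of Wazuh/Argus."""
import json
import os
import tempfile

OS_SUCCESS, OS_INVALID = 0, -1
EICAR_MD5 = "44d88612fea8a8f36de82e1278abb02f"   # well-known MD5 of the EICAR test file


def sample_vt_alert(path):
    """Constructed VirusTotal integration alert with only the fields the scripts read;
    the exact shape of a real manager alert is an assumption here."""
    return {
        "rule": {"id": "87105", "level": 12},
        "data": {"virustotal": {"found": 1, "positives": "60", "total": "70",
                                "source": {"file": path, "md5": EICAR_MD5}}},
    }


def responder(read, write, allowed_dir):
    """Script side. read() returns one stdin line, write() emits one stdout line.
    Returns a status dict instead of appending to active-responses.log."""
    try:
        msg = json.loads(read())
    except ValueError:
        return {"status": "invalid", "exit": OS_INVALID}
    if msg.get("command") != "add":
        return {"status": "invalid", "exit": OS_INVALID}
    alert = msg["parameters"]["alert"]
    # check_keys: hand execd the rule ID and wait for its continue/abort verdict
    write(json.dumps({"version": 1, "origin": {"name": "remove-threat", "module": "active-response"},
                      "command": "check_keys", "parameters": {"keys": [alert["rule"]["id"]]}}))
    try:
        verdict = json.loads(read()).get("command")
    except ValueError:
        return {"status": "invalid", "exit": OS_INVALID}
    if verdict != "continue":
        return {"status": "aborted", "exit": OS_SUCCESS}
    path = alert["data"]["virustotal"]["source"]["file"]
    # Hardening added in this example: only delete something that really lives under
    # the monitored directory, and never follow a symlink planted there.
    real, base = os.path.realpath(path), os.path.realpath(allowed_dir)
    if os.path.islink(path) or os.path.commonpath([real, base]) != base:
        return {"status": "refused", "path": path, "exit": OS_SUCCESS}
    try:
        os.remove(path)
    except OSError:
        return {"status": "error", "path": path, "exit": OS_SUCCESS}
    return {"status": "removed", "path": path, "exit": OS_SUCCESS}


def execd(alert, decision, allowed_dir):
    """execd side: push the "add" message, then answer check_keys with `decision`."""
    to_script = [json.dumps({"version": 1, "origin": {"name": "node01", "module": "wazuh-execd"},
                             "command": "add",
                             "parameters": {"extra_args": [], "alert": alert,
                                            "program": "active-response/bin/remove-threat"}})]
    from_script = []

    def read():
        if to_script:
            return to_script.pop(0)
        req = json.loads(from_script[-1])            # the script's check_keys request
        assert req["command"] == "check_keys"
        return json.dumps({"version": 1, "origin": {"name": "node01", "module": "wazuh-execd"},
                           "command": decision, "parameters": {}})

    result = responder(read, from_script.append, allowed_dir)
    result["keys_sent"] = json.loads(from_script[0])["parameters"]["keys"] if from_script else None
    return result


def run_demo():
    """Run the exchange in a temp directory; returns the outcome of each scenario."""
    base = tempfile.mkdtemp()
    target = os.path.join(base, "eicar.com")
    outcomes = {}
    with open(target, "w") as fh:
        fh.write("constructed stand-in for the EICAR file\n")
    outcomes["continue"] = execd(sample_vt_alert(target), "continue", base)
    outcomes["continue"]["still_exists"] = os.path.exists(target)
    with open(target, "w") as fh:                    # recreate for the abort case
        fh.write("constructed stand-in for the EICAR file\n")
    outcomes["abort"] = execd(sample_vt_alert(target), "abort", base)
    outcomes["abort"]["still_exists"] = os.path.exists(target)
    # a path that escapes the monitored directory is refused even on "continue"
    outcomes["traversal"] = execd(sample_vt_alert(os.path.join(base, "..", "passwd")), "continue", base)
    # malformed stdin never reaches the deletion step
    outcomes["garbage"] = responder(lambda: "not json\n", lambda _line: None, base)
    os.remove(target)
    os.rmdir(base)
    return outcomes


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The same harness can drive the real scripts by replacing read/write with a subprocess's stdout and stdin; the message shapes are the ones the scripts above emit and expect.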

Argus server

Perform the following steps on the Argus server to configure the VirusTotal integration. These steps also enable and trigger the active response script whenever a suspicious file is detected.

  1. Add the following configuration to the /var/ossec/etc/ossec.conf file on the Argus server to enable the VirusTotal integration. Replace <YOUR_VIRUS_TOTAL_API_KEY>, angle brackets included, with your VirusTotal API key. With <group>syscheck</group> the manager queries VirusTotal for every alert in the FIM syscheck group, not only for two custom rules as in the Ubuntu section. The VirusTotal API is rate-limited, so on a busy endpoint this broader filter can exhaust the quota; narrow it with <rule_id> if that happens:

<ossec_config>
  <integration>
    <name>virustotal</name>
    <api_key><YOUR_VIRUS_TOTAL_API_KEY></api_key> <!-- Replace with your VirusTotal API key -->
    <group>syscheck</group>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>

  • Append the following blocks to the Argus server /var/ossec/etc/ossec.conf file. This enables Active Response and runs the remove-threat.exe executable on the endpoint when the VirusTotal query returns a positive match (rule 87105):

<ossec_config>
  <command>
    <name>remove-threat</name>
    <executable>remove-threat.exe</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>remove-threat</command>
    <location>local</location>
    <rules_id>87105</rules_id>
  </active-response>
</ossec_config>

  • Add the following rules to the Argus server /var/ossec/etc/rules/local_rules.xml file to alert about the Active Response results.

<group name="virustotal,">
  <rule id="100092" level="12">
    <if_sid>657</if_sid>
    <match>Successfully removed threat</match>
    <description>$(parameters.program) removed threat located at $(parameters.alert.data.virustotal.source.file)</description>
  </rule>

  <rule id="100093" level="12">
    <if_sid>657</if_sid>
    <match>Error removing threat</match>
    <description>Error removing threat located at $(parameters.alert.data.virustotal.source.file)</description>
  </rule>
</group>

  • Restart the Argus manager

$ sudo systemctl restart wazuh-manager

Attack emulation

Download an EICAR test file to the C:\Users\<USER_NAME>\Downloads directory on the Windows endpoint. Run the following in PowerShell:

Invoke-WebRequest -Uri https://secure.eicar.org/eicar.com.txt -OutFile eicar.txt
cp .\eicar.txt C:\Users\<USER_NAME>\Downloads

FIM detects the new file, the manager queries VirusTotal and raises an alert when it is flagged, and the active response removes the file from the endpoint.

Monitoring the alerts

  1. Navigate to Threat Hunting > Events
  2. Click on Add filter
  3. Select rule.id in the Field box
  4. Select is one of as the Operator and enter 554,100092,553,87105 in the Values field
  5. Click on Save
