
Detecting Suspicious Binaries with Argus


Malicious binaries are executable files used by attackers to automate tasks and exploit systems while evading detection. Argus’s rootcheck module can identify such suspicious binaries, trojans, and other hidden anomalies on endpoints. This use case demonstrates how to detect a trojan binary by replacing legitimate code with malicious content on an Ubuntu system.

Infrastructure

  • Ubuntu 22.04: Endpoint where the Argus rootcheck module detects and reports suspicious binaries.

Configuration

1. Enable the Rootcheck Module

The rootcheck module is enabled by default in the Argus agent’s configuration. Verify its settings in the /var/ossec/etc/ossec.conf file under the <rootcheck> block. Ensure the configuration includes the following options:

<rootcheck>
    <disabled>no</disabled>
    <check_files>yes</check_files>
    <check_trojans>yes</check_trojans>
    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <check_if>yes</check_if>
    <frequency>43200</frequency> <!-- Run every 12 hours -->
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <skip_nfs>yes</skip_nfs>
</rootcheck>

These settings enable trojan detection, file and process checks, and scheduled scans every 12 hours.
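The page says to verify the block rather than assume the defaults are intact. The following Python script is an added example (not part of the Argus agent or this page) that parses a rootcheck configuration and reports any option that is missing or set to the wrong value. The sample configuration text embedded in it is constructed from the block above; the handling of several top-level <ossec_config> elements in one file is an assumption about how such configuration files are commonly laid out, which is why the text is wrapped in a synthetic root element before parsing.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample configuration text (not read from a real endpoint).
# The second <ossec_config> element is there to show that a file holding
# more than one top-level element is still handled.
SAMPLE_CONF = """
<ossec_config>
  <rootcheck>
    <disabled>no</disabled>
    <check_files>yes</check_files>
    <check_trojans>yes</check_trojans>
    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <check_if>yes</check_if>
    <frequency>43200</frequency> <!-- Run every 12 hours -->
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <skip_nfs>yes</skip_nfs>
  </rootcheck>
</ossec_config>
<ossec_config>
  <localfile><log_format>syslog</log_format><location>/var/log/auth.log</location></localfile>
</ossec_config>
"""

# Options the page requires, with the value each must carry.
EXPECTED = {
    "disabled": "no",
    "check_files": "yes",
    "check_trojans": "yes",
    "check_dev": "yes",
    "check_sys": "yes",
    "check_pids": "yes",
    "check_ports": "yes",
    "check_if": "yes",
    "skip_nfs": "yes",
}
MAX_FREQUENCY = 43200  # seconds: a larger value means scans run less often than every 12 hours


def check_rootcheck(conf_text):
    """Return a list of problems found in the <rootcheck> block(s); an empty list means the block is as expected."""
    # Wrap in a synthetic root so a file with several top-level elements still parses.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    blocks = root.findall("./ossec_config/rootcheck")
    if not blocks:
        return ["no <rootcheck> block found"]
    problems = []
    for block in blocks:
        for option, want in EXPECTED.items():
            node = block.find(option)
            got = node.text.strip().lower() if node is not None and node.text else None
            if got != want:
                problems.append(f"{option}: expected '{want}', found {got!r}")
        freq = block.find("frequency")
        if freq is None or not (freq.text or "").strip().isdigit():
            problems.append("frequency: missing or not an integer")
        elif int(freq.text.strip()) > MAX_FREQUENCY:
            problems.append(f"frequency: {freq.text.strip()} s is longer than 12 hours")
        for list_opt in ("rootkit_files", "rootkit_trojans"):
            node = block.find(list_opt)
            if node is None or not (node.text or "").strip():
                problems.append(f"{list_opt}: signature list path not set")
    return problems


if __name__ == "__main__":
    # Usage: python check_rootcheck.py [/var/ossec/etc/ossec.conf]
    # Without an argument the constructed sample above is checked.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONF
    found = check_rootcheck(text)
    print("rootcheck configuration OK" if not found else "\n".join(found))
    sys.exit(1 if found else 0)
```

Run it against the agent's ossec.conf as root; a non-zero exit status with the list of problems is what a configuration drift check would pick up.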

Attack Emulation

  1. Create a Copy of the Original Binary
    Make a backup of a system binary (e.g., /usr/bin/w):

sudo cp -p /usr/bin/w /usr/bin/w.copy

  2. Replace the Binary with Malicious Code
    Replace the original binary with a script that simulates malicious behavior:

sudo tee /usr/bin/w << EOF
#!/bin/bash
echo "\`date\` this is evil" > /tmp/trojan_created_file
echo 'test for /usr/bin/w trojaned file' >> /tmp/trojan_created_file
echo "Now running original binary"
/usr/bin/w.copy
EOF

This script writes a marker file to /tmp and then runs the saved copy of the original binary, so the command still produces its normal output and the substitution is not obvious to a user.

  3. Force a Rootcheck Scan
    Restart the Argus agent to trigger an immediate rootcheck scan:

sudo systemctl restart Argus-agent
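The detection behind this emulation is a signature scan: the trojan check reads the list referenced by <rootkit_trojans> and searches each named system binary for strings that a genuine compiled program should not contain (shell interpreters, paths under /tmp, and the like). The Python below is an added example, not the Argus rootcheck code, that reimplements that idea in simplified form. It assumes a signature line layout of file!regex!description; the signature list and the two file contents (the replacement script from the page and a stub that mimics the start of a clean ELF binary) are constructed inline.

```python
import os
import re
import sys

# Constructed signature list (assumption: "file!pattern!description" layout;
# a real shared list has more entries and different patterns).
SAMPLE_SIGNATURES = """\
# lines starting with '#' are comments
w  !bash|^/bin/sh|/tmp/|\\.copy!Generic
ls !bash|^/bin/sh|/tmp/!Generic
ps !bash|^/bin/sh|/tmp/|/dev/!Generic
"""

# Constructed file contents standing in for what the scanner would read from disk.
TROJANED_W = b"""#!/bin/bash
echo "`date` this is evil" > /tmp/trojan_created_file
echo 'test for /usr/bin/w trojaned file' >> /tmp/trojan_created_file
echo "Now running original binary"
/usr/bin/w.copy
"""
# ELF magic plus padding and a few harmless strings; no shell or /tmp references.
CLEAN_W = b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 24 + b"procps-ng uptime users load average"


def parse_signatures(text):
    """Yield (file name, compiled byte regex, description) for each signature line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("!")
        if len(parts) < 3:
            continue  # malformed line: skip it rather than abort the whole scan
        name, pattern, desc = parts[0].strip(), parts[1].strip(), parts[2].strip()
        # Files are scanned as bytes, so the pattern is compiled as a byte regex;
        # MULTILINE lets '^' anchor to the start of any line inside the file.
        yield name, re.compile(pattern.encode(), re.MULTILINE), desc or "Unnamed"


def scan_file(name, content, signatures):
    """Return an alert message if any signature for this file name matches, else None."""
    for sig_name, regex, desc in signatures:
        if sig_name != name:
            continue
        if regex.search(content):
            return (f"Trojaned version of file '{name}' detected. "
                    f"Signature used: '{regex.pattern.decode()}' ({desc}).")
    return None


def scan_path(path, signatures):
    """Scan a real file on disk, matching signatures by its base name."""
    with open(path, "rb") as fh:
        return scan_file(os.path.basename(path), fh.read(), signatures)


if __name__ == "__main__":
    sigs = list(parse_signatures(SAMPLE_SIGNATURES))
    # Usage: python trojan_scan.py /usr/bin/w /usr/bin/ls ...
    # Without arguments the two constructed samples are scanned instead.
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(p, "->", scan_path(p, sigs) or "clean")
    else:
        print("trojaned sample ->", scan_file("w", TROJANED_W, sigs))
        print("clean sample    ->", scan_file("w", CLEAN_W, sigs))
```

The match against the page's replacement script is on the bash string in its interpreter line; the clean stub produces no hit. A string-based check like this is cheap but can misfire on legitimate binaries that embed shell paths, which is why the signature lists pair each pattern with a specific file name rather than scanning every file with every pattern.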

Visualizing Alerts

  1. Open the Argus dashboard and navigate to the Threat Hunting module.
  2. Apply the following filters in the search bar to identify the alert:
    • location:rootcheck AND rule.id:510 AND data.title:"Trojaned version of file detected"
  3. Use the Filter by type search field and apply the full_log filter for detailed logs.
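The same three conditions as the dashboard filter can be applied directly to the JSON alert stream, which is useful for scripted triage or for checking the emulation from a shell when the dashboard is unavailable. The Python below is an added example, not part of Argus. The alert records are constructed to carry the fields the filter names (location, rule.id, data.title, plus agent, data.file and full_log); the exact wording of a real full_log line and the alerts.json path in the usage comment are assumptions.

```python
import json
import sys

# Constructed alert lines in the shape the dashboard filter expects
# (assumption: real alerts carry more fields; one malformed line is included
# on purpose to show it is skipped rather than crashing the scan).
SAMPLE_ALERTS = [
    '{"timestamp":"2024-01-01T12:00:00.000+0000","rule":{"id":"510","level":7,'
    '"description":"Host-based anomaly detection event (rootcheck)."},'
    '"agent":{"id":"001","name":"ubuntu-22"},"location":"rootcheck",'
    '"data":{"title":"Trojaned version of file detected.","file":"/usr/bin/w"},'
    '"full_log":"Trojaned version of file \'/usr/bin/w\' detected. Signature used: \'bash|^/bin/sh|/tmp/\' (Generic)."}',
    '{"timestamp":"2024-01-01T12:00:01.000+0000","rule":{"id":"510","level":7,'
    '"description":"Host-based anomaly detection event (rootcheck)."},'
    '"agent":{"id":"001","name":"ubuntu-22"},"location":"rootcheck",'
    '"data":{"title":"Process running but not in ps.","file":"/proc/4242"},'
    '"full_log":"Process 4242 running but not in ps."}',
    '{"timestamp":"2024-01-01T12:00:02.000+0000","rule":{"id":"5501","level":3,'
    '"description":"PAM: Login session opened."},"agent":{"id":"001","name":"ubuntu-22"},'
    '"location":"/var/log/auth.log","full_log":"pam_unix(sshd:session): session opened for user admin"}',
    'this line is not JSON and must be skipped',
]


def matches_trojan_filter(alert):
    """Mirror the dashboard query: location:rootcheck AND rule.id:510 AND data.title:"Trojaned version of file detected"."""
    rule_id = str(alert.get("rule", {}).get("id", ""))
    title = str(alert.get("data", {}).get("title", ""))
    return (alert.get("location") == "rootcheck"
            and rule_id == "510"
            and "Trojaned version of file detected" in title)


def find_trojan_alerts(lines):
    """Return a summary dict for every alert line that passes the filter."""
    hits = []
    for line in lines:
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial or non-JSON line (e.g. a log rotated mid-write)
        if matches_trojan_filter(alert):
            hits.append({
                "timestamp": alert.get("timestamp"),
                "agent": alert.get("agent", {}).get("name"),
                "file": alert.get("data", {}).get("file"),
                "full_log": alert.get("full_log"),
            })
    return hits


if __name__ == "__main__":
    # Usage: python trojan_alerts.py /var/ossec/logs/alerts/alerts.json
    # (path is an assumption; without an argument the constructed sample is used)
    lines = open(sys.argv[1], encoding="utf-8") if len(sys.argv) > 1 else SAMPLE_ALERTS
    for hit in find_trojan_alerts(lines):
        print(f"{hit['timestamp']} {hit['agent']} {hit['file']}: {hit['full_log']}")
```

Only the first constructed record passes: the second is a rootcheck event with rule 510 but a different title, and the third comes from another log source entirely, which is the same narrowing the dashboard filter performs.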

Summary

The Argus rootcheck module effectively detects trojaned binaries and other hidden threats by scanning system files, processes, and ports. By emulating an attack with a modified binary, you can verify the module’s detection capabilities and gain valuable insights from the alerts on the Argus dashboard. This ensures enhanced protection against malicious binaries and related threats.
