Detecting and removing malware using VirusTotal integration

Wazuh is capable of connecting to external APIs and alerting tools such as VirusTotal. In this POC, you scan a directory for changes and make the wazuh-integratord component query VirusTotal for threat results using the VirusTotal API. Once VirusTotal identifies a file as a threat, Wazuh is configured to trigger an active response to remove the file from the system.

For more information on this service, check the VirusTotal integration section of the documentation.

Configuration

Configure your environment as follows to test the POC.

  1. Enable File Integrity Monitoring in /var/ossec/etc/ossec.conf at the CentOS 8 endpoint to monitor /root in real time.

    <syscheck>
    <directories whodata="yes">/root</directories>
</syscheck>

  2. Add the following rules to /var/ossec/etc/rules/local_rules.xml at the Wazuh manager. These rules are to alert about changes in /root directories detected by FIM scans.

    <group name="syscheck,pci_dss_11.5,nist_800_53_SI.7,">
    <!-- Rules for Linux systems -->
    <rule id="100200" level="7">
        <if_sid>550</if_sid>
        <field name="file">/root</field>
        <description>File modified in /root directory.</description>
    </rule>
    <rule id="100201" level="7">
        <if_sid>554</if_sid>
        <field name="file">/root</field>
        <description>File added to /root directory.</description>
    </rule>
</group>

  3. Add the following configuration to the /var/ossec/etc/ossec.conf file at the Wazuh manager, replacing YOUR_VIRUS_TOTAL_API_KEY with your own VirusTotal API key. This enables the Virustotal integration, triggering a VirusTotal query whenever any of rules ID 100200 and 100201 are tripped.

    <ossec_config>
  <integration>
    <name>virustotal</name>
    <api_key>YOUR_VIRUS_TOTAL_API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
    <rule_id>100200,100201</rule_id>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>

    If you have a premium VirusTotal API key, with high frequency of queries allowed, you can add more rules besides these two. You could also add to your rules more directories to monitor besides /root.

  4. Create the /var/ossec/active-response/bin/remove-threat.sh active response script at the CentOS 8 endpoint for the removal of a file from the system.

    #!/bin/bash

LOCAL=`dirname $0`;
cd $LOCAL
cd ../

PWD=`pwd`

read INPUT_JSON
FILENAME=$(echo $INPUT_JSON | jq -r .parameters.alert.data.virustotal.source.file)
COMMAND=$(echo $INPUT_JSON | jq -r .command)
LOG_FILE="${PWD}/../logs/active-responses.log"

#------------------------ Analyze command -------------------------#
if [ ${COMMAND} = "add" ]
then
 # Send control message to execd
 printf '{"version":1,"origin":{"name":"remove-threat","module":"active-response"},"command":"check_keys", "parameters":{"keys":[]}}\n'

 read RESPONSE
 COMMAND2=$(echo $RESPONSE | jq -r .command)
 if [ ${COMMAND2} != "continue" ]
 then
  echo "`date '+%Y/%m/%d %H:%M:%S'` $0: $INPUT_JSON Remove threat active response aborted" >> ${LOG_FILE}
  exit 0;
 fi
fi

# Removing file
rm -f $FILENAME
if [ $? -eq 0 ]; then
 echo "`date '+%Y/%m/%d %H:%M:%S'` $0: $INPUT_JSON Successfully removed threat" >> ${LOG_FILE}
else
 echo "`date '+%Y/%m/%d %H:%M:%S'` $0: $INPUT_JSON Error removing threat" >> ${LOG_FILE}
fi

exit 0;

  5. Change /var/ossec/active-response/bin/remove-threat.sh owner and file permissions.

    # chmod 750 /var/ossec/active-response/bin/remove-threat.sh
# chown root:ossec /var/ossec/active-response/bin/remove-threat.sh

  6. Run yum install jq if jq is missing. This allows the remove-threat.sh script to process the JSON input.

  7. Append the following blocks to /var/ossec/etc/ossec.conf at the Wazuh manager. This is to enable an active response and call remove-threat.sh when VirusTotal query results for threats are positive matches.

    <ossec_config>
  <command>
    <name>remove-threat</name>
    <executable>remove-threat.sh</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>remove-threat</command>
    <location>local</location>
    <rules_id>87105</rules_id>
  </active-response>
</ossec_config>

  8. Edit /var/ossec/etc/decoders/local_decoder.xml at the Wazuh manager and add the following active response decoder configuration.

    <decoder name="ar_log_fields">
    <parent>ar_log</parent>
    <regex offset="after_parent">^(\S+) Removed threat located at (\S+)</regex>
    <order>script_name, path</order>
</decoder>

  9. Add rules to the /var/ossec/etc/rules/local_rules.xml file at the Wazuh manager to alert about the active response results.

    <group name="virustotal,">
  <rule id="100092" level="12">
      <if_sid>657</if_sid>
      <match>Successfully removed threat</match>
      <description>$(parameters.program) removed threat located at $(parameters.alert.data.virustotal.source.file)</description>
  </rule>

  <rule id="100093" level="12">
      <if_sid>657</if_sid>
      <match>Error removing threat</match>
      <description>Error removing threat located at $(parameters.alert.data.virustotal.source.file)</description>
  </rule>
</group>

  10. Restart the Wazuh agent to apply local configuration changes.

    # systemctl restart wazuh-agent

  11. Restart Wazuh manager to apply the configuration changes.

    # systemctl restart wazuh-manager

Steps to generate the alerts

  1. Download a malicious file to /root directory. This triggers a VirusTotal query and generates an alert. In addition, the file will be automatically removed by the active response to this threat.

    # cd /root
# curl -LO http://www.eicar.org/download/eicar.com && ls -lah eicar.com

Query the alerts

You can visualize the alert data in the Wazuh Kibana plugin. To do this, go to the Security events module and add the filters in the search bar to query the alerts.

  • *eicar.com*