Detecting and removing malware using VirusTotal integration

Wazuh is capable of connecting to external APIs and alerting tools such as VirusTotal. In this PoC, you scan a directory for changes and make the wazuh-integratord component query VirusTotal for threat results using the VirusTotal API. Once VirusTotal identifies a file as a threat, Wazuh is configured to trigger an active response to remove the file from the system.

For more information on this service, check the VirusTotal integration section of the documentation.

Configuration

Configure your environment as follows to test the PoC.

  1. Enable File Integrity Monitoring in /var/ossec/etc/ossec.conf at the Ubuntu 20 endpoint to monitor /root in real time.

    <syscheck>
        <directories whodata="yes">/root</directories>
    </syscheck>
    
  2. Add the following rules to /var/ossec/etc/rules/local_rules.xml at the Wazuh manager. These rules are to alert about changes in /root directories detected by FIM scans.

    <group name="syscheck,pci_dss_11.5,nist_800_53_SI.7,">
        <!-- Rules for Linux systems -->
        <rule id="100200" level="7">
            <if_sid>550</if_sid>
            <field name="file">/root</field>
            <description>File modified in /root directory.</description>
        </rule>
        <rule id="100201" level="7">
            <if_sid>554</if_sid>
            <field name="file">/root</field>
            <description>File added to /root directory.</description>
        </rule>
    </group>
    
  3. Add the following configuration to the /var/ossec/etc/ossec.conf file at the Wazuh manager, replacing YOUR_VIRUS_TOTAL_API_KEY with your own VirusTotal API key. This enables the Virustotal integration, triggering a VirusTotal query whenever any of rules ID 100200 and 100201 are tripped.

    <ossec_config>
      <integration>
        <name>virustotal</name>
        <api_key>YOUR_VIRUS_TOTAL_API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
        <rule_id>100200,100201</rule_id>
        <alert_format>json</alert_format>
      </integration>
    </ossec_config>
    

    If you have a premium VirusTotal API key, with high frequency of queries allowed, you can add more rules besides these two. You could also add to your rules more directories to monitor besides /root.

  4. Create the /var/ossec/active-response/bin/remove-threat.sh active response script at the Ubuntu 20 endpoint for the removal of a file from the system.

    #!/bin/bash
    
    LOCAL=`dirname $0`;
    cd $LOCAL
    cd ../
    
    PWD=`pwd`
    
    read INPUT_JSON
    FILENAME=$(echo $INPUT_JSON | jq -r .parameters.alert.data.virustotal.source.file)
    COMMAND=$(echo $INPUT_JSON | jq -r .command)
    LOG_FILE="${PWD}/../logs/active-responses.log"
    
    #------------------------ Analyze command -------------------------#
    if [ ${COMMAND} = "add" ]
    then
     # Send control message to execd
     printf '{"version":1,"origin":{"name":"remove-threat","module":"active-response"},"command":"check_keys", "parameters":{"keys":[]}}\n'
    
     read RESPONSE
     COMMAND2=$(echo $RESPONSE | jq -r .command)
     if [ ${COMMAND2} != "continue" ]
     then
      echo "`date '+%Y/%m/%d %H:%M:%S'` $0: $INPUT_JSON Remove threat active response aborted" >> ${LOG_FILE}
      exit 0;
     fi
    fi
    
    # Removing file
    rm -f $FILENAME
    if [ $? -eq 0 ]; then
     echo "`date '+%Y/%m/%d %H:%M:%S'` $0: $INPUT_JSON Successfully removed threat" >> ${LOG_FILE}
    else
     echo "`date '+%Y/%m/%d %H:%M:%S'` $0: $INPUT_JSON Error removing threat" >> ${LOG_FILE}
    fi
    
    exit 0;
    
  5. Change /var/ossec/active-response/bin/remove-threat.sh owner and file permissions.

    # chmod 750 /var/ossec/active-response/bin/remove-threat.sh
    # chown root:wazuh /var/ossec/active-response/bin/remove-threat.sh
    
  6. Run apt-get install jq -y if jq is missing. This allows the remove-threat.sh script to process the JSON input.

  7. Append the following blocks to /var/ossec/etc/ossec.conf at the Wazuh manager. This enables an active response and call remove-threat.sh when VirusTotal query results for threats are positive matches.

    <ossec_config>
      <command>
        <name>remove-threat</name>
        <executable>remove-threat.sh</executable>
        <timeout_allowed>no</timeout_allowed>
      </command>
    
      <active-response>
        <disabled>no</disabled>
        <command>remove-threat</command>
        <location>local</location>
        <rules_id>87105</rules_id>
      </active-response>
    </ossec_config>
    
  8. Edit /var/ossec/etc/decoders/local_decoder.xml at the Wazuh manager and add the following active response decoder configuration.

    <decoder name="ar_log_fields">
        <parent>ar_log</parent>
        <regex offset="after_parent">^(\S+) Removed threat located at (\S+)</regex>
        <order>script_name, path</order>
    </decoder>
    
  9. Add rules to the /var/ossec/etc/rules/local_rules.xml file at the Wazuh manager to alert about the active response results.

    <group name="virustotal,">
      <rule id="100092" level="12">
          <if_sid>657</if_sid>
          <match>Successfully removed threat</match>
          <description>$(parameters.program) removed threat located at $(parameters.alert.data.virustotal.source.file)</description>
      </rule>
    
      <rule id="100093" level="12">
          <if_sid>657</if_sid>
          <match>Error removing threat</match>
          <description>Error removing threat located at $(parameters.alert.data.virustotal.source.file)</description>
      </rule>
    </group>
    
  10. Restart the Wazuh agent to apply local configuration changes.

    # systemctl restart wazuh-agent
    
  11. Restart the Wazuh manager to apply the configuration changes.

    # systemctl restart wazuh-manager
    

Steps to generate the alerts

  1. Download a malicious file to /root directory in the Ubuntu 20 endpoint. This triggers a VirusTotal query and generates an alert. In addition, the file will be automatically removed by the active response to this threat.

    # cd /root
    # curl -LO http://www.eicar.org/download/eicar.com && ls -lah eicar.com
    

Query the alerts

You can visualize the alert data in the Wazuh dashboard. To do this, go to the Security events module and add the filters in the search bar to query the alerts.

  • *eicar.com*