Detecting suspicious binaries

Wazuh provides anomaly and malware detection capabilities that flag suspicious binaries. In this PoC, you detect trojaned system binaries by using the signatures in the /var/ossec/etc/shared/rootkit_trojans.txt file.

Configuration

Configure your environment as follows to test the PoC.

No additional configuration is required, since trojan detection is enabled out of the box. Check your configuration in the /var/ossec/etc/ossec.conf file on the Ubuntu 20 monitored endpoint.

<rootcheck>
    <disabled>no</disabled>
    <check_files>yes</check_files>

    <!-- Line for trojans detection -->
    <check_trojans>yes</check_trojans>

    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <check_if>yes</check_if>

    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>43200</frequency>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <skip_nfs>yes</skip_nfs>
</rootcheck>
  1. If you changed the configuration, restart the Wazuh agent to apply the changes.

    # systemctl restart wazuh-agent
    

Steps to generate the alerts

  1. Create a copy of the original system binary.

    # cp -p /usr/bin/w /usr/bin/w.copy
    
  2. Replace the original system binary /usr/bin/w with the following shell script.

    #!/bin/bash
    echo "`date` this is evil"   > /tmp/trojan_created_file
    echo 'test for /usr/bin/w trojaned file' >> /tmp/trojan_created_file
    #Now running original binary
    /usr/bin/w.copy
    
  3. By default, the rootcheck scan runs every 12 hours. To see the alert without waiting, force a scan by restarting the agent.

    # systemctl restart wazuh-agent
    
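The alert in this PoC fires because the replacement script contains strings that the signature for `bin/w` in rootkit_trojans.txt searches for (the shipped file documents its line format as `file_name !string_to_search!Description`). The following is an added example, not Wazuh code: a simplified Python re-implementation of that check, run against a constructed clean stand-in for /usr/bin/w and against the script from step 2. The signature regex bodies, the list of binary root directories, and the use of Python `re` syntax in place of rootcheck's own regex dialect are assumptions made for illustration.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed signature lines in the rootkit_trojans.txt format
# ("file_name !string_to_search!Description"). The regex bodies are
# illustrative and are not copied from the shipped file.
SIGNATURE_FILE = r"""
# Each line: file_name !string_to_search!Description
bin/ls !bash|^/bin/sh|/dev/[^clu]|\.hiddenfile!
bin/w  !bash|^/bin/sh|/dev/[^nst]|uname -a!
bin/ps !bash|^/bin/sh|/dev/[^n]!
"""

# Alert title quoted on the page (data.title of rule 510).
TITLE = "Trojaned version of file detected."

# Directories under which each relative path is looked up. Assumption:
# an approximation of the roots rootcheck walks, not the real list.
BIN_ROOTS = ("/", "/usr/", "/usr/local/")


class Signature(NamedTuple):
    relpath: str          # path relative to a binary root, e.g. "bin/w"
    pattern: re.Pattern   # compiled text between the two '!' markers
    description: str      # optional free text after the second '!'


class Finding(NamedTuple):
    path: str
    title: str
    detail: str


def parse_signatures(text: str) -> List[Signature]:
    """Parse rootkit_trojans.txt-style lines, skipping comments and blanks."""
    sigs: List[Signature] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        relpath, sep, rest = line.partition("!")
        if not sep:
            continue  # malformed: no pattern delimiter at all
        pattern_text, sep2, description = rest.rpartition("!")
        if not sep2:
            pattern_text, description = rest, ""  # closing '!' missing
        sigs.append(Signature(relpath.strip(),
                              re.compile(pattern_text.strip(), re.MULTILINE),
                              description.strip()))
    return sigs


def scan(files: Dict[str, bytes], sigs: List[Signature]) -> List[Finding]:
    """Check every signature against the file found under each binary root.

    `files` is a constructed path -> contents map standing in for the
    filesystem, so the example runs offline.
    """
    findings: List[Finding] = []
    for sig in sigs:
        for root in BIN_ROOTS:
            path = root + sig.relpath
            content = files.get(path)
            if content is None:
                continue
            # Binaries are not valid UTF-8; latin-1 maps every byte 1:1 so
            # the regex can run over the raw contents without decode errors.
            match = sig.pattern.search(content.decode("latin-1"))
            if match:
                detail = f"matched {match.group(0)!r}: " \
                         f"{sig.description or sig.pattern.pattern}"
                findings.append(Finding(path, TITLE, detail))
    return findings


# Constructed stand-in for the genuine /usr/bin/w: an ELF-like header plus
# the kind of strings a real binary embeds. Not a real ELF file.
CLEAN_W = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
           + b"/proc/\x00utmp\x00libc.so.6\x00USER TTY FROM\x00")

# The replacement script from step 2 of the PoC.
TROJANED_W = (b"#!/bin/bash\n"
              b'echo "`date` this is evil" > /tmp/trojan_created_file\n'
              b"echo 'test for /usr/bin/w trojaned file' >> /tmp/trojan_created_file\n"
              b"#Now running original binary\n"
              b"/usr/bin/w.copy\n")


def demo() -> Dict[str, List[Finding]]:
    """Run the check against a clean and a trojaned constructed filesystem."""
    sigs = parse_signatures(SIGNATURE_FILE)
    clean_fs = {"/usr/bin/w": CLEAN_W}
    trojaned_fs = {"/usr/bin/w": TROJANED_W, "/usr/bin/w.copy": CLEAN_W}
    return {"clean": scan(clean_fs, sigs), "trojaned": scan(trojaned_fs, sigs)}


if __name__ == "__main__":
    for label, results in demo().items():
        print(label, results)
```

The clean stand-in produces no finding, while the script is flagged on `/usr/bin/w` because its `#!/bin/bash` line matches the `bash` alternative of the `bin/w` signature. Note that `/usr/bin/w.copy` is never inspected: the check only looks at the paths listed in the signature file, which is why copying the original binary aside does not itself raise an alert.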

Query the alerts

You can visualize the alert data in the Wazuh dashboard. To do this, go to the Security events module and add the filters in the search bar to query the alerts.

  • location:rootcheck AND rule.id:510 AND data.title:Trojaned version of file detected.