MobSF / Mobile-Security-Framework-MobSF

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
https://opensecurity.in
GNU General Public License v3.0

Malware Database is not updated #1602

Closed XmTX1994 closed 3 years ago

XmTX1994 commented 3 years ago

[INFO] 24/Nov/2020 10:45:48 - Malware Database format from malwaredomainlist.com has changed. Database is not updated. Please report to: https://github.com/MobSF/Mobile-Security-Framework-MobSF/issues

epsleq0 commented 3 years ago

Currently the export of the malware domain list returns an empty result. I can't tell if it is temporary or permanent.

As a side effect, neither ip from domain resolution nor geolocalization are working at the moment.

ajinabraham commented 3 years ago

The third-party malware database service is down. The latest MobSF and docker use a previous db bundled with them. Geolocation is an independent service; it's not related to the Malware DB.

epsleq0 commented 3 years ago

I am working with the last tagged version (v3.1.1) and wanted to say with "neither ip from domain resolution nor geolocalization are working at the moment" that MobSF fails with an exception before executing these sub-process steps: https://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/v3.1.1/MalwareAnalyzer/views/domain_check.py#L67

IP from domain resolution, geolocation, and malware check are, of course, implemented using three different repositories (gethostbyname, IP2Location DB, and Malware DB). Nevertheless, the absence of the Malware DB leads to failure of all these sub-process steps.

I guess these two commits are the ones in order to patch older versions: https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/b81eab9781948356a1cda764274d221b77c617f1 https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/0398f9e167b86e597cec2d08653ec3184d20dc8a

ajinabraham commented 3 years ago

The latest is master, 3.1.9 at this time, which has the fixes. Tagged releases are cut only after major feature changes. Also verified that the features are working as expected on the latest master and the latest docker image.

ajinabraham commented 3 years ago

Reached out to MDL for an update https://twitter.com/OpenSecurity_IN/status/1334694477407997952?s=20

ajinabraham commented 3 years ago

No update yet. We will be changing to a different source when a feed is available.

ecarlotti commented 4 months ago

I realize this is an old (and closed) issue, but recently, I found something that could help.

There is an updated list of malware domains that can be found here: https://hole.cert.pl/domains/domains.txt. This list is updated 5 minutes after a domain is flagged as malicious, and according to cert.pl, each website submission will be verified by at least two human operators from the CERT Polska team before being added to the list. A JSON version is available here that contains the insertion date for each listed domain, so we can check its accuracy and update status.

This list is smaller than the original list contained in MobSF (about 187K domains versus 363K domains from MDL), but since MDL no longer exists and the available list is outdated, this probably produces better results than continuing to use the old MDL list.
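Two points in this thread are worth seeing in code: epsleq0's observation that a missing or reformatted malware feed should not take down the independent resolution and geolocation steps, and ecarlotti's suggestion of a plain one-domain-per-line feed such as domains.txt. The following is an added example, not MobSF's own code: it validates a text feed before trusting it (falling back to the bundled database when the format looks changed, which is what the `[INFO]` message above reports), and then runs the three checks independently so that one unavailable source degrades the report instead of raising before the other steps run. The feed samples, hostnames, `fake_resolve` and `fake_geolocate` are constructed stand-ins; a real deployment would use `socket.gethostbyname` and an IP2Location lookup in their place.

```python
import re
from typing import Callable, Dict, Optional, Set, Tuple

# Constructed sample feed in the shape the thread describes for
# hole.cert.pl/domains/domains.txt: one domain per line. The names are
# placeholders under the reserved .test TLD, not real indicators.
SAMPLE_FEED = """\
bad-example-one.test
bad-example-two.test
"""

# Constructed sample of a feed whose format has changed (e.g. an HTML
# error page served where the list used to be).
SAMPLE_BROKEN_FEED = "<html><body>Service unavailable</body></html>\n"

# Hostname syntax check: labels of 1-63 chars, total length <= 253.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$"
)


def parse_domain_feed(text: str) -> Optional[Set[str]]:
    """Return the domains in a plain-text feed, or None when the feed is
    empty or contains lines that are not hostnames (a format change)."""
    domains: Set[str] = set()
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line or line.startswith("#"):
            continue
        if not _DOMAIN_RE.match(line):
            return None  # unexpected content: do not trust this download
        domains.add(line)
    return domains or None


def load_malware_db(new_feed: str, bundled_db: Set[str]) -> Tuple[Set[str], bool]:
    """Prefer a freshly downloaded feed; keep the bundled database when the
    download is empty or malformed. Returns (db, was_updated)."""
    parsed = parse_domain_feed(new_feed)
    if parsed is None:
        return bundled_db, False
    return parsed, True


def check_domain(
    domain: str,
    malware_db: Optional[Set[str]],
    resolve: Callable[[str], str],
    geolocate: Callable[[str], str],
) -> Dict[str, object]:
    """Run the malware, resolution and geolocation checks independently so
    that one failing source is recorded in 'errors' and the others still run."""
    report: Dict[str, object] = {
        "domain": domain, "malicious": None, "ip": None, "country": None, "errors": [],
    }
    errors = report["errors"]
    assert isinstance(errors, list)

    # Step 1: malware database lookup; unavailable DB is reported, not fatal.
    if malware_db is None:
        errors.append("malware-db: unavailable")
    else:
        report["malicious"] = domain.lower() in malware_db

    # Step 2: hostname resolution, independent of step 1.
    try:
        report["ip"] = resolve(domain)
    except OSError as exc:
        errors.append(f"resolve: {exc}")

    # Step 3: geolocation only makes sense once an address is known.
    if report["ip"] is not None:
        try:
            report["country"] = geolocate(str(report["ip"]))
        except (KeyError, OSError) as exc:
            errors.append(f"geolocate: {exc}")
    return report


# Constructed offline stand-ins for gethostbyname and the IP2Location DB.
FAKE_DNS = {"bad-example-one.test": "192.0.2.10", "clean-example.test": "198.51.100.7"}
FAKE_GEO = {"192.0.2.10": "ZZ", "198.51.100.7": "ZZ"}  # ZZ: user-assigned code


def fake_resolve(domain: str) -> str:
    try:
        return FAKE_DNS[domain]
    except KeyError:
        raise OSError(f"cannot resolve {domain}")  # mirrors gethostbyname's failure


def fake_geolocate(ip: str) -> str:
    return FAKE_GEO.get(ip, "unknown")


if __name__ == "__main__":
    db, updated = load_malware_db(SAMPLE_BROKEN_FEED, {"bundled-example.test"})
    print("updated:", updated, "db size:", len(db))
    db, updated = load_malware_db(SAMPLE_FEED, {"bundled-example.test"})
    for name in ("bad-example-one.test", "clean-example.test", "nxdomain.test"):
        print(check_domain(name, db, fake_resolve, fake_geolocate))
```

The structural point is the `errors` list: a check that cannot run leaves its field as `None` and a reason in the report, so a feed outage shows up as "malware-db: unavailable" on every domain rather than as a traceback that hides the resolution and geolocation results.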

ajinabraham commented 4 months ago

Thanks, I will add a feature request to track supporting this.