chainguard-dev / malcontent

Apache License 2.0

malcontent


 _ _    _.  .    _   _    _  .  ___   _.   _  .  ___
( | )  (_|  |_  (_  (_)  ( \_)   |   (/_  ( \_)   |

            subtle malware discovery tool

malcontent discovers supply-chain compromises through the magic of context, differential analysis, and 14,000+ YARA rules.

 ________      ________      ________      ________
|        |    |        |    |        |    |        |
| v1.0.0 | => | v1.0.1 | => | v1.0.2 | => | v1.0.3 |
|________|    |________|    |________|    |________|

               unchanged     HIGH-RISK     decreased
               risk          increase      risk

malcontent has 3 modes of operation: diff, scan, and analyze, described below.

malcontent is at its best analyzing programs that run on Linux. Still, it also performs admirably for programs designed for other UNIX platforms such as macOS and, to a lesser extent, Windows.

Features

Modes

Diff

malcontent's most powerful method for discovering malware is through differential analysis against CI/CD artifacts. When used within a build system, malcontent has two significant contextual advantages over a traditional malware scanner:

Using the 3CX Compromise as an example, malcontent trivially surfaces unexpectedly high-risk changes to libffmpeg:

diff screenshot

Each line that begins with a "++" represents a newly added capability. Each capability has a risk score based on how unique it is to malware.

Like the diff(1) command it's based on, malcontent can diff between two binaries or directories. It can also diff two archive files or even two OCI images. Here are some helpful flags:
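As an added illustration of the differential approach (this is example code, not code from the malcontent project), here is a small Go program that diffs two per-file capability reports from consecutive builds and gates a CI job on the riskiest newly added capability. The report structure, the numeric risk scale (1=LOW through 4=CRITICAL), the file paths and the capability IDs are all assumptions constructed for this example; malcontent's own output format and rule names are not reproduced here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Capability is one behaviour attributed to a file (in malcontent, each is
// backed by a YARA rule) with a risk level. The struct, JSON shape and
// scale (1=LOW, 2=MEDIUM, 3=HIGH, 4=CRITICAL) are assumptions for this
// example, not malcontent's real report schema.
type Capability struct {
	ID   string `json:"id"`
	Risk int    `json:"risk"`
}

// Report maps a file path inside an artifact to the capabilities found in it.
type Report map[string][]Capability

// Change is one capability that appeared ("++") or disappeared ("--").
type Change struct {
	Path  string
	Cap   Capability
	Added bool
}

// ParseReport decodes a Report from JSON.
func ParseReport(data string) (Report, error) {
	var r Report
	err := json.Unmarshal([]byte(data), &r)
	return r, err
}

func indexByID(caps []Capability) map[string]Capability {
	m := make(map[string]Capability, len(caps))
	for _, c := range caps {
		m[c.ID] = c
	}
	return m
}

// Diff compares capabilities file by file, keyed by capability ID, so a
// re-scored but already-present capability is not a change. A file present
// in only one version contributes all of its capabilities. Output is sorted
// by path, then ID, so CI logs are stable between runs.
func Diff(prev, next Report) []Change {
	paths := map[string]bool{}
	for p := range prev {
		paths[p] = true
	}
	for p := range next {
		paths[p] = true
	}
	var changes []Change
	for p := range paths {
		before, after := indexByID(prev[p]), indexByID(next[p])
		for id, c := range after {
			if _, ok := before[id]; !ok {
				changes = append(changes, Change{Path: p, Cap: c, Added: true})
			}
		}
		for id, c := range before {
			if _, ok := after[id]; !ok {
				changes = append(changes, Change{Path: p, Cap: c, Added: false})
			}
		}
	}
	sort.Slice(changes, func(i, j int) bool {
		if changes[i].Path != changes[j].Path {
			return changes[i].Path < changes[j].Path
		}
		return changes[i].Cap.ID < changes[j].Cap.ID
	})
	return changes
}

// MaxAddedRisk is the highest risk among added capabilities (0 if none).
// Removed capabilities are reported but never raise the score.
func MaxAddedRisk(changes []Change) int {
	top := 0
	for _, c := range changes {
		if c.Added && c.Cap.Risk > top {
			top = c.Cap.Risk
		}
	}
	return top
}

// ShouldFail is the CI gate: fail when the new build gained any capability
// at or above threshold (3 = HIGH on the assumed scale).
func ShouldFail(changes []Change, threshold int) bool {
	return MaxAddedRisk(changes) >= threshold
}

// Constructed reports for two consecutive builds. The file name echoes the
// 3CX libffmpeg example; the capability IDs are invented for this example.
const oldJSON = `{"lib/libffmpeg.so": [{"id":"media/decode","risk":1}, {"id":"fs/read","risk":1}]}`
const newJSON = `{"lib/libffmpeg.so": [{"id":"media/decode","risk":1}, {"id":"net/http/client","risk":2},
  {"id":"exec/shell/spawn","risk":3}, {"id":"persist/cron","risk":4}],
  "bin/tool": [{"id":"fs/read","risk":1}]}`

func main() {
	prev, _ := ParseReport(oldJSON)
	next, _ := ParseReport(newJSON)
	changes := Diff(prev, next)
	for _, c := range changes {
		sign := map[bool]string{true: "++", false: "--"}[c.Added] // "++" = newly added capability
		fmt.Printf("%s %s: %s (risk %d)\n", sign, c.Path, c.Cap.ID, c.Cap.Risk)
	}
	fmt.Println("fail build:", ShouldFail(changes, 3))
}
```

The gate keys on additions only, mirroring the "++" lines in the diff output: a capability that disappears is the "decreased risk" case in the version diagram above and should not block a build. In a real pipeline the two reports would come from running malcontent against the previous and current artifacts rather than from the constructed JSON embedded here.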

Scan

malcontent's most basic feature scans directories for possible malware. malcontent is pretty paranoid in this mode, so expect some false positives:

scan screenshot

You can also scan a container image: mal scan -i cgr.dev/chainguard/nginx:latest

Useful flags:

Analyze

To enumerate the capabilities of a program, use mal analyze. For example:

analyze screenshot

The analyze mode emits a list of capabilities often seen in malware, categorized by risk level. It works with programs in a wide variety of file formats and scripting languages.

CRITICAL findings should be considered malicious. Useful flags include:

Installation

Container

docker pull cgr.dev/chainguard/malcontent:latest

Local

Requirements:

For example, to install the YARA library on Linux or macOS:

brew install yara || sudo apt install libyara-dev \
 || sudo dnf install yara-devel || sudo pacman -S yara

Install malcontent:

go install github.com/chainguard-dev/malcontent/cmd/mal@latest

Help Wanted

malcontent is open source! If you are interested in contributing, check out our development guide. Send us a pull request, and we'll help you with the rest!