/ 
Malware-1.02
River stage zero No dependents
/ Malware

NAME

Malware - Perl extension for storing and manipulation malware and it's attributes

SYNOPSIS

See Constructor new()

DESCRIPTION

The idea of this module is to allow authors to parse different inputs that perform malware analysis and build objects that describe a piece of malware's behaviour. From here we can write detection or blocking rules based on that behavior.

For now, the parsers will live within this class as they are directly connected to the API, this may change in the future.

OBJECT METHODS

new()

Object Constructor

my $m = Malware->new(
	-platform => 'win32',
	-filesize => $size,
	-filesizeUnits => $units,
	-filename => $name,
	-classification => $class,
	-md5sum => $md5,
	-source => $src,
	-sourceLoc => $srcLoc,
	-rawReport => $rawTextReport,
	-dt_found => $dt, # [see Time::Timestamp]
	-connections => $cons, # [see Net::Connection::Simple]
	-securityIssues => $si,
	-antiEmulation => $ae,
	-backdoors => $bd, # [see Net::Protocol::Simple]
	-malwareFiles => $mw # [hashref],
);

By setting the -platform, the module will try to re-bless itself as that module (ie: Malware::Win32 for -platform => win32). This allows you to scale into specific OS's and their properties (registry for win32).

See OBJECT ACCESSORS for the i/o of these properties

blurb()

Returns a blurb of the raw report in a nicer Text::Table'ish form. If you subclass (Malware::$platform) this module, you can tag into this method by creating a 'sub _blurb' function that returns a HASHREF in the form:

sub _blurb {
	my $self = shift;
	my $hr = {};
	$hr->{Registry} = $self->registry();
	return $hr;
}

returnConnectionsByLayer_array()

Diggs into the connections property and returns the type of connection you are looking for.

Example: We want all the url connections the malware made

my @http = $m->returnConnectionsByLayer(
	-type => 'url',
	-layer => 7,
	-protocol => 'http')
);

Example: We want all the irc connections the malware made via dns

my @irc_dns = $m->returnConnectionsByLayer(
	-type => 'dns',
	-layer => 7,
	-protocol => 'IRC')
);

Example: We want all the irc connections the malware made via direct IP

my @irc_dip = $m->returnConnectionsByLayer(
	-type => 'dip',
	-layer => 7,
	-protocol => 'IRC')
);

All three params are required or it will return:

("Invalid parameters...",undef)

On success it returns an @rray of strings

ACCESSORS / MODIFIERS

filesize()

Sets and returns the filesize

filesizeUnits()

Sets and returns the filesizeUnits

filename()

Sets and returns the filename()

classification()

Sets and returns the malware classification

md5sum()

Sets and returns the md5sum

dt_found()

Sets and returns the date found, return is a Time::Timestamp object

$m->dt_found($timestamp,$timezone);

Timezone is optional, but the timing could get screwed up if you don't set it

source()

Sets and returns the malware report source (where did you get it?)

sourceLoc()

Sets and returns the source location (what medium did you get it from (email, website, etc...)

connections()

Sets and returns the connection behaviour of the malware.

my $c = Net::Connection::Simple->new(...);
$m->connections($c);

my @cons = @{$m->connections()};

Accepts: Net::Connection::Simple or returns ($errstr,undef)

Returns: a ref to an array of Net::Connection::Simple objects

backdoors()

Sets and returns the malwares backdoor behavior.

my $p = Net::Protocol::Simple->new(...);
$m->backdoors($p);

my @bds = @{$m->backdoors};

Accepts: Net::Protocol::Simple or returns ($errstr,undef)

Returns: a ref to an array of Net::Protocol::Simple objects

processInfo()

Sets and returns the processInfo behavior.

Accepts: string

Returns: a ref to an array of strings

filesystem()

Sets and returns the filesystem behavior.

Accepts: string

Returns: a ref to an array of strings

rawReport()

Sets and returns the raw report string

Accepts: string

Returns: string

malwareFiles()

Sets and returns a list of other files that are found to be created or associated with this malware

Accepts: HASHREF or returns ($errstr,undef)

$m->malwareFiles({
	$f1 => $md5,
	$f2 => $virus_sig,
});

OR

$m->malwareFiles({
	$f1->{md5} = $md5,
	$f1->{vsig} = $virus_sig,
	$f1->{snortSig} = $snort_sig,
});

Returns: HASHREF

antiEmulation()

Sets and returns the antiEmulation behavior.

Accepts: int [undef|1|0]

Returns: whatever you put in

**Note: the blurb will translate [undef] as unknown

securityIssues()

Sets and returns other security issues that are caused.

Accepts: string

Returns: a ref to an array of strings

SEE ALSO

Time::Timestamp,Net::Connection::Simple,Net::Protocol::Simple

AUTHOR

Wes Young, <saxguard9-cpan@yahoo.com>

COPYRIGHT AND LICENSE

Copyright (C) 2006 by Wes Young

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself, either Perl version 5.8.7 or, at your option, any later version of Perl 5 you may have available.