IScanner
Description
iScanner is a free, open source tool that detects and removes malicious code (suspicious iframes, obfuscated JavaScript, dangerous eval and escape usage, ...) in web pages. It can scan remote as well as local resources.
This tool was written by iSecur1ty in the Ruby programming language and is released under the terms of the GNU Affero General Public License 3.0.
Installation
Dependencies
$ sudo apt-get install ruby
iScanner
Just download and uncompress the tarball:
$ cd /opt/
$ sudo wget http://iscanner.isecur1ty.org/download/iscanner-0.7.tar.gz
$ tar xzvf iscanner-0.7.tar.gz
$ cd /opt/iscanner-0.7/
Usage
Syntax
$ ./iscanner [options]
Options
- -R, --remote [URL]: Scan a remote web page / website
- -F, --file [FILE]: Scan a specific file
- -f, --folder [DIRECTORY]: Scan a specific folder
- -e, --extensions [ext:ext:ext]: The file extensions you want to scan
- -d, --database [DATABASE]: Select the database file
- -M, --malware [FILE]: Scan for a specific malware code
- -o, --output [LOG-FILE]: Output log file
- -m, --email [EMAIL-ADDRESS]: Send the report to an email address
- -c, --clean [LOG-FILE]: Clean the infected files listed in a log file
- -b, --backup: Back up infected files before cleaning
- -r, --restore [BACKUP-FOLDER]: Restore the infected files from a backup folder
- -a, --auto-clean: Enable auto-clean mode
- -D, --debug: Enable debugging mode
- -q, --quiet: Enable quiet mode
- -s, --send [MALICIOUS-FILE]: Send a malicious file for analysis
- -U, --update: Update iScanner to the latest version
- -u, --update-db: Update the signatures database only
- -v, --version: Print the version number
- -h, --help: Show this message
Signatures file
iScanner's detection is based on regular expressions stored in a signatures file. You can edit that file to add your own rules. Each entry is a list of four fields: signature id, regular expression, description, and a flags field. Here is the syntax:
- - 5.5
  - ((?:print|echo)\s*\(\s*gzinflate\s*\(.+?\)\s*\)\s*;)
  - PHP 'print/echo' and 'gzinflate' functions detected, possible encoded malicious code.
  - MU:LO
- - 3.0
  - (<object.+?classid.+?target.*?>.*?<\/object>)
  - ActiveX object 'target' detected, possible malicious code to exploit IE vulnerability.
  - MU:RE
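As an added example (not iScanner's own code), here is how a signature file in this layout drives a scan: three signatures taken from this page are loaded from a constructed YAML list, compiled, and run over a constructed HTML page. It assumes the field order [id, regex, description, flags], case-insensitive matching with dot matching newlines, and does not interpret the flags column (MU:RE, MU:LO), whose meaning is not explained on this page.

```ruby
require 'yaml'

# Constructed sample in the same layout as the signatures file above:
# [id, regex, description, flags]. The regexes are the ones quoted on this page.
SIGNATURES_YAML = <<~'YAML'
  - - 1.0
    - (<iframe.+?(?:visibility\s*:\s*hidden|display\s*:\s*none|style\s*=\s*['\"]?hidden|\s(?:width|height)\s*=\s*['\"]?[01][\'"\s]).+?<\/iframe>)
    - Hidden iframe tag detected.
    - MU:RE
  - - 2.0
    - (<script.+?unescape\s*\(.+?\).*?<\/script>)
    - Javascript 'unescape' function detected, possible obfuscated malicious code.
    - MU:RE
  - - 5.5
    - ((?:print|echo)\s*\(\s*gzinflate\s*\(.+?\)\s*\)\s*;)
    - PHP 'print/echo' and 'gzinflate' functions detected, possible encoded malicious code.
    - MU:LO
YAML

# Constructed page containing a 1x1 hidden iframe and an unescape() call.
SAMPLE_HTML = <<~'HTML'
  <html><body>
  <p>Welcome</p>
  <iframe src='http://example.net/' width=1 height=1 style='visibility:hidden;'></iframe>
  <script>document.write(unescape('%3Cb%3Ehi%3C%2Fb%3E'));</script>
  </body></html>
HTML

Signature = Struct.new(:id, :regex, :description, :flags)

# Assumption: dot matches newlines and matching ignores case, so one rule covers a tag split over lines.
def load_signatures(yaml)
  YAML.safe_load(yaml).map do |id, pattern, desc, flags|
    Signature.new(id.to_s, Regexp.new(pattern, Regexp::MULTILINE | Regexp::IGNORECASE), desc, flags)
  end
end

# Run every signature over the page; each hit is [id, description, matched snippet].
def scan_html(html, signatures)
  signatures.flat_map do |sig|
    html.scan(sig.regex).map { |m| [sig.id, sig.description, Array(m).first] }
  end
end

# Render hits in the same shape as the infected-*.log excerpt on this page.
def format_log(path, hits)
  hits.map { |id, desc, snippet| "#{path} [#{id}] #{desc}\n#{'-' * 75}\n#{snippet}" }.join("\n")
end
```

Running `format_log('./sample.html', scan_html(SAMPLE_HTML, load_signatures(SIGNATURES_YAML)))` reports the iframe and the unescape() call; the gzinflate rule does not fire because the sample contains no PHP.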
Examples
Hidden iframe
$ ./iscanner -R http://washingtonfamilylaws.com/
Starting iScanner 0.7 on [localhost] at (Fri Sep 30 08:25:08 2011)
Copyright (C) 2010 iSecur1ty <http://iscanner.isecur1ty.org>
[*] Opening "http://washingtonfamilylaws.com/", please wait...
[*] Scanning "washingtonfamilylaws.com-08:25:08-30.Sep.html". (db:0.2.0 - 22/Sep/2010)
[!] Scanned file: ./washingtonfamilylaws.com-08:25:08-30.Sep.html
Signature: [id:1.0] (<iframe.+?(?:visibility\s*:\s*hidden|display\s*:\s*none|style\s*=\s*['\"]?hidden|\s(?:width|height)\s*=\s*['\"]?[01][\'"\s]).+?<\/iframe>)
Description: Hidden iframe tag detected.
[*] Scan finished in (0) seconds, [1] suspicious files found.
Please check "infected-08:25:08-30.Sep.log" for details.
The generated log file looks like this:
./washingtonfamilylaws.com-05:42:08-01.Oct.html [1.0] (<iframe.+?(?:visibility\s*:\s*hidden|display\s*:\s*none|style\s*=\s*['\"]?hidden|\s(?:width|height)\s*=\s*['\"]?[01][\'"\s]).+?<\/iframe>) Hidden iframe tag detected.
---------------------------------------------------------------------------
<iframe src='http://visions7.net/' width=1 height=1 style='visibility:hidden;'></iframe>
===========================================================================
Generated by iScanner 0.7 (db:0.2.0) in Sat Oct 1 05:42:08 2011
Copyright (C) 2010 iSecur1ty <http://iscanner.isecur1ty.org>
JavaScript unescape function
$ ./iscanner -R http://kale008.50megs.com/
Starting iScanner 0.7 on [localhost] at (Fri Sep 30 08:28:06 2011)
Copyright (C) 2010 iSecur1ty <http://iscanner.isecur1ty.org>
[*] Opening "http://kale008.50megs.com/", please wait...
[*] Scanning "kale008.50megs.com-08:28:07-30.Sep.html". (db:0.2.0 - 22/Sep/2010)
[!] Scanned file: ./kale008.50megs.com-08:28:07-30.Sep.html
Signature: [id:2.0] (<script.+?unescape\s*\(.+?\).*?<\/script>)
Description: Javascript 'unescape' function detected, possible obfuscated malicious code.
[*] Scan finished in (1) seconds, [1] suspicious files found.
Please check "infected-08:28:06-30.Sep.log" for details.
Conclusion
Limitations
- Based on regular expressions: some obfuscations can't be detected unless a signature exists for them
- Limited signatures file: the database currently contains 19 regular expressions
Strengths
- Ability to scan remote files as well as local files
- Ability to detect and remove malicious code from web pages
- It's fast
- Open source, which means you can easily maintain the database, and it's free
Final word
To conclude on this tool: despite its limitations, I like it and would recommend it as a scanning solution for websites. You can automate daily scans with a cron job and send the scan results by email.