The OWASP Web Malware Scanner is a malware scanner for web applications. The goal is to be able to scan a web application using a community-driven signature database. The Web Malware Scanner works by scanning each file of the web application for known malware signatures.
The Web Malware Scanner is not a vulnerability scanner; it is a malware scanner used to identify compromised web application installations. It can be used to identify compromised WordPress, Joomla and other popular web application installations.
The Web Malware Scanner will scan for both MD5 hash based signatures and malware signatures using YARA rules.
- Python 2.7
- YARA >= 3.0
  apt-get install yara
- Python-YARA
  pip install yara-python
Install the dependencies and run:
$ python wms.py /path/to/website /path/to/results/output
Scanning a large folder can take a long time. To scan a large folder over SSH, it is recommended to start the WMS process as a background job like this:
$ nohup python wms.py /path/to/website /path/to/results/output &
Check out the official wiki for help.
OWASP Web Malware Scanner uses a community-driven malware signature database to detect malware. Signatures are found under the signatures/ folder.
The signatures for YARA rules matching are under 'signatures/rules/' and must have the '.yar' extension.
OWASP Web Malware Scanner also performs MD5 file checksums. MD5 file signatures are in 'signatures/checksum/'. An MD5 signature database must be a text file that contains the following JSON object:
{
    "Database_Name": "Generic malware hash database",
    "Database_Hash": [
        {
            "Malware_Name": "Zip.Trojan.Container",
            "Malware_Hash": "e27122ba785627fca79b4a19c8eea38b"
        }
    ]
}
The 'Database_Hash' object must be an array of objects that must contain the MD5 hash (Malware_Hash) and the Malware name (Malware_Name). If the MD5 checksum of a file matches one of these MD5 hashes, it will be marked as infected.
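The checksum lookup described above, as an added example (not the project's own code, and written for Python 3 rather than the Python 2.7 the tool targets): it validates a database in this JSON format and reports the files whose MD5 matches an entry. The function names, the demo database and the demo files are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile

def load_checksum_db(text):
    """Parse one signatures/checksum/ database into {md5_hex: malware_name}."""
    db = json.loads(text)
    entries = db.get("Database_Hash")
    if not isinstance(db.get("Database_Name"), str) or not isinstance(entries, list):
        raise ValueError("expected Database_Name string and Database_Hash array")
    index = {}
    for entry in entries:
        digest = str(entry["Malware_Hash"]).lower()  # compare case-insensitively
        if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError("not an MD5 hex digest: %r" % digest)
        index[digest] = entry["Malware_Name"]
    return index

def md5_of_file(path, chunk_size=65536):
    """Hash in chunks so large files are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_tree(root, index):
    """Return sorted (relative_path, malware_name) for every matching file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            match = index.get(md5_of_file(path))
            if match:
                hits.append((os.path.relpath(path, root), match))
    return sorted(hits)

def demo():
    """Constructed input: one harmless file listed in a constructed database."""
    payload = b"constructed sample, not real malware\n"
    db = {"Database_Name": "Constructed demo database", "Database_Hash": [
        {"Malware_Name": "Demo.Constructed.Sample",
         "Malware_Hash": hashlib.md5(payload).hexdigest().upper()}]}
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("index.php", b"<?php echo 'ok';\n"), ("x.php", payload)):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan_tree(root, load_checksum_db(json.dumps(db)))
```

An MD5 match only fires on a byte-identical file, so any modified copy of a known sample passes this check; pattern-based YARA rules are the complementary check for those.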
You are welcome to contribute to this project by sending new signatures to [email protected].
OWASP Web Malware Scanner was created by Maxime Labelle.
OWASP Web Malware Scanner is released under the BSD license. See the LICENSE file for details.
The GUI version has been abandoned.