from __future__ import division
import sys
import os
import fnmatch
import re
import stat
import json
import mimetypes
import subprocess
import string
import time
import hashlib
import math
import threading
VERSION = "0.3"
# Signature databases are filled by LoadSignatures(); each entry is one parsed
# *.json file (a dict with "Database_Name" and "Database_Signatures").
JAVASCRIPT_SIGNATURES = []
PHP_SIGNATURES = []
# Parsed checksum/*.json files; each carries a "Database_Hash" list.
HASH_SIGNATURES = []
# Flattened lookup built from HASH_SIGNATURES: Malware_Hash -> Malware_Name.
# Keys are compared against the hex MD5 returned by checksum().
HASHTABLE = {}
def checksum(fname):
    """Return the hex MD5 digest of the file at *fname*.

    The file is read in 4 KiB blocks so large files are never held in
    memory at once. MD5 is used because the checksum signature databases
    (HASHTABLE) are keyed by MD5; it serves as a lookup key here, not as
    an integrity guarantee.
    """
    digest = hashlib.md5()
    with open(fname, "rb") as handle:
        while True:
            block = handle.read(4096)
            if not block:
                break
            digest.update(block)
    return digest.hexdigest()
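# Byte values accepted as "text": printable ASCII plus \n \r \t \b.
_TEXT_BYTES = frozenset(list(range(32, 127)) + [ord(c) for c in "\n\r\t\b"])


def isText(filename):
    """Return True when the first 512 bytes of *filename* look like text.

    Heuristic: an empty file is text; any NUL byte means binary; otherwise
    the file is binary when more than 30% of the sampled bytes fall
    outside printable ASCII plus newline, carriage return, tab and
    backspace.

    The file is opened in binary mode and closed on return (the original
    left the handle open), and the byte test works on both Python 2 and 3
    (the original relied on string.maketrans and the Python 2 str.translate
    signature).

    Raises IOError/OSError when the file cannot be opened.
    """
    with open(filename, "rb") as handle:
        sample = handle.read(512)
    if not sample:
        # Empty files are considered text
        return True
    if b"\0" in sample:
        # Files with null bytes are likely binary
        return False
    # bytearray yields ints on both Python 2 and 3
    nontext = sum(1 for byte in bytearray(sample) if byte not in _TEXT_BYTES)
    # More than 30% non-text characters -> treat as binary
    return float(nontext) / float(len(sample)) <= 0.30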
class bcolors:
    """ANSI escape sequences used by pmsg() and progressBar() for terminal colour.

    ENDC resets all attributes; the other members start a colour or style
    and must be followed by ENDC to avoid bleeding into later output.
    """

    HEADER = '\033[95m'
    OKBLUE = '\033[94m'
    OKGREEN = '\033[92m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'
def pmsg(msg, code='info'):
    """Print *msg* on stdout behind a blue, underlined ">>" prefix.

    *code* picks the message colour: 'warning' prints yellow, 'error'
    prints red; any other value (including the default 'info') prints
    green. The colour is reset at the end of the line.
    """
    palette = {'warning': bcolors.WARNING, 'error': bcolors.FAIL}
    colour = palette.get(code, bcolors.OKGREEN)
    prefix = bcolors.OKBLUE + bcolors.UNDERLINE + ">>" + bcolors.ENDC
    # single parenthesised argument: same output as the print statement on Python 2
    print(prefix + " " + colour + msg + bcolors.ENDC)
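def progressBar(current, total, msg):
    """Redraw a one-line progress indicator on stdout.

    Writes "\\r>> msg (NN%)" where NN is current/total as a whole
    percentage clamped to 0..100, then a newline once 100% is reached so
    the next message starts on a fresh line.

    A zero or negative *total* is reported as complete (100%) instead of
    raising ZeroDivisionError: a caller that counted nothing to process
    still gets its line terminated. The green colour is reset at the end
    of the line (the original left it open).
    """
    if total <= 0:
        percent = 100
    else:
        # true division via "from __future__ import division" at file top
        percent = (current / total) * 100
    percent = max(0, min(100, percent))
    line = ("\r" + bcolors.OKBLUE + bcolors.UNDERLINE + ">>" + bcolors.ENDC
            + " " + bcolors.OKGREEN + msg + " (%d%%)" % percent + bcolors.ENDC)
    sys.stdout.write(line)
    sys.stdout.flush()
    if percent == 100:
        sys.stdout.write("\n")
        sys.stdout.flush()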
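def _count_files(path):
    """Return the number of directory entries os.walk() reports below *path*."""
    return sum(len(filenames) for _root, _dirs, filenames in os.walk(path))


def _match_signatures(fileData, signatureDefinitions):
    """Return the Malware_Name of the first signature matching *fileData*, or ''.

    *signatureDefinitions* is a list of loaded signature databases, each a
    dict whose "Database_Signatures" entries carry a "Malware_Name" and a
    "Malware_Signatures" list of regular expressions.

    Patterns are compiled with re.IGNORECASE. The original passed
    re.IGNORECASE as the second positional argument of pattern.findall(),
    which is the *pos* (start offset) parameter, so matching started two
    characters in and was case-sensitive. An invalid pattern is reported
    and skipped; the original printed "Aborting." but carried on anyway.
    """
    for signatureDefinition in signatureDefinitions:
        for signature in signatureDefinition["Database_Signatures"]:
            for signatureExpression in signature["Malware_Signatures"]:
                try:
                    regexp = re.compile(signatureExpression, re.IGNORECASE)
                except re.error as err:
                    pmsg("ERROR in signature regular expression, skipping %r: %s"
                         % (signatureExpression, err), "error")
                    continue
                # search() stops at the first hit; findall() kept matching
                if regexp.search(fileData):
                    return signature["Malware_Name"]
    return ''


def _scan_one_file(currentfile):
    """Return the malware name for *currentfile*, or '' when it is clean.

    Order of checks: the MD5 digest is looked up in HASHTABLE first (cheap
    and binary-safe); only files that isText() accepts are then matched
    against JAVASCRIPT_SIGNATURES and, if still clean, PHP_SIGNATURES.

    Raises IOError/OSError when the file cannot be read.
    """
    currentchecksum = checksum(currentfile)
    if currentchecksum in HASHTABLE:
        return str(HASHTABLE[currentchecksum])
    if not isText(currentfile):
        return ''
    # Read bytes and decode as latin-1: lossless for any byte sequence, so a
    # file that passed the isText heuristic but holds high bytes cannot
    # abort the scan with a decode error on Python 3.
    with open(currentfile, 'rb') as fileHandle:
        fileData = fileHandle.read().decode('latin-1')
    malware = _match_signatures(fileData, JAVASCRIPT_SIGNATURES)
    if not malware:
        malware = _match_signatures(fileData, PHP_SIGNATURES)
    return malware


def _check_permissions(WebPath):
    """Warn about every directory below *WebPath* that is world-writable; return the count.

    The original tested whether the last octal digit of the mode was
    2, 3, 6 or 7, i.e. whether the "others" write bit (S_IWOTH) is set.
    """
    insecure = 0
    for folder, _dirs, _files in os.walk(WebPath):
        try:
            mode = stat.S_IMODE(os.stat(folder).st_mode)
        except OSError as err:
            pmsg("Unable to stat " + folder + ": " + str(err), "warning")
            continue
        if mode & stat.S_IWOTH:
            pmsg("Insecure permission (" + str(oct(mode)) + ") found on: " + folder, "warning")
            insecure += 1
    return insecure


def FileScan(WebPath):
    """Scan every file below *WebPath*; report infections and insecure permissions on stdout.

    Per file, in order: (1) the MD5 digest is looked up in HASHTABLE;
    (2) if no hit and the file looks like text, its contents are matched
    against JAVASCRIPT_SIGNATURES; (3) then against PHP_SIGNATURES. Each
    file is reported at most once. Afterwards every directory is checked
    for world-writable permissions and a summary line is printed
    (red when anything was found). Nothing is returned.

    A file that cannot be read is reported and skipped rather than
    aborting the whole scan. Signature matching runs sequentially: the
    per-database threads of the original gained nothing under the GIL and
    their stop() flag could not interrupt a regex already running.
    """
    infectedFiles = []
    totalFiles = _count_files(WebPath)
    totalScanned = 0
    pmsg("Target: " + WebPath + " (" + str(totalFiles) + " files)")
    for root, _dirnames, filenames in os.walk(WebPath):
        for filename in filenames:
            totalScanned += 1
            # max(..., 1): files created between the two walks must not divide by zero
            progressBar(totalScanned, max(totalFiles, 1), "Scanning... please wait...")
            currentfile = os.path.join(root, filename)
            try:
                malware = _scan_one_file(currentfile)
            except (IOError, OSError) as err:
                pmsg("Unable to read " + currentfile + ": " + str(err), "warning")
                continue
            if malware:
                infectedFiles.append({'filename': currentfile, 'malware': malware})
    progressBar(1, 1, "Scanning... please wait...")
    for details in infectedFiles:
        pmsg("Infected file (" + details["malware"] + ") found: " + details["filename"], "warning")
    # Scan for insecure permissions
    pmsg("Scanning for insecure permissions...")
    totalInsecure = _check_permissions(WebPath)
    totalInfected = len(infectedFiles)
    colorcode = "error" if (totalInfected > 0 or totalInsecure > 0) else "info"
    pmsg("Scan completed. Found " + str(totalInfected) + " infected file(s). Found "
         + str(totalInsecure) + " insecure permission(s).", colorcode)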
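def _load_signature_dir(directory, destination, loaded, total):
    """Parse every *.json file under *directory* into *destination*; return the updated count.

    *loaded*/*total* drive the shared progress bar across the php/, js/
    and checksum/ directories. An unreadable or malformed file is reported
    and skipped: the original caught only IOError, so one syntactically
    broken database aborted loading of all the others. Files are closed
    on return (the original left the handles open).
    """
    for root, _dirnames, filenames in os.walk(directory):
        for filename in fnmatch.filter(filenames, '*.json'):
            path = os.path.join(root, filename)
            try:
                with open(path) as handle:
                    # json raises ValueError on bad input (JSONDecodeError subclasses it)
                    destination.append(json.load(handle))
            except (IOError, OSError, ValueError) as err:
                pmsg("Unable to load signature file: " + filename + " (" + str(err) + ")", "error")
                continue
            loaded += 1
            progressBar(loaded, total, "Loading signature database...")
    return loaded


def LoadSignatures(SignaturesPath):
    """Populate the module-level signature lists from *SignaturesPath*.

    Expects the sub-directories php/, js/ and checksum/, each holding
    *.json databases. php/ and js/ files are appended as-is to
    PHP_SIGNATURES and JAVASCRIPT_SIGNATURES; checksum/ files go to
    HASH_SIGNATURES and their "Database_Hash" entries are flattened into
    HASHTABLE (Malware_Hash -> Malware_Name). Hash keys are lower-cased so
    they compare equal to the lowercase hex digest checksum() produces.

    The progress denominator counts only the *.json files in those three
    directories (the original counted every file under SignaturesPath, so
    the bar never reached 100% and never emitted its newline when other
    files were present). The signature directory is trusted input: its
    regular expressions are executed against every scanned file, so it
    should be writable only by the operator.
    """
    subdirs = [
        (os.path.join(SignaturesPath, "php"), PHP_SIGNATURES),
        (os.path.join(SignaturesPath, "js"), JAVASCRIPT_SIGNATURES),
        (os.path.join(SignaturesPath, "checksum"), HASH_SIGNATURES),
    ]
    totalDatabases = sum(
        len(fnmatch.filter(filenames, '*.json'))
        for directory, _dest in subdirs
        for _root, _dirs, filenames in os.walk(directory)
    )
    loadedDatabases = 0
    for directory, destination in subdirs:
        loadedDatabases = _load_signature_dir(directory, destination, loadedDatabases, totalDatabases)
    pmsg("Building hashtable...")
    for signature in HASH_SIGNATURES:
        for signatureHash in signature["Database_Hash"]:
            HASHTABLE[signatureHash["Malware_Hash"].lower()] = signatureHash["Malware_Name"]
    pmsg("Loaded " + str(len(HASHTABLE)) + " malware hash signatures.")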
# Entry point: ms.py <web-root>. Runs on import as well, exactly like the
# original (no __main__ guard). The signatures directory is resolved
# relative to the current working directory, not the script location.
if len(sys.argv) != 2:
    pmsg("Usage: python ms.py /path/to/web/installations")
else:
    pmsg("Web Malware Scanner v" + VERSION)
    SignaturesPath = "./signatures/"
    if not os.path.isdir(SignaturesPath):
        pmsg("Unable to find signatures database folder (" + SignaturesPath + "). Please check path.", "error")
        sys.exit()
    LoadSignatures(SignaturesPath)
    WebPath = sys.argv[1]
    if os.path.isdir(WebPath):
        FileScan(WebPath)
    else:
        pmsg("Unable to find web installation folder (" + WebPath + "). Please check path.", "error")