Host Indicator Grep
higrep is a tool for detecting malware running on a host system or over a large number of host systems. It is developed by the CERT Program at the Software Engineering Institute at Carnegie Mellon.
Host indicators are things you can easily detect on a running host that has been infected with malware. For example, if a piece of malware uses a specific mutex to prevent multiple instantiations, then we can detect that mutex and thus the malware on the system.
Detections are written as short JavaScript programs which use a small number of primitives. For example, you might want to identify a specific module loaded into a process on the system.
    // This is a rule to look for a module named "evilbad" loaded in any process
    // on the system
    rules.IncidentPDQ = function() {
        return IterateProcesses(function(process) {
            var modules = ProcessLoadedModules(process.id);
            for (var i in modules) {
                if (modules[i].match(/evilbad/i)) {
                    return true;
                }
            }
        });
    }
Or maybe you want to find specific files:
    // Add a rule for malware that creates two files in SYSTEM32, evil.tmp and
    // ~temp???.tmp where ??? is an arbitrary number.
    rules.IncidentXYZ = function() {
        return EnumerateFiles(GetWindowsDirectory() + "\\SYSTEM32", function(file_info) {
            // one or more digits, and a literal dot before the extension
            if (file_info.name.match(/\\~temp\d+\.tmp$/i)) {
                return true;
            }
            if (file_info.name.match(/\\evil\.tmp$/i)) {
                return true;
            }
        });
    }
Or maybe you want to find a specific mutex:
    // This rule looks for a hypothetical malware sample using the default mutex
    rules.FooBot = function() {
        return IsMutexHeld("IAmFooBot");
    }
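Rules like the three above can be exercised offline before they are deployed by stubbing the primitives over a constructed host snapshot. The following is an added example, not higrep's own code; the primitive signatures (a callback returning true means "match", file_info.name is the full path) are assumed from the usage shown on this page.

```javascript
// Constructed host snapshot standing in for the live system higrep would inspect.
const host = {
  windowsDir: "C:\\Windows",
  processes: [
    { id: 4, name: "System", modules: ["ntoskrnl.exe"] },
    { id: 1337, name: "svchost.exe",
      modules: ["C:\\Windows\\SYSTEM32\\kernel32.dll", "C:\\Users\\Public\\EvilBad.dll"] },
  ],
  files: ["C:\\Windows\\SYSTEM32\\evil.tmp", "C:\\Windows\\SYSTEM32\\~temp417.tmp"],
  mutexes: ["IAmFooBot"],
};

// Stubs for higrep's primitives. Their signatures are assumed from the usage shown
// on the page (a callback returning true means "match"); they are not higrep's code.
function IterateProcesses(cb) { return host.processes.some(p => cb(p) === true); }
function ProcessLoadedModules(pid) {
  const p = host.processes.find(proc => proc.id === pid);
  return p ? p.modules : [];
}
function GetWindowsDirectory() { return host.windowsDir; }
function EnumerateFiles(dir, cb) {
  const prefix = dir.toLowerCase() + "\\";          // any path beneath dir
  return host.files.filter(f => f.toLowerCase().startsWith(prefix))
                   .some(f => cb({ name: f }) === true);
}
function IsMutexHeld(name) { return host.mutexes.includes(name); }

// Rules written the same way a higrep rule author would write them.
const rules = {};
rules.IncidentPDQ = function () {
  return IterateProcesses(function (process) {
    const modules = ProcessLoadedModules(process.id);
    for (let i = 0; i < modules.length; i++) {
      if (modules[i].match(/evilbad/i)) return true;
    }
  });
};
rules.IncidentXYZ = function () {
  return EnumerateFiles(GetWindowsDirectory() + "\\SYSTEM32", function (file_info) {
    return /\\~temp\d+\.tmp$/i.test(file_info.name) || /\\evil\.tmp$/i.test(file_info.name);
  });
};
rules.FooBot = function () { return IsMutexHeld("IAmFooBot"); };

// Run every rule against the snapshot and return the names of those that fired.
function evaluateRules(ruleSet) {
  return Object.keys(ruleSet).filter(name => ruleSet[name]() === true);
}
```

Editing the snapshot (removing the mutex, renaming the module) and re-running evaluateRules shows which indicator each rule actually depends on.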