Host Indicator Grep v0.2 documentation

Host Indicator Grep

higrep is a tool for detecting malware running on a single host, or across a large number of hosts. It is developed by the CERT Program at the Software Engineering Institute at Carnegie Mellon.

Host indicators are artifacts that are easy to observe on a running host once it has been infected with malware. For example, if a piece of malware uses a specific named mutex to prevent multiple instances of itself from running, we can detect that mutex and thus the malware on the system.

Detections are written as short JavaScript programs that use a small number of primitives. For example, you might want to identify a specific module loaded into a process on the system.

// This is a rule to look for a module named "evilbad" loaded in any process
// on the system. The callback returns true as soon as a matching module is
// found; IterateProcesses stops at the first process that matches.
rules.IncidentPDQ = function() {
  return IterateProcesses(function(process) {
    var modules = ProcessLoadedModules(process.id);
    for (var i = 0; i < modules.length; i++) {
      if (modules[i].match(/evilbad/i)) {
        return true;
      }
    }
  });
}

Or maybe you want to find specific files:

// Add a rule for malware that creates two files in SYSTEM32, evil.tmp and
// ~temp???.tmp where ??? is an arbitrary number. Note that \d+ allows any
// number of digits and the dots are escaped so they only match a literal ".".
rules.IncidentXYZ = function() {
  return EnumerateFiles(GetWindowsDirectory() + "\\SYSTEM32", function(file_info) {
    if (file_info.name.match(/\\~temp\d+\.tmp$/i)) {
      return true;
    }
    if (file_info.name.match(/\\evil\.tmp$/i)) {
      return true;
    }
  });
}

Or maybe you want to find a specific mutex:

// This rule looks for a hypothetical malware sample using the default mutex
rules.FooBot = function() {
  return IsMutexHeld("IAmFooBot");
}
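Before pushing a rule to many hosts it is worth checking that its matching logic fires on the indicators you expect and stays quiet on a clean machine. The following is an added example, not code from higrep or its documentation: a small offline harness that stands in for the primitives used above (IterateProcesses, ProcessLoadedModules, EnumerateFiles, GetWindowsDirectory, IsMutexHeld) and drives the rules against a constructed host snapshot. The semantics assumed for the stand-ins, that an iteration primitive returns true as soon as the callback returns true and false otherwise, that process objects carry an `id`, and that `file_info.name` is a full path, are inferred from the rules above rather than taken from higrep itself. It also adds a hypothetical corroborating rule that requires both the mutex and the module, which is one way to lower the false-positive rate of a single weak indicator.

```javascript
// Added example, not part of higrep or its documentation. Offline harness:
// stand-ins for the higrep primitives, driven by a constructed host snapshot,
// so a rule can be unit-tested before it is deployed.
// ASSUMPTION: IterateProcesses/EnumerateFiles return true as soon as the
// callback returns true and false otherwise; process objects have an "id";
// file_info.name is a full path. Inferred from the rules above, not from higrep.

// Constructed snapshot of an infected host. Every name here is made up.
var infectedHost = {
  processes: [{ id: 4, name: "System" }, { id: 1234, name: "svchost.exe" },
              { id: 4321, name: "updater.exe" }],
  modules: {
    4: ["ntoskrnl.exe"],
    1234: ["C:\\Windows\\System32\\ntdll.dll", "C:\\Windows\\System32\\kernel32.dll"],
    4321: ["C:\\Windows\\System32\\ntdll.dll", "C:\\Users\\Public\\EvilBad.dll"]
  },
  files: {
    "C:\\Windows\\SYSTEM32": ["C:\\Windows\\SYSTEM32\\kernel32.dll",
                              "C:\\Windows\\SYSTEM32\\~temp4711.tmp"]
  },
  mutexes: ["IAmFooBot"]
};

// Constructed snapshot of a clean host: same layout, no indicators present.
var cleanHost = {
  processes: [{ id: 4, name: "System" }, { id: 1234, name: "svchost.exe" }],
  modules: { 4: ["ntoskrnl.exe"], 1234: ["C:\\Windows\\System32\\ntdll.dll"] },
  files: { "C:\\Windows\\SYSTEM32": ["C:\\Windows\\SYSTEM32\\kernel32.dll"] },
  mutexes: []
};

var snapshot = cleanHost; // the host the primitive stand-ins currently "see"

// Stand-ins for the higrep primitives (assumed semantics, see above).
function IterateProcesses(cb) {
  for (var i = 0; i < snapshot.processes.length; i++) {
    if (cb(snapshot.processes[i]) === true) return true;
  }
  return false;
}
function ProcessLoadedModules(pid) { return snapshot.modules[pid] || []; }
function GetWindowsDirectory() { return "C:\\Windows"; }
function EnumerateFiles(dir, cb) {
  var names = snapshot.files[dir] || [];
  for (var i = 0; i < names.length; i++) {
    if (cb({ name: names[i] }) === true) return true;
  }
  return false;
}
function IsMutexHeld(name) { return snapshot.mutexes.indexOf(name) !== -1; }

var rules = {};

// Module indicator: any process with a loaded module whose path contains "evilbad".
rules.IncidentPDQ = function () {
  return IterateProcesses(function (process) {
    var modules = ProcessLoadedModules(process.id);
    for (var i = 0; i < modules.length; i++) {
      if (/evilbad/i.test(modules[i])) return true;
    }
    return false;
  });
};

// File indicator: evil.tmp or ~temp<digits>.tmp in SYSTEM32. Dots are escaped
// and \d+ accepts any number of digits, so ~temp4711.tmp is matched.
rules.IncidentXYZ = function () {
  return EnumerateFiles(GetWindowsDirectory() + "\\SYSTEM32", function (file_info) {
    return /\\~temp\d+\.tmp$/i.test(file_info.name) || /\\evil\.tmp$/i.test(file_info.name);
  });
};

// Mutex indicator on its own.
rules.FooBot = function () { return IsMutexHeld("IAmFooBot"); };

// Hypothetical corroborating rule: require the mutex AND the module so that a
// single coincidental indicator does not fire the detection by itself.
rules.FooBotConfirmed = function () {
  return IsMutexHeld("IAmFooBot") && rules.IncidentPDQ();
};

// Evaluate every rule against one snapshot; return the names of rules that fired.
function runRules(ruleSet, host) {
  snapshot = host;
  var hits = [];
  for (var name in ruleSet) {
    if (ruleSet[name]() === true) hits.push(name);
  }
  return hits;
}

console.log("infected host:", runRules(rules, infectedHost));
console.log("clean host:", runRules(rules, cleanHost));
```

Running the harness lists all four rules for the infected snapshot and none for the clean one. Swapping the snapshot objects for data collected from a real machine (process list, module paths, directory listings, mutex names) gives a regression test for the rule set that does not require higrep itself to be installed.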
