Open-Awesome

© 2026 Open-Awesome. Curated for the developer elite.


Malcom

License: NOASSERTION · Python · v1.3a

A malware communication analyzer that visualizes network traffic and cross-references it with known malware sources.

GitHub · 1.2k stars · 217 forks · 0 contributors

What is Malcom?

Malcom is a malware communication analyzer that visualizes network traffic patterns and cross-references them with known malicious sources. It helps security analysts detect command and control servers, understand peer-to-peer malware networks, and identify DNS fast-flux infrastructures. The tool converts raw network data into actionable intelligence through interactive graphs and database lookups.

Target Audience

Security analysts, malware researchers, and incident responders who need to analyze network communications from potentially infected systems. It's particularly useful for those investigating advanced persistent threats (APTs) and botnet activities.

Value Proposition

Malcom provides faster malware analysis through visual representations of network traffic, eliminating the need to manually parse packet captures. Its open-source nature allows customization with custom threat feeds, and the Docker deployment makes it easy to set up in isolated analysis environments.

Overview

Malcom - Malware Communications Analyzer

Use Cases

Best For

  • Analyzing network traffic from suspected malware infections
  • Identifying command and control servers in forensic investigations
  • Visualizing peer-to-peer botnet communication structures
  • Detecting DNS fast-flux infrastructures used by attackers
  • Cross-referencing network artifacts with threat intelligence feeds
  • Educational environments for teaching malware network analysis

Not Ideal For

  • Real-time, high-volume network security monitoring where performance is critical
  • Production environments requiring stable, enterprise-grade reliability and support
  • Teams lacking in-house Python or system administration skills for setup and maintenance
  • Situations needing out-of-the-box functionality without manual dependency installation

Pros & Cons

Pros

Customizable Threat Intelligence

Allows adding custom feeds via straightforward scripts, enabling integration with proprietary or updated threat databases, as detailed in the wiki tutorial.

Interactive Network Visualization

Uses D3.js force-directed graphs to provide intuitive, human-readable representations of malware communication patterns, accelerating forensic analysis.

Docker Deployment Option

Offers a Docker image for quick setup, reducing installation complexity for users familiar with containerization, as noted in the README.

Comprehensive Analysis Features

Covers key malware communication aspects like C&C server detection, P2P network analysis, and DNS fast-flux observation, making it a versatile tool.

Cons

Complex Manual Setup

Requires installing multiple dependencies (MongoDB, Redis, Scapy, etc.), manual configuration, and downloading external databases like Maxmind, which is time-consuming.

Security and Stability Risks

The README disclaimer warns of potential security gaps and of the need for root privileges for TLS interception, and the tool is not recommended for production use because of reliability issues.

Performance Limitations

The project explicitly states that it is not ultra-fast and does not handle huge datasets easily, since it is written in Python and is not optimized for high-throughput scenarios.


Quick Stats

Stars: 1,168
Forks: 217
Contributors: 0
Open Issues: 13
Last commit: 8 years ago
Created: 2013

Tags

#dns-analysis #network-traffic #pcap #flask #infosec #dfir #python #malware-analysis #mongodb #network-security #threat-intelligence #docker #malware

Built With

  • D3.js
  • MongoDB
  • Celery
  • Scapy
  • Python
  • Flask
  • Docker
  • Bootstrap
  • Redis

Included in

Malware Analysis (13.6k)

Related Projects

Maltrail

Malicious traffic detection system

Stars: 8,428 · Forks: 1,255 · Last commit: 15 hours ago

Moloch

Arkime is an open source, large scale, full packet capturing, indexing, and database system.

Stars: 7,363 · Forks: 1,140 · Last commit: 1 day ago

FakeNet-NG

FakeNet-NG - Next Generation Dynamic Network Analysis Tool

Stars: 2,120 · Forks: 380 · Last commit: 1 month ago

ngrep

ngrep is like GNU grep applied to the network layer. It's a PCAP-based tool that allows you to specify an extended regular or hexadecimal expression to match against data payloads of packets. It understands many kinds of protocols, including IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw, across a wide variety of interface types, and understands BPF filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.

Stars: 1,006 · Forks: 106 · Last commit: 2 months ago