# Copyright (c) 2010-2020 Jacob Hammack.
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NON INFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
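module Risu
  module Templates
    # Template helpers for the malware-related parts of a Risu report: the
    # Conficker summary/appendix and the "known malicious process" findings
    # reported by Nessus plugin 59275.
    #
    # Expects to be mixed into a template that provides the rendering helpers
    # used below (heading1, heading2, text, definition, output/@output) and the
    # Risu models Item, Plugin, Host and Report.
    module MalwareTemplateHelper
      # Name of the Nessus plugin whose findings indicate a Conficker infection.
      CONFICKER_PLUGIN_NAME = "Conficker Worm Detection (uncredentialed check)".freeze

      # Plugin id the queries in this helper use for known-malicious-process findings.
      KNOWN_MALICIOUS_PROCESS_PLUGIN_ID = 59275

      # Sentence Nessus appends to the plugin output that is meaningless in a PDF
      # report. Matched as a literal string: the original used an unescaped regex,
      # whose "." would match any character.
      ATTACHMENT_NOTICE = "Any detected files 5 MB or less are available as attachments.".freeze

      # Number of Conficker findings in the report.
      #
      # @return [Integer] count of matching items, or 0 when the plugin row is
      #   absent or the lookup fails
      def conficker_count
        findings = conficker_findings
        findings ? findings.count : 0
      rescue StandardError
        # Best-effort, as in the original bare rescue: a failed lookup omits the
        # section instead of aborting report generation. This also hides real
        # database errors, so failures are not surfaced anywhere.
        0
      end

      # Appendix table listing every host with a Conficker finding. Emits nothing
      # when there are no findings.
      def conficker_appendix_section
        return if conficker_count <= 0

        heading2 "Conficker Worm Infection"
        findings = conficker_findings || []
        rows = findings.map do |finding|
          [host_label(Host.find_by_id(finding.host_id), finding.host_id)]
        end
        @output.table([["Host"]] + rows, :header => true, :width => output.bounds.width) do
          row(0).style(:font_style => :bold, :background_color => 'cccccc')
          cells.borders = [:top, :bottom, :left, :right]
        end
        text "\n"
      end

      # Executive-summary paragraph for Conficker infections. Emits nothing when
      # there are no findings.
      def conficker_section
        # The original re-ran the query into a local that shadowed this method;
        # one call to conficker_count is enough.
        count = conficker_count
        return if count <= 0

        heading2 "Conficker Worm Infection"
        text "Conficker Worm infections were found on #{count} of #{Report.title}'s computer systems. Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The systems of interest are detailed in the detailed findings report with remediation steps."
        text "\n"
      end

      # Number of known-malicious-process findings in the report.
      #
      # @return [Integer] count of matching items, or 0 when the lookup fails
      def known_malicious_process_count
        known_malicious_process_findings.count
      rescue StandardError
        # Best-effort, as in the original: the section is omitted on failure.
        0
      end

      # Executive-summary paragraph for known malicious processes. Emits nothing
      # when there are no findings; the heading is pluralised by count.
      def known_malicious_process_section
        count = known_malicious_process_count
        return if count <= 0

        heading1(count == 1 ? "Known Malicious Process Detected" : "Known Malicious Processes Detected")
        text "A known malicious process was detected active on the network. This process was detected using hash binary hashing. This hash was submitted to an malware detection service that checks each hash against several different anti virus software suites. Details can be found in Appendix A."
        text "\n"
      end

      # Appendix entries (host, plugin description, plugin output) for each
      # known-malicious-process finding. Emits nothing when there are no findings.
      def known_malicious_process_appendix_section
        count = known_malicious_process_count
        return if count <= 0

        heading2(count == 1 ? "Known Malicious Process" : "Known Malicious Processes")
        plugin = Plugin.find_by_id(KNOWN_MALICIOUS_PROCESS_PLUGIN_ID)
        # Collapse runs of spaces once rather than per finding; nil when the
        # plugin row or its description is missing (the original would raise).
        description = plugin.description.gsub(/ {2,}/, " ") if plugin && plugin.description
        known_malicious_process_findings.each do |finding|
          host = Host.find_by_id(finding.host_id)
          text "Host", :style => :bold
          text host_label(host, finding.host_id)
          definition "Description", description if description
          # plugin_output is content the scanner reports about the remote host
          # (process names, paths, hashes) and is not under the report author's
          # control; it is passed through as text only. NOTE(review): confirm
          # `definition` does not enable inline formatting on this value.
          definition "Plugin output", finding.plugin_output.to_s.gsub(ATTACHMENT_NOTICE, "")
        end
        text "\n"
      end

      # Summary sections for all malware checks.
      def malware_section
        conficker_section
        known_malicious_process_section
      end

      # Appendix sections for all malware checks.
      def malware_appendix_section
        conficker_appendix_section
        known_malicious_process_appendix_section
      end

      # Items produced by the Conficker plugin, or nil when no such plugin row
      # exists. The original dereferenced `.first.id` unconditionally and relied
      # on a bare rescue to turn the resulting NoMethodError into zero.
      #
      # @return [Enumerable, nil]
      def conficker_findings
        plugin = Plugin.where(:plugin_name => CONFICKER_PLUGIN_NAME).first
        return nil if plugin.nil?

        Item.where(:plugin_id => plugin.id)
      end

      # Items produced by the known-malicious-process plugin.
      def known_malicious_process_findings
        Item.where(:plugin_id => KNOWN_MALICIOUS_PROCESS_PLUGIN_ID)
      end

      # Display label for a host: its name, followed by the FQDN in parentheses
      # when one is recorded (an empty-string FQDN is still shown, as before).
      # Falls back to the raw host id when the Host row is missing so that the
      # appendix still lists one entry per finding instead of raising.
      #
      # @param host [Host, nil]
      # @param host_id [Integer] id from the finding, used only for the fallback
      # @return [String]
      def host_label(host, host_id)
        return "unknown host (id #{host_id})" if host.nil?

        label = host.name.to_s
        label = "#{label} (#{host.fqdn})" unless host.fqdn.nil?
        label
      end

      private :conficker_findings, :known_malicious_process_findings, :host_label
    end
  end
end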