cryptostalker

Detect and prevent crypto malware as it encrypts files

Results 12 cryptostalker issues

Realizes #21. The path(s) to monitor are moved into the command line arguments after the switches, so multiple paths (with subfolders) may be monitored by the same `notify` object.

```
[root@rpi3-01 ~]# $GOBIN/cryptostalker --path=/tmp/ --count 1
panic: runtime error: index out of range
goroutine 38 [running]:
github.com/unixist/randumb.Skewness.func2(0x104f6068, 0x17c50c, 0x0, 0x0, 0x104f6080)
	/root/workspace.29729/src/github.com/unixist/randumb/entropy.go:39 +0x64
created by github.com/unixist/randumb.Skewness
	/root/workspace.29729/src/github.com/unixist/randumb/entropy.go:41 +0x24c
```

I'm running a daemonized stalker on a fileserver. It has triggered an alert for 2 image files:

```bash
$ file .../image2.JPG
.../image2.JPG: JPEG image data, JFIF standard 1.01, resolution (DPI),...
```

After stopping the decryption process, attempt to determine the malware family and automatically decrypt the encrypted files. Maybe place the attempted decrypted files in a staging directory for the user...

help wanted

The current mode of operation is to write to cryptostalker's stdout when malware is detected. It'd be nice to alert the user in a way that they'll actually notice!

help wanted

cryptostalker currently detects new files and reads them from the filesystem in their entirety in order to determine randomness. We should stop doing this in favor of reading in smaller...

help wanted

After stopping the process (or on Windows, before killing it), iterate over the process' memory maps and open files to detect known signatures of key material, e.g. "-----BEGIN RSA PRIVATE...

help wanted