Module: Risu::Templates::MalwareTemplateHelper

Included in:
TemplateHelper
Defined in:
lib/risu/base/malware_template_helper.rb

Instance Method Summary

Instance Method Details

#conficker_appendix_section ⇒ Object



# File 'lib/risu/base/malware_template_helper.rb', line 35

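# Appendix table listing the hosts with a Conficker finding, one row per
# finding, labelled "name" or "name (fqdn)".
#
# Emits nothing when #conficker_count is 0. Findings whose host row no
# longer exists are skipped instead of raising on a nil host, and a
# missing plugin row makes the section bail out rather than call nil.id.
def conficker_appendix_section
  return if conficker_count <= 0

  plugin = Plugin.where(:plugin_name => "Conficker Worm Detection (uncredentialed check)").first
  return if plugin.nil? # count said > 0, but never dereference a nil plugin

  heading2 "Conficker Worm Infection"

  headers = ["Host"]
  data = []

  Item.where(:plugin_id => plugin.id).each do |finding|
    host = Host.find_by_id(finding.host_id)
    next if host.nil? # orphaned finding; skip rather than NoMethodError

    label = "#{host.name}"
    label << " (#{host.fqdn})" unless host.fqdn.nil?
    data << [label]
  end

  # NOTE(review): the width is read from `output` while the table is drawn
  # on `@output`; presumably the same object — confirm in TemplateHelper.
  @output.table([headers] + data, :header => true, :width => output.bounds.width) do
    row(0).style(:font_style => :bold, :background_color => 'cccccc')
    cells.borders = [:top, :bottom, :left, :right]
  end

  text "\n"
end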

#conficker_count ⇒ Object



# File 'lib/risu/base/malware_template_helper.rb', line 26

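# Number of findings for the "Conficker Worm Detection (uncredentialed
# check)" plugin.
#
# Best-effort: a report without that plugin yields 0 explicitly (instead of
# relying on a rescued nil.id), and any error raised by the lookup also
# yields 0 so callers can simply skip the section.
#
# @return [Integer] matching Item count, or 0 when unavailable
def conficker_count
  plugin = Plugin.where(:plugin_name => "Conficker Worm Detection (uncredentialed check)").first
  return 0 if plugin.nil?

  Item.where(:plugin_id => plugin.id).count
rescue StandardError
  0
end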

#conficker_section ⇒ Object



# File 'lib/risu/base/malware_template_helper.rb', line 68

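# Executive-summary paragraph about Conficker infections.
#
# Emits nothing when #conficker_count is 0. The count is fetched once and
# reused; the original re-ran the query into a local that shadowed the
# method name and had no error handling.
def conficker_section
  count = conficker_count
  return if count <= 0

  heading2 "Conficker Worm Infection"

  text "Conficker Worm infections were found on #{count} of #{Report.title}'s computer systems. Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The systems of interest are detailed in the detailed findings report with remediation steps."

  text "\n"
end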

#known_malicious_process_appendix_section ⇒ Object



# File 'lib/risu/base/malware_template_helper.rb', line 107

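# Appendix entries for plugin 59275 findings: a "Host" line, the plugin
# description and the finding's plugin output, per finding.
#
# Emits nothing when #known_malicious_process_count is 0. Findings with no
# host row are skipped, a missing plugin row simply drops the description,
# and a nil plugin_output drops that definition instead of raising.
def known_malicious_process_appendix_section
  count = known_malicious_process_count
  return if count <= 0

  heading2(count == 1 ? "Known Malicious Process" : "Known Malicious Processes")

  plugin = Plugin.find_by_id(59275)
  description = plugin.nil? ? nil : plugin.description
  # Collapse runs of spaces once, not once per finding.
  description = description.gsub(/[ ]{2,}/, " ") unless description.nil?

  Item.where(:plugin_id => 59275).each do |finding|
    host = Host.find_by_id(finding.host_id)
    next if host.nil? # orphaned finding; skip rather than NoMethodError

    text "Host", :style => :bold
    host_string = "#{host.name}"
    host_string << " (#{host.fqdn})" unless host.fqdn.nil?
    text host_string

    definition "Description", description unless description.nil?

    plugin_output = finding.plugin_output
    next if plugin_output.nil?

    # The period is escaped: the original pattern's bare "." matched any
    # character after "attachments".
    definition "Plugin output", plugin_output.gsub(/Any detected files 5 MB or less are available as attachments\./, "")
  end

  text "\n"
end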

#known_malicious_process_count ⇒ Object



# File 'lib/risu/base/malware_template_helper.rb', line 82

# Number of findings for plugin 59275, the check the malicious-process
# sections report on. Any error raised by the lookup is treated as
# "no findings".
#
# @return [Integer] matching Item count, or 0 on error
def known_malicious_process_count
  Item.where(:plugin_id => 59275).count
rescue StandardError
  0
end

#known_malicious_process_section ⇒ Object



# File 'lib/risu/base/malware_template_helper.rb', line 91

# Executive-summary paragraph for plugin 59275 (known malicious process)
# findings, with a singular or plural heading depending on the count.
#
# Emits nothing when #known_malicious_process_count is 0.
def known_malicious_process_section
  count = known_malicious_process_count
  return unless count.positive?

  heading1(count == 1 ? "Known Malicious Process Detected" : "Known Malicious Processes Detected")

  text "A known malicious process was detected active on the network. This process was detected using hash binary hashing. This hash was submitted to an malware detection service that checks each hash against several different anti virus software suites. Details can be found in Appendix A."

  text "\n"
end

#malware_appendix_section ⇒ Object



# File 'lib/risu/base/malware_template_helper.rb', line 142

# Appendix counterpart of #malware_section: writes the Conficker host table
# followed by the known-malicious-process entries. Each sub-section decides
# for itself whether it has anything to emit.
def malware_appendix_section
  conficker_appendix_section
  known_malicious_process_appendix_section
end

#malware_section ⇒ Object



# File 'lib/risu/base/malware_template_helper.rb', line 136

# Executive-summary malware section: the Conficker paragraph followed by the
# known-malicious-process paragraph. Each sub-section is a no-op when its
# finding count is 0.
def malware_section
  conficker_section
  known_malicious_process_section
end