Topic: Nomalua -- GMod/Lua malware scanner (v1.20)


Offline Buzzkill

Nomalua -- GMod/Lua malware scanner (v1.20)
« on: April 19, 2015, 09:54:02 AM »
Nomalua v1.20 (released 2015-04-21)


Nomalua is a malware scanner for GMod Lua files.  It scans Lua files on the server (including those mounted through Steam Workshop GMA files) and reports on any suspicious code or code patterns that may warrant further investigation.

IT IS IMPORTANT to understand that detection by Nomalua does NOT necessarily mean you have a problem -- simply that a code construct or pattern exists that meets Nomalua's criteria for reporting.  **The vast majority of alerts will be false positives**.  However, when you run an addon you are trusting that author to be a good citizen. Addons can harbor backdoors and other nefarious code.  It's better to trust but verify rather than simply trust blindly. Nomalua allows server administrators to have better insight into what's running without having to analyze every addon line-by-line. This is especially true as more server administrators use addons through the Steam Workshop, which makes it harder for admins to review code and track updates.


----------  DEVELOPER & SUPPORT  ----------

Nomalua was developed by "BuzzKill".  Visit http://forums.ulyssesmod.net/index.php/topic,8477.0.html for support and release info.



----------  REQUIREMENTS  ----------

Nomalua has no requirements.



----------  INSTALLATION  ----------

To install Nomalua, simply extract the files from the archive to your garrysmod/addons folder.
When you've done this, you should have a file structure like this:
   <garrysmod>/addons/nomalua/lua/autorun/init.lua
   <garrysmod>/addons/nomalua/lua/sv_nomalua.lua
etc.


Please note that installation is the same on dedicated servers. Installation requires a server restart.



----------  USAGE  ----------

Once installed and the server restarted, you can run the scanner by opening console and issuing the "nomalua_scan" command.  If running directly on the server, you should immediately begin to see output (sample below).  If running through a client, you must have superadmin privileges. When running through a client console there may be a delay before output is rendered. Nomalua is rather resource-intensive, so it's not recommended that you run it when the server is particularly busy.

Nomalua reports back the following (sample):

Code:
2 - AUTHENT (Presence of Steam ID) gamemodes/jailbreak/gamemode/core/cl_menu_help_options.lua:218 : Excl (STEAM_0:0:19441588) - Lead developer in charge of Jail Break since version 1
4 - NETWORK (HTTP server call) addons/hatschat2/lua/hatschat/cl_init.lua:196 http.Fetch( FUrl, function( body, len, header, code)
2 - BANMGMT (Ban by IP address) addons/customcommands_onecategory/lua/ulx/modules/sh/cc_util.lua:283 local banip = ulx.command( "Custom", "ulx banip", ulx.banip )
2 - DYNCODE (Dynamic code execution) lua/autorun/luapad.lua:152 RunString(file.Read("luapad/_server_globals.txt", "DATA"));
2 - FILESYS (File deletion) addons/customcommands_onecategory/lua/ulx/modules/sh/cc_util.lua:909 file.Delete( "watchlist/" .. id .. ".txt" )
3 - OBFUSC (Obfuscated / encrypted code) lua/includes/extensions/string.lua:34 str = str:gsub( "\226\128\168", "\\\226\128\168" )

The first column contains the risk rating, check type and description.  Currently, Nomalua detects dynamic code (code that executes dynamically, using compilestring, etc), authentication checks (references to Steam IDs), network activity (calls to http.Post and Fetch), ban related items (changes in ban status), obfuscated code (bytecode, encryption) and file system calls (file deletions). The risk rating is from 1 through 5, 5 being the highest.  Currently the rating system is rather arbitrary -- it will be firmed up over time.

The second column points to the file and line number of the detection.  Note that if this addon is contained within a GMA, you will need to manually decompress the .gma file in order to view the file directly.

The third column shows the line itself, with the detection phrase highlighted in yellow.



----------  CONFIGURATION  ----------

Whitelisting (beta):  Whitelisting is currently managed in the sv_nomalua_whitelist.lua file, specifically via calls to NOMALUA.AddWhiteListElement, which takes 3 parameters.  The first parameter in the call is a Lua pattern (see http://lua-users.org/wiki/PatternsTutorial for a tutorial in Lua patterns).  The second parameter is the line number (0 to match all), and the third is the detection group ("*" to match all). Whitelisting is currently beta and will be moved to a proper data file in a future release.

Whitelist samples:

Code: Lua
NOMALUA.AddWhiteListElement("addons/nomalua/lua/sv_nomalua.lua", 0, "*")            -- prevents Nomalua from reporting on its own pattern checks
NOMALUA.AddWhiteListElement("addons/cac%-release%-.*.lua", 0, "*")                  -- ignores Cake Anti-cheat
NOMALUA.AddWhiteListElement("addons/ulib/lua/ulib/server/player.lua", 0, "BANMGMT") -- ignores ban related items in ULib's player.lua
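As an added illustration of the report layout and whitelist semantics described above, here is a stand-alone Lua script written for this thread; it is not Nomalua's own source. The check list, the names CHECKS, WHITELIST, isWhitelisted and scanFile, and the sample file contents are this example's own assumptions; only AddWhiteListElement's parameters follow Nomalua's documented signature.

```lua
-- Added example, not Nomalua's own code: a stand-alone Lua 5.1+ scanner that
-- mimics Nomalua's check groups, report layout and 3-parameter whitelist.
local CHECKS = {  -- rating, group, description, Lua pattern (example's own list)
  { 2, "DYNCODE", "Dynamic code execution", "RunString%s*%(" },
  { 4, "NETWORK", "HTTP server call",       "http%.Fetch%s*%(" },
  { 2, "AUTHENT", "Presence of Steam ID",   "STEAM_%d:%d:%d+" },
  { 2, "FILESYS", "File deletion",          "file%.Delete%s*%(" },
}
-- Same semantics as NOMALUA.AddWhiteListElement(pattern, line, group): the
-- Lua pattern is tested against the path, line 0 = any line, group "*" = any.
local WHITELIST = {}
local function AddWhiteListElement(pattern, line, group)
  WHITELIST[#WHITELIST + 1] = { pattern = pattern, line = line, group = group }
end
local function isWhitelisted(path, lineno, group)
  for _, w in ipairs(WHITELIST) do
    if path:find(w.pattern) and (w.line == 0 or w.line == lineno)
       and (w.group == "*" or w.group == group) then
      return true
    end
  end
  return false
end

-- Scans one file's lines; returns report strings in Nomalua's
-- "rating - GROUP (description) path:line <line text>" layout.
local function scanFile(path, lines)
  local report = {}
  for lineno, text in ipairs(lines) do
    for _, c in ipairs(CHECKS) do
      if text:find(c[4]) and not isWhitelisted(path, lineno, c[2]) then
        report[#report + 1] = string.format("%d - %s (%s) %s:%d %s",
          c[1], c[2], c[3], path, lineno, text)
      end
    end
  end
  return report
end

-- Constructed sample input (not from any real addon). The anti-cheat path is
-- whitelisted wholesale, so only luapad.lua produces an alert.
AddWhiteListElement("addons/cac%-release%-.*%.lua", 0, "*")
local files = {
  { "addons/cac-release-1/lua/cl_init.lua", { "http.Fetch( url, cb )" } },
  { "lua/autorun/luapad.lua", { "local x = 1",
    'RunString(file.Read("luapad/_server_globals.txt", "DATA"))' } },
}
for _, f in ipairs(files) do
  for _, r in ipairs(scanFile(f[1], f[2])) do print(r) end
end
```

Because whitelist patterns are matched with string.find, an unescaped "." in a path pattern matches any character, so escape literal dots ("%.lua") when a whitelist entry should be exact.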



----------  CHANGELOG  ----------

v1.20 - *(2015-04-21)*
   * Added risk rank (currently 1 - 5, 5 highest.  Rather arbitrary for now.  Still beta.  The whole thing is still beta.)
   * Optimized check type and pattern check definition code
   * Fixed bug in directory recursion code
   * Misc minor optimizations
   * Added additional pattern checks

v1.11 - *(2015-04-20)*
   * Bug fix.  AddLuaFiles returning nil under certain conditions, causing scan to error out.
   
v1.10 - *(2015-04-20)*
   * Adjusted directory recursion logic to prepend root search directory
   * Added whitelisting and some default whitelist items
   * Restructured lua file search so that matching files in addons/<addonname>/lua/... and lua/... purposely collide in storage table (de-dupe)
   * Refactored scan to queue output, eliminating need to pass ply var around.

v1.00 - *(2015-04-19)*
   * Initial version

   

----------  LICENSE  ----------

This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License.
To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/ or send a letter to
Creative Commons
543 Howard Street
5th Floor
San Francisco, California 94105
USA



(what the heck does "nomalua" mean?  No-Mal-Lua. Get it?  Don't worry - the code is better than the name.  :)  )
« Last Edit: April 22, 2015, 09:24:53 AM by Buzzkill »

Offline Buzzkill

Re: Nomalua -- GMod Lua malware scanner
« Reply #1 on: April 19, 2015, 09:59:39 AM »
FYI... Roadmap:

* More pattern detections
* Default and extensible white-list
* Chunked execution so the server doesn't freeze for the duration of the scan.
* Output to file
* In-game UI

Offline Bite That Apple

Re: Nomalua -- GMod Lua malware scanner
« Reply #2 on: April 19, 2015, 01:25:26 PM »
Out of my own curiosity, what type of suspicious Lua files can there even be? Like what are the types of things it can detect?

Offline Buzzkill

Re: Nomalua -- GMod Lua malware scanner
« Reply #3 on: April 19, 2015, 01:36:34 PM »
Quote:
The first column is the detection group.  Currently, Nomalua detects DYNCODE (code that executes dynamically, using compilestring, etc), AUTHENT (references to Steam IDs), NETWORK (calls to http.Post and Fetch), BANMGMT (changes in ban status) and FILESYS (file deletions).


So it'll look for code that
* tries to retrieve and/or execute a payload (using http calls to retrieve a payload and dynamic execution to run it)
* tries to "phone home"  (I'd want to know why the addon was calling mommy.  I don't even like version checks, to be honest.)
* tries to skirt bans by unbanning the author
* tries to delete files, though to be honest I'll probably pull this check, since addons can only delete from their own /data subdirectory.

I'm also in the process of adding an encrypted code check.

Offline MrPresident

Re: Nomalua -- GMod Lua malware scanner
« Reply #4 on: April 19, 2015, 11:05:23 PM »
Hidden back doors are quite common in some addons out there.
Tricky coders can find ways to write in all kinds of crazy stuff.

There are the obvious ones where an addon simply gives admin to someone using their SteamID and if you look you'd see it, but with most addons being on Workshop, it's harder to look at the addons to make sure they're playing nicely.
There are also more covert ways of doing things too. For instance, you could use http.fetch to get a string of Lua that you could compile and run on a server. To someone looking at the code, it would just be an http.fetch command which has legitimate uses, but it could be used maliciously.
There are ways to obfuscate things too, so basically having a script that alerted you (the server owner) when addons you have installed are doing things that could potentially be dangerous is a great idea!

Offline MrPresident

Re: Nomalua -- GMod Lua malware scanner
« Reply #5 on: April 19, 2015, 11:07:53 PM »
Quote:
* tries to delete files, though to be honest I'll probably pull this check, since addons can only delete from their own /data subdirectory.

I don't believe that's true. I'm pretty sure Lua has full control over anything in the data directory. If I wanted to, I could write an addon that recursively checked the data folder and removed all .txt files from it as well as directories. As long as your script here doesn't block and only reports, I think you should definitely leave this in.

*idea* Maybe you could weigh the different things it detects kind of like malware scanners do.

Risk Levels:
Low
Medium
High

Then you could report them out to the administrators and they'd have a better idea of what kind of risk it is. Things like the file deletion thing above would still be reported, but you could mark it as low risk so people don't flip out.
« Last Edit: April 19, 2015, 11:09:29 PM by MrPresident »

Offline Stickly Man!

Re: Nomalua -- GMod Lua malware scanner
« Reply #6 on: April 20, 2015, 08:59:26 AM »
Lookin good! I can see this being a very useful release for server owners  ;D

Offline Buzzkill

Re: Nomalua -- GMod Lua malware scanner
« Reply #7 on: April 20, 2015, 10:39:27 AM »
Thanks guys.  Will definitely implement a risk level element, especially as I add more checks. Great idea.


v1.10 Changelog - *(2015-04-20)*
   * Adjusted directory recursion logic to prepend root search directory
   * Added whitelisting and some default whitelist items
   * Restructured lua file search so that matching files in addons/<addonname>/lua/... and lua/... purposely collide in storage table (de-dupe)
   * Refactored scan to queue output, eliminating need to pass ply var around.
 
« Last Edit: April 20, 2015, 10:56:15 AM by Buzzkill »

Offline Buzzkill

Re: Nomalua -- GMod/Lua malware scanner (v1.11)
« Reply #8 on: April 20, 2015, 12:12:50 PM »
v1.11 Changelog - *(2015-04-20)*
   * Bug fix.  AddLuaFiles returning nil under certain conditions, causing scan to error out.
   

Offline Buzzkill

Re: Nomalua -- GMod/Lua malware scanner (v1.20)
« Reply #9 on: April 21, 2015, 09:23:21 AM »
v1.20 Changelog - *(2015-04-21)*
* Added risk rank (currently 1 - 5, 5 highest.  Rather arbitrary for now.  Still beta.  The whole thing is still beta.)
* Optimized check type and pattern check definition code
* Fixed bug in directory recursion code
* Misc minor optimizations
* Added additional pattern checks

Offline Buzzkill

Re: Nomalua -- GMod/Lua malware scanner (v1.20)
« Reply #10 on: April 22, 2015, 08:38:26 AM »

Offline auskfc

Re: Nomalua -- GMod/Lua malware scanner (v1.20)
« Reply #11 on: January 31, 2016, 02:34:04 AM »
How do I stop it from crashing the server?

Online Megiddo

Re: Nomalua -- GMod/Lua malware scanner (v1.20)
« Reply #12 on: January 31, 2016, 05:13:21 AM »
Sorry for being late to the party -- there was a period where I gave up checking the forums due to other life commitments.

That being said, I love your work here. We always advocate people be careful with what they install on the server, and this goes a long way to help provide peace of mind for those who aren't familiar with Lua.

Now, too bad finding the legitimate addons with poor programming/security practices is much more difficult. :)

Offline JamminR

Re: Nomalua -- GMod/Lua malware scanner (v1.20)
« Reply #13 on: January 31, 2016, 10:33:59 AM »
Quote:
How do I stop it from crashing the server?
No one would be able to help you, other than saying "remove it", without more detail.
Lua errors?
What type of server are you running?
Operating system?
When does it crash? What commands? How does one replicate your issue?


Offline beeperdp

Re: Nomalua -- GMod/Lua malware scanner (v1.20)
« Reply #14 on: February 18, 2016, 03:36:11 PM »
Thanks for this, I found a backdoor right away.