Module: Risu::Templates::MalwareTemplateHelper

Included in:
TemplateHelper
Defined in:
lib/risu/base/malware_template_helper.rb


Instance Method Details

#conficker_appendix_section ⇒ Object



# File 'lib/risu/base/malware_template_helper.rb', line 35

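# Appendix table listing every host flagged by the Nessus
# "Conficker Worm Detection (uncredentialed check)" plugin.
# Emits nothing when there are no such findings.
#
# @return [void]
def conficker_appendix_section
	return if conficker_count <= 0

	plugin = Plugin.where(:plugin_name => "Conficker Worm Detection (uncredentialed check)").first
	# conficker_count > 0 normally implies the Plugin row exists, but never
	# dereference a nil result (the original would raise NoMethodError here).
	return if plugin.nil?

	heading2 "Conficker Worm Infection"

	headers = ["Host"]
	data = []

	Item.where(:plugin_id => plugin.id).each do |finding|
		host = Host.find_by_id(finding.host_id)
		# An Item whose Host row is missing would otherwise abort the whole
		# report with NoMethodError; skip it instead.
		next if host.nil?

		host_string = "#{host.name}"
		host_string << " (#{host.fqdn})" unless host.fqdn.nil?

		data << [host_string]
	end

	# NOTE(review): host names/FQDNs are scanner-supplied. The table is built
	# without :inline_format, so Prawn should treat any markup in them as
	# literal text -- confirm if inline formatting is ever enabled here.
	@output.table([headers] + data, :header => true, :width => output.bounds.width) do
		row(0).style(:font_style => :bold, :background_color => 'cccccc')
		cells.borders = [:top, :bottom, :left, :right]
	end

	text "\n"
end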

#conficker_count ⇒ Object



# File 'lib/risu/base/malware_template_helper.rb', line 26

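# Number of findings produced by the Nessus "Conficker Worm Detection
# (uncredentialed check)" plugin in the report database.
#
# @return [Integer] the finding count; 0 when the plugin was never imported
#   (no Plugin row) or the query fails
def conficker_count
	plugin = Plugin.where(:plugin_name => "Conficker Worm Detection (uncredentialed check)").first

	# Make the "plugin not present" case explicit. The original reached the
	# same result only by rescuing the NoMethodError raised by `nil.id`,
	# which also hid every other error.
	return 0 if plugin.nil?

	Item.where(:plugin_id => plugin.id).count
rescue StandardError
	# Best effort: a database error hides the Conficker section instead of
	# aborting the whole report, matching the original behaviour.
	0
end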

#conficker_section ⇒ Object



# File 'lib/risu/base/malware_template_helper.rb', line 68

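# Summary paragraph describing the Conficker findings for the report.
# Emits nothing when there are none.
#
# @return [void]
def conficker_section
	count = conficker_count
	return if count <= 0

	# The original re-ran the same plugin/item query a second time and
	# shadowed the helper with a local of the same name; reuse its result.
	heading2 "Conficker Worm Infection"

	text "Conficker Worm infections were found on #{count} of #{Report.title}'s computer systems. Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The systems of interest are detailed in the detailed findings report with remediation steps."

	text "\n"
end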

#known_malicious_process_appendix_section ⇒ Object



# File 'lib/risu/base/malware_template_helper.rb', line 107

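# Appendix entries for every host flagged by Nessus plugin 59275 (the
# malicious process detection check this helper reports on): the host
# label, the plugin description and the per-host plugin output.
# Emits nothing when there are no findings.
#
# @return [void]
def known_malicious_process_appendix_section
	count = known_malicious_process_count
	return if count <= 0

	heading2(count == 1 ? "Known Malicious Process" : "Known Malicious Processes")

	plugin = Plugin.find_by_id(59275)
	# The description is the same for every finding; normalise it once and
	# tolerate a missing Plugin row (the original raised NoMethodError on nil).
	description = plugin.description.gsub(/[ ]{2,}/, " ") unless plugin.nil? || plugin.description.nil?

	Item.where(:plugin_id => 59275).each do |finding|
		host = Host.find_by_id(finding.host_id)
		# Skip findings whose Host row is missing instead of aborting the report.
		next if host.nil?

		text "Host", :style => :bold
		host_string = "#{host.name}"
		host_string << " (#{host.fqdn})" unless host.fqdn.nil?
		text host_string

		definition "Description", description unless description.nil?

		# plugin_output is scanner-supplied and may be absent for a finding;
		# the original called gsub on it unconditionally.
		unless finding.plugin_output.nil?
			definition "Plugin output", finding.plugin_output.gsub(/Any detected files 5 MB or less are available as attachments./, "")
		end
	end

	text "\n"
end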

#known_malicious_process_count ⇒ Object



# File 'lib/risu/base/malware_template_helper.rb', line 82

# Number of findings from Nessus plugin 59275 (the malicious process
# detection check this helper reports on).
#
# @return [Integer] the finding count; 0 if the query raises
def known_malicious_process_count
	Item.where(:plugin_id => 59275).count
rescue
	# Best effort: a failed query hides the section rather than aborting
	# report generation.
	0
end

#known_malicious_process_section ⇒ Object



# File 'lib/risu/base/malware_template_helper.rb', line 91

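# Summary paragraph for the malicious process findings (Nessus plugin
# 59275). Emits nothing when there are none.
#
# @return [void]
def known_malicious_process_section
	count = known_malicious_process_count
	return if count <= 0

	# NOTE(review): this section uses heading1 while conficker_section uses
	# heading2; kept as-is since the intended report outline is not visible here.
	heading1(count == 1 ? "Known Malicious Process Detected" : "Known Malicious Processes Detected")

	# The original wording ("hash binary hashing", "an malware") was garbled
	# and always singular; the summary now agrees with the finding count.
	lead = count == 1 ? "A known malicious process was" : "#{count} known malicious processes were"
	text "#{lead} detected active on the network. Each process was identified by hashing its binary and submitting the hash to a malware detection service that checks it against several different anti-virus engines. Details can be found in Appendix A."

	text "\n"
end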

#malware_appendix_section ⇒ Object



# File 'lib/risu/base/malware_template_helper.rb', line 142

# Renders the malware-related appendix material, in order: the Conficker
# host table, then the malicious process entries. Each sub-section
# is a no-op when it has no findings.
#
# @return [void]
def malware_appendix_section
	conficker_appendix_section()
	known_malicious_process_appendix_section()
end

#malware_section ⇒ Object



# File 'lib/risu/base/malware_template_helper.rb', line 136

# Renders the malware summary sections, in order: Conficker, then known
# malicious processes. Each sub-section is a no-op when it has no findings.
#
# @return [void]
def malware_section
	conficker_section()
	known_malicious_process_section()
end