Intro to Mal4s video (transcript) - secure411dotorg/mal4s GitHub Wiki

Mal4s is a data visualization program designed to make it easy to see clusters of related internet resources.

The basic idea behind Mal4s is to bring data in, display it in a way that makes it easy for people to see, provide clarifying details about each item using the Mal4s interface to examine or select certain data, and then take action and share that data outward. In the Mal4s configuration files, you can define any external program that you would like to have handle the items you select. You can also sort them into different buckets. For example, a few of the ways that I’m using Mal4s include pressing F7 to automatically create a DNS firewall rule. You can assign different keys to different types of rule creation. You can also click on one of these items (DING!) and bring up a ZoneCruncher page pertaining to that item. And again, you can define any browser command that you prefer. A handy feature that we’ve added to Mal4s is that when hovering the mouse over an item you can press "c" to copy all of the details about that item, and then you can paste the text into another window, such as an email, sharing what you’ve found with others.

Once you’ve formatted your data for use with Mal4s, you can do things like “Show me today’s data for a particular country” (screen shows: `$ ./mal4s-searcher.sh "Colombia"`). In this case, I’m looking at one country, Colombia, and you can see a few supposedly different actors creating new nameserver hosts. Yet Mal4s reveals to us that they’re all using tightly clustered resources.

So how do you get data to try with Mal4s? Visit the Dissectcyber.com website. We keep some sample files for Mal4s users. Go to this page: dissectcyber.com/mal4s, and you can get sample files for each of these global regions: ARIN, RIPE, LACNIC, AFRINIC, and APNIC. Here you see what the finished diagram would look like for today for this region (RIPE). You can also click the “View in Mal4s” link to run Mal4s for yourself with this dataset. To have Mal4s files open automatically from your browser, follow the steps in the Mal4s wiki here: (secure411dotorg/mal4s on github.com). The other way to get your data in, of course, is to format it in this plain text format. If you don’t like playing with this much textual data yourself, you’re probably just the kind of person that would love Mal4s. We’re creating a service for you where you can paste in or upload your own list of domain names and we’ll send back to you a Mal4s-formatted file with all the attendant data.

You might be wondering what type of data can be used with Mal4s. So far we’ve shown you internet hosts. Mal4s can also be used with all types of data where you want to see clustering. Some examples include: searching for clusters of related fraudulent purchase activity, vetting new customers, and detecting malicious activity on a mobile network. Mal4s is free and open source. Along with the installation, we’ve included two additional types of configuration files which we’ve been using with packet captures (pcaps). These files are designed to present the data for HTTP traffic and DNS resolver traffic from packet captures. We’ll soon offer a service where you can upload a pcap and get back the Mal4s files representing the DNS and HTTP traffic.

To get started with Mal4s, visit the installation page: github.com/secure411dotorg/mal4s/wiki