module Risu::Templates::MalwareTemplateHelper


# File lib/risu/base/malware_template_helper.rb, line 35
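# Appends the Conficker appendix to the report: a heading followed by a
# one-column table listing every host with a Conficker finding.
#
# Emits nothing when conficker_count is zero. A finding whose Host record
# cannot be found is still listed (by its host_id) instead of aborting the
# whole section with a NoMethodError on a nil host.
#
# NOTE(review): both `@output` and `output` are used on the table call —
# confirm they refer to the same Prawn-style document object.
def conficker_appendix_section
	return if conficker_count <= 0

	plugin = Plugin.where(:plugin_name => "Conficker Worm Detection (uncredentialed check)").first
	# conficker_count > 0 implies the plugin row exists; this only guards a race.
	return if plugin.nil?

	heading2 "Conficker Worm Infection"

	headers = ["Host"]
	findings = Item.where(:plugin_id => plugin.id)

	data = findings.map do |finding|
		host = Host.find_by_id(finding.host_id)

		if host.nil?
			# Never silently drop a finding from a security report; name it by id.
			host_string = "Unknown host (host_id #{finding.host_id})"
		else
			# Interpolation yields a fresh, mutable String for the << below.
			host_string = "#{host.name}"
			host_string << " (#{host.fqdn})" unless host.fqdn.nil?
		end

		[host_string]
	end

	@output.table([headers] + data, :header => true, :width => output.bounds.width) do
		row(0).style(:font_style => :bold, :background_color => 'cccccc')
		cells.borders = [:top, :bottom, :left, :right]
	end

	text "\n"
end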
# File lib/risu/base/malware_template_helper.rb, line 26
# Number of Item findings attached to the Conficker detection plugin.
#
# Any StandardError raised while looking the plugin up (for example when no
# plugin row matches and `.first` yields nil) is treated as "no findings",
# so the caller always receives an Integer and can use a `<= 0` guard.
def conficker_count
	plugin = Plugin.where(:plugin_name => "Conficker Worm Detection (uncredentialed check)").first
	Item.where(:plugin_id => plugin.id).count
rescue
	0
end
# File lib/risu/base/malware_template_helper.rb, line 68
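# Appends the Conficker narrative section (heading plus one paragraph that
# states how many of the report's systems were affected).
#
# Reuses the value returned by conficker_count for the paragraph instead of
# re-running the plugin/Item query unguarded, which both doubled the DB work
# and could raise NoMethodError where conficker_count would have returned 0.
def conficker_section
	count = conficker_count
	return if count <= 0

	heading2 "Conficker Worm Infection"

	text "Conficker Worm infections were found on #{count} of #{Report.title}'s computer systems. Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The systems of interest are detailed in the detailed findings report with remediation steps."

	text "\n"
end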
# File lib/risu/base/malware_template_helper.rb, line 107
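# Appends the appendix for plugin 59275 findings (the known-malicious-process
# check this helper reports on): a heading, then for each finding the host,
# the plugin description and the plugin output.
#
# Emits nothing when known_malicious_process_count is zero. A missing Plugin
# row, a missing Host row, or a nil plugin_output no longer aborts the
# section: the description/output definitions are skipped when absent and an
# unresolved host is listed by its host_id.
def known_malicious_process_appendix_section
	count = known_malicious_process_count
	return if count <= 0

	heading2(count == 1 ? "Known Malicious Process" : "Known Malicious Processes")

	findings = Item.where(:plugin_id => 59275)
	plugin = Plugin.find_by_id(59275)
	# Plugin metadata can be absent even when Item rows reference the id.
	description = plugin.description unless plugin.nil?

	findings.each do |finding|
		host = Host.find_by_id(finding.host_id)

		text "Host", :style => :bold
		if host.nil?
			# Never silently drop a finding from a security report; name it by id.
			host_string = "Unknown host (host_id #{finding.host_id})"
		else
			# Interpolation yields a fresh, mutable String for the << below.
			host_string = "#{host.name}"
			host_string << " (#{host.fqdn})" unless host.fqdn.nil?
		end
		text host_string

		# Collapse runs of spaces in the scanner-supplied description.
		definition "Description", description.gsub(/[ ]{2,}/, " ") unless description.nil?

		plugin_output = finding.plugin_output
		# Strip the scanner's attachment notice, which is meaningless in a PDF.
		definition "Plugin output", plugin_output.gsub(/Any detected files 5 MB or less are available as attachments./, "") unless plugin_output.nil?
	end

	text "\n"
end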
# File lib/risu/base/malware_template_helper.rb, line 82
# Number of Item findings for plugin 59275 (the known-malicious-process
# check this helper reports on).
#
# Any StandardError raised by the query is treated as "no findings", so the
# caller always receives an Integer and can use a `<= 0` guard.
def known_malicious_process_count
	Item.where(:plugin_id => 59275).count
rescue
	0
end
# File lib/risu/base/malware_template_helper.rb, line 91
# Appends the known-malicious-process narrative section: a level-1 heading
# (singular or plural according to the finding count) and a fixed paragraph
# pointing the reader to Appendix A.
#
# Emits nothing when known_malicious_process_count is zero.
def known_malicious_process_section
	count = known_malicious_process_count
	return if count <= 0

	# count is a positive Integer here, so the only choice is singular vs. plural.
	heading1(count == 1 ? "Known Malicious Process Detected" : "Known Malicious Processes Detected")

	text "A known malicious process was detected active on the network. This process was detected using hash binary hashing. This hash was submitted to an malware detection service that checks each hash against several different anti virus software suites. Details can be found in Appendix A."

	text "\n"
end
# File lib/risu/base/malware_template_helper.rb, line 142
# Appends every malware appendix in a fixed order: Conficker first, then the
# known-malicious-process findings. Each sub-section is a no-op when it has
# no findings, so this always emits a well-formed (possibly empty) appendix.
def malware_appendix_section
        conficker_appendix_section
        known_malicious_process_appendix_section
end
# File lib/risu/base/malware_template_helper.rb, line 136
# Appends every malware narrative section in a fixed order: Conficker first,
# then the known-malicious-process summary. Each sub-section is a no-op when
# it has no findings. Order matches malware_appendix_section so the report
# body and its appendix line up.
def malware_section
        conficker_section
        known_malicious_process_section
end