binsnitch: Detect silent (unwanted) changes to files on your system
binsnitch can be used to detect silent unwanted changes to files on your system. It will scan a given directory recursively for files and keep track of any changes it detects, based on the SHA256 hash of the file. You have the option to either track executable files or all files.
How it works
Once binsnitch.py is running, it will scan all files in dir (provided through a required command line argument) recursively, and create a SHA256 hash of each file it finds. It then does the following:
- If a file is not known yet by binsnitch.py, its details will be added to binsnitch_data/db.json (file name, file type and hash).
- If a file is already known but the calculated hash is different from the one in binsnitch_data/db.json, an alert will be logged to data/alert.log. In addition, the new hash will be added to the appropriate entry in binsnitch_data/db.json.
- If a file is already known and the hash is identical to the one already in binsnitch_data/alert.log, nothing happens.
Malware will often settle itself by overwriting existing executable applications in order to avoid detection. Recent malware cases (May 2017) do this, including HandBrake being hacked to drop new variant of the Proton malware and the WannaCry ransomware overwriting C:\WINDOWS\system32\tasksche.exe. This triggered us to write a simple tool that could be used to detect this.
binsnitch can also be used during malware analysis, to detect silent changes to files (i.e. replacement of a trusted Windows executable by a trojaned version).
git clone https://github.com/NVISO-BE/binsnitch.git
Running and usage
Example: monitor all executable files on the system and enable verbose logging
python3.5 binsnitch.py -v /
Example: monitor all files in the current directory and enable verbose logging
python3.5 binsnitch.py -v -a .
Checking if a file is executable is done by checking it against a fixed list of dangerous file extensions (check binsnitch.py source for details).
In its current version, binsnitch.py eats up a lot of CPU. This is caused by the recursive walk through the filesystem and the calculation of SHA256 hashes for each and every file it encounters.
binsnitch is developed and maintained by Daan Raman (@daanraman).