The first time you sign into developerWorks, a profile is created for you. Select information in your profile (name, country/region, and company) is displayed to the public and will accompany any content you post. You may update your IBM account at any time.

All information submitted is secure.

The first time you sign in to developerWorks, a profile is created for you, so you need to choose a display name. Your display name accompanies the content you post on developerworks.

Please choose a display name between 3-31 characters. Your display name must be unique in the developerWorks community and should not be your email address for privacy reasons.

All information submitted is secure.

My developerWorks:

My notifications:

Sign out

Select a language:

Malware Scanner extension for IBM Rational AppScan

Summary: The Malware Scanner extension analyzes the pages and links discovered by IBM Rational AppScan to determine whether they appear to be malicious or otherwise unwanted.

Date: 21 Apr 2009

Activity: 3087 views
Comments:

Get the download

The Malware Scanner extension analyzes the pages and links discovered by IBM Rational AppScan to determine whether they appear to be malicious or otherwise unwanted.

System requirements

Rational AppScan v7.8 or later

Background

Malicious software (known as malware) is a big and rapidly growing problem. Today, it is primarily delivered through Web applications, either through malicious content that exploits client-side vulnerabilities (such as security holes in the browser, image rendering services, or Microsoft® ActiveX® controls) or by "socially engineering" (tricking) users into downloading software that contains hidden, malicious code.

To make things worse, 70% or more of malware is served or linked from legitimate sites. These applications have been compromised through 0-day vulnerabilities, user-posted content and links, internal attackers, or through many other possible ways and are now attacking computers of those who browse them.

This means that even security-conscious users can easily be attacked and compromised, and it also means that all Web site owners must ensure that their applications are not inadvertently serving or linking to malware. Failing to do so may lead to brand damage, loss of customer trust, legal problems, and more.

The Malware Scanner helps you verify that your application is not hosting or linking to malware. The extension couples the deep-scanning capabilities of IBM Rational AppScan with ISS X-Force technology that is used to identify malicious content and links.

What it does

The Malware Scanner checks these conditions:

Files hosted on your application are malicious or not
Files that are "one click" away from your application are malicious or not
Links on your site lead to malicious domains (malware sites or phishing sites, for example)
Links on your site lead to unwanted content (illegal sites, hate sites, adult content, and so forth).

How it works

The Malware Scanner works in two phases:

It passes all of the visited links through the ISS Virus Prevention System (VPS) engine, to determine whether they are malicious or not. This is similar to browsing every page in your application, including clicking every button and downloading every file, using a machine with updated antivirus software.
It passes all of the links that lead to external domains through the ISS WebFilter SDK. This SDK then fetches the classification of each link (news site, porn site, malware site, illegal site, and so forth), based on the constantly updated online classification database. Links that are deemed malicious or unwanted are flagged for your attention.

When something needs to be brought to your attention, a security issue is created in Rational AppScan so that you can benefit from the strength of Rational AppScan results management capabilities, such as creating reports, saving and loading scans, and so forth.

How to run the scanner

After installing the Malware Scanner extension, a new Scan for Malware item will appear on the toolbar, as Figure 1 shows.

Figure 1. Item added to the toolbar
Image of toolbar with Scan for Malware highlighted

After exploring an application, just click the Scan for Malware button, and a dialog box will appear.

Note:
You can experiment by scanning this demo site:

http://demo.testfire.net/default.aspx?content=../malware/malware.htm

This demo site does not actually serve malicious content, but rather a file called Eicar, which is an antivirus test file and causes no harm.

Optionally you can open the configuration dialog through File > Configuration to tune the scanner's behavior within these areas as Figure 2 shows:

Content analysis
Link analysis
Malicious categories
Unwanted categories

All configuration changes will persist for future scans, as well.

Figure 2. Configuration options
Malware Scanning Configuration dialog box

Run the scan simply by clicking the Play button.

The scanner analyzes the content and links and displays a log of actions during the scan (see Figure 3). You can click the Pause icon to stop the scan at any time and then click it again to resume when you are ready.

Figure 3. Screen output of log actions and scan progress indicator
Image showing log actions and scan progress

All problems found during the scan are reported in Rational AppScan in order of severity, along with detailed Advisory, Fix Recommendation, and Issue Information tabs.

Figure 4. AppScan report

Recommendations and known issues

At the end of a scan, the Malware Scanner will save the scan file to a temporary location and reload it. This can be turned off in the configuration, but doing so might result in some inaccurate content in the Issue Information tab.
When you check the Analyzer External Links option, remember these limitations:
- The pages will be retrieved using the proxy configuration setup in the local Internet Explorer rather than the AppScan scan configuration
- Scanning of external SSL pages is not currently supported.
Direct (no proxy) Internet connectivity is required to perform the link analysis.
Because the Malware Scanner does not require access to the scanned application, a workaround for this limitation is to save the scan, load it in a machine that has Internet connectivity, and then scan for malware.
The Request/Response tab "Test" data shows some irrelevant data. That tab is not really needed for this type of testing, so it can be ignored.
Links that are not recognized by the ISS WebFilter are flagged as Low Severity issues, because the Malware Scanner cannot verify that they are benign, and malicious links often use short-lived domains. These links should be manually verified by domain. If the domain is known and trusted, simply mark all of the links to it as noise.
Given that the analysis will be performed only on links that were actually explored (and possibly links from the application), it is sometimes useful to modify the default exclusions in AppScan. For instance, if you'd like to analyze images in your application, be sure to remove the related file extension exclusions for those images in the Scan Configuration.

Installation

Download the Malware Scanner extension zipped package (see Downloads).
Launch Rational AppScan, and select Tools > Extensions > Extension Manager.
Choose Install, and then click the zipped file.

Support

Please post any questions, feedback, or other comments to the Rational AppScan Forum.

Download

Description	Name	Size	Download method
eXtension	MalwareScannerExtension-v1.0.zip	6830KB	HTTP

Information about download methods

Resources

Learn

In the Rational AppScan area on developerWorks, get the resources you need to advance your skills in the testing arena.

Get products and technologies

Download trial versions of IBM Rational software.
Download IBM product evaluation versions and get your hands on application development tools and middleware products from DB2®, Lotus®, Rational®, Tivoli®, and WebSphere®.

Discuss