How to add malware signatures to the BitNinja Malware database


If a malware sample's signature is not in our malware signature database, BitNinja cannot detect that malware. You can easily add a malware signature to the database yourself, and as soon as the signature is added, all of your servers are protected against that malware.

Once you have found the malware, you can add its signature to the BitNinja malware database in one of the ways described below.

Upload malware from the Dashboard

You can upload files from the Dashboard to generate a malware signature. Click the + Add new Malware button at the top right of the Anti-Malware / Local malware signatures menu. The signature starts in the validating state; within 5 minutes, its signature ID and the number of matching files on your servers are displayed in the Table of malware signatures.

Snippet signatures and signatures for non-PHP malware, such as JavaScript malware, cannot be added to the database from the BitNinja Dashboard. They can only be added from the BitNinja CLI.

Add signature via BitNinja CLI

  1. Issue this command:
    bitninjacli --module=MalwareDetection --create-signature --path=/path/to/file
  2. Press p to proceed with creating the signature, then press Enter.
  3. Wait for the signature to be created.
  4. Press y, then Enter, to publish the malware signature and quarantine the malware on all of your servers.

You can check the catches of the new signature with this command:
    bitninjacli --module=MalwareDetection --list-signature-catches --id=<signatureId>

Create Snippet signature

Snippet signatures can clean infected files by removing the injected code. At the moment, snippet signatures cannot be created from the Dashboard, and the Malware Detection module can only detect injected code written in PHP.

  1. Create a file that contains only the injected code.
  2. Run this command:
    bitninjacli --module=malwaredetection --create-signature --path=path/to/injected/code --non-interactive --name=Name_HERE --snippet
  3. Check that the signature has been created:
    bitninjacli --module=MalwareDetection --list-signatures --type=sa-snippet --state=ANY
    The signature should be in the validating state.
  4. Make sure that the signature does not cause false positives. Check the Infected files menu on your Dashboard; the matches should be in the "log only" state. You can also check the matches with this command:
    bitninjacli --module=MalwareDetection --list-signature-catches --id=<signatureID HERE>
  5. Publish the signature:
    bitninjacli --module=MalwareDetection --publish-signature --id=<signatureID HERE>
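As an added example (not BitNinja's own tooling), a small POSIX shell helper for step 1 above: it compares a known-clean copy of the file with the infected one and writes only the lines the infection added to a new file, then wraps the CLI commands from steps 2 and 5. It assumes a clean copy of the file is available (from a backup or the upstream package) and that bitninjacli is installed as described in this article; the sample files it builds are constructed placeholders, not real malware.

```shell
#!/bin/sh
# Added example, not part of BitNinja's tooling. Assumes a known-clean copy of
# the file exists and that bitninjacli is installed as described in this article.

# extract_injection CLEAN INFECTED OUT
# Writes to OUT only the lines of INFECTED that do not occur anywhere in CLEAN,
# in file order: the "file that contains only the injected code" step 1 asks for.
# Caveat: a line the attacker modified (rather than inserted) comes out whole,
# so review OUT by hand before turning it into a signature.
extract_injection() {
    clean="$1"; infected="$2"; out="$3"
    # -x: whole-line match, -F: fixed strings, -f: patterns from the clean file,
    # -v: keep the lines that match nothing in the clean copy. grep exits 1 when
    # it selects no lines, so the emptiness check below decides success.
    grep -vxF -f "$clean" "$infected" > "$out" || true
    [ -s "$out" ]   # nothing added means nothing to sign: return non-zero
}

# create_snippet_signature OUT NAME  (step 2: signature starts in validating,
# i.e. log-only, state; publish only after checking its catches in step 4)
create_snippet_signature() {
    bitninjacli --module=malwaredetection --create-signature \
        --path="$1" --non-interactive --name="$2" --snippet
}

# publish_signature ID  (step 5)
publish_signature() {
    bitninjacli --module=MalwareDetection --publish-signature --id="$1"
}

# Demo on constructed sample files; injected_call() is a harmless placeholder.
demo() {
    d=$(mktemp -d)
    printf '<?php\necho "hello";\n' > "$d/clean.php"
    printf '<?php\n/* constructed sample injection */ injected_call();\necho "hello";\n' \
        > "$d/infected.php"
    extract_injection "$d/clean.php" "$d/infected.php" "$d/injected.php"
    echo "Injected code written to $d/injected.php:"
    cat "$d/injected.php"
    # Only talk to BitNinja when the CLI is actually present on this host.
    if command -v bitninjacli >/dev/null 2>&1; then
        create_snippet_signature "$d/injected.php" Example_Injection
    fi
}

demo
```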

JavaScript malware signatures

JavaScript malware can be matched either by an MD5 signature or by a YARA rule. Because non-PHP malware cannot be uploaded to the BitNinja Dashboard, you must create the MD5 signature using the BitNinja CLI. We have numerous YARA rules that catch JS malware; however, we cannot automate YARA rule generation at the moment.

Unfortunately, YARA rules cannot be added to the database by users. However, our malware expert ninjas are happy to examine the JS malware and, where possible, create a YARA rule against it.

You can send JavaScript malware to this email address for our malware experts to review.

To create an MD5 signature for the JavaScript code, issue the command below:

bitninjacli --module=malwaredetection --create-signature --path=path/to/JS/malware

The CLI detects that the malware is not PHP based and creates an MD5 signature, which matches only this exact code (any change to the file, even a single byte, produces a different hash that the signature will not match).
After issuing the command, you can choose to add the signature in the published state or in the validating (log only) state.
