
Automatic tool for static analysis

How to use ClamAV and Yara


  1. Automatic Tool for Static Analysis, 2014.09.27, C.K.Chen
  2. Outline • ClamAV • YARA
  3. Signature-based Analysis • Most current antivirus engines rely on signatures to detect malware
  4. ClamAV • ClamAV is an open source antivirus engine – Fast and flexible framework for detecting malicious code – Write signatures and scan a broad range of content without writing format-specific parsers
  5. Functionalities of ClamAV • Detection databases in ClamAV – MD5 hashes of known malicious binaries (stored in .hdb) – MD5 hashes of PE sections (stored in .mdb) – Hexadecimal signatures (stored in .ndb) – Archive metadata signatures (stored in .zmd or .rmd) – Whitelist database of known good files (stored in .fp) – Matching (logical) signatures (stored in .ldb) – Icon signatures (stored in .ldb) – PE metadata strings (stored in .ldb or .ndb) – Container metadata (stored in .cdb)
  6. Database • ClamAV signatures live in – /usr/local/share/clamav – /usr/lib/clamav • Database files – main.cld contains the primary base of signatures – daily.cld contains the incremental daily updates
  7. Signature • SigName:Target:Offset:HexadecimalSignature • SigName is a unique, descriptive name for your signature • Target – 0 = Any file type – 1 = Windows PE – 2 = OLE (e.g. Office, VBA) – 3 = Normalized HTML – 4 = E-mail file (e.g. RFC822 message, TNEF) – 5 = Image files (e.g. jpeg, png) – 6 = ELF – 7 = Normalized ASCII file – 8 = Unused – 9 = Mach-O binaries (new in v0.96)
  8. SigTool • sigtool – --hex-dump: convert data from string to hex – --md5: generate an MD5 checksum in signature format – --mdb: generate an .mdb signature – -u: unpack a CVD/CLD signature database
  9. XF.Sic.E Signature • daily.ndb: XF.Sic.E:2:*:2a2a536574204f75722056616c75657320616e642050617468732a2a??00002a2a416464204e657720576f726b626f6f6b2c20496e66642049742c205361766520497420417320426f6f312e • Detects a string in a file – **Set Our Values and Paths**???**Add New Workbook, Infd It, Save It As Boo1.
  10. Wildcards • ?? – Match any byte • * – Match any number of bytes • {n} – Match exactly n bytes • {-n} – Match n or fewer bytes • {n-} – Match n or more bytes • (a|b) – Match a or b (more alternatives can be listed)
  11. Use Your Own Database • clamscan -d <your database> target_file
  12. Practice • Write a signature for a file containing helloworld – What if "hello world" sits somewhere in bytes 200~300?
  13. Conficker Signature • Unpack the database – sigtool -u main.cvd • Grep for conficker
  14. Byte Signature • ShellcodeXOR:0:*:33c966b9????80340a??b2??eb
  15. Logical Signatures • Recent versions of ClamAV understand complex signatures based on logical expressions – SigName;Target;Expression;Sig0;Sig1;…;SigN – The Expression field is a logical expression in which each subsignature is represented by its index – Operators OR (|) and AND (&) – With =, < and > you can control how many occurrences of each subsignature must be found in a file before an alert is raised
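As an added worked example (not ClamAV's own code), the following Python reproduces what slides 7, 9, 10, 12 and 14 describe for .ndb signatures (the SigName:Target:Offset:Hex layout, the ?? / * / {n} / {-n} / {n-} / (a|b) wildcards and the Offset field, including the "somewhere in bytes 200~300" practice) and what this slide describes for .ldb logical signatures. The hex body is translated into a Python regex; that translation, the handling of the Offset field as `*`, `n`, `n,m` and `EOF-n`, and the rule that a parenthesised group's occurrence count is the sum of its members' counts are my simplifications of the engine, not its exact semantics. The sample bytes are constructed here and are not malware.

```python
import re

# Translate the hex body of a ClamAV .ndb signature into a Python bytes regex.
# Wildcards as on the slides: ?? any byte, * any run of bytes, {n} / {n-} /
# {-n} / {n-m} byte-count jumps, (a|b) alternation of hex bytes.
def hexsig_to_regex(body: str) -> bytes:
    out, i = [], 0
    while i < len(body):
        c = body[i]
        if body.startswith("??", i):
            out.append(b"."); i += 2
        elif c == "*":
            out.append(b".*?"); i += 1
        elif c == "{":
            j = body.index("}", i)
            lo, dash, hi = body[i + 1:j].partition("-")
            if dash:   # open or bounded range of bytes
                out.append(b".{%s,%s}" % (lo.encode() or b"0", hi.encode()))
            else:      # exactly n bytes
                out.append(b".{%d}" % int(lo))
            i = j + 1
        elif c in "(|)":
            out.append({"(": b"(?:", "|": b"|", ")": b")"}[c]); i += 1
        else:          # a literal hex byte
            out.append(re.escape(bytes([int(body[i:i + 2], 16)]))); i += 2
    return b"".join(out)

def parse_ndb(line: str):
    """SigName:Target:Offset:HexSignature (any trailing engine fields ignored)."""
    name, target, offset, body = line.strip().split(":")[:4]
    return name, int(target), offset, re.compile(hexsig_to_regex(body), re.DOTALL)

def count_matches(pattern, offset: str, data: bytes) -> int:
    """Honour the Offset field: '*' anywhere, 'n' exactly at byte n,
    'n,m' anywhere from n to n+m, 'EOF-n' n bytes before the end."""
    if offset == "*":
        return sum(1 for _ in pattern.finditer(data))
    if offset.startswith("EOF-"):
        starts = [len(data) - int(offset[4:])]
    else:
        base, _, shift = offset.partition(",")
        starts = range(int(base), int(base) + int(shift or 0) + 1)
    return sum(1 for s in starts if 0 <= s <= len(data) and pattern.match(data, s))

def scan_ndb(line: str, data: bytes):
    """Return the signature name if it hits the data, else None."""
    name, _target, offset, pattern = parse_ndb(line)
    return name if count_matches(pattern, offset, data) else None

def parse_ldb(line: str):
    """SigName;TargetDescription;Expression;Sig0;Sig1;...;SigN"""
    name, _target_desc, expression, *subsigs = line.strip().split(";")
    return name, expression, [re.compile(hexsig_to_regex(s), re.DOTALL) for s in subsigs]

def eval_logical(expression: str, counts) -> bool:
    """Evaluate an .ldb expression over per-subsignature match counts.
    '&' and '|' combine booleans; '=n', '>n', '<n' compare the count of an
    index or of a parenthesised group (group count = sum of member counts,
    a simplification of ClamAV's semantics)."""
    pos = 0

    def peek():
        return expression[pos] if pos < len(expression) else ""

    def number():
        nonlocal pos
        j = pos
        while j < len(expression) and expression[j].isdigit():
            j += 1
        val, pos = int(expression[pos:j]), j
        return val

    def primary():
        nonlocal pos
        if peek() == "(":
            pos += 1
            ok, n = expr()
            pos += 1                      # consume ')'
        else:
            n = counts[number()]
            ok = n > 0
        if peek() in ("=", ">", "<"):
            op = expression[pos]
            pos += 1
            k = number()
            ok = {"=": n == k, ">": n > k, "<": n < k}[op]
        return ok, n

    def expr():
        nonlocal pos
        ok, n = primary()
        while peek() in ("&", "|"):
            op = expression[pos]
            pos += 1
            ok2, n2 = primary()
            ok = (ok and ok2) if op == "&" else (ok or ok2)
            n += n2
        return ok, n

    return expr()[0]

def scan_ldb(line: str, data: bytes):
    name, expression, subsigs = parse_ldb(line)
    counts = [len(p.findall(data)) for p in subsigs]
    return name if eval_logical(expression, counts) else None

# Constructed sample (not real malware): "helloworld" placed at byte 250, then
# the XF.Sic.E string from slide 9 with 0x41 in the ?? position.
SIC_E = ("XF.Sic.E:2:*:2a2a536574204f75722056616c75657320616e642050617468732a2a"
         "??00002a2a416464204e657720576f726b626f6f6b2c20496e66642049742c20536176"
         "6520497420417320426f6f312e")
SAMPLE = (b"\x00" * 250 + b"helloworld" + b"\x00" * 40
          + b"**Set Our Values and Paths**A\x00\x00"
          + b"**Add New Workbook, Infd It, Save It As Boo1.")

if __name__ == "__main__":
    print(scan_ndb(SIC_E, SAMPLE))
    print(scan_ndb("HelloWorld.Ranged:0:200,100:68656c6c6f776f726c64", SAMPLE))
    print(scan_ldb("Demo.Ldb;Target:0;(0&1)=2;68656c6c6f776f726c64;426f6f312e", SAMPLE))
```

The practice from slide 12 becomes the `200,100` offset (match anywhere from byte 200 to byte 300); the same signature with a bare offset of `100` misses, which is the point of the offset field: it narrows where the engine looks and so reduces both scan cost and false positives.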
  16. DLL Injection Signature
  17. Section Signature • Use section information to construct the signature – More robust than a whole-file checksum
  18. MD5 Signature • sigtool --md5 test.exe > test.hdb • cat the file to see the signature format
  19. Types of Database
  20. Practice • Develop signatures for bot.exe – String – MD5 – Hash of a section – Else …
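As an added Python example (not part of the slides or of ClamAV), this shows the MD5 database format from slides 5 and 18: `sigtool --md5` prints one `MD5:FileSize:Name` line per file, and the whitelist (.fp) uses the same layout. The scanner below consults the whitelist first, so a known-good file is never reported even if an .hdb entry also matches its hash. Treating `*` as a wildcard for the size field is an assumption about newer engine versions; the sample bytes are constructed.

```python
import hashlib

def hdb_line(data: bytes, name: str) -> str:
    """Build the .hdb/.fp record for a file: MD5:FileSize:Name."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"

def load_hash_db(text: str) -> dict:
    """Parse .hdb/.fp text into {(md5, size): name}; blank and '#' lines skipped."""
    db = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        md5, size, name = line.split(":", 2)
        db[(md5.lower(), size)] = name
    return db

def scan_with_hash_dbs(data: bytes, hdb: dict, fp: dict):
    """Return the name of the .hdb entry that hits, or None.
    The whitelist (.fp) is checked first and overrides any .hdb hit.
    A size of '*' is treated as 'any size' (assumption about newer engines)."""
    digest = hashlib.md5(data).hexdigest()
    keys = ((digest, str(len(data))), (digest, "*"))
    if any(k in fp for k in keys):
        return None
    for k in keys:
        if k in hdb:
            return hdb[k]
    return None

if __name__ == "__main__":
    # Constructed sample: sign a small file, then scan it with and without a whitelist.
    sample = b"hello world"
    hdb = load_hash_db(hdb_line(sample, "Test.Sample"))
    print(hdb_line(sample, "Test.Sample"))
    print(scan_with_hash_dbs(sample, hdb, {}))
    print(scan_with_hash_dbs(sample, hdb, load_hash_db(hdb_line(sample, "KnownGood"))))
```

A single flipped byte changes the digest and the size check, which is why the slides recommend section hashes (.mdb) over whole-file hashes when the goal is a signature that survives trivial repacking.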
  21. YARA • Flexible identification and classification engine – Rules that detect strings, instruction sequences, regular expressions, byte patterns, and so on – Scan files with the command-line utility – Build C or Python tools on YARA's API
  22. What does a YARA signature look like? • ClamAV signature • YARA signature
  23. The other example • Any file containing $a, $b or $c is recognized as silent_banker
  24. Reserved Words
  25. Condition Section • A condition block must exist
  26. Practice • rule dummy { condition: true } • yara my_rule any_file
  27. String Section • The strings definition section can be omitted if the rule doesn't rely on any string • The strings definition section is where the strings that will be part of the rule are defined • Each string has an identifier consisting of a $
  28. Regular Expressions • Regular expressions are supported
  29. String offsets or virtual addresses • Usually we want to know whether the associated string is anywhere within the file or process memory
  30. Executable entry point • If the file is a Portable Executable (PE) or Executable and Linkable Format (ELF), this variable holds the raw offset of the executable's entry point • If we are scanning a running process, entrypoint holds the virtual address of the main executable's entry point • A typical use of this variable is to look for some pattern at the entry point to detect packers or simple file infectors
  31. VM Detect Rule
  32. Compatible • ClamAV to YARA • PEiD to YARA
  33. Practice • Write the rule for bot.exe
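The ClamAV-to-YARA direction on this slide, as an added Python example written here (it is not YARA's own clamav_to_yara converter and not code from the slides). It takes an .ndb line in the layout of slide 7, rewrites the wildcards of slide 10 into YARA hex-string syntax (`*` becomes `[-]`, `{n}`, `{-n}`, `{n-}` and `{n-m}` become `[n]`, `[-n]`, `[n-]`, `[n-m]`, while `??` and `(a|b)` keep their spelling), turns the Offset field into an `at` / `in` condition, and maps Target 1 and 6 onto the usual magic-number checks. Stripping a leading or trailing `*` is deliberate: YARA rejects a jump at either end of a hex string. The mapping of ClamAV targets other than PE and ELF is left out, which is an assumption about what the rule should check rather than engine behaviour.

```python
import re

# Target field -> YARA magic check on the first bytes (only PE and ELF mapped).
TARGET_CONDITIONS = {
    1: "uint16(0) == 0x5A4D",       # Windows PE: 'MZ'
    6: "uint32(0) == 0x464C457F",   # ELF: 0x7F 'E' 'L' 'F'
}

def hexbody_to_yara(body: str) -> str:
    """Rewrite ClamAV wildcards as YARA hex-string syntax, one token per space."""
    conv = body.strip("*")                        # no jump allowed at either end
    conv = conv.replace("*", "[-]")
    conv = re.sub(r"\{([^}]*)\}", r"[\1]", conv)  # {n} {-n} {n-} {n-m} -> [..]
    tokens = re.findall(r"\[[^\]]*\]|\(|\)|\||\?\?|[0-9a-fA-F]{2}", conv)
    return " ".join(tokens)

def offset_to_condition(offset: str, ident: str = "$a") -> str:
    """'*' -> $a, 'n' -> $a at n, 'n,m' -> $a in (n..n+m), 'EOF-n' -> $a at filesize - n."""
    if offset == "*":
        return ident
    if offset.startswith("EOF-"):
        return f"{ident} at filesize - {int(offset[4:])}"
    base, _, shift = offset.partition(",")
    if shift:
        return f"{ident} in ({int(base)}..{int(base) + int(shift)})"
    return f"{ident} at {int(base)}"

def ndb_to_yara(line: str) -> str:
    """Convert one SigName:Target:Offset:Hex line into the text of a YARA rule."""
    name, target, offset, body = line.strip().split(":")[:4]
    rule_name = re.sub(r"\W", "_", name)          # YARA identifiers: [A-Za-z0-9_]
    conditions = [offset_to_condition(offset)]
    magic = TARGET_CONDITIONS.get(int(target))
    if magic:
        conditions.insert(0, magic)
    return (
        f"rule {rule_name}\n"
        "{\n"
        "    meta:\n"
        f"        source = \"converted from ClamAV ndb: {name}\"\n"
        "    strings:\n"
        f"        $a = {{ {hexbody_to_yara(body)} }}\n"
        "    condition:\n"
        f"        {' and '.join(conditions)}\n"
        "}\n"
    )

if __name__ == "__main__":
    # The byte signature from slide 14 and a constructed ranged-offset PE rule.
    print(ndb_to_yara("ShellcodeXOR:0:*:33c966b9????80340a??b2??eb"))
    print(ndb_to_yara("HelloWorld.Ranged:1:200,100:68656c6c6f776f726c64"))
```

The generated text can be handed to the `yara` command-line utility from slide 26 or compiled through yara-python; the magic check in the condition is what replaces ClamAV's Target field, since YARA has no file-type targeting of its own.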
