This document discusses tools for static analysis of files, including ClamAV and YARA. ClamAV is an open-source antivirus engine that uses signatures to detect malware. Signatures can include strings, hashes, and byte patterns. YARA allows for more flexible identification of malware through rules that can detect strings, regular expressions, and byte patterns. Examples of ClamAV and YARA signatures are provided.

1. Automa'c
Tool
for
Sta'c
Analysis
2014.09.27
C.K.Chen

2. Outline
• ClamAV
• YARA

3. Signature-­‐based
Analysis
• Most
of
current
an'virus
are
based
on
signatures
to
detect
malware

4. ClamAV
• ClamAV
is
an
open
source
an'virus
engine
– Fast
and
flexible
framework
for
detec'ng
malicious
code
– Write
signatures
and
scan
a
broad
range
of
content
without
wri'ng
specific
parsers

5. Func'onali'es
of
ClamAV
• detec'on
databases
in
ClamAV
– MD5
hashes
of
known
malicious
binaries
(stored
in
.hdb)
– MD5
hashes
of
PE
sec'ons
(stored
in
.mdb)
– Hexadecimal
signatures
(stored
in
.ndb)
– Archive
metadata
signatures
(stored
in
.zmd
or
.rmd)
– White
list
database
of
known
good
files
(stored
in
.fp)
– Matching
signatures
(stored
in
.ldb)
– Icon
signatures
(stored
in
.ldb)
– PE
metadata
strings
(stored
in
.ldb
or
.ndb)
– Container
metadata
(stored
in
.cdb)

6. Database
• ClamAV
signatures
exist
in
– /usr/local/share/clamav
– /usr/lib/clamav
• Database
– The
main.cld
file
contains
the
primary
base
of
signatures
– daily.cld
contains
incremental
daily
updates

7. Signature
• SigName:Target:Offset:HexadecimalSignature
• SigName
field
is
a
unique,
descrip've
name
for
your
signature
• Target
– 0
=
Any
file
type
– 1
=
Windows
PE
– 2
=
OLE
(e.g.
Office,
VBA)
– 3
=
Normalized
HTML
– 4
=
E-­‐mail
file
(e.g.
RFC822
message,
TNEF)
– 5
=
Image
files
(e.g.
jpeg,
png)
– 6
=
ELF
– 7
=
Normalized
ASCII
file
– 8
=
Unused
– 9
=
Mach-­‐O
binaries
(new
in
v0.96)

8. SigTool
• Sigtool
– -­‐-­‐hex-­‐dump:
convert
data
from
string
to
hex
– -­‐-­‐md5:
generate
md5
cheksum
in
signature
format
– -­‐-­‐mdb:
generate
.mdb
signature
– -­‐u:
Unpack
a
CVD/CLD
signature

9. XF.Sic.E
Signature
• daily.ndb:XF.Sic.E:2:*:
– 2a2a536574204f75722056616c75657320616e64
2050
– 617468732a2a??00002a2a416464204e657720576f726b626f
6f6b
– 2c20496e66642049742c205361766520497420417320426f6f
– 312e
• Detect
a
string
in
a
file
– **Set
Our
Values
and
Paths**???**Add
New
Workbook,
Infd
It,
Save
It
As
Boo1.

10. Wildcards
• ??
-­‐
Match
any
byte
• *
-­‐
Match
any
number
of
bytes.
• {n}
–
Match
n
bytes.
• {-­‐n}
–
Match
n
or
less
bytes.
• {n-­‐}
–
Match
n
or
more
bytes.
• (a|b)
–
Match
a
and
b
(you
Can
Use
More
Alternate
characters)

11. Use
Your
own
database
• clamscan
–d
<your
database>
target_file

12. Prace'ce
• Write
signature
for
file
containing
helloworld
– If
hello
world
is
in
200~300
byte
?

13. Conficker
Signature
• Unpack
database
– Sigtool
–u
main.cvd
• Grep
for
conficker

14. Byte
Signature
• ShellcodeXOR:0:*:33c966b9????80340a??
b2??eb

15. Logical
Signatures
• Recent
versions
of
ClamAV
is
capable
to
understand
complex
signatures
based
on
logical
expressions
– SigName;Target;Expression;Sig0;Sig1;….;SigN
– The
field
consists
of
a
logical
expression
where
each
signature
is
represented
by
its
index
value
– Operators
OR
(|)
and
AND
(&).
– =,<
,>
,
you
can
control
the
number
of
occurrences
of
each
signature
that
must
be
found
in
a
file
before
producing
an
alert.

16. DLL
Injec'on
Signature

17. Sec'on
Signature
• Use
sec'on
informa'on
to
construct
signature
– More
robust
than
all
file
checksum

18. MD5
Signature
• sigtool
–md5
test.exe
>
test.hdb
• Cat
to
see
signature
format

19. Type
of
Database

20. Prac'ce
• Develop
signature
for
bot.exe
– String
– MD5
– Hash
of
Sec'on
– Else
…..

21. Yara
• Flexible
iden'fica'on
and
classifica'on
engine
– rules
that
detect
strings,
instruc'on
sequences,
regular
expressions,
byte
paxerns,
and
so
on
– scan
files
using
the
command-­‐line
u'lity
– C
or
Python
tools
with
YARA’s
API

22. What
yara
signature
looks
like?
• Clam
AV
signature
• Yara
Signature

23. The
other
example
•
Any
file
contain
$a
or
$b
or
$is
recognize
as
silent_banker

24. Reserva'on
Words

25. Condi'on
Sec'on
• Condi'on
block
must
be
exists

26. Prac'ce
• rule
dummy
{
condi'on:
true
}
• yara
my_rule
any_file

27. String
Sec'on
• The
strings
defini'on
sec'on
can
be
omixed
if
the
rule
doesn’t
rely
on
any
string
• The
strings
defini'on
sec'on
is
where
the
strings
that
will
be
part
of
the
rule
are
defined.
• Each
string
has
an
iden'fier
consis'ng
in
a
$

28. Regular
expressions
• Regular
expression
is
supported

29. String
offsets
or
virtual
addresse
• We
are
willing
to
know
if
the
associated
string
is
anywhere
within
the
file
or
process
memory

30. Executable
entry
poin
• If
file
is
a
Portable
Executable
(PE)
or
Executable
and
Linkable
Format
(ELF),
this
variable
holds
the
raw
offset
of
the
exectutable’s
entry
point
• If
we
are
scanning
a
running
process
entrypoint
will
hold
the
virtual
address
of
the
main
executable’s
entry
point.
• A
typical
use
of
this
variable
is
to
look
for
some
paxern
at
the
entry
point
to
detect
packers
or
simple
file
infectors

31. VM
Detect
Rule
•

32. Compa'ble
• ClamAV
to
yara
• Peid
to
yara

33. Prace'ce
• Write
the
rule
for
bot.exe