4. ClamAV
• ClamAV is an open source antivirus engine
– Fast and flexible framework for detecting malicious code
– Write signatures and scan a broad range of content without writing specific parsers
5. Functionalities of ClamAV
• Detection databases in ClamAV
– MD5 hashes of known malicious binaries (stored in .hdb)
– MD5 hashes of PE sections (stored in .mdb)
– Hexadecimal signatures (stored in .ndb)
– Archive metadata signatures (stored in .zmd or .rmd)
– White list database of known good files (stored in .fp, same format as .hdb)
– Logical signatures (stored in .ldb)
– Icon signatures (stored in .idb)
– PE metadata strings (stored in .ldb or .ndb)
– Container metadata (stored in .cdb)
• Newer releases also accept SHA1 and SHA256 hashes in the .hdb/.mdb formats; clamscan selects the parser by the file extension, so keep the extensions exact
6. Database
• ClamAV signatures exist in (exact path depends on the build and distribution)
– /usr/local/share/clamav
– /usr/lib/clamav
• Database
– The main.cld file contains the primary base of signatures
– daily.cld contains incremental daily updates
– Databases are downloaded as signed .cvd archives; once freshclam has applied incremental (.cdiff) updates, the result is kept locally as .cld. Both are compressed, so unpack them with sigtool -u before reading the signatures
7. Signature
• SigName:Target:Offset:HexadecimalSignature
• SigName field is a unique, descriptive name for your signature
• Offset is * (anywhere), an absolute byte offset n, or a relative form such as EOF-n or EP+n (entry point); n,m allows a shift of up to m bytes after offset n
• Target
– 0 = Any file type
– 1 = Windows PE
– 2 = OLE2 (e.g. Office, VBA)
– 3 = Normalized HTML
– 4 = E-mail file (e.g. RFC822 message, TNEF)
– 5 = Image files (e.g. jpeg, png)
– 6 = ELF
– 7 = Normalized ASCII file
– 8 = Unused
– 9 = Mach-O binaries (new in v0.96)
8. SigTool
• sigtool
– --hex-dump: convert data read from stdin into a hex string suitable for a signature
– --md5: generate an MD5 checksum of a file in .hdb signature format (MD5:FileSize:Name)
– --mdb: generate .mdb (PE section hash) signatures for a file
– -u: unpack a CVD/CLD signature database into its plain-text .ndb/.hdb/.ldb files
9. XF.Sic.E Signature
• daily.ndb:XF.Sic.E:2:*: (the daily.ndb: prefix is the grep output file name; the signature itself starts at XF.Sic.E)
– 2a2a536574204f75722056616c75657320616e642050617468732a2a??00002a2a416464204e657720576f726b626f6f6b2c20496e66642049742c205361766520497420417320426f6f312e
• Target 2 restricts the match to OLE2 files (Office documents); the hex decodes to a string with one wildcard byte (??) followed by two NUL bytes (0000)
– **Set Our Values and Paths**???**Add New Workbook, Infd It, Save It As Boo1.
10. Wildcards
• ?? - match any single byte (a single ? matches one nibble, e.g. 4? matches 0x40-0x4f)
• * - match any number of bytes
• {n} - match exactly n bytes
• {-n} - match n or fewer bytes
• {n-} - match n or more bytes
• {n-m} - match between n and m bytes
• (a|b) - match a or b (more alternatives can be listed, e.g. (a|b|c))
11. Use your own database
• clamscan -d <your database> target_file
– The database file must carry the proper extension (.ndb, .hdb, .ldb, ...) because clamscan picks the parser from it; -d can be repeated or point at a directory of databases
12. Practice
• Write a signature for a file containing "helloworld"
– What if "helloworld" must be found within bytes 200~300 of the file?
15. Logical Signatures
• Recent versions of ClamAV can understand complex signatures based on logical expressions
– SigName;TargetDescriptionBlock;LogicalExpression;Sig0;Sig1;....;SigN (the target block is written as Target:N, e.g. Target:1 for PE)
– The LogicalExpression field is a logical expression in which each subsignature is referenced by its index (0 for Sig0, 1 for Sig1, ...)
– Operators OR (|) and AND (&)
– With =, < and > you can control the number of occurrences of each subsignature that must be found in a file before producing an alert (e.g. 2>1 means subsignature 2 must match more than once)
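The following is an added example, not part of the original slides, showing how an .ldb line is split into its fields and how a logical expression over subsignature hit counts decides an alert. It implements a deliberately simplified model of the expression grammar (& and | with parentheses, and =, <, > applied to a single subsignature index); wildcards inside subsignatures and the other forms ClamAV's real parser accepts are not handled. The signature name Example.Logical.Injector, the subsignatures, and the sample buffers are all constructed for this example.

```python
import re

def parse_ldb(line: str):
    """Split a .ldb line into (name, target block, expression, decoded subsignatures)."""
    name, target, expr, *subsigs = line.split(";")
    return name, target, expr, [bytes.fromhex(s) for s in subsigs]

def count_hits(pattern: bytes, data: bytes) -> int:
    """Non-overlapping occurrences of a plain (wildcard-free) subsignature."""
    return data.count(pattern)

class LogicalExpr:
    """Recursive-descent evaluator for a simplified model of the expression grammar:
         expr   := term ('|' term)*
         term   := factor ('&' factor)*
         factor := INDEX [('>' | '<' | '=') INT] | '(' expr ')'
       A bare INDEX is true when that subsignature was found at least once."""

    def __init__(self, text: str, hits: list):
        self.tokens = re.findall(r"\d+|[()&|<>=]", text)
        if "".join(self.tokens) != text.replace(" ", ""):
            raise ValueError(f"unsupported characters in expression: {text!r}")
        self.hits, self.pos = hits, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        if self.pos >= len(self.tokens):
            raise ValueError("unexpected end of expression")
        self.pos += 1
        return self.tokens[self.pos - 1]

    def evaluate(self) -> bool:
        result = self.expr()
        if self.peek() is not None:
            raise ValueError("trailing tokens in expression")
        return result

    def expr(self):
        result = self.term()
        while self.peek() == "|":
            self.take()
            result = self.term() or result      # term() always runs, so tokens are consumed
        return result

    def term(self):
        result = self.factor()
        while self.peek() == "&":
            self.take()
            result = self.factor() and result
        return result

    def factor(self):
        tok = self.take()
        if tok == "(":
            result = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return result
        count = self.hits[int(tok)]
        if self.peek() in (">", "<", "="):
            op, n = self.take(), int(self.take())
            return {">": count > n, "<": count < n, "=": count == n}[op]
        return count > 0

def ldb_matches(line: str, data: bytes):
    """Return (matched, per-subsignature hit counts) for one .ldb line against a buffer."""
    _, _, expr, subsigs = parse_ldb(line)
    hits = [count_hits(s, data) for s in subsigs]
    return LogicalExpr(expr, hits).evaluate(), hits

# Constructed example (hypothetical name, not a real ClamAV signature):
# alert if both injection APIs are referenced, or "powershell" appears more than once.
SUBSIGS = [b"CreateRemoteThread", b"WriteProcessMemory", b"powershell"]
LDB_LINE = "Example.Logical.Injector;Target:0;(0&1)|2>1;" + ";".join(s.hex() for s in SUBSIGS)

# Constructed sample buffers standing in for scanned files.
SAMPLE_INJECTOR = b"\x00kernel32\x00WriteProcessMemory\x00CreateRemoteThread\x00"
SAMPLE_PS_TWICE = b"cmd /c powershell -enc AAAA & powershell -w hidden"
SAMPLE_PS_ONCE = b"cmd /c powershell -enc AAAA"
SAMPLE_CRT_ONLY = b"CreateRemoteThread\x00"

if __name__ == "__main__":
    for label, buf in [("injector", SAMPLE_INJECTOR), ("ps x2", SAMPLE_PS_TWICE),
                       ("ps x1", SAMPLE_PS_ONCE), ("crt only", SAMPLE_CRT_ONLY)]:
        matched, hits = ldb_matches(LDB_LINE, buf)
        print(f"{label:9} hits={hits} -> {'ALERT' if matched else 'clean'}")
```

The count operators are what keep a single "powershell" string from firing: the buffer with one occurrence gives hits [0, 0, 1] and no alert, while two occurrences satisfy 2>1. The same .ldb line, written to a file with the .ldb extension, can be handed to clamscan -d.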
20. Practice
• Develop signatures for bot.exe
– String
– MD5
– Hash of section
– Else …..
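The block below is an added example covering the string and MD5 parts of both practice exercises (the "helloworld" string with and without the 200~300 byte constraint, and the string/MD5 signatures for bot.exe); it is not code from the original slides or from ClamAV. It reproduces what sigtool --hex-dump and sigtool --md5 emit, writes the .ndb and .hdb lines, and checks them with a minimal matcher that stands in for the engine (plain hex only, absolute offsets only). The signature names, the n,m offset range interpretation (pattern may start between byte n and n+m) and the sample buffers are constructed for this example.

```python
import hashlib

def hex_dump(data: bytes) -> str:
    """Equivalent of `sigtool --hex-dump`: bytes -> lowercase hex string."""
    return data.hex()

def ndb_signature(name: str, pattern: bytes, target: int = 0, offset: str = "*") -> str:
    """Build one .ndb line: SigName:Target:Offset:HexSignature."""
    return f"{name}:{target}:{offset}:{hex_dump(pattern)}"

def hdb_signature(name: str, data: bytes) -> str:
    """Equivalent of `sigtool --md5`: MD5:FileSize:MalwareName (.hdb line)."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"

def parse_offset(spec: str):
    """Return the (lowest, highest) file offset at which the pattern may start,
       or None for '*' (anywhere). Relative forms such as EP+n are not handled here."""
    if spec == "*":
        return None
    if "," in spec:                # n,m : absolute offset n with a shift of up to m bytes
        n, m = (int(x) for x in spec.split(",", 1))
        return n, n + m
    n = int(spec)                  # n : exact absolute offset
    return n, n

def ndb_matches(sig: str, data: bytes) -> bool:
    """Minimal matcher for wildcard-free hex signatures with absolute offsets."""
    _name, _target, offset, hexsig = sig.split(":", 3)
    pattern = bytes.fromhex(hexsig)
    rng = parse_offset(offset)
    if rng is None:
        return pattern in data
    lo, hi = rng
    pos = data.find(pattern, lo)   # first occurrence at or after the lowest allowed offset
    return pos != -1 and pos <= hi

# Constructed sample files: the string starts at offset 250 in the first, 400 in the second.
SAMPLE_HELLO = b"A" * 250 + b"helloworld" + b"B" * 50
SAMPLE_LATE = b"A" * 400 + b"helloworld"

# Hypothetical signature names, following ClamAV's Platform.Category.Name convention.
SIG_ANY = ndb_signature("Test.HelloWorld.Any", b"helloworld")
SIG_RANGE = ndb_signature("Test.HelloWorld.Range", b"helloworld", target=0, offset="200,100")
SIG_HASH = hdb_signature("Test.HelloWorld.File", SAMPLE_HELLO)

if __name__ == "__main__":
    print("test.ndb:")
    print(" ", SIG_ANY)
    print(" ", SIG_RANGE)
    print("test.hdb:")
    print(" ", SIG_HASH)
    for label, buf in [("offset 250", SAMPLE_HELLO), ("offset 400", SAMPLE_LATE)]:
        print(f"{label}: any={ndb_matches(SIG_ANY, buf)} range={ndb_matches(SIG_RANGE, buf)}")
```

Write the two .ndb lines to test.ndb and the .hdb line to test.hdb, then run clamscan -d test.ndb -d test.hdb on the files: the unconstrained signature fires on both samples, the 200,100 variant only on the one whose string starts inside the allowed range, and the hash signature only on the exact file it was generated from (a single-byte change defeats it, which is why hash signatures are the weakest of the three).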
21. Yara
• Flexible identification and classification engine
– Rules that detect strings, instruction sequences, regular expressions, byte patterns, and so on
– Scan files using the command-line utility
– C or Python tools with YARA's API
27. String Section
• The strings definition section can be omitted if the rule doesn't rely on any string
• The strings definition section is where the strings that will be part of the rule are defined
• Each string has an identifier that begins with a $
29. String offsets or virtual addresses
• In most cases we only want to know whether the associated string appears anywhere within the file or process memory
– When the string must sit at a specific file offset or virtual address, use the at operator in the condition (e.g. $a at entrypoint)
30. Executable entry point
• If the file is a Portable Executable (PE) or Executable and Linkable Format (ELF), the entrypoint variable holds the raw file offset of the executable's entry point
• If we are scanning a running process, entrypoint holds the virtual address of the main executable's entry point
• A typical use of this variable is to look for some pattern at the entry point to detect packers or simple file infectors
– Caveat: entrypoint is deprecated in current YARA releases; use pe.entry_point from the pe module (or elf.entry_point for ELF) instead, which has the same file-offset/virtual-address behaviour and undefined value when the file is not a PE/ELF
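What both "hash of section" (the bot.exe practice) and the entry-point check above require is the same piece of work: parsing the PE section table. The following is an added example, not code from the slides, ClamAV or YARA, that does that parsing by hand, maps the AddressOfEntryPoint RVA to a raw file offset (what YARA's entrypoint holds for a file), tests a byte pattern at that offset the way `$stub at entrypoint` would, and emits the PESectionSize:MD5:Name lines that sigtool --mdb produces. The PE image and the PUSHAD/MOV ESI stub are constructed inline for the example; the stub is not claimed to be any particular packer's code.

```python
import hashlib
import struct

def parse_pe(data: bytes):
    """Return (entry_rva, sections) where sections is a list of
       (name, virtual_address, virtual_size, raw_offset, raw_size) tuples."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                            # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        name, vsize, vaddr, rsize, roff = struct.unpack_from("<8sIIII", data, hdr)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, roff, rsize))
    return entry_rva, sections

def rva_to_raw(rva: int, sections) -> int:
    """Map an RVA to a file offset via the section table (no alignment rounding applied)."""
    for _, vaddr, vsize, roff, rsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rva - vaddr + roff
    raise ValueError(f"RVA {rva:#x} is not inside any section")

def entrypoint_raw_offset(data: bytes) -> int:
    """Raw file offset of the entry point, i.e. what YARA's entrypoint holds for a file on disk."""
    entry_rva, sections = parse_pe(data)
    return rva_to_raw(entry_rva, sections)

def pattern_at_entrypoint(data: bytes, pattern: bytes) -> bool:
    """Equivalent of the YARA condition `$pattern at entrypoint`."""
    off = entrypoint_raw_offset(data)
    return data[off:off + len(pattern)] == pattern

def mdb_signatures(data: bytes, name: str):
    """One .mdb line per section, PESectionSize:MD5:MalwareName, as sigtool --mdb emits."""
    _, sections = parse_pe(data)
    lines = []
    for _, _, _, roff, rsize in sections:
        raw = data[roff:roff + rsize]
        lines.append(f"{len(raw)}:{hashlib.md5(raw).hexdigest()}:{name}")
    return lines

def build_sample_pe(code: bytes, entry_rva: int = 0x1000, raw_off: int = 0x200) -> bytes:
    """Construct a minimal one-section PE32 image (a constructed sample, not a real binary)."""
    e_lfanew = 0x40
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 224                                    # PE32 optional header size
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)             # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)        # AddressOfEntryPoint
    # Section header (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, reloc/linenumber fields, Characteristics (code|exec|read)
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, len(code), raw_off,
                      0, 0, 0, 0, 0x60000020)
    return (dos + b"PE\0\0" + coff + bytes(opt) + sec).ljust(raw_off, b"\0") + code

# Constructed entry-point stub: PUSHAD; MOV ESI, imm32; LEA EDI, ...; PUSH EDI; OR EBP, -1
STUB = b"\x60\xbe\x00\x10\x40\x00\x8d\xbe\x00\x00\xff\xff\x57\x83\xcd\xff"
SAMPLE_PE = build_sample_pe(STUB)

if __name__ == "__main__":
    print(f"entry point raw offset: {entrypoint_raw_offset(SAMPLE_PE):#x}")
    print("PUSHAD/MOV ESI at entry point:", pattern_at_entrypoint(SAMPLE_PE, b"\x60\xbe"))
    for line in mdb_signatures(SAMPLE_PE, "Test.Section.Stub"):
        print(line)
```

Two practical points the code makes visible: the entry-point check is only as good as the RVA-to-offset mapping, so a malformed section table (overlapping or zero-sized sections, entry point outside any section) must be treated as a parse failure rather than silently scanned at offset 0; and a section hash in .mdb survives changes elsewhere in the file (icons, resources, overlay) that would defeat a whole-file .hdb hash, which is why it is the better choice for the bot.exe exercise.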