Creating AntiVirus Signatures
by Soda_Popinsky

Antivirus scanners work with signatures, that means they compare a file to a list of known viruses, and if the file shows up in the list, it means it is a virus and is dealt with accordingly. A signature is made of a small part of the full virus, typically a part of the file that is unique.

The Clam Antivirus Project (http://www.clamav.net/ http://clamav.sourceforge.net) is an open source virus scanner available for free. Clam allows its users to create their own virus signatures, which is helpful if you discover a piece of malware that is not currently detected by Clam. This tutorial will show you how to create a signature file that can be used by any newer version of Clam on any platform it is used on, although I have used and written this tutorial based on my experience on the Windows port, ClamWin (http://www.clamwin.net). Necessary files to complete this tutorial are attached.

Attached:
virus.exe
signatures.pdf


1. Strings

Strings is a tool that spits out strings contained in a file. If you are on Windows, get it from this address:
http://www.sysinternals.com/ntw2k/source/misc.shtml
*nix boxes should already have it. Once downloaded, make sure it is in a folder included in your path. If you have no idea what that means, put the strings.exe file in your c:/windows/system32 folder. Inside the .zip file (attached) is our virus. To make our signature, we need to find a spot inside of it that is unique. We are going to hope that our virus has a string that is unique inside of it. Open a command prompt or terminal and run this command in the folder where virus.exe lives:

strings virus.exe > stringout.txt

You should now have a file called stringout.txt in that folder. Open that text file in a text editor and investigate.

Did you spot it? UltraVirus5000? If you can't find it, search for it.

Our virus writer (me) left behind a unique trait in his file. We will use this spot to make our signature.


2. Hex Editing
Open a Hex Editor that will let you copy paste. I found that some hex editors do not have good copy paste functionality, I found this freeware that does:
http://www.chmaas.handshake.de/delph...vi32/xvi32.htm
Open virus.exe with the hex editor.

On the far right column, you will see an ASCII representation of the file. The middle column is the hex representation of the file. If your hex editor will let you, search for the string "UltraVirus5000". That spot should now be highlighted on the right and middle columns.

If we were only going to use the string "UltraVirus5000" for our signature, then Clam would identify every file with "UltraVirus5000" as a virus. That is called a false positive, and it is bad. We are not going to use "UltraVirus5000" as our signature, but instead use "UltraVirus5000" and the binary surrounding it.

Highlight "UltraVirus5000" and about 10 characters before and after it. You should see the Hex being highlighted in the middle column as well. We now need to copy the hex, and this will differ between hex editing applications. Remember copy the highlighted section in the middle column, (the hex), not the ASCII on the right.

##Note | Do not select hex that starts in 00, or it won't work well with older versions.

3. Building the Signature

Copy the hex into a plain text editor like vi or notepad. Remove all the spaces using find -> replace. Now is when we name our virus. Clam has provided us with advice on naming.

-remember about the (Clam) marker (itís automatically removed by the parser)
-use the most popular name of the virus/worm
-donít use white characters or slashes in virus names

prefixes for particular malware
-Worm for worms
-Trojan for backdoor programs
-JS for Java Script malware
-VBS for VBS malware
-W97M, W2000M for Word macros
-X97M, X2000M for Excel macros
-DoS for Denial of Service attack software
-VirTool for virus construction kits
-Dialer for dialers
-Joke for hoaxes
More info here:
http://securityresponse.symantec.com...vnameinfo.html
http://securityresponse.symantec.com...nerability.pdf

##IMPORTANT: -donít use white characters or slashes in virus names ##

In our text editor, here is the format for a signature
Worm.BugBear.A (Clam)=xxxxxxxxxxxxxx
You will replace the hex (represented as x's) above with the hex you pasted into the editor. "(Clam)" will be removed by the parser, and you can put whatever you want. You also replace the name.

Save this file with a .db extension. In your ClamWin.conf, (Documents and Settings in Windows, probably /etc in *nix) find your database folder on the line:
database = C:\whateverpathyourdatabaseisin

Save your .db in the path shown on that line.

4. Test

Run Clam on the virus extracted from the .zip folder. If it is detected, then you have been successful in making a signature. If not, make sure you followed the steps correctly.

False positives are dangerous. Make sure you do not use signatures widely until you test them first.

But then again, so is malware.


Sources:
http://www.clamav.net/doc/0.75/signatures.pdf


Comments, suggestions, criticisim, high fives or Chipotle burritos are welcome.