Results 1 to 9 of 9

Thread: Creating AV Signatures Tutorial

  1. #1

    Creating AV Signatures Tutorial

    Creating AntiVirus Signatures
    by Soda_Popinsky

    Antivirus scanners work with signatures, that means they compare a file to a list of known viruses, and if the file shows up in the list, it means it is a virus and is dealt with accordingly. A signature is made of a small part of the full virus, typically a part of the file that is unique.

    The Clam Antivirus Project (http://www.clamav.net/ http://clamav.sourceforge.net) is an open source virus scanner available for free. Clam allows its users to create their own virus signatures, which is helpful if you discover a piece of malware that is not currently detected by Clam. This tutorial will show you how to create a signature file that can be used by any newer version of Clam on any platform it is used on, although I have used and written this tutorial based on my experience on the Windows port, ClamWin (http://www.clamwin.net). Necessary files to complete this tutorial are attached.

    Attached:
    virus.exe
    signatures.pdf


    1. Strings

    Strings is a tool that spits out strings contained in a file. If you are on Windows, get it from this address:
    http://www.sysinternals.com/ntw2k/source/misc.shtml
    *nix boxes should already have it. Once downloaded, make sure it is in a folder included in your path. If you have no idea what that means, put the strings.exe file in your c:/windows/system32 folder. Inside the .zip file (attached) is our virus. To make our signature, we need to find a spot inside of it that is unique. We are going to hope that our virus has a string that is unique inside of it. Open a command prompt or terminal and run this command in the folder where virus.exe lives:

    strings virus.exe > stringout.txt

    You should now have a file called stringout.txt in that folder. Open that text file in a text editor and investigate.

    Did you spot it? UltraVirus5000? If you can't find it, search for it.

    Our virus writer (me) left behind a unique trait in his file. We will use this spot to make our signature.


    2. Hex Editing
    Open a Hex Editor that will let you copy paste. I found that some hex editors do not have good copy paste functionality, I found this freeware that does:
    http://www.chmaas.handshake.de/delph...vi32/xvi32.htm
    Open virus.exe with the hex editor.

    On the far right column, you will see an ASCII representation of the file. The middle column is the hex representation of the file. If your hex editor will let you, search for the string "UltraVirus5000". That spot should now be highlighted on the right and middle columns.

    If we were only going to use the string "UltraVirus5000" for our signature, then Clam would identify every file with "UltraVirus5000" as a virus. That is called a false positive, and it is bad. We are not going to use "UltraVirus5000" as our signature, but instead use "UltraVirus5000" and the binary surrounding it.

    Highlight "UltraVirus5000" and about 10 characters before and after it. You should see the Hex being highlighted in the middle column as well. We now need to copy the hex, and this will differ between hex editing applications. Remember copy the highlighted section in the middle column, (the hex), not the ASCII on the right.

    ##Note | Do not select hex that starts in 00, or it won't work well with older versions.

    3. Building the Signature

    Copy the hex into a plain text editor like vi or notepad. Remove all the spaces using find -> replace. Now is when we name our virus. Clam has provided us with advice on naming.

    -remember about the (Clam) marker (it’s automatically removed by the parser)
    -use the most popular name of the virus/worm
    -don’t use white characters or slashes in virus names

    prefixes for particular malware
    -Worm for worms
    -Trojan for backdoor programs
    -JS for Java Script malware
    -VBS for VBS malware
    -W97M, W2000M for Word macros
    -X97M, X2000M for Excel macros
    -DoS for Denial of Service attack software
    -VirTool for virus construction kits
    -Dialer for dialers
    -Joke for hoaxes
    More info here:
    http://securityresponse.symantec.com...vnameinfo.html
    http://securityresponse.symantec.com...nerability.pdf

    ##IMPORTANT: -don’t use white characters or slashes in virus names ##

    In our text editor, here is the format for a signature
    Worm.BugBear.A (Clam)=xxxxxxxxxxxxxx
    You will replace the hex (represented as x's) above with the hex you pasted into the editor. "(Clam)" will be removed by the parser, and you can put whatever you want. You also replace the name.

    Save this file with a .db extension. In your ClamWin.conf, (Documents and Settings in Windows, probably /etc in *nix) find your database folder on the line:
    database = C:\whateverpathyourdatabaseisin

    Save your .db in the path shown on that line.

    4. Test

    Run Clam on the virus extracted from the .zip folder. If it is detected, then you have been successful in making a signature. If not, make sure you followed the steps correctly.

    False positives are dangerous. Make sure you do not use signatures widely until you test them first.

    But then again, so is malware.


    Sources:
    http://www.clamav.net/doc/0.75/signatures.pdf


    Comments, suggestions, criticisim, high fives or Chipotle burritos are welcome.

  2. #2
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    It's kind of alarming that this thread hasn't gotten any responses yet. This topic is very worthwhile and the tutorial is well done.
    Writing your own antivirus definitions is something that makes clam wonderful. You don't have to wait 6 hours for symantec to add a definition for bagle.XY because one stupid file name changed. You can add it, and move on. Nicely done Soda.
    Antionline in a nutshell
    \"You\'re putting the fate of the world in the hands of a bunch of idiots I wouldn\'t trust with a potato gun\"

    Trust your Technolust

  3. #3
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    *offers a Chipotle burrito* happy?

    Good work Soda, and on a topic that is new and fresh and hasn't been covered before. Great read, and I'm looking forward to working with this new Clam solution.
    Space For Rent.. =]

  4. #4
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Hey Hey,

    It is most definately a worthwhile read as hogfly has said... Until the last few days I didn't know that there was a version of Clam for Windows.... I guess I haven't paid much attention.... However... I'm a little confused... Soda: Did you forget to attach the files or am I blind? because I'm most definately not seeing it.

    I'll definately be writing by own virus defs for these ones infecting the college since no one else does anything about them....

    It leads me to many questions about Clam.... I'll do some research later but for now... Can you specify actions to take when viruses are detected?... Kill Process... Delete.. Kill Process Then Delete.. Quarentine... Clean... yada yada yada... Is there any way to specify that.. or is it just delete virus (assuming it isn't running)...

    Peace,
    HT

  5. #5
    Damnit. Attachment attached.

    It won't end the process AFAIK. Options are notify, quarintine, delete. (email notification too)

    BTW- The attached virus doesn't do jack snot.

    Imagine a open source signature development community.

    Who wants to start an [strike]adware[/strike] Virii signature team?

  6. #6
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    I'd say that the ability to add your own defs easily sets ClamAV apart from the other free AV software out there.
    Good tutorial Soda.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    \"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?\" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  7. #7
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    adware no. It'd be fun to create something like bleedingsnort for AV defs though. but you need to get virus submittals. I'd be in to that. Perhaps you could work something out with virustotal.com or ISC. I know they both gets lots of crap sent their way..I know I send ISC a bunch of analyzed stuff.
    Antionline in a nutshell
    \"You\'re putting the fate of the world in the hands of a bunch of idiots I wouldn\'t trust with a potato gun\"

    Trust your Technolust

  8. #8
    Adware would be tough... having to read stinky license agreements. We should talk more about a AV def group... I'll see you in IRC.

  9. #9
    I forgot to add some syntax that can be used in the sigs for the current version of ClamWin, which is a wildcard.
    -----------------------------------------------------
    Wildcards

    There may be a scenario where you want to include 2 hex strings your definition.
    Although this isn't a perfect example, it is similar to this programming syntax:
    if(virus.contains(HexString1) && virus.contains(HexString2))
    virus.quarantine();
    This wildcard syntax is similar to that, however, the first hex string has to appear before the second hex string.

    So heres an example, you have :
    Hex String 1=38425053000100000000000000030000

    and...

    Hex String 2=000000000003842494D0******0000012293C3F787061636B657420626567696E3D27

    that appear in different places in the virus. Some virus are polymorphic, and their contents will change. Although, some of these so called polymorphic worms will maintain some areas that don't change. This is a scenario where a signature like this is helpful.

    The way to combine these strings is with the wildcard *. This is not the typical wildcard, where it means it can be any byte, but instead it can be any NUMBER of ANY TYPE of bytes. Here is the signature that requires those 2 strings, appearing one after another.

    The signature:

    Dork.ZC.A (Soda)=38425053000100000000000000030000*000000000003842494D0******0000012293C3F787061636B657420626567696E3D27

    This means it will need to have the hex string before the *, and the second string anywhere after the first hex string.
    ----------------------------------------------------
    ClamAV is allowing more complex signatures in version .80, and to help learn them myself, I will be writing a second tutorial to cover it. It will include more wildcards, MD5 signatures, offsets, target types, extended signatures, and some other stuff I think will help speed up scanning.

    BTW Thanks to everyone for the big response to this tutorial. Even though I got no Chipotle.

    I can't eat greenies man.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •