Thread: Advanced ClamAV Signatures

  1. #1

    Advanced ClamAV Signatures
    by Soda_Popinsky
    sources: http://www.clamav.net/doc/0.80rc/signatures.pdf


    This tutorial is a continuation of the basics located here:
    http://www.antionline.com/showthread...hreadid=262455

    It will cover new signature syntax included in ClamAV .80rc 1, 2, and 3. New features include extended wildcards, MD5 signatures, and an extended signature format. Stable versions of .80 are not released at the time of this tutorial, so this serves as a preview and may not be identical to the signature syntax at the time of its release.

    The Clam Antivirus Project (http://www.clamav.net/ http://clamav.sourceforge.net) is an open source virus scanner available for free. Clam allows its users to create their own virus signatures, which is helpful if you discover a piece of malware that is not currently detected by Clam. This tutorial will show you how to create an advanced signature file that can be used by any virus scanner based on the ClamAV .80 engine, with methods to detect minimal polymorphism. Necessary files to complete this tutorial are attached.

    Attached (none of which are actually virii):
    polymorphicworm.A.1.exe
    polymorphicworm.A.2.exe
    polymorphicworm.A.3.exe

    polymorphicworm.B.1.exe
    polymorphicworm.B.2.exe
    polymorphicworm.B.3.exe

    polymorphicworm.C.1.exe
    polymorphicworm.C.2.exe
    polymorphicworm.C.3.exe

    signatures.pdf

    Extended Wildcards

    New wildcards will be included in new versions of ClamAV. These include ?, {n}, {-n}, {n-}, and (a|b).

    Wildcard- ?
    We will be using the polymorphicworm.A series for this section (A series). The A series is a mass mailing worm, using a randomly generated subject line that is changed in each sent binary (i.e. "g3t s8m5 v7ag28", get some viagra). We will create a signature that will target all 3 in the A series. The ? mark is simple, it is like a regular wildcard that you will find anywhere else. Run the A series through strings, and you will see a similarity in the subject line. "g3t s8m5 v7ag28", "g6t s2m7 v8ag65", "g9t s7m3 v6ag18" are all very similar. Only parts of them are polymorphic, not the whole subject line. We will be able to create a signature that replaces the numbers with the "?" wildcard.
    The hex string is:
    67 33 74 20 73 38 6D 35 20 76 37 61 67 32 38
    When we apply the "?" wildcard for that string, it is:
    67 ?? 74 20 73 ?? 6D ?? 20 76 ?? 61 67 ?? ??

    Add some binary before and after to prevent false positives, remove spaces and format:
    Hoax.Series.A (Soda)=C30000000000000067??742073??6D??2076??6167????005589E583EC3453

    This can get a bit buggy when you use a lot of wildcards. When in doubt, add more binary to the sig.

    Wildcard- {n}

    We will be using the polymorphicworm.B series for this section (B series). The B series has polymorphic code, but the 2 polymorphic hex strings always maintain a certain length between each other. We will create a signature that will target all 3 in the B series.

    Run the series through strings, and you will see "polymorphiccodex" twice in each virus. Notice that the second string is 18 bytes away from the first in each instance. Here is the signature:
    Hoax.Series.B (Soda)=E583EC0883C4F46A02A120724100FFD0E879FFFFFFC9C300000000000000706F6C796D6F7270686963636F6465??{18}706F6C796D6F7270686963636F6465??0089F65589E583EC5453E8

    The first hex string starts with binary, ends with hex for "polymorphiccode" and ?? for the random number. {18} means the next string will appear 18 bytes away from the first. The second string begins with "polymorphiccode", ?? for the random number, and binary to avoid a false positive.

    You can also use {-n}, which means the next string will appear less than n bytes away, or {n-}, which is more than n bytes away.

    Wildcard- (a|b)

    We will be using the polymorphicworm.C series for this section (C series). The C series has polymorphic code, but the polymorphic hex string only changes a certain character. We will create a signature that will target all 3 in the C series. This wildcard allows us to specify specific values to look for, instead of all values, like the ? wildcard. Run the C series through strings. You will see "Hello Rod", "Hello Tod", and "Hello Nod". Instead of using a "?" wildcard, we can specify the values we want to detect. The only difference in the string is the beginning of the name. Our signature will look like this:

    Hoax.Series.C (Soda)=FFC9C30000000000000048656C6C6F20(4E|54|52)6F640089F65589E583EC3453E864

    (4E|54|52) Translates to R, T, or N, the beginning of Rod, Tod, and Nod. This helps minimize a false positive in bigger situations. That signature also begins and ends with binary.

    Extended Signature Format

    New Clam versions will allow an extended signature format, which should allow more targeted and faster performance. They must be saved as *.ndb files. Here is the syntax:

    MalwareName:TargetType:Offset:HexSignature

    MalwareName

    Anything you want, just don't include colons or bad characters.

    TargetType

    TargetType is the type of file you want to apply the hex signature to.
    0- Any file
    1- Portable Executable Format
    2- OLE2 Component (i.e. VB script)
    3- Normalised HTML (Will decode javascript)
    4- Mail
    5- Graphics


    Offset

    Where does the signature appear in the file (similar to {n} wildcard)
    *- anywhere
    n- n bytes from start of file
    EOF-n- End of file, minus n bytes.

    HexSignature

    Same as the old format.

    MD5 Signatures
    There is a tool included called sigtool.exe. You can use the command:
    sigtool --md5 virus.exe > signature.hdb

    to output the MD5 hash of the file. The output will look like this:
    48c4533230e1ae1c118c741c0db19dfb:17387:virus.exe

    This is a very static signature, any ounce of polymorphism in the virus will avoid the MD5 hash.

    ---------------------------------------------------
    FYI- None of the attached files are actually viruses. The examples shown are not typical signature examples, but they demonstrate the syntax.

    sources: http://www.clamav.net/doc/0.80rc/signatures.pdf

    False positives are dangerous. Make sure you do not use signatures widely until you test them first.

    But then again, so is malware.

    Comments, suggestions, criticism, high fives or Chipotle burritos are welcome.
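    The following is an added example, not code from the original post or from the ClamAV project: a small Python matcher for the signature syntax the post walks through. It translates a hex body with the ??, {n}, {-n}, {n-} and (a|b) wildcards into a bytes regex, applies it through the old "Name=hex" line, the extended "Name:TargetType:Offset:hex" (.ndb) line with the three Offset forms listed above, and produces and checks the "md5:size:name" (.hdb) line that sigtool --md5 writes. Assumptions: the sample "binaries" (fake_exe, fake_b, SERIES_A/B/C, B_GAP17, C_BOD) are constructed stand-ins for the attached polymorphicworm files, built from the context bytes in the post's own signatures, and contain no executable code; {-n} is treated as "at most n bytes" and {n-} as "at least n bytes", the reading in the signatures.pdf the post cites; TargetType 1 is approximated by an MZ header and only types 0 and 1 are implemented; all function and constant names are this example's own.

```python
"""Matcher for the ClamAV signature syntax discussed above: body wildcards ??,
{n}, {-n}, {n-}, (a|b); the old "Name=hex" line; the .ndb and .hdb lines.
Added example, not the post's or ClamAV's code; all samples are constructed."""
import hashlib
import re

# Tokeniser for a hex body; the group numbers are consumed by compile_sig.
_TOKEN = re.compile(
    r"\?\?"                                        # ??    any single byte
    r"|\{(\d+)\}"                                  # {n}   exactly n bytes
    r"|\{-(\d+)\}"                                 # {-n}  at most n bytes (assumed reading)
    r"|\{(\d+)-\}"                                 # {n-}  at least n bytes
    r"|\(([0-9A-Fa-f]{2}(?:\|[0-9A-Fa-f]{2})+)\)"  # (a|b) one of the listed bytes
    r"|([0-9A-Fa-f]{2})"                           # literal byte
)

def compile_sig(hexsig: str) -> re.Pattern:
    """Translate a hex body (spaces allowed) into a compiled bytes regex."""
    hexsig = hexsig.replace(" ", "")
    parts, pos = [], 0
    for m in _TOKEN.finditer(hexsig):
        if m.start() != pos:  # characters between tokens that did not tokenise
            raise ValueError(f"bad token at offset {pos}: {hexsig[pos:pos + 8]!r}")
        pos = m.end()
        if m.group(0) == "??":
            parts.append(b".")
        elif m.group(1) is not None:
            parts.append(b".{%d}" % int(m.group(1)))
        elif m.group(2) is not None:
            parts.append(b".{0,%d}" % int(m.group(2)))
        elif m.group(3) is not None:
            parts.append(b".{%d,}" % int(m.group(3)))
        elif m.group(4) is not None:
            alts = [re.escape(bytes.fromhex(h)) for h in m.group(4).split("|")]
            parts.append(b"(?:" + b"|".join(alts) + b")")
        else:
            parts.append(re.escape(bytes.fromhex(m.group(5))))
    if pos != len(hexsig):
        raise ValueError(f"unparsed text at offset {pos}: {hexsig[pos:]!r}")
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL: "." must match 0x0A too

def db_match(line: str, data: bytes) -> bool:
    """Old-format line 'MalwareName=HexSignature': match anywhere in the file."""
    _name, hexsig = line.strip().split("=", 1)
    return compile_sig(hexsig).search(data) is not None

# TargetType checks: 0 = any file, 1 = PE, approximated here by the MZ header.
# The other types (OLE2, HTML, mail, graphics) need ClamAV's own file parsers.
_TARGETS = {0: lambda d: True, 1: lambda d: d.startswith(b"MZ")}

def ndb_match(line: str, data: bytes) -> bool:
    """Extended-format line 'MalwareName:TargetType:Offset:HexSignature'."""
    _name, target, offset, hexsig = line.strip().split(":", 3)
    if not _TARGETS[int(target)](data):
        return False
    pat = compile_sig(hexsig)
    if offset == "*":                      # anywhere in the file
        return pat.search(data) is not None
    if offset.startswith("EOF-"):          # n bytes before the end of the file
        start = len(data) - int(offset[4:])
    else:                                  # n bytes from the start of the file
        start = int(offset)
    return start >= 0 and pat.match(data, start) is not None

def hdb_line(name: str, data: bytes) -> str:
    """The line 'sigtool --md5 file' writes: md5:size:name."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"

def hdb_match(line: str, data: bytes) -> bool:  # matches only an identical file
    digest, size, _name = line.strip().split(":", 2)
    return len(data) == int(size) and hashlib.md5(data).hexdigest() == digest

# --- constructed stand-ins for the attached polymorphicworm.*.exe files ------
def fake_exe(body: bytes) -> bytes:  # MZ header, padding, signature bytes, zero tail
    return b"MZ" + b"\x00" * 30 + body + b"\x00" * 8

_A_PRE, _A_POST = "C300000000000000", "005589E583EC3453"   # context bytes from the post
SIG_A = f"Hoax.Series.A (Soda)={_A_PRE}67??742073??6D??2076??6167????{_A_POST}"
SERIES_A = [fake_exe(bytes.fromhex(_A_PRE) + s + bytes.fromhex(_A_POST))
            for s in (b"g3t s8m5 v7ag28", b"g6t s2m7 v8ag65", b"g9t s7m3 v6ag18")]

_B_PRE = "E583EC0883C4F46A02A120724100FFD0E879FFFFFFC9C300000000000000"
_B_POST, _PC = "0089F65589E583EC5453E8", "706F6C796D6F7270686963636F6465"  # _PC = "polymorphiccode"
SIG_B = f"Hoax.Series.B (Soda)={_B_PRE}{_PC}??{{18}}{_PC}??{_B_POST}"

def fake_b(rnd: bytes, gap: int) -> bytes:  # two 'polymorphiccode'+random byte, gap bytes apart
    return fake_exe(bytes.fromhex(_B_PRE) + b"polymorphiccode" + rnd[:1] + bytes(range(gap))
                    + b"polymorphiccode" + rnd[1:] + bytes.fromhex(_B_POST))

SERIES_B = [fake_b(b"x7", 18), fake_b(b"q2", 18), fake_b(b"z9", 18)]
B_GAP17 = fake_b(b"x7", 17)     # variant whose two strings are one byte closer

_C_PRE, _C_POST = "FFC9C300000000000000", "0089F65589E583EC3453E864"
SIG_C = f"Hoax.Series.C (Soda)={_C_PRE}48656C6C6F20(4E|54|52)6F64{_C_POST}"
SERIES_C = [fake_exe(bytes.fromhex(_C_PRE) + b"Hello " + n + b"od" + bytes.fromhex(_C_POST))
            for n in (b"R", b"T", b"N")]
C_BOD = fake_exe(bytes.fromhex(_C_PRE) + b"Hello Bod" + bytes.fromhex(_C_POST))

if __name__ == "__main__":
    for sig, files in ((SIG_A, SERIES_A), (SIG_B, SERIES_B), (SIG_C, SERIES_C)):
        print(sig.split("=")[0], [db_match(sig, f) for f in files])
```

    Running the file prints, per series, a list of three True values. The B_GAP17 sample is the interesting case: it defeats the post's {18} signature but is caught if {18} is replaced by {-18}, and is missed again with {18-}, which is the trade-off between a tight distance and a tolerant one. The hdb_line/hdb_match pair shows the point made about MD5 signatures: the A.1 hash matches only the A.1 bytes, and the A.2 variant, which differs by a few subject characters, is not detected.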

  2. #2
    Attached is a final version of this tutorial combining tut 1 and 2 with a better explanation of the MD5 signatures.

    Sorry about the bump.
