Obviously, while learning malware analysis it is not enough to know only how to reverse malware; I should know how to protect against it as well. So I wanted to learn how to write signatures really well, since it could be useful. I will learn how to do so using the following:
- ClamAV
- Yara
- Suricata
- Snort
Here goes.
----
Stop updater daemon: sudo /etc/init.d/clamav-freshclam stop
Update now: freshclam
Update but run as a daemon: freshclam -d
Stop/start the clamd daemon: sudo /etc/init.d/clamav-daemon stop (or start). Don't try to start it from the CLI
Send clamd commands using socat:
- socat - /var/run/clamav/clamd.ctl, then type the command. If clamd was started in TCP mode, you can normally telnet to its port instead.
- The connection to the socket times out fairly quickly by default though, so I'd have the command copied to the clipboard :)
- The list of all available commands is in the ClamAV documentation on page 17
Scan files: clamscan /tmp/virus_test
Scan files using clamdscan: clamdscan - < /tmp/virus_test
Use libclamav to scan files from inside other software. Can be used with C programs only.
Info about a database file: sigtool --info
Creating signatures:
- Make sure that you unpack the binary before doing this, else it's not very useful.
Hash based signatures:
sigtool --md5 test.exe > test.hdb
clamscan -d test.hdb test.exe
The moment a single byte changes, this signature will fail
Extract sections from PE file and create a signature for each section:
Use my hash_sections script to do this. Another option is to save all sections and use sigtool --mdb
Remember that sections with a zero size will cause clamscan to break, so don't add those.
Also remember that this method is best used AFTER you have done all your analysis and want to detect a packer, so here you don't necessarily have to unpack the binary before writing a signature.
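To make the two hash formats concrete, here is an added Python example (my own code, not the author's hash_sections script and not ClamAV's engine). It builds a minimal constructed PE in memory, emits an .hdb line in the MD5:size:name layout that sigtool --md5 produces and .mdb lines in the section-size:section-MD5:name layout that sigtool --mdb produces, skips zero-size sections as the text advises, and then shows that a one-byte change in .data defeats the whole-file hash while the unchanged .text section hash still fires. The PE builder, the sample bytes and the small matching helpers are assumptions for illustration only.

```python
import hashlib
import struct


def build_sample_pe(sections):
    """Constructed stand-in for a binary (not real malware): a minimal PE with
    a DOS stub, COFF header, no optional header and the given sections.
    sections: list of (name_bytes, raw_bytes)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_of_opt = 0
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_of_opt, 0x0102)
    raw_ptr = e_lfanew + 4 + 20 + size_of_opt + 40 * len(sections)
    hdrs, payload = b"", b""
    for name, data in sections:
        ptr = (raw_ptr + len(payload)) if data else 0
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, relocs/linenumber fields, Characteristics
        hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"), len(data), 0x1000,
                            len(data), ptr, 0, 0, 0, 0, 0x60000020)
        payload += data
    return dos + b"PE\x00\x00" + coff + hdrs + payload


def pe_sections(data):
    """Yield (section_name, raw_bytes) for every section header in a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE: missing MZ")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE: missing PE signature")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    pos = coff + 20 + opt_size
    for _ in range(nsect):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, pos)
        yield name.rstrip(b"\x00").decode("ascii", "replace"), data[raw_ptr:raw_ptr + raw_size]
        pos += 40


def hdb_line(data, name):
    """Whole-file hash signature, .hdb layout: MD5:FileSize:MalwareName."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def mdb_lines(data, name):
    """Per-section hash signatures, .mdb layout: PESectionSize:PESectionHash:MalwareName.
    Zero-size sections are skipped because the page notes they break clamscan."""
    out = []
    for sect, raw in pe_sections(data):
        if len(raw) == 0:
            continue
        out.append(f"{len(raw)}:{hashlib.md5(raw).hexdigest()}:{name}.{sect.strip('.')}")
    return out


def hdb_matches(sig_line, data):
    """Toy matcher (assumption, not ClamAV's engine): size and MD5 must both agree."""
    md5, size, _name = sig_line.split(":", 2)
    return int(size) == len(data) and hashlib.md5(data).hexdigest() == md5


def mdb_matches(sig_lines, data):
    """Toy matcher: any section whose size and MD5 appear in the .mdb set hits."""
    sigs = {(int(s.split(":")[0]), s.split(":")[1]) for s in sig_lines}
    return any((len(raw), hashlib.md5(raw).hexdigest()) in sigs for _, raw in pe_sections(data))


# Constructed sample: code in .text, an empty .bss, and a config string in .data.
SAMPLE = build_sample_pe([(b".text", b"\x55\x8b\xec\x83\xec\x40" * 8),
                          (b".bss", b""),
                          (b".data", b"config=1;\x00")])
# A second drop that differs in exactly one byte of .data.
VARIANT = SAMPLE.replace(b"config=1;", b"config=2;")

if __name__ == "__main__":
    print(hdb_line(SAMPLE, "Test.Hash"))
    print("\n".join(mdb_lines(SAMPLE, "Test.Section")))
    print("hdb hits variant:", hdb_matches(hdb_line(SAMPLE, "Test.Hash"), VARIANT))
    print("mdb hits variant:", mdb_matches(mdb_lines(SAMPLE, "Test.Section"), VARIANT))
```

Run it and the .hdb line stops matching the variant while the .text entry from the .mdb output still does, which is exactly why a section hash survives a repacked or reconfigured drop as long as the section you hashed is the part that stays constant.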
Similar files but minor difference in certain bytes
This means that it is the same malware, but hash-based or section-hash-based signatures will not work. For example:
md5sum 03*
ae831fcf5591dc0079ebfe4654f23f52 031.exe
b20a1db0a01f7a6f14f503a6fcdd6c0f 03.exe
Here's a sig where the {4} are the only bytes that change. Save these manually into a file with an ndb extension:
TestSig:1:*:8DBEEB7FF7FF57{4}10909090909090
TestSig:1:EP+6:8DBEEB7FF7FF57{4}10909090909090 [EP is entry point, and this can drastically reduce false positives]
Same logic but with much more powerful signatures. These must be stored in ldb files:
The difference here is that everything is separated by ; characters. All the patterns (subsignatures) sit at the end. The block just before them, the logical expression, decides how those patterns are combined; the block before that decides which file types the signature is applied to. The first block is just a name and can be anything.
LogicalTestSig;Target:1;(0&1);8DBEEB7FF7FF57{4}10909090909090;88074701DB
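Here is an added Python example (my own, not ClamAV's matcher) that applies the .ndb and .ldb lines above to constructed byte strings. It translates a ClamAV-style hex body into a bytes regex (supporting the {n}, {n-m}, {n-}, {-n}, ?? and * wildcards; single-nibble ? is not handled), applies the .ndb offset field ("*" anywhere, a decimal absolute offset, or EP+n relative to a caller-supplied entry-point file offset, since there is no real PE here), and evaluates a simple .ldb expression such as (0&1) over the subsignature hits. Two samples differ only in the four bytes covered by {4}, and a decoy carries only the second pattern; the Target field is ignored, which is an assumption of this toy.

```python
import re

# Constructed samples (not real malware): same code, differing only in the four
# bytes between the fixed runs, like the page's 03.exe / 031.exe pair.
PREFIX = bytes.fromhex("8DBEEB7FF7FF57")
SUFFIX = bytes.fromhex("10909090909090")
SECOND = bytes.fromhex("88074701DB")
SAMPLE_A = b"\x00" * 16 + PREFIX + b"\x11\x22\x33\x44" + SUFFIX + b"\xcc" * 3 + SECOND
SAMPLE_B = b"\x00" * 16 + PREFIX + b"\xaa\xbb\xcc\xdd" + SUFFIX + b"\xcc" * 3 + SECOND
DECOY = b"\x00" * 16 + SECOND + b"\x90" * 20  # carries only the second pattern

NDB_SIG = "TestSig:1:*:8DBEEB7FF7FF57{4}10909090909090"
NDB_SIG_EP = "TestSig:1:EP+6:8DBEEB7FF7FF57{4}10909090909090"
LDB_SIG = "LogicalTestSig;Target:1;(0&1);8DBEEB7FF7FF57{4}10909090909090;88074701DB"

# Token groups: exact, lo, hi, upto, star, anybyte, byte
TOKEN = re.compile(r"\{(\d+)\}|\{(\d+)-(\d*)\}|\{-(\d+)\}|(\*)|(\?\?)|([0-9A-Fa-f]{2})")


def clam_hex_to_regex(body):
    """Translate a ClamAV hex signature body (supported subset) into a bytes regex."""
    parts, pos = [], 0
    for m in TOKEN.finditer(body):
        if m.start() != pos:
            raise ValueError(f"unsupported syntax near {body[pos:]!r}")
        pos = m.end()
        exact, lo, hi, upto, star, anybyte, byte = m.groups()
        if exact is not None:
            parts.append(b".{%d}" % int(exact))            # {n}: exactly n bytes
        elif lo is not None:
            parts.append(b".{%d,%s}" % (int(lo), hi.encode()))  # {n-m} or {n-}
        elif upto is not None:
            parts.append(b".{0,%d}" % int(upto))           # {-n}: up to n bytes
        elif star:
            parts.append(b".*?")                            # *: any run of bytes
        elif anybyte:
            parts.append(b".")                              # ??: any single byte
        else:
            parts.append(re.escape(bytes.fromhex(byte)))    # literal byte
    if pos != len(body):
        raise ValueError(f"unsupported syntax near {body[pos:]!r}")
    return re.compile(b"".join(parts), re.DOTALL)


def ndb_matches(line, data, entry_point=None):
    """Apply an .ndb line (Name:Target:Offset:Hex). Target is ignored (assumption).
    entry_point is the file offset of the entry point, needed for EP+n offsets."""
    name, _target, offset, body = line.split(":", 3)
    rx = clam_hex_to_regex(body)
    if offset == "*":
        return rx.search(data) is not None
    if offset.startswith("EP+"):
        if entry_point is None:
            raise ValueError(f"{name}: EP-relative offset needs entry_point")
        start = entry_point + int(offset[3:])
    else:
        start = int(offset)
    return rx.match(data, start) is not None  # anchored exactly at start


def ldb_matches(line, data):
    """Apply an .ldb line (Name;Target;LogicalExpr;Sub0;Sub1;...). Only &, | and
    parentheses over subsignature numbers are supported; Target is ignored."""
    fields = line.split(";")
    name, expr, subs = fields[0], fields[2], fields[3:]
    if not re.fullmatch(r"[\d&|() ]+", expr):
        raise ValueError(f"{name}: unsupported logical expression {expr!r}")
    hits = [clam_hex_to_regex(s).search(data) is not None for s in subs]
    python_expr = re.sub(r"\d+", lambda m: str(hits[int(m.group())]), expr)
    return bool(eval(python_expr, {"__builtins__": {}}, {}))


if __name__ == "__main__":
    for label, blob in (("A", SAMPLE_A), ("B", SAMPLE_B), ("decoy", DECOY)):
        print(label, "ndb:", ndb_matches(NDB_SIG, blob),
              "ndb EP+6:", ndb_matches(NDB_SIG_EP, blob, entry_point=10),
              "ldb:", ldb_matches(LDB_SIG, blob))
```

With the entry point placed at offset 10, EP+6 lands on the pattern and the anchored signature hits both samples; move the entry point and it stops matching, which is the false-positive reduction the text refers to. The decoy passes subsignature 1 but fails (0&1), so the logical signature stays quiet.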
Whitelist files
The whitelist file takes the same name as the database in which the detection signatures exist. So if all signatures are in daily.cld,
the whitelist file should be named daily.fp, sit in the same directory as daily.cld, and contain a line of the form hash : size : random name, for example:
5523530941c409b349ef40fa9415247e:51204:Whitelist signatures
This is despite a BAD signature being there in the daily.cld... it'll just IGNORE the bad one
Whitelist specific signatures
Again the whitelist file takes the same name as the database in which the detection signatures exist. So if all signatures are in daily.cld,
the whitelist file should be named daily.ign, sit in the same directory as daily.cld, and contain a line of the form goodDBname : line number : actual signature name, for example:
daily.cld:1237270:Win.Trojan.Agent-807822
This is despite a BAD signature being there in the daily.cld... it'll just IGNORE the bad one
Some nice References:
http://infosec4breakfast.blogspot.com/2013/06/fun-with-clamav.html
Alain Zidouemba webinar pdf- http://www.clamav.net/doc/webinars/Webinar-Alain-2009-03-04.pdf
Clam AV documentation- https://github.com/vrtadmin/clamav-devel/raw/master/docs/signatures.pdf
The sample files, scripts and its signatures can be found in my Git repository - https://github.com/arvinddoraiswamy/lemal