Automatic tools for static analysis
How to use ClamAV and Yara
ClamAV
• ClamAV is an open source antivirus engine
– Fast and flexible framework for detecting malicious code
– Write signatures and scan a broad range of content without writing specific parsers
Functionalities of ClamAV
• Detection databases in ClamAV
– MD5 hashes of known malicious binaries (stored in .hdb)
– MD5 hashes of PE sections (stored in .mdb)
– Hexadecimal signatures (stored in .ndb)
– Archive metadata signatures (stored in .zmd or .rmd)
– White list database of known good files (stored in .fp)
– Matching signatures (stored in .ldb)
– Icon signatures (stored in .ldb)
– PE metadata strings (stored in .ldb or .ndb)
– Container metadata (stored in .cdb)
Database
• ClamAV signatures exist in
– /usr/local/share/clamav
– /usr/lib/clamav
• Database
– The main.cld file contains the primary base of signatures
– daily.cld contains incremental daily updates
Signature
• SigName:Target:Offset:HexadecimalSignature
• SigName field is a unique, descriptive name for your signature
• Target
– 0 = Any file type
– 1 = Windows PE
– 2 = OLE (e.g. Office, VBA)
– 3 = Normalized HTML
– 4 = E-mail file (e.g. RFC822 message, TNEF)
– 5 = Image files (e.g. jpeg, png)
– 6 = ELF
– 7 = Normalized ASCII file
– 8 = Unused
– 9 = Mach-O binaries (new in v0.96)
SigTool
• Sigtool
– --hex-dump: convert data from string to hex
– --md5: generate MD5 checksum in signature format
– --mdb: generate .mdb signature
– -u: unpack a CVD/CLD signature file
XF.Sic.E Signature
• daily.ndb:XF.Sic.E:2:*:2a2a536574204f75722056616c75657320616e642050617468732a2a??00002a2a416464204e657720576f726b626f6f6b2c20496e66642049742c205361766520497420417320426f6f312e
• Detect a string in a file
– **Set Our Values and Paths**???**Add New Workbook, Infd It, Save It As Boo1.
– (between the two strings the signature has the ?? one-byte wildcard followed by two 00 bytes)
Wildcards
• ?? – Match any single byte
• * – Match any number of bytes
• {n} – Match exactly n bytes
• {-n} – Match n or fewer bytes
• {n-} – Match n or more bytes
• (a|b) – Match a or b (more alternatives can be listed)
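A small matcher for the .ndb signature format and the wildcards described above, written for this page as an added example (it is not ClamAV's own code): it compiles a hex signature body into a bytes regex and scans a buffer with it. The .ndb line is the XF.Sic.E entry from the page joined back together, the test buffer is constructed, and only the Offset value `*` (match anywhere) is handled.

```python
import re

# Constructed sample .ndb line: the XF.Sic.E entry from this page, joined back together.
NDB_LINE = ("XF.Sic.E:2:*:2a2a536574204f75722056616c75657320616e642050617468732a2a??0000"
            "2a2a416464204e657720576f726b626f6f6b2c20496e66642049742c205361766520497420417320426f6f312e")

# One token of the hex signature body: ?? | * | {n} {-n} {n-} {n-m} | (a|b) | literal byte
_TOKEN = re.compile(r"\?\?|\*|\{(\d*)(-?)(\d*)\}|\(([0-9a-fA-F|]+)\)|([0-9a-fA-F]{2})")

def _hex_run(hexstr):
    return re.escape(bytes.fromhex(hexstr))  # raises ValueError on odd/invalid hex

def clam_hex_to_regex(hexsig):
    """Translate a ClamAV hex signature body (with wildcards) into a compiled bytes regex."""
    parts, pos = [], 0
    for m in _TOKEN.finditer(hexsig):
        if m.start() != pos:
            raise ValueError(f"bad token at {pos}: {hexsig[pos:m.start()]!r}")
        pos, tok = m.end(), m.group(0)
        if tok == "??":                      # exactly one arbitrary byte
            parts.append(b".")
        elif tok == "*":                     # any number of bytes (shortest match first)
            parts.append(b".*?")
        elif tok[0] == "{":
            lo, dash, hi = m.group(1), m.group(2), m.group(3)
            if not dash:                     # {n}: exactly n bytes
                parts.append(b".{%d}" % int(lo))
            else:                            # {-n}: up to n, {n-}: at least n, {n-m}: between
                parts.append(b".{%s,%s}" % ((lo or "0").encode(), hi.encode()))
        elif tok[0] == "(":                  # (a|b): either hex run
            alts = [_hex_run(a) for a in m.group(4).split("|")]
            parts.append(b"(?:" + b"|".join(alts) + b")")
        else:                                # literal byte
            parts.append(_hex_run(tok))
    if pos != len(hexsig):
        raise ValueError(f"trailing text in signature: {hexsig[pos:]!r}")
    return re.compile(b"".join(parts), re.DOTALL)

def scan_bytes(data, hexsig):
    """Offsets of every non-overlapping match of the hex signature in data."""
    return [m.start() for m in clam_hex_to_regex(hexsig).finditer(data)]

def scan_ndb(data, line):
    """Apply one 'SigName:Target:Offset:HexSig' line; only Offset '*' (anywhere) is handled here."""
    name, _target, offset, hexsig = line.strip().split(":", 3)
    if offset != "*":
        raise NotImplementedError("fixed offsets are not handled in this example")
    return [(name, off) for off in scan_bytes(data, hexsig)]
# Constructed test buffer: the decoded XF.Sic.E text with one arbitrary byte at the ?? position.
SAMPLE = (b"junk header " + b"**Set Our Values and Paths**" + b"\x0a\x00\x00"
          + b"**Add New Workbook, Infd It, Save It As Boo1." + b" trailer")
```

`scan_ndb(SAMPLE, NDB_LINE)` reports the signature name and the offset (12) where the decoded string starts; the Target field is parsed but not enforced, since file-type detection is outside this example.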
Logical Signatures
• Recent versions of ClamAV can understand complex signatures based on logical expressions
– SigName;Target;Expression;Sig0;Sig1;…;SigN
– The Expression field is a logical expression in which each signature is represented by its index value
– Operators OR (|) and AND (&)
– With =, < and > you can control the number of occurrences of each signature that must be found in a file before an alert is produced
Section Signature
• Use section information to construct the signature
– More robust than a checksum of the whole file
Yara
• Flexible identification and classification engine
– rules that detect strings, instruction sequences, regular expressions, byte patterns, and so on
– scan files using the command-line utility
– C or Python tools with YARA's API
String Section
• The strings definition section can be omitted if the rule doesn't rely on any string
• The strings definition section is where the strings that will be part of the rule are defined
• Each string has an identifier consisting of a $
String offsets or virtual addresses
• Usually we want to know whether the associated string is anywhere within the file or process memory
Executable entry point
• If the file is a Portable Executable (PE) or Executable and Linkable Format (ELF), this variable holds the raw offset of the executable's entry point
• If we are scanning a running process, entrypoint will hold the virtual address of the main executable's entry point
• A typical use of this variable is to look for some pattern at the entry point to detect packers or simple file infectors