Because plugin developers do nutty things, I'd probably combine the two
into a single signature to reduce possible false positives, but other than
that it looks like those. I've seen non-malicious CMS plugins that use
similar obfuscation techniques, though I'm certainly willing to use these
as is and see how many false positives I get.
--Maarten
On Mon, Sep 8, 2014 at 10:58 AM, Steve Basford <
steveb_cla...@sanesecurity.com> wrote:
>
> On Mon, September 8, 2014 3:04 pm, Hajo Locke wrote:
>
> >
> > What should i do now? Is there a trick to find a signature which fits
> > for all samples or i have to create a different signature for every
> > sample?
>
>
> Hi,
>
> Tricky :(
>
> Copy this into@ not_tested.ndb
>
> test.ercynpr:7:*:3D7374725F726F74313328??636572745F657263796E7072??293B2024
> test.cryptbot:7:*:3D22{12}225E22{40}3B2024
>
> You might have to change :3: to :7: to make it work...
>
> Disclaimer: not had enough coffee, so not fully tested etc.
>
> Cheers,
>
> Steve
> Sanesecurity.com
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
--
Maarten Broekman
Endurance International Group
vDeck Senior Linux Systems Administrator / PCI ISA
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
