Heuristic signatures, such as Js.File.MaliciousHeuristic-6249621-1, fire on likely malicious traits but are not tight enough to associate with a given family, or could be more FP prone.

Consider: Js.File.MaliciousHeuristic-6249621-1

    Js.File.MaliciousHeuristic-6249621-1;Engine:51-255,Target:7;0>1&1>5&2;6576616c28;66756e6374696f6e20;2772272b2765272b2770272b276c272b2761272b2763272b276527

    VIRUS NAME: Js.File.MaliciousHeuristic-6249621-1
    TDB: Engine:51-255,Target:7
    LOGICAL EXPRESSION: 0>1&1>5&2
     * SUBSIG ID 0
     +-> OFFSET: ANY
     +-> SIGMOD: NONE
     +-> DECODED SUBSIGNATURE: eval(
     * SUBSIG ID 1
     +-> OFFSET: ANY
     +-> SIGMOD: NONE
     +-> DECODED SUBSIGNATURE: function
     * SUBSIG ID 2
     +-> OFFSET: ANY
     +-> SIGMOD: NONE
     +-> DECODED SUBSIGNATURE: 'r'+'е'+'p'+'l'+'a'+'c'+'e'

This hits on any normalized text file that contains "eval(" and "function", which helps make it likely that the file is .JS, which will treat a deobfuscated string variable as executable JavaScript. The Malicious heuristic part is looking for at least 5 "function"s and looking for "'r'+'е'+'p'+'l'+'a'+'c'+'e'". This is attempting to identify JavaScript code that is using concatenation as a step in string-based code obfuscation to defeat signature-based detection.

Note that there is nothing *inherently* malicious about this signature. No network IOCs and no evil code, but based on previously observed JavaScript files and typical coding patterns there is a high likelihood that the obfuscation is indicative of malicious intent.

In general, Clam AV provides static signature detection, which does contain some static signatures that fire on things that are probably malicious and are denoted with Heuristic in the name. True, runtime-calculated, probabilistic heuristic signatures are possible, in a limited way, through the Clam AV bytecode engine, although the potential of the bytecode engine has not been widely utilized in the current official signature set.

On Fri, May 5, 2017 at 5:45 AM, Al Varnell <alvarn...@mac.com> wrote:

> On Fri, May 05, 2017 at 02:17 AM, crazy thinker wrote:
> > @Al Varnell
> > Does Clam AV provide Heuristics signatures in their official db?
>
> There's a heuristics engine that uses data from the .pdb and .sfp sections
> of the database to detect messages from selected financial institutions
> that appear to be phishing attempts.
>
> Recently there have been a variety of additional signatures that contain
> "Heuristic" in the infection name, but it isn't clear why they are so
> labeled.
>
> > I heard that clamAV uses md5, sha1, sha256 based virus signatures in their
> > database?
>
> Among others. If you are interested in knowing about all the other types
> you should read signatures.pdf
> <https://github.com/vrtadmin/clamav-devel/blob/master/docs/signatures.pdf>.
>
> -Al-

PS: Sharp-eyed readers may have noticed the Unicode homoglyphs being used in the decoded signature and discussion. That was done to prevent the text of these emails from becoming a FP under the signature I was discussing.

--
Matthew Molyett
Malware Researcher
mmoly...@cisco.com
Phone: (410) 309-4834
Mobile: (410) 674-2049
Cisco.com - http://www.cisco.com

This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message. For corporate legal information go to: http://www.cisco.com/web/about/doing_business/legal/cri/index.html

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
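As an added illustration of how a logical (.ldb) signature like the one discussed in the thread is read and evaluated (this is example code written for this page, not ClamAV's matcher or sigtool), the script below splits the .ldb line into its name, TDB, logical expression and hex subsignatures, counts each subsignature in a roughly normalized text, and evaluates the expression `0>1&1>5&2` as match-count comparisons joined by AND. The expression grammar, the "sum of member counts" rule for parenthesised groups and the `normalize_text` stand-in for Target:7 normalization are assumptions of this example; the only value taken from the page is the signature line itself. The constructed sample JavaScript is assembled from the decoded subsignature bytes, so the example text does not itself carry the literal concatenation pattern.

```python
"""Added example: parse a ClamAV .ldb logical signature and evaluate it over text."""
import re

# The .ldb line quoted in the thread: name;TDB;logical expression;hex subsigs...
SIG_LINE = (
    "Js.File.MaliciousHeuristic-6249621-1;Engine:51-255,Target:7;0>1&1>5&2;"
    "6576616c28;66756e6374696f6e20;"
    "2772272b2765272b2770272b276c272b2761272b2763272b276527"
)


def parse_ldb(line):
    """Split one .ldb line into (name, tdb, expression, decoded subsignatures)."""
    name, tdb, expr, *hex_subsigs = line.strip().split(";")
    return name, tdb, expr, [bytes.fromhex(h) for h in hex_subsigs]


def normalize_text(data: bytes) -> bytes:
    """Rough stand-in for Target:7 (normalized ASCII text): lowercase, squeeze whitespace.
    Assumption: this approximates, not reproduces, ClamAV's own normalizer."""
    return re.sub(rb"\s+", b" ", data).lower()


def count_subsigs(data: bytes, subsigs):
    """Match count per plain-hex subsignature (no wildcards handled here)."""
    return [data.count(s) for s in subsigs]


class _ExprParser:
    """Recursive-descent evaluator for the expression subset used by this signature:
       orexpr  := andexpr ('|' andexpr)*
       andexpr := cmp ('&' cmp)*
       cmp     := atom (('>'|'<'|'=') NUMBER)?
       atom    := SUBSIG_ID | '(' orexpr ')'
    Each node yields (matched, count). For a parenthesised group the count is the sum of
    its members' counts (assumption about group semantics; a bare id is unambiguous)."""

    def __init__(self, expr, counts):
        self.toks = re.findall(r"\d+|[&|()<>=]", expr)
        self.pos, self.counts = 0, counts

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        tok = self.toks[self.pos]
        self.pos += 1
        return tok

    def parse(self):
        result = self._orexpr()
        if self._peek() is not None:
            raise ValueError("trailing tokens in expression")
        return result

    def _orexpr(self):
        matched, count = self._andexpr()
        while self._peek() == "|":
            self._take()
            m, c = self._andexpr()
            matched, count = matched or m, count + c
        return matched, count

    def _andexpr(self):
        matched, count = self._cmp()
        while self._peek() == "&":
            self._take()
            m, c = self._cmp()
            matched, count = matched and m, count + c
        return matched, count

    def _cmp(self):
        matched, count = self._atom()
        if self._peek() in (">", "<", "="):
            op, n = self._take(), int(self._take())
            matched = {">": count > n, "<": count < n, "=": count == n}[op]
        return matched, count

    def _atom(self):
        tok = self._take()
        if tok == "(":
            inner = self._orexpr()
            if self._take() != ")":
                raise ValueError("unbalanced parenthesis")
            return inner
        count = self.counts[int(tok)]
        return count > 0, count


def evaluate(expr, counts):
    """True when the logical expression holds for the given per-subsig match counts."""
    return _ExprParser(expr, counts).parse()[0]


def scan(data: bytes, line: str = SIG_LINE):
    """Return (hit, counts) for one .ldb signature against raw text."""
    _, _, expr, subsigs = parse_ldb(line)
    counts = count_subsigs(normalize_text(data), subsigs)
    return evaluate(expr, counts), counts


def build_sample(n_named_funcs, n_evals, with_concat):
    """Constructed JS-like text. The obfuscation fragment is built from the decoded subsig
    bytes so this source file never contains the literal pattern."""
    _, _, _, subsigs = parse_ldb(SIG_LINE)
    eval_kw, func_kw, concat = subsigs  # b"eval(", b"function " (note trailing space), concat
    body = b"".join(func_kw + b"f%d() { return %d; }\n" % (i, i) for i in range(n_named_funcs))
    body += b"var cb = function() {};\n"  # anonymous: "function" with no trailing space
    body += b"".join(eval_kw + b"s%d);\n" % i for i in range(n_evals))
    if with_concat:
        body += b"var m = " + concat + b";\n"
    return body


if __name__ == "__main__":
    for args in [(6, 2, True), (5, 2, True), (6, 2, False), (3, 1, False)]:
        print(args, scan(build_sample(*args)))
```

Two details worth noticing when running it: subsig 1 is `66756e6374696f6e20`, i.e. "function" followed by a space, so anonymous `function()` expressions do not count toward `1>5`; and `>` is strictly greater-than, so a file with exactly five named functions and the concatenation fragment still does not fire.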