Hi there,

On Wed, 16 Sep 2020, Cyril AECK via lists.clamav.net wrote:

Is there a reason why the Emotet detection rate is very low for ClamAV?

The macro in the attachment is heavily disguised.  See for example

https://blog.malwarebytes.com/trojans/2020/07/long-dreaded-emotet-has-returned/

It's very easy for the sender to change disguises in code.  Some code
will even do it by itself, on the fly.  Using a grossly oversimplified
example, I could write code like this:

void somefunc() { while(1) { something_new; } }
int abc=1; if(abc==1) { somefunc(); }

but the same effect can be achieved with different names everywhere:

void otherfunc() { while(2) { something_old; } }
int xyz=3; if(xyz==3) { otherfunc(); }

You really want to analyze the behaviour of the code but that's much
harder to do than making simple string comparisons which look for
words -- which is more or less all that signature matching does.  You
need a signature for every disguise, which probably explains why there
are at the moment just shy of sixty thousand signatures in the 'daily'
database which have a name containing 'Emotet'.

On Wed, 16 Sep 2020, iulian stan via clamav-users wrote:

If you are talking about compressed files you have multiple choices to do
this as well:
1) use complicated MTA rules to unzip/untar/unrar/etc the archive and check if an executable is inside.
2) use foxhole unofficial clamav signatures (might not cover all the situations)
3) write your own signatures like this. Please check the manual first: https://www.clamav.net/documents/extended-signature-format

Archived_BAT:*:*:(?i)\.bat$:*:*:*:*:*:*
Archived_COM:*:*:(?i)\.com$:*:*:*:*:*:*
Archived_EXE:*:*:(?i)\.exe$:*:*:*:*:*:*

Unfortunately none of these suggestions is likely to succeed against
the current Emotet threats.  The malicious email generally contains a
disguised macro, not a Windows executable.  The macro downloads and
runs a payload (maybe more than one), thus avoiding a scan or perhaps
without even writing it to a file which ClamAV will be able to scan.

The foxhole signatures, the ClamAV official signatures and a couple of
dozen other third-party signatures have all failed to detect threats
in mail received here in the past few days.

But the messages were obvious as soon as they appeared in the greylist
queue.  They posed as replies to mail abuse reports which we had sent,
but the reports were sent many years ago.

Evidently our reports have been stolen from the poorly-secured systems
at the providers to whom we were reporting abuse at the time.  A neat
trick, but not nearly neat enough.  We don't run Windows boxes anyway. :)

--

73,
Ged.
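The two snippets in the reply above make the point that a plain string signature (the kind that looks for the word "somefunc") misses a copy of the same logic with every name and number changed. The following is an added example, not code from the thread or from ClamAV, that shows the difference in working form: it tokenises the two constructed C-like snippets from the message, replaces identifiers with position-numbered placeholders and integer literals with NUM, and hashes the resulting "shape". The raw substring check matches only the first variant; the normalised shape matches both. Everything here (the token regex, the keyword list, the `scan` helper) is an illustrative assumption, not a real scanner's signature format.

```python
import hashlib
import re

# Constructed samples taken from the discussion: identical logic, different
# identifiers and literals. An attacker can regenerate these on every send.
SAMPLE_A = (
    "void somefunc() { while(1) { something_new; } }\n"
    "int abc=1; if(abc==1) { somefunc(); }"
)
SAMPLE_B = (
    "void otherfunc() { while(2) { something_old; } }\n"
    "int xyz=3; if(xyz==3) { otherfunc(); }"
)
# Something with a genuinely different structure, for contrast.
SAMPLE_OTHER = "int counter=0; counter++;"

# Minimal tokeniser for C-like text: identifiers, integers, '==', single symbols.
TOKEN_RE = re.compile(r"[A-Za-z_]\w*|\d+|==|[^\s\w]")
IDENT_RE = re.compile(r"[A-Za-z_]\w*")
# Keywords keep their spelling; everything else that looks like a name is renamed.
KEYWORDS = {"void", "int", "char", "if", "else", "while", "for", "return"}


def tokenize(src: str) -> list[str]:
    """Split source text into a flat token list (whitespace is dropped)."""
    return TOKEN_RE.findall(src)


def normalize(src: str) -> str:
    """Return the structural 'shape' of the code.

    Identifiers become ID0, ID1, ... in order of first appearance, integer
    literals become NUM, keywords and punctuation are left as-is. Two
    programs that differ only in naming and constants normalise identically.
    """
    names: dict[str, str] = {}
    out: list[str] = []
    for tok in tokenize(src):
        if tok in KEYWORDS:
            out.append(tok)
        elif IDENT_RE.fullmatch(tok):
            if tok not in names:
                names[tok] = f"ID{len(names)}"
            out.append(names[tok])
        elif tok.isdigit():
            out.append("NUM")
        else:
            out.append(tok)
    return " ".join(out)


def string_signature_hits(src: str, signature: str) -> bool:
    """The naive approach: a literal substring match, like a word-based signature."""
    return signature in src


def shape_signature(src: str) -> str:
    """Hash of the normalised token stream, usable as a structural signature."""
    return hashlib.sha256(normalize(src).encode("utf-8")).hexdigest()


# Hypothetical 'database' seeded from the first variant only.
KNOWN_SHAPES = {shape_signature(SAMPLE_A)}


def scan(src: str) -> bool:
    """True if the sample's shape matches a known signature."""
    return shape_signature(src) in KNOWN_SHAPES


if __name__ == "__main__":
    print("literal 'somefunc' in A:", string_signature_hits(SAMPLE_A, "somefunc"))
    print("literal 'somefunc' in B:", string_signature_hits(SAMPLE_B, "somefunc"))
    print("shape A:", normalize(SAMPLE_A))
    print("shape B:", normalize(SAMPLE_B))
    print("shape scan B:", scan(SAMPLE_B), " other:", scan(SAMPLE_OTHER))
```

Renaming identifiers defeats the renaming trick shown in the thread, but nothing more: reordering statements, inserting dead code, or generating the real payload at run time (as the message says current macros do) changes the token shape and the hash with it, which is why the reply concludes that you end up wanting behavioural analysis rather than a new signature per disguise.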

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
