[clamav-users] Hint for creating signatures
Hello,

from time to time I create some signatures from what I find in the PHP code of my users. Now I found some malware that worries me. It's obfuscated PHP code that executes everything that was sent by POST (mostly spam mails). If I decrypt the code, I always find the same malware code. But the code as it can be found in the PHP page is always variable.

Samples can be found here for the next 2 weeks: http://pastebin.com/9VAW8FKK

What should I do now? Is there a trick to find a signature which fits for all samples, or do I have to create a different signature for every sample? What is your view on this subject?

Thanks,
Hajo

___
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
Re: [clamav-users] Hint for creating signatures
Hello,

sorry for the links to my translator. I thought Thunderbird was removing them when choosing pure text format. Now it is readable:

On 08.09.2014 at 16:04, Hajo Locke wrote:
> Hello,
>
> from time to time I create some signatures from what I find in the PHP code of my users. Now I found some malware that worries me. It's obfuscated PHP code that executes everything that was sent by POST (mostly spam mails). If I decrypt the code, I always find the same malware code. But the code as it can be found in the PHP page is always variable.
>
> Samples can be found here for the next 2 weeks: http://pastebin.com/9VAW8FKK
>
> What should I do now? Is there a trick to find a signature which fits for all samples, or do I have to create a different signature for every sample? What is your view on this subject?
>
> Thanks,
> Hajo
Re: [clamav-users] Hint for creating signatures
Hajo,

Would you be interested in sharing the signatures you create with the ClamAV community? If so, please check out the process here: http://blog.clamav.net/2014/02/introducing-clamav-community-signatures.html

As for signatures for obfuscated PHP, it really does depend on the code you are looking at, on a case-by-case basis.

- Alain

On Mon, Sep 8, 2014 at 10:04 AM, Hajo Locke hajo.lo...@gmx.de wrote:
> Samples can be found here for the next 2 weeks: http://pastebin.com/9VAW8FKK
>
> What should I do now? Is there a trick to find a signature which fits for all samples, or do I have to create a different signature for every sample? What is your view on this subject?
[clamav-users] Fwd: Re: clamav-milter: Failed to create temporary file
Hi,

the patched version of clamav-milter has been running for 5 days without problems. I can confirm that your patch solved the problem.

Thanks and regards
Urban Loesch

-------- Original Message --------
Subject: Re: [clamav-users] clamav-milter: Failed to create temporary file
Date: Thu, 04 Sep 2014 15:21:00 +0200
From: Urban Loesch b...@enas.net
To: Steven Morgan smor...@sourcefire.com, J. David Rye d@roadtech.co.uk
CC: Shawn Webb (shawebb) shaw...@cisco.com

Hi,

I installed the patch on one of my servers where it happens. Now I have to wait some days, because for me it does not happen very frequently. I will let you know the result.

Many thanks
Urban

On 04.09.2014 00:57, Steven Morgan wrote:
> Hi,
>
> We may have an answer. Is it possible to try the following patch and see if it fixes the problem?
>
> Thanks,
> Steve

--- a/clamav-milter/clamav-milter.c +++ b/clamav-milter/clamav-milter.c
@@ -56,6 +56,8 @@ int main(int argc, char **argv) { mode_t umsk; int ret; +cl_initialize_crypto(); + memset(descr, 0, sizeof(struct smfiDesc)); descr.xxfi_name = ClamAV;/* filter name */ descr.xxfi_version = SMFI_VERSION; /* milter version */

> On Tue, Sep 2, 2014 at 6:12 PM, Steven Morgan smor...@sourcefire.com wrote:
>> Hi J. David,
>>
>> Thanks for the additional analysis and information. I've been looking at this for a bit today. I have opened a ticket in the ClamAV bugzilla system to track the issue. The ticket number is 11089. Hope to have an answer soon.
>>
>> Steve
>>
>> On Sun, Aug 31, 2014 at 5:52 AM, J. David Rye d@roadtech.co.uk wrote:
>>> On Thu, 2014-08-21 at 19:22 -0400, Steven Morgan wrote:
>>>> Hi Urban,
>>>>
>>>> I took a look at this code. The real problem is the inability to create a temporary file. The second message just results from the return code of the function that attempts to create the temp file. We need to find out why the temp file creation fails. There should also be a clamav error message written from:
>>>>
>>>> cli_errmsg("cli_gentempfd: Can't create temporary file %s: %s\n", *name, strerror(errno));
>>>>
>>>> Can you find this message? Otherwise, it is a memory allocation failure for space for the temp file name, which seems unlikely.
>>>>
>>>> Steve
>>>
>>> I am also seeing this issue. Mostly intermittent, but see further down.
>>>
>>> cli_errmsg won't work if clamav-milter has daemonized. It only writes to STDERR, and the function daemonize closes standard error even if you recompile with CL_DEBUG set. The only way to get the error messages from cli_gentempfd seems to be to uncomment the line
>>>
>>> #Foreground yes
>>>
>>> in clamav-milter.conf, then run in the foreground from the command line.
>>>
>>> As an aside, I wonder why cli_gentempfd does not use the function logg() and output to file or syslog depending on the configuration file.
>>>
>>> I am running clamav-milter on a VM. OS is CentOS 6.5. The VM has 4 vCPUs and 2GB RAM. clamav-milter is version 0.98.4-1.el6.rf installed from the rpmforge repository.
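Review bot: the added cl_initialize_crypto() call in main() discards its return value and carries no comment saying why a milter needs it, so if initialization fails the milter carries on silently and a later reader has no link between this line and the symptom being fixed. The foreground log quoted further down shows every failure colliding on the identical name /tmp/clamav-626683ff3a00.tmp, which is presumably what this call is meant to cure; a one-line comment saying so, plus a check such as `if (cl_initialize_crypto() != 0) { logg("!cl_initialize_crypto() failed\n"); return 1; }` (the "!" prefix being logg's error level), would make the fix self-documenting. Worth confirming too whether a matching cl_cleanup_crypto() belongs on the shutdown path.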
>>> Looking at the logs: if the timestamps in syslog for calls to clamav-milter are two seconds or more apart, the problem never shows. However, if 4 or more messages arrive within two seconds, the problem always shows up; the failure to create the temp file is usually timestamped 2 seconds after the first message in the burst that triggered it. On a sustained burst of traffic pretty much all the messages trip the issue. In a 1 hour period last week, when I had a lot of messages due to a different issue, I had 20,000 temp file failures and 23 messages delivered.
>>>
>>> [root@mailhost-c6 etc]# clamav-milter --config-file=/etc/clamav-milter.conf.foreground
>>> Local socket unix:/var/run/clamav/clamd.sock added to the pool (slot 1)
>>> Probe for slot 1 returned: success
>>> LibClamAV Error: cli_gentempfd: Can't create temporary file /tmp/clamav-626683ff3a00.tmp: File exists
>>> ERROR: Failed to create temporary file
>>> ERROR: Failed to initiate streaming/fdpassing
>>> LibClamAV Error: cli_gentempfd: Can't create temporary file /tmp/clamav-626683ff3a00.tmp: File exists
>>> ERROR: Failed to create temporary file
>>> ERROR: Failed to initiate streaming/fdpassing
>>> LibClamAV Error: cli_gentempfd: Can't create temporary file /tmp/clamav-626683ff3a00.tmp: File exists
>>> ERROR: Failed to create temporary file
>>> ERROR: Failed to initiate streaming/fdpassing
Re: [clamav-users] Hint for creating signatures
On Mon, September 8, 2014 3:04 pm, Hajo Locke wrote:
> What should I do now? Is there a trick to find a signature which fits for all samples, or do I have to create a different signature for every sample?

Hi,

Tricky :(

Copy this into not_tested.ndb:

test.ercynpr:7:*:3D7374725F726F74313328??636572745F657263796E7072??293B2024
test.cryptbot:7:*:3D22{12}225E22{40}3B2024

You might have to change :3: to :7: to make it work...

Disclaimer: not had enough coffee, so not fully tested etc.

Cheers,

Steve
Sanesecurity.com
Re: [clamav-users] Hint for creating signatures
Because plugin developers do nutty things, I'd probably combine the two into a single signature to reduce possible false positives, but other than that it looks like those. I've seen non-malicious CMS plugins that use similar obfuscation techniques, though I'm certainly willing to use these as is and see how many false positives I get.

--Maarten

On Mon, Sep 8, 2014 at 10:58 AM, Steve Basford steveb_cla...@sanesecurity.com wrote:
> Copy this into not_tested.ndb:
>
> test.ercynpr:7:*:3D7374725F726F74313328??636572745F657263796E7072??293B2024
> test.cryptbot:7:*:3D22{12}225E22{40}3B2024
>
> You might have to change :3: to :7: to make it work...
>
> Disclaimer: not had enough coffee, so not fully tested etc.

--
Maarten Broekman
Endurance International Group vDeck
Senior Linux Systems Administrator / PCI ISA
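Added example, not code from the thread or from ClamAV: a small Python matcher for the two .ndb bodies Steve posted and for Maarten's suggestion of combining them into one signature (which in ClamAV means a logical .ldb signature, since an .ndb line carries a single body). It translates the hex-signature wildcards the thread uses (`??` for one byte, `{n}` for exactly n bytes, plus `{n-m}`, `{-m}`, `{n-}` and `*`) into a bytes regex, and evaluates a hypothetical `test.combined;Target:7;0&1;...` line that fires only when both bodies are present. The sample strings are constructed here to exercise the byte patterns and are not the pastebin files; the `&`-binds-tighter-than-`|` rule in `eval_logic` is an assumption, so parenthesize mixed expressions. The real check remains `clamscan -d not_tested.ndb <file>`.

```python
import re

# The two .ndb lines from Steve's reply (format: Name:TargetType:Offset:HexSig).
NDB_LINES = [
    "test.ercynpr:7:*:3D7374725F726F74313328??636572745F657263796E7072??293B2024",
    "test.cryptbot:7:*:3D22{12}225E22{40}3B2024",
]

# Hypothetical .ldb line requiring both bodies (the "combine into one signature"
# idea).  Format: Name;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1
LDB_LINE = ("test.combined;Target:7;0&1;"
            "3D7374725F726F74313328??636572745F657263796E7072??293B2024;"
            "3D22{12}225E22{40}3B2024")

# Hex-signature tokens handled here: ??, {n}, {n-m}, {-m}, {n-}, *, literal byte.
_TOKEN = re.compile(r"\?\?|\{(\d*)(-?)(\d*)\}|\*|[0-9A-Fa-f]{2}")


def hexsig_to_regex(hexsig):
    """Translate a ClamAV hex body signature into an equivalent bytes regex.
    Nibble wildcards (a?/?a) and (aa|bb) alternatives are out of scope and
    raise ValueError instead of silently mis-matching."""
    parts, pos = [], 0
    for m in _TOKEN.finditer(hexsig):
        if m.start() != pos:
            raise ValueError("unsupported syntax at offset %d: %s" % (pos, hexsig[pos:]))
        tok = m.group(0)
        if tok == "??":
            parts.append(b".")                       # exactly one arbitrary byte
        elif tok == "*":
            parts.append(b".*?")                     # any number of bytes
        elif tok.startswith("{"):
            lo, dash, hi = m.group(1), m.group(2), m.group(3)
            if not dash:
                parts.append(b".{%d}" % int(lo))     # exactly n bytes
            else:                                    # n..m, ..m or n.. bytes
                parts.append(b".{%d,%s}" % (int(lo or 0), hi.encode()))
        else:
            parts.append(re.escape(bytes.fromhex(tok)))  # literal byte
        pos = m.end()
    if pos != len(hexsig):
        raise ValueError("unsupported syntax at offset %d: %s" % (pos, hexsig[pos:]))
    return re.compile(b"".join(parts), re.DOTALL)


def body_matches(hexsig, offset, data):
    """offset is '*' (anywhere) or a decimal byte offset the match must start at."""
    rx = hexsig_to_regex(hexsig)
    if offset == "*":
        return rx.search(data) is not None
    return rx.match(data, int(offset)) is not None


def ndb_matches(line, data):
    _name, _target, offset, hexsig = line.strip().split(":", 3)
    return body_matches(hexsig, offset, data)


def eval_logic(expr, hits):
    """Evaluate an .ldb logical expression (indices, &, |, parentheses) over the
    per-subsignature results; count qualifiers like 0>3 are not handled."""
    tokens = re.findall(r"\d+|[&|()]", expr)
    if "".join(tokens) != expr:
        raise ValueError("unsupported expression: " + expr)
    pos = 0

    def atom():
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        if tok != "(":
            return hits[int(tok)]
        val = disj()
        if pos >= len(tokens) or tokens[pos] != ")":
            raise ValueError("unbalanced parentheses: " + expr)
        pos += 1
        return val

    def conj():                      # assumption: & binds tighter than |
        nonlocal pos
        val = atom()
        while pos < len(tokens) and tokens[pos] == "&":
            pos += 1
            rhs = atom()
            val = val and rhs
        return val

    def disj():
        nonlocal pos
        val = conj()
        while pos < len(tokens) and tokens[pos] == "|":
            pos += 1
            rhs = conj()
            val = val or rhs
        return val

    result = disj()
    if pos != len(tokens):
        raise ValueError("trailing tokens in: " + expr)
    return result


def ldb_matches(line, data):
    _name, _target, expr, *subsigs = line.strip().split(";")
    return eval_logic(expr, [body_matches(s, "*", data) for s in subsigs])


def scan(data):
    """Names of every signature above (the two .ndb lines and the .ldb) hitting on data."""
    names = [l.split(":", 1)[0] for l in NDB_LINES if ndb_matches(l, data)]
    if ldb_matches(LDB_LINE, data):
        names.append(LDB_LINE.split(";", 1)[0])
    return names


# Constructed samples (not the thread's pastebin files): strings that merely
# exercise each signature's byte pattern, and one clean string.
SAMPLE_ROT13 = b"<?php $f=str_rot13('cert_ercynpr'); $x = 1; ?>"
SAMPLE_XOR = b'<?php $k="abcdefghijkl"^"' + b"Q" * 40 + b"; $y = 2; ?>"
SAMPLE_CLEAN = b"<?php echo str_rot13('uryyb jbeyq'); ?>"

if __name__ == "__main__":
    for label, sample in (("rot13", SAMPLE_ROT13), ("xor", SAMPLE_XOR),
                          ("both", SAMPLE_ROT13 + SAMPLE_XOR), ("clean", SAMPLE_CLEAN)):
        print("%-6s -> %s" % (label, scan(sample) or "no match"))
```

Running it shows each .ndb line hitting only its own sample while `test.combined` hits only the concatenation, which is the false-positive trade-off Maarten describes: the AND form stays quiet on a plugin that happens to use just one of the two idioms. Decoding the hex also explains the names: `3D7374725F726F74313328` is `=str_rot13(` and `636572745F657263796E7072` is `cert_ercynpr`, the ROT13 form of `preg_replace`.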