[clamav-users] Hint for creating signatures

2014-09-08 Thread Hajo Locke

Hello,

From time to time I create some signatures from what I found in php-code of my users.
Now I found some malware that worries me. It's obfuscated php-code to 
execute all which was sent by POST (mostly spammails). If I unencrypt 
the code, I always find the same malware code. But the code as it can be 
found in the php-page is always variable.


samples can be found here for next 2 weeks: http://pastebin.com/9VAW8FKK

What should i do now? Is there a trick to find a signature which fits 
for all samples or i have to create a different signature for every sample?
What is your view on this subject?



Thanks,
Hajo


___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Hint for creating signatures

2014-09-08 Thread Hajo Locke

Hello,

sorry for links to my translator. I thought thunderbird is removing this 
when choosing pure-text-format.

now it is readable:

On 08.09.2014 16:04, Hajo Locke wrote:

Hello,

From time to time I create some signatures from what I found in 
php-code of my users.
Now I found some malware that worries me. It's obfuscated php-code to 
execute all which was sent by POST (mostly spammails). If I unencrypt 
the code, I always find the same malware code. But the code as it can 
be found in the php-page is always variable.


samples can be found here for next 2 weeks: http://pastebin.com/9VAW8FKK

What should i do now? Is there a trick to find a signature which fits 
for all samples or i have to create a different signature for every 
sample?

What is your view on this subject?

Thanks,
Hajo







Re: [clamav-users] Hint for creating signatures

2014-09-08 Thread Alain Zidouemba
Hajo,

Would you be interested in sharing the signatures you create with the
ClamAV community? If so, please check out the process here:
http://blog.clamav.net/2014/02/introducing-clamav-community-signatures.html

As for signatures for obfuscated PHP, it really does depend on the code you
are looking at, on a case-by-case basis.

- Alain


On Mon, Sep 8, 2014 at 10:04 AM, Hajo Locke wrote:

> Hello,
>
> From time to time I create some signatures
> from what I found in php-code of my users.
> Now I found some malware that worries me. It's obfuscated php-code to
> execute all which was sent by POST (mostly spammails). If I unencrypt the
> code, I always find the same malware code. But the code as it can be found
> in the php-page is always variable.
>
> samples can be found here for next 2 weeks: http://pastebin.com/9VAW8FKK
>
> What should i do now? Is there a trick to find a signature which fits for
> all samples or i have to create a different signature for every sample?
> What is your view on this subject?
>
> Thanks,
> Hajo
>
>
>


[clamav-users] Fwd: Re: clamav-milter: Failed to create temporary file

2014-09-08 Thread Urban Loesch

Hi,

the patched version of clamav-milter has been running for 5 days without problems.
I can confirm that your patch solved the problem.

Thanks and regards
Urban Loesch

 Original Message 
Subject: Re: [clamav-users] clamav-milter: Failed to create temporary file
Date: Thu, 04 Sep 2014 15:21:00 +0200
From: Urban Loesch
To: Steven Morgan, "J. David Rye"

CC: Shawn Webb (shawebb)

Hi,

I installed the patch on one of my servers where it happens.
Now I have to wait some days, because for me it does not happen very frequently.

I'll let you know the result.

Many thanks
Urban


On 04.09.2014 00:57, Steven Morgan wrote:
> Hi,
> 
> We may have an answer. Is it possible to try the following patch and see if it 
> fixes the problem?
> 
> Thanks,
> Steve
> 
> --- a/clamav-milter/clamav-milter.c
> +++ b/clamav-milter/clamav-milter.c
> @@ -56,6 +56,8 @@ int main(int argc, char **argv) {
>  mode_t umsk;
>  int ret;
>  
> +cl_initialize_crypto();
> +
>  memset(&descr, 0, sizeof(struct smfiDesc));
>  descr.xxfi_name = "ClamAV";/* filter name */
>  descr.xxfi_version = SMFI_VERSION; /* milter version */
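Review bot: the new cl_initialize_crypto() call at the top of main() has no comment saying why a milter needs it, and the hunk adds no matching cl_cleanup_crypto() on main()'s return paths. A one-line comment tying the call to the symptom under test (the same /tmp/clamav-626683ff3a00.tmp name being produced for every message, per the foreground log further down in this thread) would stop a later reader from dropping it as dead code, and the cleanup call would keep the shutdown path symmetric with this initialisation.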
> 
> 
> On Tue, Sep 2, 2014 at 6:12 PM, Steven Morgan wrote:
> 
> Hi J. David,
> 
> Thanks for the additional analysis and information. I've been looking at 
> this for a bit today. I have opened a ticket in the ClamAV bugzilla
> system to track the issue. The ticket number is 11089. Hope to have an 
> answer soon.
> 
> Steve
> 
> 
> On Sun, Aug 31, 2014 at 5:52 AM, J. David Rye wrote:
> 
> On Thu, 2014-08-21 at 19:22 -0400, Steven Morgan wrote:
> > Hi Urban,
> >
> > I took a look at this code. The real problem is the inability to create a
> > temporary file. The second message just results from the return code of the
> > function that attempts to create the temp file. We need to find out why the
> > temp file creation fails. There should also be a clamav error message
> > written from:  cli_errmsg("cli_gentempfd: Can't create temporary file %s:
> > %s\n", *name, strerror(errno)); Can you find this message?
> >
> > Otherwise, it is a memory allocation failure for space for the temp file
> > name, which seems unlikely.
> >
> > Steve
> 
> I am also seeing this issue. Mostly intermittent but see further down.
> 
> cli_errmsg won't work if clamav-milter has daemonized.
> It only writes to STDERR and the function daemonize closes standard
> error even if you recompile with CL_DEBUG set.
> 
> The only way to get the error messages from cli_gentempfd seems
> to be to uncomment the line
> 
> "#Foreground yes"
> 
> in clamav-milter.conf, then run in foreground from the command line.
> 
> As an aside I wonder why cli_gentempfd does not use the function logg()
> and output to file or syslog depending on configuration file.
> 
> I am running clamav-milter on a VM. OS is CentOS 6.5
> VM has 4 vcpu, and 2GB RAM
> clamav-milter is version 0.98.4-1.el6.rf installed from rpmforge
> repository.
> 
> Looking at the logs, if time stamps in syslog for calls to clamav-milter
> are two seconds or more apart the problem never shows.
> 
> However if 4 or more messages arrive in two seconds the problem always shows
> up; the failure to create temp file is usually time stamped 2 seconds
> after the first message in the burst that triggered it.
> 
> On a sustained burst of traffic pretty much all the messages trip the
> issue.
> In a 1 hour period last week when I had a lot of messages due to a
> different issue, I had 20,000 temp file failures, and 23 messages
> delivered.
> 
> [root@mailhost-c6 etc]# clamav-milter --config-file=/etc/clamav-milter.conf.foreground
> Local socket unix:/var/run/clamav/clamd.sock added to the pool (slot 1)
> Probe for slot 1 returned: success
> LibClamAV Error: cli_gentempfd: Can't create temporary file /tmp/clamav-626683ff3a00.tmp: File exists
> ERROR: Failed to create temporary file
> ERROR: Failed to initiate streaming/fdpassing
> LibClamAV Error: cli_gentempfd: Can't create temporary file /tmp/clamav-626683ff3a00.tmp: File exists
> ERROR: Failed to create temporary file
> ERROR: Failed to initiate streaming/fdpassing
> LibClamAV Error: cli_gentempfd: Can't create temporary file /tmp/clamav-626683ff3a00.tmp: File exists
> ERROR: Failed to create temporary file
> ERROR: Failed to initiate stre

Re: [clamav-users] Hint for creating signatures

2014-09-08 Thread Steve Basford

On Mon, September 8, 2014 3:04 pm, Hajo Locke wrote:

>
> What should i do now? Is there a trick to find a signature which fits
> for all samples or i have to create a different signature for every
> sample?


Hi,

Tricky :(

Copy this into not_tested.ndb

test.ercynpr:7:*:3D7374725F726F74313328??636572745F657263796E7072??293B2024
test.cryptbot:7:*:3D22{12}225E22{40}3B2024

You might have to change :3: to :7: to make it work...

Disclaimer: not had enough coffee, so not fully tested etc.

Cheers,

Steve
Sanesecurity.com

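As an added example, not code from the thread, from ClamAV or from Sanesecurity: a small Python stand-in for the .ndb matcher, so the two signatures above can be pre-checked against local samples offline and their literal parts read back as text (the first pins "=str_rot13(" ... "cert_ercynpr" ... "); $", and str_rot13('cert_ercynpr') is 'preg_replace'). The samples are constructed, not the pastebin ones; only the wildcards and offset forms listed in the comments are handled, and the target type is parsed but not enforced, so a hit here is a reason to run clamscan, not a substitute for it.

```python
import re

# Added example, not code from the thread, ClamAV or Sanesecurity: a stand-in
# for the .ndb matcher. Handles the body wildcards ?? (one byte),
# {n} / {n-m} / {n-} / {-m} (byte runs) and * (any run), plus the offset
# forms '*' and a plain integer; the target type is parsed but not enforced.
TOKEN = re.compile(r'\?\?|\{[^}]*\}|\*|[0-9A-Fa-f]{2}')
def ndb_body_to_regex(body: str) -> bytes:
    """Translate an .ndb hex body with wildcards into a bytes regex."""
    out = []
    for tok in TOKEN.findall(body):
        if tok == '??':
            out.append(b'.')
        elif tok == '*':
            out.append(b'.*?')
        elif tok.startswith('{'):
            lo, dash, hi = tok[1:-1].partition('-')
            lo = lo.encode() or b'0'
            out.append(b'.{%s,%s}' % (lo, hi.encode()) if dash else b'.{%s}' % lo)
        else:  # two hex digits = one literal byte
            out.append(re.escape(bytes.fromhex(tok)))
    return b''.join(out)
def parse_ndb(line: str):  # 'name:target:offset:hexbody' -> four fields
    name, target, offset, body = line.strip().split(':', 3)
    return name, int(target), offset, body
def literals(body: str) -> list:  # plain-text pieces between the wildcards
    return [bytes.fromhex(h).decode('latin-1')
            for h in re.split(r'\?\?|\{[^}]*\}|\*', body) if h]
def ndb_matches(line: str, data: bytes) -> bool:
    """True if the body occurs in data at the offset the signature allows."""
    _, _, offset, body = parse_ndb(line)
    rx = re.compile(ndb_body_to_regex(body), re.DOTALL)
    if offset == '*':
        return rx.search(data) is not None
    return rx.match(data, int(offset)) is not None

SIGS = [  # the two signatures from the post, verbatim
    "test.ercynpr:7:*:3D7374725F726F74313328??636572745F657263796E7072??293B2024",
    "test.cryptbot:7:*:3D22{12}225E22{40}3B2024",
]
SAMPLES = {  # constructed stand-ins, not the pastebin samples
    "rot13": b"<?php $f=str_rot13('cert_ercynpr'); $f('/x/e', $_POST['c'], ''); ?>",
    "xor": b'<?php $k="0123456789ab"^"' + b'y' * 39 + b'"; $k($_POST["c"]); ?>',
    "benign": b"<?php echo str_rot13('uryyb jbeyq'); ?>",
}
def scan_all() -> dict:
    """Map each sample name to the names of the signatures that hit it."""
    return {n: [parse_ndb(s)[0] for s in SIGS if ndb_matches(s, d)]
            for n, d in SAMPLES.items()}
```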


Re: [clamav-users] Hint for creating signatures

2014-09-08 Thread Maarten Broekman
Because plugin developers do nutty things, I'd probably combine the two
into a single signature to reduce possible false positives, but other than
that it looks like those.  I've seen non-malicious CMS plugins that use
similar obfuscation techniques, though I'm certainly willing to use these
as is and see how many false positives I get.

--Maarten

On Mon, Sep 8, 2014 at 10:58 AM, Steve Basford <steveb_cla...@sanesecurity.com> wrote:

>
> On Mon, September 8, 2014 3:04 pm, Hajo Locke wrote:
>
> >
> > What should i do now? Is there a trick to find a signature which fits
> > for all samples or i have to create a different signature for every
> > sample?
>
>
> Hi,
>
> Tricky :(
>
> Copy this into not_tested.ndb
>
> test.ercynpr:7:*:3D7374725F726F74313328??636572745F657263796E7072??293B2024
> test.cryptbot:7:*:3D22{12}225E22{40}3B2024
>
> You might have to change :3: to :7: to make it work...
>
> Disclaimer: not had enough coffee, so not fully tested etc.
>
> Cheers,
>
> Steve
> Sanesecurity.com
>



-- 
Maarten Broekman
Endurance International Group
vDeck Senior Linux Systems Administrator / PCI ISA