So, I've been creating local signatures for a variety of obfuscated
JavaScript for a while.
But I've been missing a way to more precisely target malicious actions
based on surrounding variables.
With my latest sample, I want to match "[variable].[htmldomstuff]",
"function([variable])", across several nearby substrings.
But I *don't* want to hardcode any one specific normalized variable name
- this particular sample has n007, but with very little fiddling it
could well end up as n003 or n024. What I want is a metareference of
some kind to use across the substrings that will only match the same
normalized variable name in all of them.
In PCRE I would just do something like:
/(n\d+).htmldomstuff;function(\1);/
Do any of Clam's signature types support something like this? Logical
signatures or YARA rules seem likely, but I've had trouble getting some
more complex signature concepts to actually work with either.
-kgd
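As an added example (not from the post, and not ClamAV's own code), the following Python checks the backreference idea offline before it is ported to a signature engine: the variable name is captured once and `\1` then requires the same name in every later substring, so a consistent n007 or n024 matches while a mixed n007/n003 sample does not. The JavaScript samples are constructed, and the escaped `.` and `()` plus the bounded `.{0,200}?` gap between substrings are my assumptions, not the poster's pattern.

```python
import re

# Constructed samples of normalized, obfuscated JavaScript (not taken from the post).
CONSISTENT = "var n007=document;n007.htmldomstuff;eval(n007.x);function(n007);"
MISMATCHED = "var n007=document;n007.htmldomstuff;eval(n003.x);function(n003);"
RENUMBERED = "var n024=document;n024.htmldomstuff;eval(n024.x);function(n024);"

# Capture the normalized variable name once with (n\d+), then require the *same*
# name via the \1 backreference in each later substring. The dot and parentheses
# are escaped so they match literally, and `.{0,200}?` bounds the junk allowed
# between the two substrings instead of assuming a fixed ';' separator.
SAME_VAR_RE = re.compile(
    r"(n\d+)\.htmldomstuff;.{0,200}?function\(\1\);",
    re.DOTALL,
)


def same_var_used(js: str):
    """Return the shared variable name if every substring uses it, else None."""
    m = SAME_VAR_RE.search(js)
    return m.group(1) if m else None


if __name__ == "__main__":
    for label, sample in [("consistent", CONSISTENT),
                          ("mismatched", MISMATCHED),
                          ("renumbered", RENUMBERED)]:
        print(f"{label}: {same_var_used(sample)}")
```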