Re: [clamav-users] Difficult malwarefiles - signature too short

2015-11-03 Thread Hajo Locke

Hello,

On 02.11.2015 at 19:08, Kris Deugau wrote:

G.W. Haywood wrote:

Hi there,

On Mon, 2 Nov 2015, Hajo Locke wrote:


... It seems to be so easy for a PHP programmer to generate an infinite
number of malware files ...

That's correct.

Any .php file sent here goes straight to /dev/null without inspection.

very luxurious life ;)

I can't say I've seen PHP randomly splattered around by email (unlike
Javascript or Windows executables, very little will even recognize it
never mind auto-execute it);  I'm guessing the OP is scanning customer
webhosting content.

Customers will get very unhappy if you blindly delete all PHP files from
their webhosting account...

Yes, that's correct.
There are a lot of insecure CMSs which are abused to upload PHP malware
to send spam etc.
It's difficult to find the right ones and leave harmless files alone until
the customer has updated his system.


I now have a set of signatures, but I am unhappy with them. I do some
test scans on servers to check how many FPs I will get. As yet none.
I tried to work without wildcards in my signature, just limited variable
spaces between significant text.


Is there a possibility to create whitespace-free normalised base files?
It's too easy for PHP programmers to create new files. For example, this
"$aat03[11]." is not the same as "$aat03[11] ." because of the whitespace
before ".".
Hmm, with whitespace-free normalised files it would be easier to create
signatures for these chained array elements in small spaces or for the
significant "eval{-15}(${$" instead of "(${ $", "( ${$", "( $ {
$".. etc.




-kgd
___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml



Thanks,
Hajo
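The whitespace normalisation asked about above, plus a signature in the ndb form this thread uses, as an added example (not code from the thread or from ClamAV): it strips whitespace outside quoted strings with a deliberately naive PHP scanner (no comment or heredoc handling, an assumption), builds an ndb line from fixed byte strings joined by `*` and `{-n}` gaps in the shape of the corrected signature, and checks the rule locally by translating it to a regex as a stand-in for clamscan. The PHP sample is constructed.

```python
import re

# Constructed sample in the style the thread describes (not a real malware file):
# the same tokens as the thread's signature, padded with spaces so "]." never appears raw.
SAMPLE_PHP = (b'<?php $a = strtolower( $x[3] . $x[5] . $x[7] ) ;\n'
              b'if (isset( $_POST[ "q" ] )) eval ( ${ $z } ); ?>')

def normalise(src: bytes) -> bytes:
    """Drop whitespace outside quoted strings so '$x[1].' and '$x[1] .' look alike."""
    out, i, quote = bytearray(), 0, None
    while i < len(src):
        c = src[i:i + 1]
        if quote:                        # inside a string literal: copy verbatim
            out += c
            if c == b"\\":               # keep the escaped byte as well
                out += src[i + 1:i + 2]
                i += 1
            elif c == quote:
                quote = None
        elif not c.isspace():
            out += c
            if c in (b'"', b"'"):        # opening quote: enter literal mode
                quote = c
        i += 1
    return bytes(out)

def ndb_signature(name: str, parts) -> str:
    """Build 'name:0:*:hexsig' from [(literal, max_gap_to_next_literal or None), ...].
    None emits '*' (any distance); n emits '{-n}' (at most n bytes), as in the thread."""
    body = ""
    for idx, (lit, gap) in enumerate(parts):
        body += lit.hex()
        if idx < len(parts) - 1:
            body += "*" if gap is None else "{-%d}" % gap
    return f"{name}:0:*:{body}"

def sig_matches(sig: str, data: bytes) -> bool:
    """Local stand-in for clamscan: translate the hexsig body into a regex and search."""
    rx = b""
    for tok in re.findall(r"\{-\d+\}|\*|[0-9a-f]{2}", sig.split(":", 3)[3]):
        rx += (b".*" if tok == "*" else b".{0,%d}" % int(tok[2:-1]) if tok[0] == "{"
               else re.escape(bytes.fromhex(tok)))
    return re.search(rx, data, re.DOTALL) is not None

# Anchors from the thread: strtolower, chained "].", isset, eval, "(${"
SIG = ndb_signature("testing_01", [(b"strtolower", None), (b"].", 11), (b"].", None),
                                   (b"isset", 35), (b"eval", 10), (b"(${", None)])

if __name__ == "__main__":               # raw sample: False; normalised sample: True
    print(SIG, sig_matches(SIG, SAMPLE_PHP), sig_matches(SIG, normalise(SAMPLE_PHP)))
```

Note that the same rule misses the raw file and hits the normalised copy, which is the effect the whitespace question is after; scanning normalised copies rather than the originals is what makes the short fixed anchors usable.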


Re: [clamav-users] Difficult malwarefiles - signature too short

2015-11-03 Thread G.W. Haywood

Hello again,

On Tue, 3 Nov 2015, Kris Deugau wrote:


Customers will get very unhappy if you blindly delete all PHP files from
their webhosting account...


I don't remember suggesting that.

My point is that ClamAV is designed to look for known threats.

The OP is looking for unknown threats.

I'm left feeling that what the OP is trying to do makes little sense,
and even if it did make sense, ClamAV wouldn't be the right tool with
which to attempt to do it.

--

73,
Ged.


Re: [clamav-users] Difficult malwarefiles - signature too short

2015-11-02 Thread Kris Deugau
G.W. Haywood wrote:
> Hi there,
> 
> On Mon, 2 Nov 2015, Hajo Locke wrote:
> 
>> ... It seems to be so easy for a PHP programmer to generate an infinite
>> number of malware files ...
> 
> That's correct.
> 
> Any .php file sent here goes straight to /dev/null without inspection.

I can't say I've seen PHP randomly splattered around by email (unlike
Javascript or Windows executables, very little will even recognize it
never mind auto-execute it);  I'm guessing the OP is scanning customer
webhosting content.

Customers will get very unhappy if you blindly delete all PHP files from
their webhosting account...

-kgd


Re: [clamav-users] Difficult malwarefiles - signature too short

2015-11-02 Thread G.W. Haywood

Hi there,

On Mon, 2 Nov 2015, Hajo Locke wrote:


... It seems to be so easy for a PHP programmer to generate an infinite
number of malware files ...


That's correct.

Any .php file sent here goes straight to /dev/null without inspection.

--

73,
Ged.


[clamav-users] Difficult malwarefiles - signature too short

2015-11-02 Thread Hajo Locke

Hello,

Again I have to create signatures for some difficult short files. Using
these files, a hacked CMS does whatever you want.

Examples are here:
http://pastebin.com/ruxdmpNz
The number of files seems infinite; there are always different names of
variables. Also the length of variables and the spaces between text differ from
file to file.


I did some testing. In most files there is a "strtoupper" or
"strtolower", "isset", "eval" and a lot of array elements, but overall no
very significant attributes to create a good signature.

I'm afraid to kill some non-malware user files.
I started like this:

testing_01:0:*:737472746f6c6f776572*5d2e{-11}5d2e{-11}5d2e{-11}5d2e{-11}5d2e{-11}5d2e{-11}*6973736574{-35}6576616c

VIRUS NAME: testing_01
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:
strtolower{WILDCARD_ANY_STRING}].{WILDCARD_ANY_STRING(LENGTH<=11)}].{WILDCARD_ANY_STRING(LENGTH<=11)}].{WILDCARD_ANY_STRING(LENGTH<=11)}].{WILDCARD_ANY_STRING(LENGTH<=11)}].{WILDCARD_ANY_STRING(LENGTH<=11)}].{WILDCARD_ANY_STRING(LENGTH<=11)}{WILDCARD_ANY_STRING}isset{WILDCARD_ANY_STRING(LENGTH<=35)}eval


But clamscan always says:
LibClamAV Error: cli_ac_addsig: Signature for testing_01 is too short
LibClamAV Error: cli_parse_add(): Problem adding signature (1).
LibClamAV Error: cli_parseadd(): Problem adding signature (1b).

Why is it too short? Please help me create a good set of signatures.

Thanks,
Hajo


Re: [clamav-users] Difficult malwarefiles - signature too short

2015-11-02 Thread Alain Zidouemba
I believe the issue is around

5d2e{-11}*6973 <6973736574>

Remove the * and try again.

-Alain

On Nov 2, 2015, at 5:24 AM, Hajo Locke wrote:

5d2e{-11}*6973


Re: [clamav-users] Difficult malwarefiles - signature too short

2015-11-02 Thread Hajo Locke

Hello,


On 02.11.2015 at 11:54, Alain Zidouemba wrote:

I believe the issue is around

5d2e{-11}*6973 <6973736574>

Remove the * and try again.


Ahh! Hmm, I didn't see this. Works now. Thank you.
Do you think a signature like this is very reliable? It seems to be so
easy for a PHP programmer to generate an infinite number of malware files
and so hard to create a fitting signature.


testing_01:0:*:737472746f6c6f776572*5d2e{-11}5d2e{-11}5d2e{-11}5d2e{-11}5d2e*6973736574{-35}6576616c{-10}28247b



-Alain

On Nov 2, 2015, at 5:24 AM, Hajo Locke wrote:

5d2e{-11}*6973


Thanks,
Hajo