Re: [clamav-users] Difficult malwarefiles - signature too short
Hello,

On 02.11.2015 at 19:08, Kris Deugau wrote:
> G.W. Haywood wrote:
>> Hi there,
>>
>> On Mon, 2 Nov 2015, Hajo Locke wrote:
>>> ... It seems to be so easy for a php-programmer to generate infinite
>>> number of malware files ...
>>
>> That's correct.
>>
>> Any .php file sent here goes straight to /dev/null without inspection.
very luxurious life ;)

> I can't say I've seen PHP randomly splattered around by email (unlike
> Javascript or Windows executables, very little will even recognize it
> never mind auto-execute it); I'm guessing the OP is scanning customer
> webhosting content.
>
> Customers will get very unhappy if you blindly delete all PHP files from
> their webhosting account...
yes, that's correct. There are a lot of insecure CMS which are abused to upload php-malware to send spam etc. It's difficult to find the correct ones and leave harmless files alone until the customer has updated his system.
I now have a set of signatures, but I am unhappy with them. I do some test scans on servers to check how many FPs I will get. As yet none.
I tried to work without wildcards in my signature, just limited variable spaces between significant text.
Is there a possibility to create whitespace-free normalised base files? It's too easy for php programmers to create new files. For example, this "$aat03[11]." is not the same as "$aat03[11] ." because of the whitespace before ".".
Hmm, with whitespace-free normalised files it would be easier to create signatures for these chained array elements in small spaces, or for the significant "eval{-15}(${$" instead of "(${ $", "( ${$", "( $ { $".. etc.

> -kgd
> ___
> Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
> http://www.clamav.net/contact.html#ml

Thanks,
Hajo
Re: [clamav-users] Difficult malwarefiles - signature too short
Hello again,

On Tue, 3 Nov 2015, Kris Deugau wrote:
> Customers will get very unhappy if you blindly delete all PHP files from
> their webhosting account...

I don't remember suggesting that. My point is that ClamAV is designed to look for known threats. The OP is looking for unknown threats. I'm left feeling that what the OP is trying to do makes little sense, and even if it did make sense, ClamAV wouldn't be the right tool with which to attempt to do it.

--
73,
Ged.
Re: [clamav-users] Difficult malwarefiles - signature too short
G.W. Haywood wrote:
> Hi there,
>
> On Mon, 2 Nov 2015, Hajo Locke wrote:
>
>> ... It seems to be so easy for a php-programmer to generate infinite
>> number of malware files ...
>
> That's correct.
>
> Any .php file sent here goes straight to /dev/null without inspection.

I can't say I've seen PHP randomly splattered around by email (unlike Javascript or Windows executables, very little will even recognize it never mind auto-execute it); I'm guessing the OP is scanning customer webhosting content.

Customers will get very unhappy if you blindly delete all PHP files from their webhosting account...

-kgd
Re: [clamav-users] Difficult malwarefiles - signature too short
Hi there,

On Mon, 2 Nov 2015, Hajo Locke wrote:
> ... It seems to be so easy for a php-programmer to generate infinite
> number of malware files ...

That's correct.

Any .php file sent here goes straight to /dev/null without inspection.

--
73,
Ged.
[clamav-users] Difficult malwarefiles - signature too short
Hello,

again I have to create signatures for some difficult short files. Using these files, hacked CMS do what you want. Examples are here:
http://pastebin.com/ruxdmpNz

The number of files seems infinite; there are always different names of variables. Also the length of variables and the spaces between text differ from file to file.
I did some testing. In most files there is a "strtoupper" or "strtolower", "isset", "eval" and a lot of array elements, but all in all not very significant attributes to create a good signature. I am afraid to kill some non-malware user files.

I started like this:

testing_01:0:*:737472746f6c6f776572*5d2e{-11}5d2e{-11}5d2e{-11}5d2e{-11}5d2e{-11}5d2e{-11}*6973736574{-35}6576616c

VIRUS NAME: testing_01
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:
strtolower{WILDCARD_ANY_STRING}].{WILDCARD_ANY_STRING(LENGTH<=11)}].{WILDCARD_ANY_STRING(LENGTH<=11)}].{WILDCARD_ANY_STRING(LENGTH<=11)}].{WILDCARD_ANY_STRING(LENGTH<=11)}].{WILDCARD_ANY_STRING(LENGTH<=11)}].{WILDCARD_ANY_STRING(LENGTH<=11)}{WILDCARD_ANY_STRING}isset{WILDCARD_ANY_STRING(LENGTH<=35)}eval

But clamscan always says:

LibClamAV Error: cli_ac_addsig: Signature for testing_01 is too short
LibClamAV Error: cli_parse_add(): Problem adding signature (1).
LibClamAV Error: cli_parseadd(): Problem adding signature (1b).

Why is it too short?
Please help me create a good set of signatures.

Thanks,
Hajo
Re: [clamav-users] Difficult malwarefiles - signature too short
I believe the issue is around 5d2e{-11}*6973 <6973736574>

Remove the * and try again.

-Alain

On Nov 2, 2015, at 5:24 AM, Hajo Locke wrote:
> 5d2e{-11}*6973
Re: [clamav-users] Difficult malwarefiles - signature too short
Hello,

On 02.11.2015 at 11:54, Alain Zidouemba wrote:
> I believe the issue is around 5d2e{-11}*6973 <6973736574>
>
> Remove the * and try again.
ahh! hmm, I didn't see this. Works now. Thank you.
Do you think a signature like this is very reliable? It seems to be so easy for a php-programmer to generate an infinite number of malware files and so hard to create a fitting signature.

testing_01:0:*:737472746f6c6f776572*5d2e{-11}5d2e{-11}5d2e{-11}5d2e{-11}5d2e*6973736574{-35}6576616c{-10}28247b

> -Alain
>
> On Nov 2, 2015, at 5:24 AM, Hajo Locke wrote:
>> 5d2e{-11}*6973

Thanks,
Hajo
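As an added example (not from the thread and not ClamAV project code), a small Python model of the .ndb constructs used above: it decodes the two bodies from the thread the way the OP's sigtool output shows them, flags a bounded {-n} spacer sitting directly before a *, which is the spot Alain's fix removed, and tries a body against constructed PHP snippets with and without the whitespace Hajo's last message worries about. The spacer check and the whitespace normaliser are my own checks rather than ClamAV features, and the PHP samples are constructed, not real files.

```python
import re

# Handles only the .ndb constructs used in the thread: hex byte pairs, "*"
# (any string) and "{-n}" (any string of at most n bytes); anything else raises.
_TOKEN = re.compile(r'\*|\{-(\d+)\}|([0-9a-fA-F]{2})')
# A PHP string literal, or (group 1) a run of whitespace outside any literal.
_STR_OR_WS = re.compile(rb'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|(\s+)', re.DOTALL)

def tokenize(body):
    """Split a hex body into ('byte', bytes), ('any', None) and ('upto', n) tokens."""
    toks, pos = [], 0
    while pos < len(body):
        m = _TOKEN.match(body, pos)
        if not m:
            raise ValueError('unsupported construct at offset %d' % pos)
        if m.group(0) == '*':
            toks.append(('any', None))
        else:
            toks.append(('upto', int(m.group(1))) if m.group(1) else ('byte', bytes.fromhex(m.group(2))))
        pos = m.end()
    return toks

def decode_sig(body):
    """Render a body the way the sigtool --decode-sigs output quoted by the OP does."""
    forms = {'any': lambda v: '{WILDCARD_ANY_STRING}', 'byte': lambda v: v.decode('latin-1'),
             'upto': lambda v: '{WILDCARD_ANY_STRING(LENGTH<=%d)}' % v}
    return ''.join(forms[k](v) for k, v in tokenize(body))

def spacer_before_star(body):
    """Token indices where a bounded {-n} spacer is directly followed by '*' (Alain's spot)."""
    t = tokenize(body)
    return [i for i in range(len(t) - 1) if t[i][0] == 'upto' and t[i + 1][0] == 'any']

def sig_to_regex(body):
    """Bytes regex with the same wildcard semantics, to try a body against samples offline."""
    forms = {'any': lambda v: b'.*', 'upto': lambda v: b'.{0,%d}' % v, 'byte': re.escape}
    return re.compile(b''.join(forms[k](v) for k, v in tokenize(body)), re.DOTALL)

def strip_php_whitespace(src):
    """Drop whitespace outside string literals, so '$a[1] .' and '$a[1].' compare equal."""
    return _STR_OR_WS.sub(lambda m: b'' if m.group(1) else m.group(0), src)

def matches(body, data, normalize=False):
    return sig_to_regex(body).search(strip_php_whitespace(data) if normalize else data) is not None
# Bodies from the thread: the OP's rejected one and Hajo's working one.
REJECTED = '737472746f6c6f776572*5d2e{-11}5d2e{-11}5d2e{-11}5d2e{-11}5d2e{-11}5d2e{-11}*6973736574{-35}6576616c'
WORKING = '737472746f6c6f776572*5d2e{-11}5d2e{-11}5d2e{-11}5d2e{-11}5d2e*6973736574{-35}6576616c{-10}28247b'
# Constructed inputs (not real samples): the same code with and without spaces.
TIGHT = b'<?php $f=strtolower($a[0].$a[1].$a[2].$a[3].$a[4].$a[5]);if(isset($x))eval(${$x});'
SPACED = b'<?php $f = strtolower($a[0] . $a[1] . $a[2] . $a[3] . $a[4] . $a[5]); if (isset($x)) eval( ${$x} );'
```

`matches(WORKING, SPACED)` is False while `matches(WORKING, SPACED, normalize=True)` is True, which is exactly the gap Hajo describes: the raw body only hits the spacing it was written for, whereas matching normalised content lets one body cover the whitespace variants.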