Re: [clamav-users] Hint for creating signatures
Hello,

On 08.09.2014 at 16:58, Steve Basford wrote:
> Hi,
>
> Tricky :(
>
> Copy this into not_tested.ndb
>
> test.ercynpr:7:*:3D7374725F726F74313328??636572745F657263796E7072??293B2024
> test.cryptbot:7:*:3D22{12}225E22{40}3B2024

Thanks, this seems to work. I will try it. Hopefully only a few FPs.

Thanks,
Hajo

___
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
[clamav-users] Hint for creating signatures
Hello,

From time to time I create some signatures from what I found in the PHP code of my users. Now I found some malware that worries me. It's obfuscated PHP code that executes everything sent by POST (mostly spam mails). If I decrypt the code, I always find the same malware code. But the code as it can be found in the PHP page is always variable.

Samples can be found here for the next 2 weeks: http://pastebin.com/9VAW8FKK

What should I do now? Is there a trick to find a signature which fits all samples, or do I have to create a different signature for every sample? What is your view on this subject?

Thanks,
Hajo
Re: [clamav-users] Hint for creating signatures
Hello,

Sorry for the links to my translator. I thought Thunderbird was removing them when choosing plain-text format. Now it is readable:

On 08.09.2014 at 16:04, Hajo Locke wrote:
> Hello,
>
> From time to time I create some signatures from what I found in the PHP code of my users. Now I found some malware that worries me. It's obfuscated PHP code that executes everything sent by POST (mostly spam mails). If I decrypt the code, I always find the same malware code. But the code as it can be found in the PHP page is always variable.
>
> Samples can be found here for the next 2 weeks: http://pastebin.com/9VAW8FKK
>
> What should I do now? Is there a trick to find a signature which fits all samples, or do I have to create a different signature for every sample? What is your view on this subject?
>
> Thanks,
> Hajo
Re: [clamav-users] Hint for creating signatures
Hajo,

Would you be interested in sharing the signatures you create with the ClamAV community? If so, please check out the process here: http://blog.clamav.net/2014/02/introducing-clamav-community-signatures.html

As for signatures for obfuscated PHP, it really does depend on the code you are looking at, on a case-by-case basis.

- Alain

On Mon, Sep 8, 2014 at 10:04 AM, Hajo Locke <hajo.lo...@gmx.de> wrote:
> What should I do now? Is there a trick to find a signature which fits all samples, or do I have to create a different signature for every sample? What is your view on this subject?
Re: [clamav-users] Hint for creating signatures
On Mon, September 8, 2014 3:04 pm, Hajo Locke wrote:
> What should I do now? Is there a trick to find a signature which fits all samples, or do I have to create a different signature for every sample?

Hi,

Tricky :(

Copy this into not_tested.ndb

test.ercynpr:7:*:3D7374725F726F74313328??636572745F657263796E7072??293B2024
test.cryptbot:7:*:3D22{12}225E22{40}3B2024

You might have to change :3: to :7: to make it work...

Disclaimer: not had enough coffee, so not fully tested etc.

Cheers,
Steve
Sanesecurity.com
Re: [clamav-users] Hint for creating signatures
Because plugin developers do nutty things, I'd probably combine the two into a single signature to reduce possible false positives, but other than that it looks like those. I've seen non-malicious CMS plugins that use similar obfuscation techniques, though I'm certainly willing to use these as is and see how many false positives I get.

--Maarten

On Mon, Sep 8, 2014 at 10:58 AM, Steve Basford <steveb_cla...@sanesecurity.com> wrote:
> Copy this into not_tested.ndb
>
> test.ercynpr:7:*:3D7374725F726F74313328??636572745F657263796E7072??293B2024
> test.cryptbot:7:*:3D22{12}225E22{40}3B2024
>
> You might have to change :3: to :7: to make it work...

--
Maarten Broekman
Endurance International Group vDeck
Senior Linux Systems Administrator / PCI ISA