Re: [clamav-users] Hint for creating signatures

2014-09-09 Thread Hajo Locke 

Hello,

Am 08.09.2014 um 16:58 schrieb Steve Basford:


Hi,

Tricky :(

Copy this into@ not_tested.ndb

test.ercynpr:7:*:3D7374725F726F74313328??636572745F657263796E7072??293B2024
test.cryptbot:7:*:3D22{12}225E22{40}3B2024



Thanks, this seems to work. I will try it. Hopefully only a few FP.

Thanks,
Hajo
___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Re: [clamav-users] Hint for creating signatures

2014-09-08 Thread Maarten Broekman 
Because plugin developers do nutty things, I'd probably combine the two
into a single signature to reduce possible false positives, but other than
that it looks like those.  I've seen non-malicious CMS plugins that use
similar obfuscation techniques, though I'm certainly willing to use these
as is and see how many false positives I get.

--Maarten

On Mon, Sep 8, 2014 at 10:58 AM, Steve Basford <
steveb_cla...@sanesecurity.com> wrote:

>
> On Mon, September 8, 2014 3:04 pm, Hajo Locke wrote:
>
> >
> > What should i do now? Is there a trick to find a signature which fits
> > for all samples or i have to create a different signature for every
> > sample?
>
>
> Hi,
>
> Tricky :(
>
> Copy this into@ not_tested.ndb
>
> test.ercynpr:7:*:3D7374725F726F74313328??636572745F657263796E7072??293B2024
> test.cryptbot:7:*:3D22{12}225E22{40}3B2024
>
> You might have to change :3: to :7: to make it work...
>
> Disclaimer: not had enough coffee, so not fully tested etc.
>
> Cheers,
>
> Steve
> Sanesecurity.com
>
> ___
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>



-- 
Maarten Broekman
Endurance International Group
vDeck Senior Linux Systems Administrator / PCI ISA
___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Re: [clamav-users] Hint for creating signatures

2014-09-08 Thread Steve Basford 

On Mon, September 8, 2014 3:04 pm, Hajo Locke wrote:

>
> What should i do now? Is there a trick to find a signature which fits
> for all samples or i have to create a different signature for every
> sample?


Hi,

Tricky :(

Copy this into@ not_tested.ndb

test.ercynpr:7:*:3D7374725F726F74313328??636572745F657263796E7072??293B2024
test.cryptbot:7:*:3D22{12}225E22{40}3B2024

You might have to change :3: to :7: to make it work...

Disclaimer: not had enough coffee, so not fully tested etc.

Cheers,

Steve
Sanesecurity.com

___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Re: [clamav-users] Hint for creating signatures

2014-09-08 Thread Alain Zidouemba 
Hajo,

Would you be interested in sharing the signatures you create with the
ClamAV community? If so, please check out the process here:
http://blog.clamav.net/2014/02/introducing-clamav-community-signatures.html

As for signatures for obfuscated PHP, it really does depend on the code you
are looking at, on a case-by-case basis.

- Alain


On Mon, Sep 8, 2014 at 10:04 AM, Hajo Locke  wrote:

> Hello,
>
> from  time <
> http://www.dict.cc/englisch-deutsch/time.html> to time <
> http://www.dict.cc/englisch-deutsch/time.html> i create some signatures
> from what i found in php-code of my users.
> Now i found some malware that worries me. Its obfuscated php-code to
> execute all which was sent by POST (mostly spammails). If i unencrypt the
> code, so i always find the same malwarecode. But code how it can be found
> in php-page is always variable.
>
> samples can be found here for next 2 weeks: http://pastebin.com/9VAW8FKK
>
> What should i do now? Is there a trick to find a signature which fits for
> all samples or i have to create a different signature for every sample?
> What  is <
> http://www.dict.cc/englisch-deutsch/is.html> your <
> http://www.dict.cc/englisch-deutsch/your.html> view <
> http://www.dict.cc/englisch-deutsch/view.html> on <
> http://www.dict.cc/englisch-deutsch/on.html> this <
> http://www.dict.cc/englisch-deutsch/this.html> subject? <
> http://www.dict.cc/englisch-deutsch/subject%3F.html>
>
> Thanks,
> Hajo
>
>
> ___
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Re: [clamav-users] Hint for creating signatures

2014-09-08 Thread Hajo Locke 

Hello,

sorry for links to my translator. I thought thunderbird is removing this 
when choosing pure-text-format.

now it is readable:

Am 08.09.2014 um 16:04 schrieb Hajo Locke:

Hello,

from time to time  i create some signatures from what i found in 
php-code of my users.
Now i found some malware that worries me. Its obfuscated php-code to 
execute all which was sent by POST (mostly spammails). If i unencrypt 
the code, so i always find the same malwarecode. But code how it can 
be found in php-page is always variable.


samples can be found here for next 2 weeks: http://pastebin.com/9VAW8FKK

What should i do now? Is there a trick to find a signature which fits 
for all samples or i have to create a different signature for every 
sample?

What  is  your  view  on this  subject?

Thanks,
Hajo


___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml



___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml