Changing the first byte of an MZ header for a PE executable is not a legitimate way of hiding your artifacts because no one will be able to run your hidden artifact for the exploit/malware to do anything.
On Sat, Nov 8, 2014 at 11:41 AM, Andrew Camilleri <[email protected]> wrote:
> Hi Shawn!
>
> Many thanks for replying. I see what you are saying and I agree with you to
> a certain extent. Here is my thinking process. My understanding is that the
> job of an AV is to detect malware, and this usually involves pattern
> matching. Yes, you are right, the malware needs to run, but really that is a
> different concern, the OS concern, whereas the concern of an AV is
> detection/matching. It is a little alarming to me that I can
> easily hide a virus by simply changing a single byte; with the right
> context (in our case perhaps through a trivial transformation down the
> stack) a virus can come back to life. Do you see my point? Again, I am no
> expert in this, but McAfee seems to agree with what I am saying. Besides
> separation of concerns, you can also argue for robustness; virus writers
> have tried all sorts of complex schemes to hide their artefacts and this
> feels like a legitimate way of achieving that.
> So if I understand correctly, ClamAV tries to guess the type of the file?
> What happens if it can't tell what it is?
> Sorry to drive this point further, I really appreciate all the hard work
> people put into this project! But I really need to understand how this works
> in detail....
>
> regards,
>
> Andrew
>
> On 7 November 2014 18:41, Shawn Webb <[email protected]> wrote:
>
> > Hey Andrew,
> >
> > The reason why ClamAV failed to detect Zeus when you changed the first byte
> > is because of file magic. When you changed the first byte, you changed the
> > type of file ClamAV recognizes it as. In fact, if it's a PE file, then
> > changing that first byte will cause Windows to not even execute the file.
> > It could be that the 32nd byte carried no significance and therefore ClamAV
> > was still able to detect the file as Zeus. So, when you change random data,
> > you're changing the behavior of the applications that utilize that data,
> > which is completely expected.
> >
> > Thanks,
> >
> > Shawn
> >
> > On Fri, Nov 7, 2014 at 12:11 PM, Andrew Camilleri <[email protected]> wrote:
> >
> > > Hi Brandon,
> > >
> > > Many thanks for your reply. I totally agree with you on EICAR, but this
> > > should not happen with Zeus. EICAR was only included as a test case, i.e.
> > > to make sure that static signatures are being checked...
> > >
> > > Andrew
> > >
> > > On 7 November 2014 17:06, Brandon Perry <[email protected]> wrote:
> > >
> > > > EICAR should only ever be detected as is. It is specially made for testing
> > > > AV, and AV has no use for detecting variations of it.
> > > >
> > > > On Fri, Nov 7, 2014 at 11:02 AM, Andrew Camilleri <[email protected]> wrote:
> > > >
> > > > > Hi!
> > > > >
> > > > > I am totally new to ClamAV, so please excuse my ignorance.
> > > > > I am looking at how AV scanning is done in general, but also specifically
> > > > > in ClamAV. I came across this
> > > > > <https://www.mail-archive.com/[email protected]/msg03096.html>
> > > > > post, so I got that bit covered and won't repeat questions.
> > > > > I am working on a WAF and we will use ClamAV for scanning traffic. I am
> > > > > investigating the tolerance in correct classification with respect to
> > > > > changes in malware binaries. To conduct my experiments I picked up the
> > > > > EICAR "virus" and an actual virus, Zeus, from here
> > > > > <https://github.com/Visgean/Zeus>. I noticed that if I change a single
> > > > > character in EICAR, ClamAV will fail to detect it; I assume that this is
> > > > > due to a static signature (correct me if I am wrong) associated with this
> > > > > test virus; this seems like a perfectly good result to me. Next thing was
> > > > > to scan Zeus (after a simple git clone) and it picks up a few trojans from
> > > > > the ready-built binaries. I then changed the first byte of client32.bin
> > > > > (one of the files that was marked as a trojan) and scanned it. The result
> > > > > was that ClamAV did not recognize the trojan from this simple change. I then
> > > > > changed another byte, the 32nd one to be precise, and scanned it. The
> > > > > result was that ClamAV correctly classifies the binary as a Trojan. I was a
> > > > > little surprised that a change in the first byte would "hide" the trojan
> > > > > from scanning, especially since the first two bytes are completely useless
> > > > > <http://en.wikipedia.org/wiki/Mark_Zbikowski> in terms of running a Windows
> > > > > binary. My only explanation is that with the change, the file fails some
> > > > > integrity check that ClamAV does, to make sure that the binary is runnable;
> > > > > I am assuming that there isn't a static signature here, otherwise it would
> > > > > not have been picked up with any change. I also did this test with zsb.exe
> > > > > in the repo and I got the same results. Finally I performed the same tests
> > > > > against McAfee and all these changes had no effect, i.e. the trojans were
> > > > > always correctly classified. In the case of deltas to EICAR however, McAfee
> > > > > did not recognize the "virus".
> > > > > Could you please help me to understand the meaning of these results? Also,
> > > > > is it possible to view the signature of a virus in the signature database?
> > > > > I looked at the doc, but I couldn't find how to do this; but I may have
> > > > > missed it and in that case sorry to ask this!
> > > > >
> > > > > Andrew
> > > > > _______________________________________________
> > > > > http://lurker.clamav.net/list/clamav-devel.html
> > > > > Please submit your patches to our Bugzilla: http://bugs.clamav.net
> > > > >
> > > > > http://www.clamav.net/contact.html#ml
> > > >
> > > > --
> > > > http://volatile-minds.blogspot.com -- blog
> > > > http://www.volatileminds.net -- website
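To make the file-magic point in the thread concrete, here is an added Python example (it is not ClamAV code and does not reproduce ClamAV's actual type detection): a toy magic-first classifier run over a constructed minimal DOS/PE header image, showing that changing the first byte removes the "MZ" magic and demotes the file to "unknown" before any PE logic runs, while a change to the reserved byte at offset 32 leaves the type untouched. The helper names build_sample, pe_signature_at and classify, and the 70-byte sample image, are assumptions made for this example.

```python
import struct

def build_sample(first_byte=b"M", byte32=b"\x00"):
    """Constructed 70-byte image: a 64-byte DOS header whose e_lfanew
    (offset 60) points at a PE signature. Not a runnable executable;
    built here only as test input for classify()."""
    dos = bytearray(64)
    dos[0:2] = first_byte + b"Z"            # e_magic, normally "MZ"
    dos[32:33] = byte32                     # inside e_res, a reserved field
    struct.pack_into("<I", dos, 60, 64)     # e_lfanew -> byte right after header
    return bytes(dos) + b"PE\0\0" + b"\x4c\x01"   # Machine = 0x014c (i386)

def pe_signature_at(data, offset):
    """True when a PE signature sits at offset, with a bounds check."""
    return offset + 4 <= len(data) and data[offset:offset + 4] == b"PE\0\0"

def classify(data):
    """Magic-first typing, as a generic scanner front-end would do it.
    Returns (filetype, note). The type decides which parsers run next,
    so a damaged e_magic demotes the file to "unknown" before any
    PE-specific logic is reached."""
    if len(data) < 64:
        return ("unknown", "too short for a DOS header")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[:2] == b"MZ":
        if pe_signature_at(data, e_lfanew):
            return ("pe", "MZ magic and PE signature intact")
        return ("mz", "MZ magic but no PE signature")
    # Magic damaged: a loader would refuse this file, but a defender may
    # still want to know that PE structure is reachable behind the broken magic.
    if pe_signature_at(data, e_lfanew):
        return ("unknown", "PE signature reachable but MZ magic damaged")
    return ("unknown", "no recognisable magic")

if __name__ == "__main__":
    for label, sample in [("original", build_sample()),
                          ("first byte changed", build_sample(first_byte=b"X")),
                          ("byte 32 changed", build_sample(byte32=b"\x41"))]:
        print(label, "->", classify(sample))
```

The damaged-magic branch is the check a scanning pipeline such as the WAF described above could act on: a file that is unloadable yet carries reachable PE structure is worth flagging for a second look rather than being passed through as an unknown blob.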
