Hi Tomasz, hi List,

On Fri, Aug 27, 2004 at 12:48:30AM +0200, Tomasz Kojm wrote:
> On Thu, 26 Aug 2004 23:32:56 +0200
> Daniel Lord <[EMAIL PROTECTED]> wrote:
> > just put something together to aid me in generating signatures
> > for my database. Perhaps someone likes it. Just use your favorite
> > hex editor (vim :%!xxd) and get a good offset value.
> >
> > ./siggen virus.exe 0FF337
> >
> > you get a 300 character signature which you (probably) have to cut a
> > bit and give it an appropriate name.
>
> Such a method may lead to false positives. The CVS version of ClamAV
> allows users to create their own signatures for a static malware in a
> very simple manner - by using MD5 hashes.
Nice to know. The problem with md5 is: if you get three versions of the same malware, say a stripped, an unstripped, and an optimized version (as happened with some rootkits currently posted on fulldisclosure), you need 3 md5 hashes to get all of these. If you know what you're doing and are not only saying ./siggen malware 0, then you can detect all three versions with only one good signature. You have to take care that the strings are unique. This will be true if you find an offset where the "hacker" left his nick inside, or some special filename, or something else. But you probably knew this already :) As well, this is described in your docs. See: http://www.clamav.net/doc/0.75/signatures.pdf

My tool is _not_ meant to generate signatures automatically. But it's (at least I think so) useful for formatting and printing the signature you found by hand. It's just something to do the job of copying and reformatting the found good signature. And yes, for totally static one-shot assembler-generated malware md5 is probably the better choice. Also for inexperienced people this is perfectly true.

The following are some signatures for the god.tgz file from the "Automated ssh scanning" fulldisclosure thread. Offset looked up by hand.
And signature generated by siggen :)

Linux.god.rk.tgz.sshsignatur.lo (Clam)=726F6F74406C6573736F6E732E6D656E636865792E636F6D7D957D9503FF46A0424A69C1523D5206E89DAC5EC2AD2CA37BFCA100503A10F077740A39B4197A3E277C45FC742CC6D5F15CCF5B5B95EEB205F37AB169B969B4DB63D068FC76AAC43BB6808D619220039C62396A4832920BC1BAE40CA9089FE180DA175B09D88954C5EB1A368C915C3D3F30CF24AF3F4091953B642D29A6E4EC9210EF12E4ED0200C64BBAE46EEBD28F595B67DBC0DED0B774E81C3E104E518C57E931B1B5C2A7EE9D76F03188B6AD444BBCC228F25C82B283F0D3BAE0290384E8DE81E79A21082A0200C6AFE04C3D377E3DB5A7B5A6019AB9DE0328653809DF90A5DC828E66861A8DD1B718B12A029303A7E3A4D8BE18CC08D9E81FB16B67C1885E8A45191ECB74F6B70200D26F3A0995D3E891
Linux.god.rk.tgz.sshd.installer.lo (Clam)=FF8B5DFCC9C3000003000000010002006D762068202F7573722F696E636C7564652F6963656B65792E68006D76206868202F7573722F696E636C7564652F696365636F6E662E68006D7620686868202F7573722F696E636C7564652F696365736565642E68006D762061766131202F7573722F62696E2F22736D6264202D44220022736D6264202D4422000000000000189504080000000000000000FFFFFFFF00000000FFFFFFFF000000003C9504080000000000000000DE820408EE820408FE8204080E830408
Linux.god.rk.tgz.sshd.lo (Clam)=…
Linux.god.rk.tgz.ps.lo (Clam)=…
Linux.god.rk.tgz.ls.lo (Clam)=…
Linux.god.rk.tgz.sshdloader.lo (Clam)=FF8B5DFCC9C30000030000000100020022736D6264202D442200222873776170642922202600000000000000949404080000000000000000FFFFFFFF00000000FFFFFFFF00000000B89404080000000000000000DE820408EE820408FE8204080E8304080000000001000000100000000C000000988204080D0000003C840408040000002881040805000000C881040806000000588104080A000000700000000B0000001000000015000000000000000300000098940408020000002000000014000000110000001700000078820408110000007082040812000000080000001300000008000000FEFFFF6F50820408FFFFFF6F01000000F0FFFF6F4282040800000000000000000100000000009B004F130000080000006400000044830408010000006400000044830408
Linux.god.rk.tgz.eth0.sniffer.lo (Clam)=…
Linux.god.rk.tgz.top.lo (Clam)=2050726F636573732049640050726F6365737320496400000000000072002F6465762F7474796F700020000A0000000057726F6E6720636F6E66696775726174696F6E206F7074696F6E2025630A00002F6574632F746F70726300720000484F4D4500484F4D45002F002E746F707263007200416263446748496A6B6C4D6E6F5450717273757A565945465758000A005445524D00565431303000746F703A20696F63746C2829206661696C65640063616E6E6F74207075742074747920696E746F20726177206D6F64650A00636D00636400636C00636500686F006D64006D72006D6500256600746F703A204261642064656C61792074696D6520602573270A00256600746F703A204261642064656C61792074696D6520602573270A002D642072657175697265732061
Linux.god.rk.tgz.netstat.lo (Clam)=…

Sorry for the lines longer than 80 chars :). Before you ask: those binaries had been stripped. But the "a" binary (same thread) wasn't, and was also perfectly detected by clamav as Linux.RST.B.

Would be nice to have someone else test those signatures for false positives.

find / -type f -size -1000000 -exec clamscan -i --no-summary --stdout {} \;

Greetings
Daniel
-- 
"Oh My God! They killed init! You Bastards!" --from a /. post
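To make the siggen workflow and the md5-versus-string-signature argument from this thread concrete, here is an added illustration in Python. It is not Daniel's siggen and not ClamAV code. It assumes the legacy ClamAV `Name=HEXSIG` database line format, the 150-byte (300 hex character) length from the post, a hex offset argument as read from `xxd` output, and a constructed toy "malware" (a fake ELF header around a hypothetical nickname string) built in three variants standing in for the stripped, unstripped and optimized builds mentioned above. It also adds a simple low-variety check on the chosen bytes, a constructed heuristic for the false-positive concern Tomasz raised.

```python
"""siggen-style hex signature helper (added illustration, not Daniel's siggen
and not ClamAV code). Assumptions: legacy ClamAV .db line format `Name=HEX`,
150-byte default length as in the post, constructed sample binaries below."""
import hashlib
import sys

SIG_BYTES = 150          # siggen prints 300 hex characters = 150 bytes


def hex_signature(data: bytes, offset: int, length: int = SIG_BYTES) -> str:
    """Upper-case hex of `length` bytes starting at `offset` (what siggen emits)."""
    chunk = data[offset:offset + length]
    if len(chunk) < length:
        raise ValueError(f"only {len(chunk)} bytes available at offset {offset:#x}")
    return chunk.hex().upper()


def format_signature(name: str, hexsig: str) -> str:
    """One legacy ClamAV .db line, Name=HEXSIG (assumed format)."""
    return f"{name}={hexsig}"


def signature_matches(data: bytes, hexsig: str) -> bool:
    """Plain substring match, which is how a hex signature is applied to a file."""
    return bytes.fromhex(hexsig) in data


def is_too_generic(hexsig: str, min_distinct: int = 8) -> bool:
    """Flag padding-like signatures (few distinct byte values): those match
    unrelated binaries and cause false positives. Constructed heuristic, not a
    ClamAV rule; the threshold is arbitrary."""
    return len(set(bytes.fromhex(hexsig))) < min_distinct


def md5_signature(data: bytes) -> str:
    """Whole-file MD5, the CVS-ClamAV style of signature mentioned in the thread."""
    return hashlib.md5(data).hexdigest()


# --- constructed sample: one left-behind string, three build variants -------
MARKER = b"root@lessons.example.invalid"     # hypothetical nick/hostname, constructed
ELF_HDR = b"\x7fELF" + b"\x00" * 60           # constructed stand-in for an ELF header
VARIANTS = {
    "stripped":   ELF_HDR + MARKER + b"\x90" * 200,
    "unstripped": ELF_HDR + b".symtab\x00main\x00" + MARKER + b"main\x00" + b"\x90" * 200,
    "optimized":  ELF_HDR + b"\xcc" * 16 + MARKER + b"\xcc" * 200,
}


def demo():
    """One trimmed string signature versus three MD5 signatures.

    Returns (variants hit by the raw 300-char signature,
             variants hit by the signature cut down to the unique string,
             number of distinct MD5s needed to cover the same three files)."""
    stripped = VARIANTS["stripped"]
    offset = stripped.find(MARKER)                 # the value you'd read off `vim :%!xxd`
    full = hex_signature(stripped, offset)         # raw siggen output, 300 hex chars
    trimmed = full[: len(MARKER) * 2]              # "cut a bit": keep only the unique string
    full_hits = [n for n, d in VARIANTS.items() if signature_matches(d, full)]
    trimmed_hits = [n for n, d in VARIANTS.items() if signature_matches(d, trimmed)]
    distinct_md5s = len({md5_signature(d) for d in VARIANTS.values()})
    return full_hits, trimmed_hits, distinct_md5s


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        # usage: siggen.py FILE HEXOFFSET [NAME]   (offset in hex, as shown by xxd)
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
        name = sys.argv[3] if len(sys.argv) > 3 else "Unnamed.sig"
        sig = hex_signature(data, int(sys.argv[2], 16))
        if is_too_generic(sig):
            print("warning: low byte variety, likely to false-positive", file=sys.stderr)
        print(format_signature(name, sig))
    else:
        print(demo())
```

Run without arguments it prints `(['stripped'], ['stripped', 'unstripped', 'optimized'], 3)`: the untrimmed 150-byte signature only matches the file it was cut from because the bytes after the string differ per build, the signature trimmed to the unique string matches all three, and md5 would need three entries for the same coverage. The low-variety check rejects a signature taken from the `0x90` padding region, which is exactly the kind of offset that would match half the binaries on a system.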