Hello Markus,

On Friday 2 September 2005 01:00, Markus Beck wrote:
> Hello Arnaud,
>
> On Thu, 1 Sep 2005 23:33:26 +0200
> "Securiteinfo.com" <[EMAIL PROTECTED]> wrote:
> > Well, to create a Clamav signature, you can read this first:
> > http://www.clamav.net/doc/0.86.2/signatures.pdf
>
> So, would this be a good and working signature (leaving anything about
> code execution aside):
> *49276d2074686520636f6f6c206e657720424c41424c412056697275732070726f6772616d6d656420627920736f6d656f6e652e*
> if the programmer made a printf("I'm the cool new BLABLA Virus programmed by someone."); ?
This signature will catch the malware, yes. But it is not really good, because if someone hacks the malware and changes something in the string, it will not be caught any more. That's why a signature should be, if possible, based on the executable code of the malware.

> What would be the target type for an ELF-Binary-Signature?

Right now, there is no target type for ELF binaries. I suggest you use the "Basic signature format". So in your example it should be:

My_malware (Clam)=49276d2074686520636f6f6c206e657720424c41424c412056697275732070726f6772616d6d656420627920736f6d656f6e652e

Put this in a ".db" file, for example mymalwares.db, and move this file into the signature directory of Clamav (usually /usr/local/share/clamav). Run clamscan, and the malware should be detected now.

-- 
Regards,
Arnaud Jacques
Security Consultant
Telephone / Fax: +33-(0)3.44.39.76.46
Mobile: +33-(0)6.24.40.95.03
E-mail: [EMAIL PROTECTED]
Securiteinfo.com
Computer Security - Information Security.
266, rue de Villers
60123 Bonneuil en Valois

http://lurker.clamav.net/list/clamav-users.html
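As an added example, not code from the thread or from ClamAV itself, this Python script builds the basic-format line quoted above from the printf() string, writes it to a .db file, parses it back, and runs a toy substring matcher standing in for clamscan's exact-match behaviour. The ELF sample bytes and the temporary directory are constructed; the matcher only illustrates the fragility the reply warns about (one changed byte in the string and the sample is no longer caught).

```python
import tempfile
from pathlib import Path
from typing import Dict, List

# Constructed sample from the thread: the printf() string and the hex quoted in the message.
MARKER = "I'm the cool new BLABLA Virus programmed by someone."
QUOTED_HEX = (
    "49276d2074686520636f6f6c206e657720424c41424c412056697275732070726f6772"
    "616d6d656420627920736f6d656f6e652e"
)


def to_basic_signature(name: str, needle: bytes) -> str:
    """Encode a byte string as a ClamAV basic-format line: Name=HEXSTRING (lowercase hex)."""
    return f"{name}={needle.hex()}"


def write_db(path: Path, lines: List[str]) -> Path:
    """Write signature lines to a .db file (one Name=HEX per line) and return the path."""
    path.write_text("\n".join(lines) + "\n")
    return path


def parse_basic_db(text: str) -> Dict[str, bytes]:
    """Parse Name=HEX lines back into raw byte patterns; blank lines and '#' comments are skipped."""
    sigs: Dict[str, bytes] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, hexpart = line.partition("=")
        if not sep or not hexpart:
            raise ValueError(f"malformed signature line: {line!r}")
        sigs[name] = bytes.fromhex(hexpart)
    return sigs


def scan(data: bytes, sigs: Dict[str, bytes]) -> List[str]:
    """Toy matcher standing in for clamscan: report every signature whose exact bytes occur in data."""
    return [name for name, needle in sigs.items() if needle in data]


if __name__ == "__main__":
    line = to_basic_signature("My_malware (Clam)", MARKER.encode())
    db = write_db(Path(tempfile.mkdtemp()) / "mymalwares.db", [line])
    sigs = parse_basic_db(db.read_text())
    print(scan(b"\x7fELF...constructed sample..." + MARKER.encode(), sigs))  # ['My_malware (Clam)']
    # One changed byte in the string and the same sample is no longer caught, as the reply warns.
    print(scan(MARKER.replace("BLABLA", "BLABLB").encode(), sigs))  # []
```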