Hi List,

I have a problem with obfuscated php-code of well-known shells.
I have prepared an example where clamav correctly detects the shell itself, but happily flags as OK all the obfuscated variations. You will find the files I'm talking about in the following zipfile (protected with password: infected).
http://findhack.org/virus.zip

My de-obfuscation technique is actually pretty straightforward:
- replace 'eval' with 'print'
- execute
- wrap the output in php tags
- start over

Here's my clamscan-result of the files thus obtained:
$ clamscan *
0.php: OK
1.php: OK
2.php: OK
3.php: OK
4.php: PHP.Shell-38 FOUND
virus.zip: OK

----------- SCAN SUMMARY -----------
Known viruses: 3097756
Engine version: 0.97.8
Scanned directories: 0
Scanned files: 6
Infected files: 1
Data scanned: 0.45 MB
Data read: 0.29 MB (ratio 1.58:1)
Time: 5.242 sec (0 m 5 s)

Is there a way to detect the obfuscated versions without writing a pattern for every level of wrapping I might encounter?

Thanks for your time


--
Torge Husfeldt

Senior Anti-Abuse Engineer
Zentrales Abuse-Department (1&1 GMX Web.de)

1&1 Internet AG | Brauerstraße 50 | 76135 Karlsruhe | Germany
Phone: +49 721 91374-4795 | Fax: +49 721 91374-2982
E-Mail: torge.husfe...@1und1.de | Web: www.1und1.de

Hauptsitz Montabaur, Amtsgericht Montabaur, HRB 6484

Vorstand: Ralph Dommermuth, Frank Einhellinger, Robert Hoffmann, Andreas Hofmann, Markus Huhn, Hans-Henning Kettler, Uwe Lamnek, Jan Oetjen, Christian Würst
Aufsichtsratsvorsitzender: Michael Scheeren

Member of United Internet

This E-Mail may contain confidential and/or privileged information. If you are 
not the intended recipient of this E-Mail, you are hereby notified that saving, 
distribution or use of the content of this E-Mail in any way is prohibited. If 
you have received this E-Mail in error, please notify the sender and delete the 
E-Mail.
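One way to peel such eval() layers without running the sample, added here as an example (it is not the poster's script and not part of ClamAV): instead of rewriting eval to print and executing, it emulates the decode functions these wrappers usually chain (base64_decode, gzinflate, str_rot13, strrev; that this set covers a given sample is an assumption) and hands the innermost code to clamscan. The wrapped input below is constructed from a harmless echo.

```python
import base64
import codecs
import re
import zlib

# One eval() layer: optional <?php tag, optional @, eval( EXPR ) ; optional ?>
_LAYER = re.compile(
    r"^\s*(?:<\?php\s*)?@?eval\s*\(\s*(?P<expr>.+?)\s*\)\s*;?\s*(?:\?>)?\s*$", re.S)
_CALL = re.compile(r"^(?P<fn>[a-z0-9_]+)\s*\((?P<arg>.+)\)$", re.S)
_STR = re.compile(r"^(['\"])(?P<s>.*)\1$", re.S)  # literal without escaped quotes (assumption)

def _decode_expr(expr):
    """Emulate a nested decode call such as gzinflate(base64_decode('..')) without running PHP."""
    expr = expr.strip()
    m = _STR.match(expr)
    if m:
        return m.group("s")
    m = _CALL.match(expr)
    if not m:
        raise ValueError("unsupported expression: %r" % expr[:40])
    fn, inner = m.group("fn"), _decode_expr(m.group("arg"))
    if fn == "base64_decode":
        return base64.b64decode(inner).decode("latin-1")
    if fn == "gzinflate":  # raw DEFLATE stream, no zlib header
        return zlib.decompress(inner.encode("latin-1"), -15).decode("latin-1")
    if fn == "str_rot13":
        return codecs.decode(inner, "rot13")
    if fn == "strrev":
        return inner[::-1]
    raise ValueError("unsupported decoder: " + fn)

def unwrap(php_source, max_layers=20):
    """Peel eval() layers; returns (innermost code wrapped in a php tag, layers removed)."""
    code, depth = php_source, 0
    while depth < max_layers:
        m = _LAYER.match(code)
        if not m:
            break
        code = "<?php " + _decode_expr(m.group("expr"))  # re-wrap, as in the loop in the mail
        depth += 1
    return code, depth

# Constructed sample: a harmless echo wrapped three times (rot13, deflate+base64, base64).
def _b64(s):
    return base64.b64encode(s.encode("latin-1")).decode("ascii")
_INNER = 'echo "innermost layer reached";'
_L1 = "eval(str_rot13('%s'));" % codecs.encode(_INNER, "rot13")
_co = zlib.compressobj(9, zlib.DEFLATED, -15)
_L1_DEFLATED = (_co.compress(_L1.encode("latin-1")) + _co.flush()).decode("latin-1")
_L2 = "eval(gzinflate(base64_decode('%s')));" % _b64(_L1_DEFLATED)
SAMPLE = "<?php @eval(base64_decode('%s')); ?>" % _b64(_L2)

if __name__ == "__main__":
    code, depth = unwrap(SAMPLE)
    print("layers removed:", depth)
    print(code)  # write this to a file and scan it instead of the wrapped original
```

Unsupported decoders raise rather than guess, so a sample that fails here is one to inspect by hand (or with the print-and-execute loop in a sandbox) rather than silently mark clean.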

_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml