Torge,

You may find ClamAV useful in doing this.
http://www.clamav.net/lang/en/download/sources/

On Fri, Jan 31, 2014 at 12:08 PM, Torge Husfeldt <torge.husfe...@1und1.de> wrote:
> Hi List,
>
> I have a problem with obfuscated php-code of well-known shells.
> I have prepared an example where clamav correctly detects the shell
> itself, but happily flags as OK all the obfuscated variations.
> You will find the files I'm talking about in the following zipfile
> (protected with password: infected)
> http://findhack.org/virus.zip
>
> My de-obfuscation technique is actually pretty straight-forward:
> - replace 'eval' with 'print'
> - execute
> - wrap the output in php tags
> - start over
>
> Here's my clamscan result of the files thus obtained:
>
>> $ clamscan *
>> 0.php: OK
>> 1.php: OK
>> 2.php: OK
>> 3.php: OK
>> 4.php: PHP.Shell-38 FOUND
>> virus.zip: OK
>>
>> ----------- SCAN SUMMARY -----------
>> Known viruses: 3097756
>> Engine version: 0.97.8
>> Scanned directories: 0
>> Scanned files: 6
>> Infected files: 1
>> Data scanned: 0.45 MB
>> Data read: 0.29 MB (ratio 1.58:1)
>> Time: 5.242 sec (0 m 5 s)
>
> Is there a way to detect the obfuscated versions without writing a pattern
> for every level of wrapping I might encounter?
>
> Thanks for your time
>
> --
> Torge Husfeldt
>
> Senior Anti-Abuse Engineer
> Central Abuse Department (1&1 GMX Web.de)
>
> 1&1 Internet AG | Brauerstraße 50 | 76135 Karlsruhe | Germany
> Phone: +49 721 91374-4795 | Fax: +49 721 91374-2982
> E-Mail: torge.husfe...@1und1.de | Web: www.1und1.de
>
> Headquarters Montabaur, District Court Montabaur, HRB 6484
>
> Executive Board: Ralph Dommermuth, Frank Einhellinger, Robert Hoffmann, Andreas
> Hofmann, Markus Huhn, Hans-Henning Kettler, Uwe Lamnek, Jan Oetjen,
> Christian Würst
> Chairman of the Supervisory Board: Michael Scheeren
>
> Member of United Internet
>
> This e-mail may contain confidential and/or legally protected information.
> If you are not the intended recipient or have received this e-mail in error,
> please inform the sender and destroy this e-mail. Anyone other than the
> intended recipient is prohibited from saving or forwarding this e-mail or
> from using its content in any way.
>
> This E-Mail may contain confidential and/or privileged information. If you
> are not the intended recipient of this E-Mail, you are hereby notified that
> saving, distribution or use of the content of this E-Mail in any way is
> prohibited. If you have received this E-Mail in error, please notify the
> sender and delete the E-Mail.
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> http://www.clamav.net/support/ml
> _______________________________________________
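Torge's unwrapping loop (replace eval with print, run it, wrap the output in PHP tags, start over) has to execute the suspect code at every level. The script below is an added example, not code from this thread and not part of ClamAV: it peels the same eval(decoder(...('literal'))) layers statically, decoding base64_decode / gzinflate / gzuncompress / str_rot13 / strrev chains in Python instead of running PHP, and splices the decoded code in place of the eval call until no further layer matches, so the result can be handed to clamscan once rather than once per wrapping level. The three-layer sample it builds around a harmless echo is a constructed fixture; the decoder table, the regular expression and all function names are this example's own assumptions. Wrappers that assemble code from string arithmetic or call decoders through variables fall outside it and still need the execute-and-print approach or a signature.

```python
from __future__ import annotations

import base64
import binascii
import codecs
import re
import zlib

# Decoders that PHP obfuscators commonly chain inside eval(...). Each maps bytes -> bytes.
# zlib.decompress(..., -15) is raw DEFLATE, which is what PHP's gzinflate() consumes.
DECODERS = {
    "base64_decode": lambda b: base64.b64decode(b),
    "gzinflate": lambda b: zlib.decompress(b, -15),
    "gzuncompress": lambda b: zlib.decompress(b),
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
    "strrev": lambda b: b[::-1],
}

# eval( <decoder calls> '<literal>' ) ;  -- the literal may contain \' and \\ escapes.
EVAL_RE = re.compile(
    r"""eval\s*\(\s*
        (?P<chain>(?:\w+\s*\(\s*)*)                        # e.g. gzinflate(base64_decode(
        (?P<q>['"])(?P<payload>(?:\\.|(?!(?P=q)).)*)(?P=q) # quoted literal, escapes allowed
        (?P<close>(?:\s*\))+)\s*;?""",
    re.VERBOSE | re.DOTALL,
)


def unescape_single_quoted(s: str) -> str:
    """Undo the only two escapes PHP processes in single-quoted strings: \\' and \\\\."""
    return re.sub(r"\\(['\\])", r"\1", s)


def unwrap(source: str, max_depth: int = 20) -> tuple[str, int]:
    """Statically remove eval(decoder(...('literal'))) layers, splicing the decoded code
    where the eval call stood (surrounding code is kept, unlike print-and-execute, which
    keeps only what was printed). Returns (unwrapped source, number of layers removed).
    Stops at an unknown decoder or a decode failure and leaves that layer for the scanner."""
    depth = 0
    while depth < max_depth:
        m = EVAL_RE.search(source)
        if m is None:
            break
        calls = re.findall(r"\w+", m.group("chain"))
        # the closing parens must balance the decoder calls plus eval's own paren
        if m.group("close").count(")") != len(calls) + 1:
            break
        data = unescape_single_quoted(m.group("payload")).encode("latin-1")
        try:
            for fn in reversed(calls):  # innermost call runs first, as PHP would evaluate it
                data = DECODERS[fn](data)
        except (KeyError, ValueError, binascii.Error, zlib.error):
            break
        inner = data.decode("latin-1", errors="replace")
        source = source[: m.start()] + inner + source[m.end():]
        depth += 1
    return source, depth


# ---- constructed fixture (test data only, not a real shell) ----
INNER = "echo 'constructed benign payload';"


def php_single_quoted(s: str) -> str:
    """Emit s as a PHP single-quoted literal, escaping backslash and quote."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def make_nested_sample() -> str:
    """Wrap INNER in three eval layers: gzinflate+base64, base64+rot13, strrev."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)            # raw DEFLATE for gzinflate()
    deflated = comp.compress(INNER.encode()) + comp.flush()
    layer1 = "eval(gzinflate(base64_decode(%s)));" % php_single_quoted(
        base64.b64encode(deflated).decode())
    layer2 = "eval(base64_decode(str_rot13(%s)));" % php_single_quoted(
        codecs.encode(base64.b64encode(layer1.encode()).decode(), "rot13"))
    layer3 = "eval(strrev(%s));" % php_single_quoted(layer2[::-1])  # reversed text holds quotes
    return "<?php\n" + layer3 + "\n?>"


if __name__ == "__main__":
    import sys

    text, n = unwrap(open(sys.argv[1], encoding="latin-1").read())
    sys.stderr.write("removed %d eval layer(s)\n" % n)
    sys.stdout.write(text)  # redirect to a file and run clamscan on it
```

Saved as, say, unwrap_eval.py, it is used as `python unwrap_eval.py suspect.php > suspect.unwrapped.php` followed by `clamscan suspect.unwrapped.php`; the number of layers removed goes to stderr, and a file that stops at depth 0 with an eval still present is exactly the case where the wrapper is not one of the decoders known here.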