Sorry, I mistyped my previous reply, meant to say: You may find the ClamAV "bytecode compiler" useful in doing this.
http://www.clamav.net/lang/en/download/sources/

On Fri, Jan 31, 2014 at 2:53 PM, Steven Morgan <smor...@sourcefire.com> wrote:
> Torge,
>
> You may find the ClamAV useful in doing this.
>
> http://www.clamav.net/lang/en/download/sources/
>
>
> On Fri, Jan 31, 2014 at 12:08 PM, Torge Husfeldt <torge.husfe...@1und1.de> wrote:
>
>> Hi List,
>>
>> I have a problem with obfuscated php-code of well-known shells.
>> I have prepared an example where clamav correctly detects the shell
>> itself, but happily flags as OK all the obfuscated variations.
>> You will find the files I'm talking about in the following zipfile
>> (protected with password: infected)
>> http://findhack.org/virus.zip
>>
>> My de-obfuscation technique is actually pretty straight-forward:
>> - replace 'eval' with 'print'
>> - execute
>> - wrap the output in php tags
>> - start over
>>
>> Here's my clamscan-result of the files thus obtained:
>>
>>> $ clamscan *
>>> 0.php: OK
>>> 1.php: OK
>>> 2.php: OK
>>> 3.php: OK
>>> 4.php: PHP.Shell-38 FOUND
>>> virus.zip: OK
>>>
>>> ----------- SCAN SUMMARY -----------
>>> Known viruses: 3097756
>>> Engine version: 0.97.8
>>> Scanned directories: 0
>>> Scanned files: 6
>>> Infected files: 1
>>> Data scanned: 0.45 MB
>>> Data read: 0.29 MB (ratio 1.58:1)
>>> Time: 5.242 sec (0 m 5 s)
>>>
>>
>> Is there a way to detect the obfuscated versions without writing a
>> pattern for every level of wrapping I might encounter?
>>
>> Thanks for your time
>>
>>
>> --
>> Torge Husfeldt
>>
>> Senior Anti-Abuse Engineer
>> Central Abuse Department (1&1 GMX Web.de)
>>
>> 1&1 Internet AG | Brauerstraße 50 | 76135 Karlsruhe | Germany
>> Phone: +49 721 91374-4795 | Fax: +49 721 91374-2982
>> E-Mail: torge.husfe...@1und1.de | Web: www.1und1.de
>>
>> Headquarters Montabaur, Montabaur District Court, HRB 6484
>>
>> Executive Board: Ralph Dommermuth, Frank Einhellinger, Robert Hoffmann, Andreas
>> Hofmann, Markus Huhn, Hans-Henning Kettler, Uwe Lamnek, Jan Oetjen,
>> Christian Würst
>> Chairman of the Supervisory Board: Michael Scheeren
>>
>> Member of United Internet
>>
>> This E-Mail may contain confidential and/or privileged information. If
>> you are not the intended recipient of this E-Mail, you are hereby notified
>> that saving, distribution or use of the content of this E-Mail in any way
>> is prohibited. If you have received this E-Mail in error, please notify the
>> sender and delete the E-Mail.
>>
>> _______________________________________________
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>> http://www.clamav.net/support/ml
>>
>
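The four-step unwrapping loop Torge describes (rewrite eval to print, execute, wrap the printed payload in PHP tags, repeat), as an added Python example that is not code from this thread: it writes one file per layer as 0.php, 1.php, ... so the set can be handed to clamscan exactly as in his listing. It assumes a php CLI on PATH and that you run it in a disposable VM or container; the regex, helper names and depth limit are my own choices.

```python
import re
import shutil
import subprocess
from pathlib import Path

# PHP function names are case-insensitive and whitespace may precede the
# parenthesis, so this matches `eval(`, `EVAL (` but not `myeval(` or `$eval`.
# (It will also touch the word inside string literals; acceptable for triage.)
EVAL_CALL = re.compile(r"(?<![\w$])eval\s*\(", re.IGNORECASE)

def has_eval(src: str) -> bool:
    """True while the layer still hands code to eval(), i.e. more wrapping remains."""
    return EVAL_CALL.search(src) is not None

def eval_to_print(src: str) -> str:
    """Step 1: make the layer print its decoded payload instead of running it."""
    return EVAL_CALL.sub("print(", src)

def wrap_php(output: str) -> str:
    """Step 3: wrap the printed payload in PHP tags unless it already carries one."""
    body = output.strip()
    return (body if body.startswith("<?") else "<?php\n" + body) + "\n"

def run_php(src: str, timeout: float = 5.0) -> str:
    """Step 2: run one layer with the php CLI (no php.ini, errors kept off stdout).
    Only do this inside a disposable VM/container: the payload is hostile code."""
    php = shutil.which("php")
    if php is None:
        raise RuntimeError("php CLI not found on PATH")
    proc = subprocess.run([php, "-n", "-d", "display_errors=stderr"],
                          input=src, capture_output=True, text=True, timeout=timeout)
    return proc.stdout

def unwrap(path: Path, max_depth: int = 20) -> list:
    """Step 4: repeat, writing 0.php, 1.php, ... beside `path`, one file per layer."""
    layers, src = [], path.read_text(errors="replace")
    for depth in range(max_depth + 1):
        out = path.with_name(f"{depth}.php")
        out.write_text(src)
        layers.append(out)
        if not has_eval(src):
            break                      # innermost layer reached (the real shell)
        nxt = wrap_php(run_php(eval_to_print(src)))
        if nxt == src:
            break                      # layer reproduces itself: stop, don't loop
        src = nxt
    return layers                      # feed these to `clamscan` as Torge did
```

The depth limit and the self-reproduction check stop the loop on layers that never reach a plain shell, which a hand-driven repeat of the four steps would otherwise chase forever.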