Hello,

Again I have to create signatures for some difficult short files. Using these files, a hacked CMS does what you want.
Examples are here:
http://pastebin.com/ruxdmpNz
The number of files seems infinite; there are always different variable names. Also, the length of the variables and the spacing between text differ from file to file.

I did some testing. In most files there is a "strtoupper" or "strtolower", "isset", "eval" and a lot of array elements, but overall these are not very significant attributes for creating a good signature.
I am afraid of killing some non-malware user files.
I started like this:

testing_01:0:*:737472746f6c6f776572*5d2e{-11}5d2e{-11}5d2e{-11}5d2e{-11}5d2e{-11}5d2e{-11}*6973736574{-35}6576616c

VIRUS NAME: testing_01
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:
strtolower{WILDCARD_ANY_STRING}].{WILDCARD_ANY_STRING(LENGTH<=11)}].{WILDCARD_ANY_STRING(LENGTH<=11)}].{WILDCARD_ANY_STRING(LENGTH<=11)}].{WILDCARD_ANY_STRING(LENGTH<=11)}].{WILDCARD_ANY_STRING(LENGTH<=11)}].{WILDCARD_ANY_STRING(LENGTH<=11)}{WILDCARD_ANY_STRING}isset{WILDCARD_ANY_STRING(LENGTH<=35)}eval


But clamscan always says:
LibClamAV Error: cli_ac_addsig: Signature for testing_01 is too short
LibClamAV Error: cli_parse_add(): Problem adding signature (1).
LibClamAV Error: cli_parseadd(): Problem adding signature (1b).

Why is it too short? Please help me create a good set of signatures.

Thanks,
Hajo
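
An added example, not part of the original post: ClamAV's signature documentation requires every part of a hex signature separated by `*` or `{}` wildcards to be at least two bytes long, and this Python linter splits the posted signature on those wildcards and reports any part below that minimum. The function names are hypothetical and only plain-hex parts are interpreted.

```python
import re

# Wildcards that split a hex signature into separately matched parts:
# "*" (any number of bytes) and "{n}", "{-n}", "{n-}", "{n-m}" (bounded gaps).
WILDCARD = re.compile(r"(\*|\{\d*-?\d*\})")
MIN_PART_BYTES = 2  # minimum length of each part, per the ClamAV signature docs

# The signature from the post, copied verbatim.
SIG = ("testing_01:0:*:737472746f6c6f776572*5d2e{-11}5d2e{-11}5d2e{-11}"
       "5d2e{-11}5d2e{-11}5d2e{-11}*6973736574{-35}6576616c")


def split_parts(hexsig):
    """Return [(part_hex, wildcard_that_follows_or_None), ...]."""
    tokens = WILDCARD.split(hexsig)  # part, wildcard, part, ..., part
    return list(zip(tokens[0::2], tokens[1::2] + [None]))


def lint_signature(line):
    """Return [(part_index, part_hex, reason), ...] for parts that are too short.

    Assumption: parts are plain hex; ??, nibble wildcards, alternatives and
    [n-m] anchors are not interpreted by this linter.
    """
    name, target, offset, hexsig = line.strip().split(":", 3)
    problems = []
    for index, (part, following) in enumerate(split_parts(hexsig)):
        if len(part) % 2:
            problems.append((index, part, "odd number of hex digits"))
        elif len(part) // 2 < MIN_PART_BYTES:
            where = f"before {following}" if following else "at end of signature"
            problems.append(
                (index, part,
                 f"{len(part) // 2} byte(s) {where}, need >= {MIN_PART_BYTES}"))
    return problems


if __name__ == "__main__":
    # Show each part as text next to the wildcard that follows it.
    for part, following in split_parts(SIG.split(":", 3)[3]):
        text = bytes.fromhex(part).decode("latin-1") if part else "<empty>"
        print(f"{text!r:14} then {following}")
    for index, part, reason in lint_signature(SIG):
        print(f"part {index}: {reason}")
```

On the posted signature it reports part 7, the empty part between the last `{-11}` and the `*` that follows it.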