To my embarrassment, the Windows/Linux detection issue was mostly of my making. WinSCP does CR/LF translation of text files by default. The rest you can now all guess. I transferred the malware from my Linux box using a LF -> CR/LF translation mode by mistake. It is the CR/LF version that is detected by ClamAV's PHP.Shell-83 signature. The LF version isn't. Unfortunately, it's the LF version that will exist in the wild and on my Linux box.
Here is the VirusTotal report for the LF-only version:

https://www.virustotal.com/en/file/9a4a084309f51684ca86a1a5fac5a5c0951d5e82a407308ad09b69c6dcaca32b/analysis/1450061292/

With 25 out of 54 voting the LF-only version off the island.

Here is the VirusTotal report for the CR/LF version again:

https://www.virustotal.com/en/file/6e709d5679eac7c8d844f849b0c6e95f4b3f8b716fbae4c27037b760754152bf/analysis/1450059899/ [4]

ClamAV is unique in being the only one that detects on the CR/LF version but not the LF-only version. The CR/LF detection list is otherwise a subset of the LF-only list, which is to be expected.

I feel like that guy who forgot to type "binary" in old-style FTP before transferring a compressed file.

While I am a little embarrassed about the initial mistake (and not catching it for so long), I suspect it also happened to the person who originally submitted the malware for ClamAV. And it may illuminate a similar issue for other signatures, if there really are that many with CR/LF in them. I have submitted the LF-only version to the ClamAV DB team with an explanation and a recommendation that the other signatures with CR/LF in them be revisited.

Kurt

On 2015-12-13 22:35, Kurt Fitzner wrote:
> through. 15 out of 54 AVs surveyed find it stinky. Here's the link:
>
> Interestingly, whatever version of ClamAV they use also detects it. I
> suspect they are using Windows since most of the other engines they use
> are also Windows. I'm interested enough now to compile ClamAV in Cygwin
> for myself and see what's going on.
>
> Kurt.
>
> On 2015-12-13 22:22, Al Varnell wrote:
>
>> I didn't expect the test signature to be successful as my understanding of
>> the way the scanner works requires an exact match to the ASCII string. My
>> familiarity is with ClamXav for OS X which uses an unmatched version of the
>> UNIX ClamAV engine and have no idea what ClamWin uses that might cause
>> different results.
>>
>> Certainly appears that a bug report is in order for either ClamAV or
>> perhaps ClamWin. I understand you are certain that what you have is
>> malware, but there is no guarantee that ClamAV signatures detect it, so
>> this could currently be a false positive of that specific infection name.
>> Try submitting it to http://www.virustotal.com [1] to see what other
>> scanners have to say. Let us know what the analysis link is.
>>
>> As far as submitting to Cisco/ClamAV I think you should wait until we hear
>> from them. They can always get it from VirusTotal, but they may have
>> provisions to allow attachment to a bug report.
>>
>> Sent from Janet's iPad
>>
>> -Al-
>>
>> On Dec 13, 2015, at 4:27 PM, Kurt Fitzner wrote:
>>
>> Just got home and was able to test. Test signature from Steve fails to
>> detect on both Linux and Windows. Tested on Linux with 0.98.7 supplied
>> Debian binaries, and 0.99 binary compiled by myself. Tested in Windows
>> with ClamWin supplied binary.
>>
>> Should I submit my copy of the malware somewhere to aid with testing?
>>
>> Kurt
>>
>> On 2015-12-13 20:00, Al Varnell wrote:
>>
>> I would want to know the results of using the test signature on both systems
>> first, and file a bug report if it turns out to be a ClamAV problem.
>>
>> Sent from Janet's iPad
>>
>> -Al-
>>
>> On Dec 13, 2015, at 11:49 AM, Kurt Fitzner wrote:
>>
>> The question remains as to why the signature correctly leads to a match in
>> Windows but not Linux. If carriage return/linefeed handling differences
>> between the two OSes are to blame, then I suggest a two-pronged approach.
>> Correct the signatures, AND patch ClamAV so that the signatures as written
>> are processed the same way. Even if they are suboptimal signatures, I'd
>> suggest they should be processed the same way on all platforms.
>>
>> That's a lot of signatures that may not be working. Perhaps I'm stating the
>> obvious, but if CR/LF are involved, it means these are likely scripts and
>> such... just the kind of signatures that would be important to catch in
>> Linux.
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq [2]
>
> http://www.clamav.net/contact.html#ml [3]

Links:
------
[1] http://www.virustotal.com
[2] https://github.com/vrtadmin/clamav-faq
[3] http://www.clamav.net/contact.html#ml
[4] https://www.virustotal.com/en/file/6e709d5679eac7c8d844f849b0c6e95f4b3f8b716fbae4c27037b760754152bf/analysis/1450059899/
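The thread's point is that a ClamAV hex signature matches bytes exactly, so a signature body containing `0d0a` hits only the CR/LF form of a script, and a text-mode transfer silently turns one form into the other. The following is an added example, not code from this thread or from the ClamAV project: it emulates the LF -> CR/LF translation, classifies a sample's line endings and hash so a mismatch with a VirusTotal hash is caught before submission, and checks which line-ending variant an `.ndb`-style signature (`Name:TargetType:Offset:HexSignature`) would match. The sample bytes and the `Test.CRLF.Demo` signature are constructed and harmless; the matching is a plain substring check, not ClamAV's real matcher, and wildcards in the hex body are deliberately rejected.

```python
import hashlib
import re

# Constructed stand-in for the sample: harmless text with LF line endings.
SAMPLE_LF = b"<?php\n// demo\necho 'hello';\n?>\n"

# Constructed .ndb-style line whose hex body embeds 0d0a:
# the bytes of "<?php\r\n// demo".
SIG_LINE = "Test.CRLF.Demo:0:*:3c3f7068700d0a2f2f2064656d6f"


def to_crlf(data: bytes) -> bytes:
    """Emulate a text-mode transfer (LF -> CR/LF); lines already CR/LF are untouched."""
    return re.sub(rb"(?<!\r)\n", b"\r\n", data)


def to_lf(data: bytes) -> bytes:
    """Undo CR/LF translation."""
    return data.replace(b"\r\n", b"\n")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def line_ending_style(data: bytes) -> str:
    """Classify a file's line endings as 'lf', 'crlf', 'mixed' or 'none'."""
    crlf = data.count(b"\r\n")
    lf = data.count(b"\n") - crlf
    if crlf and lf:
        return "mixed"
    return "crlf" if crlf else ("lf" if lf else "none")


def hexsig_bytes(ndb_line: str) -> bytes:
    """Return the hex body of an .ndb line as bytes (plain hex only)."""
    hexsig = ndb_line.strip().split(":")[3].lower()
    if not re.fullmatch(r"(?:[0-9a-f]{2})+", hexsig):
        raise ValueError("wildcards (??, *, {n}) are not handled by this demo")
    return bytes.fromhex(hexsig)


def signature_has_crlf(ndb_line: str) -> bool:
    """True if the signature can only ever match CR/LF-terminated text."""
    return b"\r\n" in hexsig_bytes(ndb_line)


def lf_only_signature(ndb_line: str) -> str:
    """Derive the same signature with 0d0a collapsed to 0a, for LF-only files."""
    name, target, offset = ndb_line.strip().split(":")[:3]
    return f"{name}:{target}:{offset}:{to_lf(hexsig_bytes(ndb_line)).hex()}"


def signature_report(ndb_line: str, data: bytes) -> dict:
    """Which line-ending variant of `data` the signature would hit."""
    sig = hexsig_bytes(ndb_line)
    return {
        "signature_has_crlf": b"\r\n" in sig,
        "sample_line_endings": line_ending_style(data),
        "sample_sha256": sha256_hex(data),
        "matches_as_is": sig in data,
        "matches_lf_variant": sig in to_lf(data),
        "matches_crlf_variant": sig in to_crlf(data),
    }


if __name__ == "__main__":
    for label, blob in (("LF-only", SAMPLE_LF), ("CR/LF", to_crlf(SAMPLE_LF))):
        print(label, signature_report(SIG_LINE, blob))
    print("LF-only form of the signature:", lf_only_signature(SIG_LINE))
```

Running it shows the same logical file producing two different SHA-256 hashes and the CR/LF-bearing signature matching only one of them; a signature flagged by `signature_has_crlf` is a candidate for the revisit Kurt recommends. For a real test, write the derived line to a `.ndb` file and scan both variants with `clamscan -d that.ndb`, since ClamAV's matcher handles offsets and wildcards that this substring check does not.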