Sorry, I wasn't clear. I meant the malware sample, not your dummy.

-Al-

On Tue, Aug 14, 2018 at 11:24 AM, Alessandro Vesely wrote:
> On Mon 13/Aug/2018 00:27:55 +0200 Al Varnell wrote:
> 
>> I don't quite understand why you think it might not detect it. 
>> 
>> Text strings are not required to have an even number of digits. The hex
>> equivalent to that string would be: {62 63 39 [...] 34 30}. As
>> long as the string appears in a file, it should match.
> 
> That's right.
> 
> I thought it was unlikely to find a 65-byte binary sequence, so it looked
> wrong to me.  Perhaps that's a wrong conjecture, since a malware writer may
> want to hard-code crypto data in the executable.  The sequence doesn't seem
> to be code.
> 
>> I'd have to have the actual sample file in order to say anything more about 
>> it.
> 
> I don't attach it, as it may appear to be a (broken) executable.  Using an 
> xxd[*] dump (instead of hd) solves the problem since xxd is reversible and 
> idempotent:
> 
> ~/tmp$ diff -s <(xxd -g 1 keymarble-dummy) <(xxd -g 1 keymarble-dummy|xxd -r|xxd -g 1)
> Files /dev/fd/63 and /dev/fd/62 are identical
> 
> So you can copy the following to a file and revert to binary:
> 
> ~/tmp$ xxd -g 1 keymarble-dummy
> 00000000: 4d 5a 74 68 69 73 20 69 73 20 61 20 64 75 6d 6d  MZthis is a dumm
> 00000010: 79 20 6b 65 79 6d 61 72 62 6c 65 20 66 69 6c 65  y keymarble file
> 00000020: 20 63 72 65 61 74 65 64 20 66 6f 72 20 6d 61 6b   created for mak
> 00000030: 69 6e 67 20 74 65 73 74 73 0a 00 00 40 00 00 00  ing tests...@...
> 00000040: 50 45 62 63 39 62 37 35 61 33 31 31 37 37 35 38  PEbc9b75a3117758
> 00000050: 37 32 34 35 33 30 35 63 64 34 31 38 62 38 64 66  7245305cd418b8df
> 00000060: 37 38 36 35 32 64 31 63 30 33 65 39 64 61 30 63  78652d1c03e9da0c
> 00000070: 66 63 39 31 30 64 36 64 33 38 65 65 34 31 39 31  fc910d6d38ee4191
> 00000080: 64 34 30 0a 00
> 
> Best
> Ale
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
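An added example, not taken from the thread or from ClamAV's own code, that covers both points of the exchange above: the `xxd -g 1` / `xxd -r` round trip Alessandro uses to ship the dummy file as text, and Al's point that a text string with an odd number of characters still yields an even-length hex signature that matches the file. The dummy file bytes are rebuilt inline from the quoted dump (constructed data); the xxd functions are a simplified Python reimplementation of that dump format, not the xxd tool itself; the `.ndb` line layout (`Name:TargetType:Offset:HexSignature`) is ClamAV's documented format, while the signature name `Example.Placeholder` is only a placeholder.

```python
"""Round-trip an xxd-style dump and derive a ClamAV hex signature from a text string.

Constructed example: the dummy file content is rebuilt inline from the dump
quoted in the thread; xxd_dump/xxd_reverse are a simplified reimplementation
of the `xxd -g 1` / `xxd -r` layout, not the xxd tool itself.
"""
from typing import Optional, Tuple

# Constructed from the quoted dump: 133 bytes, "MZ"/"PE" markers plus a
# 65-character hex-looking text string (no real PE headers).
DUMMY_FILE = (
    b"MZthis is a dummy keymarble file created for making tests\n\x00\x00@\x00\x00\x00"
    b"PEbc9b75a31177587245305cd418b8df78652d1c03e9da0cfc910d6d38ee4191d40\n\x00"
)

# The string the thread discusses: 65 characters, i.e. an odd count of digits.
KEY_STRING = "bc9b75a31177587245305cd418b8df78652d1c03e9da0cfc910d6d38ee4191d40"


def xxd_dump(data: bytes, cols: int = 16) -> str:
    """Render bytes in the layout of `xxd -g 1`: offset, one-byte groups, ASCII column."""
    lines = []
    for off in range(0, len(data), cols):
        chunk = data[off:off + cols]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asciipart = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        # pad the hex area to a fixed width so the ASCII column always aligns
        lines.append(f"{off:08x}: {hexpart:<{cols * 3 - 1}}  {asciipart}")
    return "\n".join(lines) + "\n"


def xxd_reverse(dump: str) -> bytes:
    """Parse a `-g 1` dump back to bytes (the `xxd -r` direction).

    Only the hex area before the double-space separator is read; the ASCII
    column is ignored, so a character such as '6' there is never taken as data.
    Leading mail-quote characters ("> ") are tolerated so a dump pasted from a
    reply works unchanged.  Offsets are assumed to be sequential.
    """
    out = bytearray()
    for raw in dump.splitlines():
        line = raw.lstrip("> ").rstrip()
        if not line:
            continue
        _offset, rest = line.split(":", 1)
        hexarea = rest.strip().split("  ", 1)[0]
        out.extend(int(tok, 16) for tok in hexarea.split())
    return bytes(out)


def text_to_hexsig(text: str) -> str:
    """ClamAV-style hex body for a literal ASCII string: two hex digits per byte,
    so the result is always even-length however many characters the text has."""
    return text.encode("ascii").hex()


def hexsig_matches(data: bytes, hexsig: str) -> bool:
    """Plain substring check, which is what a wildcard-free hex signature does."""
    return bytes.fromhex(hexsig) in data


def ndb_line(name: str, hexsig: str) -> str:
    """One .ndb line, Name:TargetType:Offset:HexSignature, with target 0 (any
    file type) and offset * (match anywhere)."""
    return f"{name}:0:*:{hexsig}"


def longest_printable_run(data: bytes, minlen: int = 4) -> Optional[Tuple[int, bytes]]:
    """Offset and bytes of the longest printable-ASCII run (what `strings` shows).
    A long run like the 65-digit string points to embedded data rather than code."""
    best: Optional[Tuple[int, bytes]] = None
    start = None
    for i, b in enumerate(data + b"\x00"):  # sentinel closes a trailing run
        if 0x20 <= b < 0x7F:
            if start is None:
                start = i
        elif start is not None:
            run = data[start:i]
            if len(run) >= minlen and (best is None or len(run) > len(best[1])):
                best = (start, run)
            start = None
    return best


if __name__ == "__main__":
    dump = xxd_dump(DUMMY_FILE)
    print(dump)
    assert xxd_reverse(dump) == DUMMY_FILE
    sig = text_to_hexsig(KEY_STRING)
    print(ndb_line("Example.Placeholder", sig))
    print("matches dummy file:", hexsig_matches(DUMMY_FILE, sig))
    print("longest printable run:", longest_printable_run(DUMMY_FILE))
```

Running the script prints the same first line as the quoted dump (`00000000: 4d 5a 74 68 ...  MZthis is a dumm`), shows the round trip is lossless, and emits a 130-digit signature body starting `626339` and ending `3430`, exactly the `{62 63 39 [...] 34 30}` Al describes.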
