\documentclass[a4paper,titlepage,12pt]{article}
\usepackage{amssymb}
\usepackage{pslatex}
\usepackage[dvips]{graphicx}
\usepackage{wrapfig}
\usepackage{url}
\date{}

\begin{document}

    \begin{center}
	\huge Creating signatures for ClamAV\\
	\vspace{2cm}
    \end{center}

    \noindent
    \section{Introduction}
    CVD (ClamAV Virus Database) is a digitally signed tarball file that
    contains one or more databases. The header is a 512-byte string made of
    colon-separated fields:
    \begin{verbatim}
ClamAV-VDB:build time:version:number of signatures:functionality
level required:MD5 checksum:digital signature:builder name:build time (sec)
    \end{verbatim}
    \verb+sigtool --info+ displays detailed information about a CVD file:
    \begin{verbatim}
zolw@localhost:/usr/local/share/clamav$ sigtool -i main.cvd
Build time: 09 Jun 2006 22-19 +0200
Version: 39
# of signatures: 58116
Functionality level: 8
Builder: tkojm
MD5: a9a400e70dcbfe2c9e11d78416e1c0cc
Digital signature: 0s12V8OxLWO95fNNv+kTxj7CEWBW/1TKOGC7G4RelhogruBYw8dJeIX2+yhxex/XsLohxoEuXxC2CaFXiiTbrbvpK2USIxkpn53n6LYVV6jKgkP5sa08MdJE7cl29H1slfCrdaevBUZ1Z/UefkRnV6p3iQVpDPsBwqFRbrem33b
Verification OK.
    \end{verbatim}
    There are two CVD databases in ClamAV: \emph{main.cvd} and \emph{daily.cvd},
    the latter carrying the daily updates.
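    The header layout above can be checked with a few lines of code. The
    following Python block is an added example for this document, not ClamAV's
    own implementation: it splits a 512-byte header into the nine fields named
    above, converts the numeric ones, and recomputes the MD5 over the tarball
    that follows the header. The sample header reuses the version, signature
    count, functionality level and builder from the \verb+sigtool -i main.cvd+
    listing, but its MD5 is that of the constructed three-byte body \verb+abc+,
    its digital signature is a placeholder and its build time in seconds is 0.
    That trailing padding is spaces or NUL bytes, and that the MD5 covers
    everything after the header, are this example's assumptions.

```python
import hashlib

HEADER_LEN = 512
# Field names in the order given by the CVD header description above.
FIELDS = ["magic", "build_time", "version", "signatures", "flevel",
          "md5", "dsig", "builder", "build_time_sec"]


def parse_cvd_header(header: bytes) -> dict:
    """Split the 512-byte CVD header into its colon-separated fields."""
    if len(header) != HEADER_LEN:
        raise ValueError("CVD header must be exactly %d bytes" % HEADER_LEN)
    # Assumption: the header is padded to 512 bytes with spaces or NULs.
    text = header.rstrip(b"\x00 ").decode("ascii")
    parts = text.split(":")
    if len(parts) != len(FIELDS) or parts[0] != "ClamAV-VDB":
        raise ValueError("not a CVD header")
    info = dict(zip(FIELDS, parts))
    for key in ("version", "signatures", "flevel", "build_time_sec"):
        info[key] = int(info[key])
    return info


def check_cvd_md5(blob: bytes) -> bool:
    """True when the header's MD5 matches the tarball that follows the header."""
    info = parse_cvd_header(blob[:HEADER_LEN])
    digest = hashlib.md5(blob[HEADER_LEN:]).hexdigest()
    return digest == info["md5"].lower()


# Constructed sample: version, signature count, level and builder from the
# sigtool -i main.cvd listing; MD5("abc") is the RFC 1321 test vector; the
# digital signature is a placeholder and the build time in seconds is 0.
SAMPLE_BODY = b"abc"
SAMPLE_HEADER = (
    "ClamAV-VDB:09 Jun 2006 22-19 +0200:39:58116:8:"
    "900150983cd24fb0d6963f7d28e17f72:PLACEHOLDER_DSIG:tkojm:0"
).encode("ascii").ljust(HEADER_LEN, b" ")

if __name__ == "__main__":
    print(parse_cvd_header(SAMPLE_HEADER))
    print("MD5 ok:", check_cvd_md5(SAMPLE_HEADER + SAMPLE_BODY))
```

    Note that the build time is written as \verb+22-19+ rather than
    \verb+22:19+, so the field itself never contains the separator. The MD5
    check only detects corruption; the digital signature field is what
    protects the database against tampering, and this example does not verify it.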

    \section{Signature format}

    \subsection{MD5}
    There's an easy way to create signatures for static malware using MD5
    checksums. To create a signature for \verb+test.exe+ use the \verb+--md5+
    option of sigtool:
    \begin{verbatim}
zolw@localhost:/tmp/test$ sigtool --md5 test.exe > test.hdb
zolw@localhost:/tmp/test$ cat test.hdb 
48c4533230e1ae1c118c741c0db19dfb:17387:test.exe
    \end{verbatim}
    That's it! The signature is ready to use:
    \begin{verbatim}
zolw@localhost:/tmp/test$ clamscan -d test.hdb test.exe 
test.exe: test.exe FOUND

----------- SCAN SUMMARY -----------
Known viruses: 1
Scanned directories: 0
Engine version: 0.88.2
Scanned files: 1
Infected files: 1
Data scanned: 0.02 MB
Time: 0.024 sec (0 m 0 s)
    \end{verbatim}
    You can edit it to change the name (by default sigtool uses the file name).
    Remember that all MD5 signatures must be placed inside \verb+*.hdb+ files;
    a single file may hold any number of signatures. To have them loaded
    automatically every time clamscan/clamd starts, copy them to the local
    virus database directory.
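    The \verb+md5:size:name+ line that \verb+sigtool --md5+ prints is easy to
    produce and consume from a script without the tool. The Python block below
    is an added example for this document, not ClamAV code: it builds
    \verb+.hdb+ lines from file contents, loads an \verb+.hdb+ file (or, since
    the format is identical, a whitelist \verb+.fp+ file) into a table keyed on
    digest and size, and looks a file up in it. The \verb+Demo.+ names and the
    sample contents are constructed.

```python
import hashlib


def hdb_line(data: bytes, name: str) -> str:
    """One .hdb entry in the md5:size:name layout that sigtool --md5 prints."""
    return "%s:%d:%s" % (hashlib.md5(data).hexdigest(), len(data), name)


def build_hdb(samples: dict) -> str:
    """Build a whole .hdb text from a {signature name: file bytes} mapping."""
    return "".join(hdb_line(data, name) + "\n" for name, data in samples.items())


def load_hdb(text: str) -> dict:
    """Index .hdb (or .fp whitelist) lines by (md5, size) for one-probe lookups."""
    table = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            digest, size, name = line.split(":", 2)
            table[(digest.lower(), int(size))] = name
        except ValueError:
            raise ValueError("malformed hdb line %d: %r" % (lineno, line))
    return table


def lookup(data: bytes, table: dict):
    """Name of the entry whose digest and size both match, else None."""
    return table.get((hashlib.md5(data).hexdigest(), len(data)))


# Constructed samples; MD5("abc") is the RFC 1321 test vector.
SAMPLES = {"Demo.Abc": b"abc", "Demo.Empty": b""}

if __name__ == "__main__":
    print(build_hdb(SAMPLES), end="")
    print(lookup(b"abc", load_hdb(build_hdb(SAMPLES))))
```

    The last lookup in the test below shows the flip side of hash signatures:
    changing a single byte of the sample defeats the match, which is why the
    hexadecimal signatures of the next section exist.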

    \subsection{Hexadecimal signatures}
    ClamAV keeps viral fragments in hexadecimal format. If you don't know how
    to extract a proper signature, please try the MD5 method or submit your
    sample at \url{http://www.clamav.net/sendvirus.html}.

    \subsubsection{Hexadecimal format}
    You can use \verb+sigtool --hex-dump+ to convert arbitrary data into
    hexadecimal format:
    \begin{verbatim}
zolw@localhost:/tmp/test$ sigtool --hex-dump
How do I look in hex?
486f7720646f2049206c6f6f6b20696e206865783f0a
    \end{verbatim}

    \subsubsection{Wildcards}
    ClamAV supports the following extensions inside hex signatures:
    \begin{itemize}
	\item \verb+??+\\
	Match any byte.
	\item \verb+*+\\
	Match any number of bytes.
	\item \verb+{n}+\\
	Match n bytes.
	\item \verb+{-n}+\\
	Match n or fewer bytes.
	\item \verb+{n-}+\\
	Match n or more bytes.
	\item \verb+(a|b)+\\
	Match a or b (more alternatives can be listed).
    \end{itemize}

    \subsubsection{Basic signature format}
    The simplest signatures have the format:
    \begin{verbatim}
MalwareName=HexSignature
    \end{verbatim}
    ClamAV scans the whole content of the file looking for a match. All
    signatures of this type must be placed in \verb+*.db+ files.
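    The wildcard syntax and the \verb+MalwareName=HexSignature+ line format
    above are easy to check against real bytes. The following Python block is
    an added example written for this document, not ClamAV code: it translates
    a hex signature with the wildcards listed above into a byte-level regular
    expression, loads a small constructed \verb+.db+ text and scans the
    ``How do I look in hex?'' bytes from the \verb+sigtool --hex-dump+ example.
    The \verb+Demo.+ signature names and the tolerance for \verb+#+ comment
    lines are this example's own.

```python
import re


def hexsig_to_regex(sig: str) -> bytes:
    """Translate one ClamAV hex signature, wildcards included, into a bytes regex."""
    out = []
    i = 0
    while i < len(sig):
        c = sig[i]
        if c == "*":                                  # any number of bytes
            out.append(b".*")
            i += 1
        elif c == "{":                                # {n}, {-n}, {n-}
            j = sig.index("}", i)
            body = sig[i + 1:j]
            if body.startswith("-"):
                out.append(b".{0,%d}" % int(body[1:]))
            elif body.endswith("-"):
                out.append(b".{%d,}" % int(body[:-1]))
            else:
                out.append(b".{%d}" % int(body))
            i = j + 1
        elif c == "(":                                # (a|b|...) alternation
            j = sig.index(")", i)
            branches = [hexsig_to_regex(br) for br in sig[i + 1:j].split("|")]
            out.append(b"(?:" + b"|".join(branches) + b")")
            i = j + 1
        else:                                         # two hex digits, or ?? for any byte
            pair = sig[i:i + 2]
            if len(pair) != 2:
                raise ValueError("odd-length hex in signature: %r" % sig)
            out.append(b"." if pair == "??" else re.escape(bytes.fromhex(pair)))
            i += 2
    return b"".join(out)


def load_db(text: str) -> list:
    """Parse MalwareName=HexSignature lines (the *.db layout) into compiled patterns."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, hexsig = line.split("=", 1)
        # DOTALL so that '??' and '*' also match newline bytes.
        sigs.append((name, re.compile(hexsig_to_regex(hexsig), re.DOTALL)))
    return sigs


def scan(data: bytes, sigs: list) -> list:
    """Names of every signature found anywhere in data, in database order."""
    return [name for name, pat in sigs if pat.search(data)]


# The bytes printed by the sigtool --hex-dump example above ("How do I look in hex?\n").
SAMPLE_DATA = bytes.fromhex("486f7720646f2049206c6f6f6b20696e206865783f0a")

# Constructed signatures, one per wildcard form; not real ClamAV entries.
SAMPLE_DB = """\
# comment lines are skipped by this loader
Demo.Plain=696e206865783f
Demo.AnyByte=486f77??646f
Demo.AnyRun=486f77*6865783f
Demo.Exact=646f{1}49
Demo.AtMost=6c6f6f6b{-3}696e
Demo.AtLeast=486f77{2-}6865783f
Demo.Alt=(48|68)6f77
Demo.NoMatch=4d5a{-2}50
"""

if __name__ == "__main__":
    print(scan(SAMPLE_DATA, load_db(SAMPLE_DB)))
```

    A backtracking regex is only a model of the semantics: the real engine
    compiles signatures into a trie (the build output later in this document
    shows \verb+Initializing trie.+), so match performance on large files is
    not comparable, but the set of matches is.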

    \subsubsection{Extended signature format}
    The extended signature format allows additional information about the
    target file type, the virus offset and the required engine version to be
    included. The format is:
    \begin{verbatim}
MalwareName:TargetType:Offset:HexSignature[:MinEngineFunctionalityLevel:[Max]]
    \end{verbatim}
    where \verb+TargetType+ is one of the following decimal numbers describing
    the target file type:
    \begin{itemize}
	\item 0 = any file
	\item 1 = Portable Executable
	\item 2 = OLE2 component (e.g. VBA script)
	\item 3 = HTML (normalised)
	\item 4 = Mail file
	\item 5 = Graphics (to help catching exploits in JPEG files)
	\item 6 = ELF
    \end{itemize}
    and \verb+Offset+ is an asterisk or a decimal number \verb+n+, possibly
    combined with a special string:
    \begin{itemize}
	\item \verb+*+ = any
	\item \verb+n+ = absolute offset
	\item \verb+EOF-n+ = end of file minus \verb+n+ bytes
    \end{itemize}
    Signatures for Portable Executable files (target = 1) also support:
    \begin{itemize}
	\item \verb#EP+n# = entry point plus n bytes (\verb#EP+0# if you
	want to anchor to \verb+EP+)
	\item \verb#EP-n# = entry point minus n bytes
	\item \verb#Sx+n# = start of section \verb+x+'s data (sections are
	counted from 0) plus \verb+n+ bytes
	\item \verb#Sx-n# = start of section \verb+x+'s data minus \verb+n+ bytes
	\item \verb#SL+n# = start of the last section plus \verb+n+ bytes
	\item \verb#SL-n# = start of the last section minus \verb+n+ bytes
    \end{itemize}
    All signatures in the extended format must be placed in \verb+*.ndb+ files.
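    To see how the \verb+TargetType+, \verb+Offset+ and functionality-level
    fields constrain a match, here is an added Python example written for this
    document, not part of ClamAV: it parses \verb+.ndb+ lines (plain hex only,
    no wildcards), resolves every offset form listed above against a
    constructed 320-byte stand-in for a PE image, and applies the minimum and
    maximum functionality level. The \verb+PEInfo+ class stands in for a real
    PE parser and is filled with made-up file offsets; treating \verb+EP+ and
    section starts as file offsets is this example's assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class PEInfo:
    """Stand-in for what a PE parser would supply (constructed; file offsets, not RVAs)."""
    entry_point: int   # file offset of the entry point
    sections: list     # file offset of each section's raw data, in header order


OFFSET_RE = re.compile(r"(?:(EOF|EP|SL|S\d+)([+-]))?(\d+)")


def resolve_offset(spec: str, size: int, pe: Optional[PEInfo] = None) -> Optional[int]:
    """Turn an .ndb Offset field into an absolute file offset; '*' yields None."""
    if spec == "*":
        return None
    m = OFFSET_RE.fullmatch(spec)
    if not m:
        raise ValueError("unsupported offset: %r" % spec)
    anchor, sign, n = m.group(1), m.group(2), int(m.group(3))
    if anchor is None:                 # plain decimal n: absolute offset
        base = 0
    elif anchor == "EOF":              # EOF-n: counted back from the end of file
        if sign != "-":
            raise ValueError("EOF offsets must be written EOF-n")
        base = size
    elif pe is None:                   # EP, Sx and SL need the PE layout
        raise ValueError("%s offsets need PE section information" % anchor)
    elif anchor == "EP":
        base = pe.entry_point
    elif anchor == "SL":
        base = pe.sections[-1]
    else:                              # Sx: sections counted from 0
        base = pe.sections[int(anchor[1:])]
    return base - n if sign == "-" else base + n


@dataclass
class NdbSig:
    name: str
    target: int
    offset: str
    pattern: bytes
    min_fl: int = 0
    max_fl: Optional[int] = None


def parse_ndb(line: str) -> NdbSig:
    """Parse Name:TargetType:Offset:Hex[:MinFL[:MaxFL]] (plain hex, no wildcards)."""
    f = line.strip().split(":")
    if len(f) < 4:
        raise ValueError("too few fields: %r" % line)
    sig = NdbSig(f[0], int(f[1]), f[2], bytes.fromhex(f[3]))
    if len(f) > 4 and f[4]:
        sig.min_fl = int(f[4])
    if len(f) > 5 and f[5]:
        sig.max_fl = int(f[5])
    return sig


def matches(sig: NdbSig, data: bytes, file_type: int,
            pe: Optional[PEInfo] = None, engine_fl: int = 8) -> bool:
    """Apply target type, functionality level and offset before comparing bytes."""
    if sig.target not in (0, file_type):          # 0 = any file
        return False
    if engine_fl < sig.min_fl or (sig.max_fl is not None and engine_fl > sig.max_fl):
        return False
    pos = resolve_offset(sig.offset, len(data), pe)
    if pos is None:                               # '*': anywhere in the file
        return sig.pattern in data
    end = pos + len(sig.pattern)
    return 0 <= pos and end <= len(data) and data[pos:end] == sig.pattern


def scan_ndb(data: bytes, file_type: int, text: str,
             pe: Optional[PEInfo] = None, engine_fl: int = 8) -> list:
    """Names of the signatures in an .ndb text that hit, in database order."""
    hits = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            sig = parse_ndb(line)
            if matches(sig, data, file_type, pe, engine_fl):
                hits.append(sig.name)
    return hits


# Constructed 320-byte stand-in for a PE image (not a valid executable):
# a 128-byte header, then three 64-byte sections at offsets 128, 192 and 256.
HEADER = b"MZ" + b"\x00" * 126
SECT0 = b"\x55\x8b\xec" + b"\x00" * 61                            # starts at 128
SECT1 = b"\x00" * 8 + b"\xe8\x00\x00\x00\x00\x5d" + b"\x00" * 50   # starts at 192, EP at 200
SECT2 = b"\x90" * 4 + b"\x00" * 56 + b"ENDS"                       # starts at 256, ends at 320
SAMPLE = HEADER + SECT0 + SECT1 + SECT2
SAMPLE_PE = PEInfo(entry_point=200, sections=[128, 192, 256])

# Constructed signatures: one per offset form, plus two with level bounds.
SAMPLE_NDB = """\
Demo.EP:1:EP+0:e8000000005d
Demo.Text:1:S0+0:558bec
Demo.LastSect:1:SL+0:90909090
Demo.Tail:0:EOF-4:454e4453
Demo.Abs:0:0:4d5a
Demo.Any:0:*:454e4453
Demo.TooNew:0:*:4d5a:9
Demo.Legacy:0:*:4d5a:1:5
Demo.Miss:1:EP-2:e8000000005d
"""
```

    Scanning the same bytes with \verb+file_type+ 6 (ELF) and no
    \verb+PEInfo+ drops every target-1 signature before any offset is
    resolved, which is the false-positive control the target type gives you.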

    \subsection{Signatures based on archive metadata}
    To detect malware that spreads inside Zip or RAR archives (especially
    encrypted ones) you can create a signature describing the malicious
    archived file. The general format is:
    \begin{verbatim}
virname:encrypted:filename:normal size:csize:crc32:cmethod:fileno:max depth
    \end{verbatim}
    \begin{itemize}
	\item Virus name
	\item Encryption flag (1 -- encrypted, 0 -- not encrypted)
	\item File name (* to ignore)
	\item Normal (uncompressed) size (* to ignore)
	\item Compressed size (* to ignore)
	\item CRC32 (* to ignore)
	\item Compression method (* to ignore)
	\item File position in archive (* to ignore)
	\item Maximum number of nested archives (* to ignore)
    \end{itemize}
    The database should have the extension \verb+.zmd+ or \verb+.rmd+ for
    Zip or RAR archives respectively.
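    As an added illustration, not part of ClamAV, the Python block below builds
    a small Zip archive in memory with the standard library and emits one
    \verb+.zmd+ line per member in the field order given above. The member
    names, contents and the \verb+Demo.+ virus name are constructed; rendering
    the CRC32 as eight hex digits and leaving the maximum depth as \verb+*+ are
    assumptions of this example, so compare its output with a line from a real
    \verb+.zmd+ file before relying on the exact format.

```python
import io
import zipfile


def zmd_line(info: zipfile.ZipInfo, fileno: int, virname: str, max_depth="*") -> str:
    """Emit one .zmd line from a member's central-directory metadata."""
    if ":" in info.filename:
        # The name would collide with the field separator; refuse rather than emit junk.
        raise ValueError("member name contains ':' : %r" % info.filename)
    encrypted = 1 if info.flag_bits & 0x1 else 0      # bit 0 of the general-purpose flags
    fields = [virname,
              str(encrypted),
              info.filename,
              str(info.file_size),                    # normal (uncompressed) size
              str(info.compress_size),                # compressed size
              "%08x" % info.CRC,                      # assumption: CRC32 as hex
              str(info.compress_type),                # 0 = stored, 8 = deflate
              str(fileno),                            # position in the archive
              str(max_depth)]                         # '*' = ignore nesting depth
    return ":".join(fields)


def zmd_lines(zip_bytes: bytes, virname: str) -> list:
    """One line per archive member, numbered in central-directory order."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [zmd_line(info, n, virname) for n, info in enumerate(zf.infolist())]


def build_sample_zip() -> bytes:
    """Constructed archive: a stored member (deterministic sizes) and a deflated one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.exe", b"MZ" + b"\x00" * 30, compress_type=zipfile.ZIP_STORED)
        zf.writestr("readme.txt", b"hello " * 50, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


SAMPLE_LINES = zmd_lines(build_sample_zip(), "Demo.ZipPayload")

if __name__ == "__main__":
    print("\n".join(SAMPLE_LINES))
```

    Traditional PKZIP encryption protects only the member data; the central
    directory, with file names, sizes, CRCs and compression methods, stays in
    the clear, which is what makes this kind of signature usable on encrypted
    archives. Python's \verb+zipfile+ cannot write encrypted members, so the
    constructed archive shows the flag as 0; on an encrypted sample the same
    code reports 1.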

    \subsection{Whitelist database}
    To whitelist a specific file use the MD5 signature format and place
    it in the database with the extension \verb+.fp+.

    \subsection{Signature names}
    ClamAV uses the following prefixes for particular kinds of malware:
    \begin{itemize}
	\item \emph{Worm} for Internet worms
	\item \emph{Trojan} for backdoor programs
	\item \emph{JS} for JavaScript malware
	\item \emph{VBS} for VBS malware
	\item \emph{W97M}, \emph{W2000M} for Word macro viruses
	\item \emph{X97M}, \emph{X2000M} for Excel macro viruses
	\item \emph{O97M}, \emph{O2000M} for general Office macro viruses
	\item \emph{DoS} for Denial of Service attack software
	\item \emph{Exploit} for popular exploits
	\item \emph{VirTool} for virus construction kits
	\item \emph{Dialer} for dialers
	\item \emph{Joke} for hoaxes
    \end{itemize}

    \section{Special files}

    \subsection{HTML}
    ClamAV contains special HTML normalisation code, which is required to
    detect HTML exploits. Running \verb+sigtool --html-normalise+ on an HTML
    file creates the following files:
    \begin{itemize}
	\item comment.html - the whole file normalised
	\item nocomment.html - the file normalised, with all comments removed
	\item script.html - the parts of the file in \verb+<script>+ tags
	      (lowercased)
    \end{itemize}
    The code automatically decodes JScript.encode parts and character
    references (e.g. \verb+&#102;+). You need to create a signature against one
    of the created files. To eliminate potential false positive alerts, use the
    extended signature format with target type 3.

    \subsection{Compressed Portable Executable files}
    If the file is compressed with UPX, FSG, Petite or another executable
    packer supported by libclamav, run \verb+clamscan+ with
    \verb+--debug --leave-temps+. Example output for an FSG-compressed file:
    \begin{verbatim}
LibClamAV debug: UPX/FSG: empty section found - assuming compression
LibClamAV debug: FSG: found old EP @1554
LibClamAV debug: FSG: Successfully decompressed
LibClamAV debug: UPX/FSG: Decompressed data saved in /tmp/clamav-4eba73ff4050a26
    \end{verbatim}
    Then create a signature for the decompressed file
    \verb+/tmp/clamav-4eba73ff4050a26+.

    \section{Building CVD files - ClamAV maintainers only}
    Run freshclam to make sure you're using the latest databases. Next, enter
    some \textbf{empty} temporary directory and execute the following command:
    \begin{verbatim}
sigtool --unpack-current daily.cvd
    \end{verbatim}
    This unpacks all databases from the current \emph{daily.cvd}.
    Add signatures to the appropriate files and build the final CVD:
    \begin{verbatim}
sigtool --build daily.cvd --server SIGNING_SERVER
    \end{verbatim}
    where SIGNING\_SERVER is one of the ClamAV Signing Servers you have
    access to. This command automatically generates the binary database with
    a digital signature:
    \begin{verbatim}
LibClamAV debug: Loading databases from .
LibClamAV debug: Loading ./daily.db
LibClamAV debug: Loading ./daily.hdb
LibClamAV debug: Initializing trie.
Database properly parsed.
Signatures: 183
COPYING
tar: main.db: Cannot stat: No such file or directory
tar: main.hdb: Cannot stat: No such file or directory
daily.db
daily.hdb
tar: Notes: Cannot stat: No such file or directory
tar: Error exit delayed from previous errors
Builder id: tkojm
Password:
Signature received (length = 171).
Database daily.cvd created.
    \end{verbatim}
    Don't worry about the "No such file or directory" \emph{tar} errors.
    Finally, verify the new database with:
    \begin{verbatim}
zolw@localhost:/usr/local/share/clamav$ sigtool -i daily.cvd 
Build time: 26 Aug 2004 22-41 +0200
Version: 473
# of signatures: 183
Functionality level: 2
Builder: tkojm
MD5: 0e89235392c1a1142dda0d022f218903
Digital signature: bWBCx3KO7rkdOQo+zTIZXKhGNvmEz5n/fTUsCEVrdFwhWr2gf5MjsmO7nF/4BdRV/qwXEHJtp0i/2g6awhqUFaO73bbH5f+zmuHy8h0wqYv6jhlIdeA8uh6DGQYBj7azyS9O/0+bXEvU1SutpL3rW8ireFky6zXKv5BVbhnZj9j
Verification OK.
    \end{verbatim}
    Now you must update the main rsync server:
    {\small
    \begin{verbatim}
rsync -tcz --stats --progress -e ssh daily.cvd clamupload@rsync1.clamav.net:public_html/
ssh rsync1.clamav.net -i ~/.ssh/id_rsa -l clamavdb sleep 1
    \end{verbatim}}
    Please consult \cite{mirroring} for more information. After an update please
    send a summary to \url{clamav-virusdb@lists.clamav.net}. Thanks!

    \begin{thebibliography}{99}
	\bibitem{mirroring}
	    Luca Gibelli, \emph{Mirroring the Virus Database}\\
	    \url{http://www.clamav.net/doc/mirrors}
    \end{thebibliography}

\end{document}