@@ -1,3 +1,9 @@

+Tue Dec  2 22:00:10 EET 2008 (edwin)

+------------------------------------

+ * libclamav/dconf.c, libclamav/dconf.h, libclamav/pe.c,

+ libclamav/special.c, libclamav/special.h: Heuristic detection of

+ Trojan.Swizzor.Gen (bb #1310)

+

 Mon Dec  1 19:51:52 CET 2008 (tk)

 ---------------------------------

  * libclamav/matcher-ac.c: fix parsing of lsig modifiers

@@ -59,6 +59,7 @@ static struct dconf_module modules[] = {

     { "PE",	    "MD5SECT",	    PE_CONF_MD5SECT,	    1 },

     { "PE",	    "UPX",	    PE_CONF_UPX,	    1 },

     { "PE",	    "FSG",	    PE_CONF_FSG,	    1 },

+    { "PE",         "SWIZZOR",      PE_CONF_SWIZZOR,        1 },

     { "PE",	    "PETITE",	    PE_CONF_PETITE,	    1 },

     { "PE",	    "PESPIN",	    PE_CONF_PESPIN,	    1 },

@@ -48,7 +48,7 @@ struct cli_dconf {

 #define PE_CONF_MD5SECT	    0x10

 #define PE_CONF_UPX	    0x20

 #define PE_CONF_FSG	    0x40

-/*#define PE_CONF_REUSEME	    0x80 */

+#define PE_CONF_SWIZZOR     0x80

 #define PE_CONF_PETITE	    0x100

 #define PE_CONF_PESPIN	    0x200

 #define PE_CONF_YC	    0x400

@@ -21,7 +21,7 @@

 #if HAVE_CONFIG_H

 #include "clamav-config.h"

 #endif

-

+#define _XOPEN_SOURCE 500

 #include <stdio.h>

 #if HAVE_STRING_H

 #include <string.h>

@@ -56,6 +56,7 @@

 #include "matcher.h"

 #include "matcher-bm.h"

 #include "disasm.h"

+#include "special.h"

 #ifndef	O_BINARY

 #define	O_BINARY	0

@@ -316,6 +317,102 @@ static unsigned int cli_md5sect(int fd, struct cli_exe_section *s, unsigned char

     return 1;

 }

+static void cli_parseres_special(uint32_t base, uint32_t rva, int srcfd, struct cli_exe_section *exe_sections, uint16_t nsections, size_t fsize, uint32_t hdr_size, unsigned int level, uint32_t type, unsigned int *maxres, struct swizz_stats *stats) {

+    unsigned int err = 0, i;

+    uint8_t resdir[16];

+    uint8_t *entry, *oentry;

+    uint16_t named, unnamed;

+    uint32_t rawaddr = cli_rawaddr(rva, exe_sections, nsections, &err, fsize, hdr_size);

+    uint32_t entries;

+

+    if(level>2 || !*maxres) return;

+    *maxres-=1;

+    if(err || (pread(srcfd,resdir, sizeof(resdir), rawaddr) != sizeof(resdir)))

+	    return;

+    named = (uint16_t)cli_readint16(resdir+12);

+    unnamed = (uint16_t)cli_readint16(resdir+14);

+

+    entries = /*named+*/unnamed;

+    if (!entries)

+	    return;

+    oentry = entry = cli_malloc(entries*8);

+    rawaddr += named*8; /* skip named */

+    /* this is just used in a heuristic detection, so don't give error on failure */

+    if (!entry) {

+	    cli_dbgmsg("cli_parseres_special: failed to allocate memory for resource directory:%lu\n", (unsigned long)entries);

+	    return;

+    }

+    if (pread(srcfd, entry, entries*8, rawaddr+16) != entries*8) {

+	    cli_dbgmsg("cli_parseres_special: failed to read resource directory at:%lu\n", (unsigned long)rawaddr+16);

+	    free(oentry);

+	    return;

+    }

+    /*for (i=0; i<named; i++) {

+	uint32_t id, offs;

+	id = cli_readint32(entry);

+	offs = cli_readint32(entry+4);

+	if(offs>>31)

+	    cli_parseres( base, base + (offs&0x7fffffff), srcfd, exe_sections, nsections, fsize, hdr_size, level+1, type, maxres, stats);

+	entry+=8;

+    }*/

+    for (i=0; i<unnamed; i++) {

+	uint32_t id, offs;

+	id = cli_readint32(entry)&0x7fffffff;

+	if(level==0) {

+		switch(id) {

+			case 4: /* menu */

+			case 5: /* dialog */

+			case 6: /* string */

+			case 11:/* msgtable */

+				type = id;

+				break;

+			case 16:

+				/* 14: version */

+				stats->has_version = 1;

+				break;

+			case 24: /* manifest */

+				stats->has_manifest = 1;

+				break;

+			/* otherwise keep it 0, we don't want it */

+		}

+	} else if (!type) {

+		/* if we are not interested in this type, skip */

+		continue;

+	}

+	offs = cli_readint32(entry+4);

+	if(offs>>31)

+		cli_parseres_special(base, base + (offs&0x7fffffff), srcfd, exe_sections, nsections, fsize, hdr_size, level+1, type, maxres, stats);

+	else {

+		if (type == 4 || type == 5 || type == 6 || type ==11) {

+			offs = cli_readint32(entry+4);

+			rawaddr = cli_rawaddr(base + offs, exe_sections, nsections, &err, fsize, hdr_size);

+			if (!err && pread(srcfd, resdir, sizeof(resdir), rawaddr) == sizeof(resdir)) {

+				uint32_t isz = cli_readint32(resdir+4);

+				char *str;

+				rawaddr = cli_rawaddr(cli_readint32(resdir), exe_sections, nsections, &err, fsize, hdr_size);

+				if (err || !isz || rawaddr+isz >= fsize) {

+					cli_dbgmsg("cli_parseres_special: invalid resource table entry: %lu + %lu\n", 

+							(unsigned long)rawaddr, 

+							(unsigned long)isz);

+					continue;

+				}

+				str = cli_malloc(isz);

+				if (!str) {

+					cli_dbgmsg("cli_parseres_special: failed to allocate string mem: %lu\n", (unsigned long)isz);

+					continue;

+				}

+				if(pread(srcfd, str, isz, rawaddr) == isz) {

+					cli_detect_swizz_str(str, isz, stats, type);

+				}

+				free (str);

+			}

+		}

+	}

+	entry+=8;

+    }

+    free (oentry);

+}

+

 int cli_scanpe(int desc, cli_ctx *ctx)

 {

 	uint16_t e_magic; /* DOS signature ("MZ") */

@@ -344,6 +441,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)

 	struct cli_exe_section *exe_sections;

 	struct cli_matcher *md5_sect;

 	char timestr[32];

+	struct pe_image_data_dir *dirs;

     if(!ctx) {

@@ -597,6 +695,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)

 	cli_dbgmsg("SizeOfImage: 0x%x\n", EC32(optional_hdr32.SizeOfImage));

 	cli_dbgmsg("SizeOfHeaders: 0x%x\n", hdr_size);

 	cli_dbgmsg("NumberOfRvaAndSizes: %d\n", EC32(optional_hdr32.NumberOfRvaAndSizes));

+	dirs = optional_hdr32.DataDirectory;

     } else { /* PE+ */

         /* read the remaining part of the header */

@@ -628,6 +727,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)

 	cli_dbgmsg("SizeOfImage: 0x%x\n", EC32(optional_hdr64.SizeOfImage));

 	cli_dbgmsg("SizeOfHeaders: 0x%x\n", hdr_size);

 	cli_dbgmsg("NumberOfRvaAndSizes: %d\n", EC32(optional_hdr64.NumberOfRvaAndSizes));

+	dirs = optional_hdr64.DataDirectory;

     }

@@ -1113,6 +1213,22 @@ int cli_scanpe(int desc, cli_ctx *ctx)

 	break;

     }

+    /* Trojan.Swizzor.Gen */

+    if (SCAN_ALGO && (DCONF & PE_CONF_SWIZZOR) && nsections > 1 && fsize > 64*1024 && fsize < 4*1024*1024) {

+	    int ret = CL_CLEAN;

+	    if(dirs[2].Size) {

+		    struct swizz_stats stats;

+		    unsigned int m = 10000;

+		    memset(&stats, 0, sizeof(stats));

+		    cli_parseres_special(EC32(dirs[2].VirtualAddress), EC32(dirs[2].VirtualAddress), desc, exe_sections, nsections, fsize, hdr_size, 0, 0, &m, &stats);

+		    if (cli_detect_swizz(&stats) == CL_VIRUS) {

+			    *ctx->virname = "Trojan.Swizzor.Gen";

+			    ret = CL_VIRUS;

+			    free(exe_sections);

+			    return ret;

+		    }

+	    }

+    }

     /* UPX, FSG, MEW support */

@@ -1,7 +1,7 @@

 /*

  *  Copyright (C) 2007-2008 Sourcefire, Inc.

  *

- *  Authors: Trog

+ *  Authors: Trog, Török Edvin

  *

  *  This program is free software; you can redistribute it and/or modify

  *  it under the terms of the GNU General Public License version 2 as

@@ -34,7 +34,7 @@

 #include <netinet/in.h>

 #endif

 #include <string.h>

-

+#include <ctype.h>

 #include "clamav.h"

 #include "others.h"

 #include "cltypes.h"

@@ -355,3 +355,97 @@ int cli_check_riff_exploit(int fd)

 	}

 	return retval;

 }

+

+static inline int swizz_j48(const uint16_t n[])

+{

+	cli_dbgmsg("swizz_j48: %u, %u, %u\n",n[0],n[1],n[2]);

+	/* rules based on J48 tree */

+	if (n[0] <= 951 || n[1] == 0)

+		return CL_CLEAN;

+	if (n[2] == 0) {

+		if (n[0] <= 984)

+			return CL_CLEAN;

+		if (n[1] <= 15)

+			return n[0] <= 1008 ? CL_CLEAN : CL_VIRUS;

+		return CL_CLEAN;

+	}

+	return n[2] <= 7 ? CL_VIRUS : CL_CLEAN;

+}

+

+void cli_detect_swizz_str(const unsigned char *str, uint32_t len, struct swizz_stats *stats, int blob)

+{

+	unsigned char stri[4096];

+        uint32_t i, j = 0;

+	int bad = 0;

+	int lastalnum = 0;

+	uint8_t ngrams[17576];

+	uint16_t all=0;

+	uint16_t ngram_cnts[3];

+	uint16_t words = 0;

+	int ret;

+

+	for(i=0;i<len-1 && j < sizeof(stri)-2;i += 2) {

+		unsigned char c = str[i];

+		if (str[i+1] || !c) {

+			bad++;

+			continue;

+		}

+		if (!isalnum(c)) {

+			if (!lastalnum)

+				continue;

+			lastalnum = 0;

+			c = ' ';

+		} else {

+			lastalnum = 1;

+			if (isdigit(c))

+				continue;

+		}

+		stri[j++] = tolower(c);

+	}

+	stri[j++] = '\0';

+	if ((!blob && (bad >= 8)) || j < 4)

+		return;

+	memset(ngrams, 0, sizeof(ngrams));

+	memset(ngram_cnts, 0, sizeof(ngram_cnts));

+	for(i=0;i<j-2;i++) {

+		if (stri[i] != ' ' && stri[i+1] != ' ' && stri[i+2] != ' ') {

+			uint16_t idx = (stri[i] - 'a')*676 + (stri[i+1] - 'a')*26 + (stri[i+2] - 'a');

+			if (idx < sizeof(ngrams))

+				ngrams[idx]++;

+		} else if (stri[i] == ' ')

+			words++;

+	}

+	for(i=0;i<sizeof(ngrams);i++) {

+		uint8_t v = ngrams[i];

+		if (v > 3) v = 3;

+		if (v) {

+			ngram_cnts[v-1]++;

+			all++;

+		}

+	}

+	if (!all)

+		return;

+	cli_dbgmsg("cli_detect_swizz_str: %u, %u, %u\n",ngram_cnts[0],ngram_cnts[1],ngram_cnts[2]);

+	/* normalize */

+	for(i=0;i<sizeof(ngram_cnts)/sizeof(ngram_cnts[0]);i++) {

+		uint32_t v = ngram_cnts[i];

+		ngram_cnts[i] = (v<<10)/all;

+	}

+	ret = swizz_j48(ngram_cnts);

+	cli_dbgmsg("cli_detect_swizz_str: %s, %u words\n", ret == CL_VIRUS ? "suspicious" : "ok", words);

+	if (ret == CL_VIRUS)

+		stats->suspicious += j;

+	stats->total += j;

+}

+

+int cli_detect_swizz(struct swizz_stats *stats)

+{

+	cli_dbgmsg("cli_detect_swizz: %lu/%lu, version:%d, manifest: %d \n",

+			(unsigned long)stats->suspicious, (unsigned long)stats->total,

+			stats->has_version, stats->has_manifest);

+	/* not all have version/manifest */

+	if (stats->total > 128 && stats->suspicious > 3*stats->total/10) {

+		return CL_VIRUS;

+	}

+	return CL_CLEAN;

+}

@@ -22,9 +22,17 @@

 #define __SPECIAL_H

 #include "others.h"

+struct swizz_stats {

+	uint32_t total;

+	uint32_t suspicious;

+	int has_version;

+	int has_manifest;

+};

 int cli_check_mydoom_log(int desc, const char **virname);

 int cli_check_jpeg_exploit(int fd, cli_ctx *ctx);

 int cli_check_riff_exploit(int fd);

+void cli_detect_swizz_str(const unsigned char *str, uint32_t len, struct swizz_stats *stats, int blob);

+int cli_detect_swizz(struct swizz_stats *stats);

 #endif