@@ -1,3 +1,7 @@

+Fri Jun 23 00:01:16 CEST 2006 (tk)

+----------------------------------

+  * docs/signatures.pdf: update

+

 Thu Jun 22 11:14:25 CEST 2006 (tk)

 ----------------------------------

   * sigtool/sigtool.c: create db.info file and include it in CVD

@@ -16,5 +16,5 @@

 #  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,

 #  MA 02110-1301, USA.

-EXTRA_DIST = clamdoc.pdf man clamav-mirror-howto.pdf signatures.pdf clamdoc.tex clam.eps html

+EXTRA_DIST = html man clamdoc.pdf clamdoc.tex clamav-mirror-howto.pdf signatures.pdf signatures.tex clam.eps

 man_MANS = man/clamscan.1 man/freshclam.1 man/sigtool.1 man/clamd.8 man/clamd.conf.5 man/clamdscan.1 man/clamav-milter.8 man/freshclam.conf.5

@@ -188,7 +188,7 @@ target_alias = @target_alias@

 target_cpu = @target_cpu@

 target_os = @target_os@

 target_vendor = @target_vendor@

-EXTRA_DIST = clamdoc.pdf man clamav-mirror-howto.pdf signatures.pdf clamdoc.tex clam.eps html

+EXTRA_DIST = html man clamdoc.pdf clamdoc.tex clamav-mirror-howto.pdf signatures.pdf signatures.tex clam.eps

 man_MANS = man/clamscan.1 man/freshclam.1 man/sigtool.1 man/clamd.8 man/clamd.conf.5 man/clamdscan.1 man/clamav-milter.8 man/freshclam.conf.5

 all: all-am

Binary files a/clamav-devel/docs/signatures.pdf and b/clamav-devel/docs/signatures.pdf differ

new file mode 100644

@@ -0,0 +1,280 @@

+\documentclass[a4paper,titlepage,12pt]{article}

+\usepackage{amssymb}

+\usepackage{pslatex}

+\usepackage[dvips]{graphicx}

+\usepackage{wrapfig}

+\usepackage{url}

+\date{}

+

+\begin{document}

+

+    \begin{center}

+	\huge Creating signatures for ClamAV\\

+	\vspace{2cm}

+    \end{center}

+

+    \noindent

+    \section{Introduction}

+    CVD (ClamAV Virus Database) is a digitally signed tarball file that

+    contains one or more databases. The header is a 512 bytes long string

+    with colon separated fields:

+    \begin{verbatim}

+ClamAV-VDB:build time:version:number of signatures:functionality

+level required:MD5 checksum:digital signature:builder name:build time (sec)

+    \end{verbatim}

+    \verb+sigtool --info+ displays detailed information about a CVD file:

+    \begin{verbatim}

+zolw@localhost:/usr/local/share/clamav$ sigtool -i main.cvd

+Build time: 09 Jun 2006 22-19 +0200

+Version: 39

+# of signatures: 58116

+Functionality level: 8

+Builder: tkojm

+MD5: a9a400e70dcbfe2c9e11d78416e1c0cc

+Digital signature: 0s12V8OxLWO95fNNv+kTxj7CEWBW/1TKOGC7G4RelhogruBYw8dJeIX2+yhxex/XsLohxoEuXxC2CaFXiiTbrbvpK2USIxkpn53n6LYVV6jKgkP5sa08MdJE7cl29H1slfCrdaevBUZ1Z/UefkRnV6p3iQVpDPsBwqFRbrem33b

+Verification OK.

+    \end{verbatim}

+    There are two CVD databases in ClamAV: \emph{main.cvd} and \emph{daily.cvd}

+    for daily updates.

+

+    \section{Signature format}

+

+    \subsection{MD5}

+    There's an easy way to create signatures for static malware using MD5

+    checksums. To create a signature for \verb+test.exe+ use the \verb+--md5+

+    option of sigtool:

+    \begin{verbatim}

+zolw@localhost:/tmp/test$ sigtool --md5 test.exe > test.hdb

+zolw@localhost:/tmp/test$ cat test.hdb 

+48c4533230e1ae1c118c741c0db19dfb:17387:test.exe

+    \end{verbatim}

+    That's it! The signature is ready to use:

+    \begin{verbatim}

+zolw@localhost:/tmp/test$ clamscan -d test.hdb test.exe 

+test.exe: test.exe FOUND

+

+----------- SCAN SUMMARY -----------

+Known viruses: 1

+Scanned directories: 0

+Engine version: 0.88.2

+Scanned files: 1

+Infected files: 1

+Data scanned: 0.02 MB

+Time: 0.024 sec (0 m 0 s)

+    \end{verbatim}

+    You can edit it to change the name (by default sigtool uses the file name).

+    Remember that all MD5 signatures must be placed inside \verb+*.hdb+ files

+    and you can include any number of signatures inside a single file. To get

+    them automatically loaded every time clamscan/clamd starts just copy them

+    to the local virus database directory.

+

+    \subsection{Hexadecimal signatures}

+    ClamAV keeps viral fragments in hexadecimal format. If you don't know how

+    to get a proper signature please try the MD5 method or submit your sample

+    at \url{http://www.clamav.net/sendvirus.html}

+

+    \subsubsection{Hexadecimal format}

+    You can use \verb+sigtool --hex-dump+ to convert arbitrary data into

+    hexadecimal format:

+    \begin{verbatim}

+zolw@localhost:/tmp/test$ sigtool --hex-dump

+How do I look in hex?

+486f7720646f2049206c6f6f6b20696e206865783f0a

+    \end{verbatim}

+

+    \subsubsection{Wildcards}

+    ClamAV supports the following extensions inside hex signatures:

+    \begin{itemize}

+	\item \verb+??+\\

+	Match any byte.

+	\item \verb+*+\\

+	Match any number of bytes.

+	\item \verb+{n}+\\

+	Match n bytes.

+	\item \verb+{-n}+\\

+	Match n or less bytes.

+	\item \verb+{n-}+\\

+	Match n or more bytes.

+	\item \verb+(a|b)+\\

+	Match a and b (you can use more alternate characters).

+    \end{itemize}

+

+    \subsubsection{Basic signature format}

+    The simplest signatures are of the format:

+    \begin{verbatim}

+MalwareName=HexSignature

+    \end{verbatim}

+    ClamAV will analyse a whole content of a file trying to match it. All

+    signatures of this type must be placed in \verb+*.db+ files.

+

+    \subsubsection{Extended signature format}

+    Extended signature format allows on including additional information about

+    target file type, virus offset and required engine version.

+    The format is:

+    \begin{verbatim}

+MalwareName:TargetType:Offset:HexSignature[:MinEngineFunctionalityLevel:[Max]]

+    \end{verbatim}

+    where \verb+TargetType+ is one of the following decimal numbers describing

+    the target file type:

+    \begin{itemize}

+	\item 0 = any file

+	\item 1 = Portable Executable

+	\item 2 = OLE2 component (e.g. VBA script)

+	\item 3 = HTML (normalised)

+	\item 4 = Mail file

+	\item 5 = Graphics (to help catching exploits in JPEG files)

+	\item 6 = ELF

+    \end{itemize}

+    And	\verb+Offset+ is an asterisk or a decimal number \verb+n+ possibly

+    combined with a special string:

+    \begin{itemize}

+	\item \verb+*+ = any

+	\item \verb+n+ = absolute offset

+	\item \verb+EOF-n+ = end of file minus \verb+n+ bytes

+    \end{itemize}

+    Signatures for Portable Executables files (target = 1) also support:

+    \begin{itemize}

+	\item \verb#EP+n# = entry point plus n bytes (\verb#EP+0# if you

+	want to anchor to \verb+EP+)

+	\item \verb#EP-n# = entry point minus n bytes

+	\item \verb#Sx+n# = start of section's \verb+x+ (counted from 0)

+	data plus \verb+n+ bytes

+	\item \verb#Sx+n# = start of section's \verb+x+ data minus \verb+n+ bytes

+	\item \verb#SL+n# = start of last section plus \verb+n+ bytes

+	\item \verb#SL-n# = start of last section minux \verb+n+ bytes

+    \end{itemize}

+    All signatures in the extended format must be placed in \verb+*.ndb+ files.

+

+    \subsection{Signatures based on archive metadata}

+    In order to detect some malware which spreads inside of Zip or RAR archives

+    (especially encrypted ones) you can try to create a signature describing

+    a malicious archived file. The general format is:

+\begin{verbatim}

+virname:encrypted:filename:normal size:csize:crc32:cmethod:fileno:max depth

+\end{verbatim}

+    \begin{itemize}

+	\item Virus name

+	\item Encryption flag (1 -- encrypted, 0 -- not encrypted)

+	\item File name (* to ignore)

+	\item Normal (uncompressed) size (* to ignore)

+	\item Compressed size (* to ignore)

+	\item CRC32 (* to ignore)

+	\item Compression method (* to ignore)

+	\item File position in archive (* to ignore)

+	\item Maximum number of nested archives (* to ignore)

+    \end{itemize}

+    The database should have the extension \verb+.zmd+ or \verb+.rmd+ for

+    Zip or RAR archive respectively.

+

+    \subsection{Whitelist database}

+    To whitelist a specific file use the MD5 signature format and place

+    it in the database with the extension \verb+.fp+.

+

+    \subsection{Signature names}

+    ClamAV uses the following prefixes for particular malware:

+    \begin{itemize}

+	\item \emph{Worm} for Internet worms

+	\item \emph{Trojan} for backdoor programs

+	\item \emph{JS} for Java Script malware

+	\item \emph{VBS} for VBS malware

+	\item \emph{W97M}, \emph{W2000M} for Word macro viruses

+	\item \emph{X97M}, \emph{X2000M} for Excel macro viruses

+	\item \emph{O97M}, \emph{O2000M} for general Office macro viruses

+	\item \emph{DoS} for Denial of Service attack software

+	\item \emph{Exploit} for popular exploits

+	\item \emph{VirTool} for virus construction kits

+	\item \emph{Dialer} for dialers

+	\item \emph{Joke} for hoaxes

+    \end{itemize}

+

+    \section{Special files}

+

+    \subsection{HTML}

+    ClamAV contains a special HTML normalisation code required to detect

+    HTML exploits. Running \verb+sigtool --html-normalise+ on a HTML file

+    should create the following files:

+    \begin{itemize}

+	\item comment.html - the whole file normalised

+	\item nocomment.html - the file normalised, with all comments removed

+	\item script.html - the parts of the file in \verb+<script>+ tags

+	      (lowercased)

+    \end{itemize}

+    The code automatically decodes JScript.encode parts and char ref's (e.g.

+    \verb+f+). You need to create a signature against one of the created

+    files. To eliminate potential false positive alerts you should use

+    extended signature format with target type of 3.

+

+    \subsection{Compressed Portable Executable files}

+    If the file is compressed with UPX, FSG, Petite or other executable packer

+    (supported by libclamav) run \verb+clamscan+ with

+    \verb+--debug --leave-temps+. Example output on FSG compressed file:

+    \begin{verbatim}

+LibClamAV debug: UPX/FSG: empty section found - assuming compression

+LibClamAV debug: FSG: found old EP @1554

+LibClamAV debug: FSG: Successfully decompressed

+LibClamAV debug: UPX/FSG: Decompressed data saved in /tmp/clamav-4eba73ff4050a26

+    \end{verbatim}

+    And create a signature for \verb+/tmp/clamav-4eba73ff4050a26+

+

+    \section{Building CVD files - ClamAV maintainers only}

+    Run freshclam to check you're using the latest databases. Next enter

+    some \textbf{empty} temporary directory and execute the following command:

+    \begin{verbatim}

+sigtool --unpack-current daily.cvd

+    \end{verbatim}

+    This will unpack all databases from the current \emph{daily.cvd} database.

+    Add signatures to appropriate files and build the final CVD:

+    \begin{verbatim}

+sigtool --build daily.cvd --server SIGNING_SERVER

+    \end{verbatim}

+    where SIGNING\_SERVER is one of the ClamAV Signing Servers you have

+    access to. This command will automatically generate binary database with

+    a digital signature.

+    \begin{verbatim}

+LibClamAV debug: Loading databases from .

+LibClamAV debug: Loading ./daily.db

+LibClamAV debug: Loading ./daily.hdb

+LibClamAV debug: Initializing trie.

+Database properly parsed.

+Signatures: 183

+COPYING

+tar: main.db: Cannot stat: No such file or directory

+tar: main.hdb: Cannot stat: No such file or directory

+daily.db

+daily.hdb

+tar: Notes: Cannot stat: No such file or directory

+tar: Error exit delayed from previous errors

+Builder id: tkojm

+Password:

+Signature received (length = 171).

+Database daily.cvd created.

+    \end{verbatim}

+    Don't worry about "No such file or directory" \emph{tar} errors. Finally,

+    you should verify the new database with:

+    \begin{verbatim}

+zolw@localhost:/usr/local/share/clamav$ sigtool -i daily.cvd 

+Build time: 26 Aug 2004 22-41 +0200

+Version: 473

+# of signatures: 183

+Functionality level: 2

+Builder: tkojm

+MD5: 0e89235392c1a1142dda0d022f218903

+Digital signature: bWBCx3KO7rkdOQo+zTIZXKhGNvmEz5n/fTUsCEVrdFwhWr2gf5MjsmO7nF/4BdRV/qwXEHJtp0i/2g6awhqUFaO73bbH5f+zmuHy8h0wqYv6jhlIdeA8uh6DGQYBj7azyS9O/0+bXEvU1SutpL3rW8ireFky6zXKv5BVbhnZj9j

+Verification OK.

+    \end{verbatim}

+    Now you must update the main rsync server:

+    {\small

+    \begin{verbatim}

+rsync -tcz --stats --progress -e ssh daily.cvd clamupload@rsync1.clamav.net:public_html/

+ssh rsync1.clamav.net -i ~/.ssh/id_rsa -l clamavdb sleep 1

+    \end{verbatim}}

+    Please consult \cite{mirroring} for more information. After an update please

+    send a summary to \url{clamav-virusdb@lists.clamav.net}. Thanks!

+

+    \begin{thebibliography}{99}

+	\bibitem{mirroring}

+	    Luca Gibelli, \emph{Mirroring the Virus Database}\\

+	    \url{http://www.clamav.net/doc/mirrors}

+    \end{thebibliography}

+

+\end{document}