git-svn: trunk@2044
Tomasz Kojm authored on 2006/06/23 07:02:15... | ... |
@@ -16,5 +16,5 @@ |
16 | 16 |
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, |
17 | 17 |
# MA 02110-1301, USA. |
18 | 18 |
|
19 |
-EXTRA_DIST = clamdoc.pdf man clamav-mirror-howto.pdf signatures.pdf clamdoc.tex clam.eps html |
|
19 |
+EXTRA_DIST = html man clamdoc.pdf clamdoc.tex clamav-mirror-howto.pdf signatures.pdf signatures.tex clam.eps |
|
20 | 20 |
man_MANS = man/clamscan.1 man/freshclam.1 man/sigtool.1 man/clamd.8 man/clamd.conf.5 man/clamdscan.1 man/clamav-milter.8 man/freshclam.conf.5 |
@@ -188,7 +188,7 @@ target_alias = @target_alias@ |
188 | 188 |
target_cpu = @target_cpu@ |
189 | 189 |
target_os = @target_os@ |
190 | 190 |
target_vendor = @target_vendor@ |
191 |
-EXTRA_DIST = clamdoc.pdf man clamav-mirror-howto.pdf signatures.pdf clamdoc.tex clam.eps html |
|
191 |
+EXTRA_DIST = html man clamdoc.pdf clamdoc.tex clamav-mirror-howto.pdf signatures.pdf signatures.tex clam.eps |
|
192 | 192 |
man_MANS = man/clamscan.1 man/freshclam.1 man/sigtool.1 man/clamd.8 man/clamd.conf.5 man/clamdscan.1 man/clamav-milter.8 man/freshclam.conf.5 |
193 | 193 |
all: all-am |
194 | 194 |
|
196 | 196 |
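--- /dev/null
+++ b/signatures.tex
@@ -0,0 +1,280 @@
+\documentclass[a4paper,titlepage,12pt]{article}
+\usepackage{amssymb}
+\usepackage{pslatex}
+\usepackage[dvips]{graphicx}
+\usepackage{wrapfig}
+\usepackage{url}
+\date{}
+
+\begin{document}
+
+ \begin{center}
+ \huge Creating signatures for ClamAV\\
+ \vspace{2cm}
+ \end{center}
+
+ \noindent
+ \section{Introduction}
+ CVD (ClamAV Virus Database) is a digitally signed tarball file that
+ contains one or more databases. The header is a 512 bytes long string
+ with colon separated fields:
+ \begin{verbatim}
+ClamAV-VDB:build time:version:number of signatures:functionality
+level required:MD5 checksum:digital signature:builder name:build time (sec)
+ \end{verbatim}
+ \verb+sigtool --info+ displays detailed information about a CVD file:
+ \begin{verbatim}
+zolw@localhost:/usr/local/share/clamav$ sigtool -i main.cvd
+Build time: 09 Jun 2006 22-19 +0200
+Version: 39
+# of signatures: 58116
+Functionality level: 8
+Builder: tkojm
+MD5: a9a400e70dcbfe2c9e11d78416e1c0cc
+Digital signature: 0s12V8OxLWO95fNNv+kTxj7CEWBW/1TKOGC7G4RelhogruBYw8dJeIX2+yhxex/XsLohxoEuXxC2CaFXiiTbrbvpK2USIxkpn53n6LYVV6jKgkP5sa08MdJE7cl29H1slfCrdaevBUZ1Z/UefkRnV6p3iQVpDPsBwqFRbrem33b
+Verification OK.
+ \end{verbatim}
+ There are two CVD databases in ClamAV: \emph{main.cvd} and \emph{daily.cvd}
+ for daily updates.
+
+ \section{Signature format}
+
+ \subsection{MD5}
+ There's an easy way to create signatures for static malware using MD5
+ checksums. To create a signature for \verb+test.exe+ use the \verb+--md5+
+ option of sigtool:
+ \begin{verbatim}
+zolw@localhost:/tmp/test$ sigtool --md5 test.exe > test.hdb
+zolw@localhost:/tmp/test$ cat test.hdb
+48c4533230e1ae1c118c741c0db19dfb:17387:test.exe
+ \end{verbatim}
+ That's it! The signature is ready to use:
+ \begin{verbatim}
+zolw@localhost:/tmp/test$ clamscan -d test.hdb test.exe
+test.exe: test.exe FOUND
+
+----------- SCAN SUMMARY -----------
+Known viruses: 1
+Scanned directories: 0
+Engine version: 0.88.2
+Scanned files: 1
+Infected files: 1
+Data scanned: 0.02 MB
+Time: 0.024 sec (0 m 0 s)
+ \end{verbatim}
+ You can edit it to change the name (by default sigtool uses the file name).
+ Remember that all MD5 signatures must be placed inside \verb+*.hdb+ files
+ and you can include any number of signatures inside a single file. To get
+ them automatically loaded every time clamscan/clamd starts just copy them
+ to the local virus database directory.
+
+ \subsection{Hexadecimal signatures}
+ ClamAV keeps viral fragments in hexadecimal format. If you don't know how
+ to get a proper signature please try the MD5 method or submit your sample
+ at \url{http://www.clamav.net/sendvirus.html}
+
+ \subsubsection{Hexadecimal format}
+ You can use \verb+sigtool --hex-dump+ to convert arbitrary data into
+ hexadecimal format:
+ \begin{verbatim}
+zolw@localhost:/tmp/test$ sigtool --hex-dump
+How do I look in hex?
+486f7720646f2049206c6f6f6b20696e206865783f0a
+ \end{verbatim}
+
+ \subsubsection{Wildcards}
+ ClamAV supports the following extensions inside hex signatures:
+ \begin{itemize}
+ \item \verb+??+\\
+ Match any byte.
+ \item \verb+*+\\
+ Match any number of bytes.
+ \item \verb+{n}+\\
+ Match n bytes.
+ \item \verb+{-n}+\\
+ Match n or less bytes.
+ \item \verb+{n-}+\\
+ Match n or more bytes.
+ \item \verb+(a|b)+\\
+ Match a and b (you can use more alternate characters).
+ \end{itemize}
+
+ \subsubsection{Basic signature format}
+ The simplest signatures are of the format:
+ \begin{verbatim}
+MalwareName=HexSignature
+ \end{verbatim}
+ ClamAV will analyse a whole content of a file trying to match it. All
+ signatures of this type must be placed in \verb+*.db+ files.
+
+ \subsubsection{Extended signature format}
+ Extended signature format allows on including additional information about
+ target file type, virus offset and required engine version.
+ The format is:
+ \begin{verbatim}
+MalwareName:TargetType:Offset:HexSignature[:MinEngineFunctionalityLevel:[Max]]
+ \end{verbatim}
+ where \verb+TargetType+ is one of the following decimal numbers describing
+ the target file type:
+ \begin{itemize}
+ \item 0 = any file
+ \item 1 = Portable Executable
+ \item 2 = OLE2 component (e.g. VBA script)
+ \item 3 = HTML (normalised)
+ \item 4 = Mail file
+ \item 5 = Graphics (to help catching exploits in JPEG files)
+ \item 6 = ELF
+ \end{itemize}
+ And \verb+Offset+ is an asterisk or a decimal number \verb+n+ possibly
+ combined with a special string:
+ \begin{itemize}
+ \item \verb+*+ = any
+ \item \verb+n+ = absolute offset
+ \item \verb+EOF-n+ = end of file minus \verb+n+ bytes
+ \end{itemize}
+ Signatures for Portable Executables files (target = 1) also support:
+ \begin{itemize}
+ \item \verb#EP+n# = entry point plus n bytes (\verb#EP+0# if you
+ want to anchor to \verb+EP+)
+ \item \verb#EP-n# = entry point minus n bytes
+ \item \verb#Sx+n# = start of section's \verb+x+ (counted from 0)
+ data plus \verb+n+ bytes
+ \item \verb#Sx+n# = start of section's \verb+x+ data minus \verb+n+ bytes
+ \item \verb#SL+n# = start of last section plus \verb+n+ bytes
+ \item \verb#SL-n# = start of last section minux \verb+n+ bytes
+ \end{itemize}
+ All signatures in the extended format must be placed in \verb+*.ndb+ files.
+
+ \subsection{Signatures based on archive metadata}
+ In order to detect some malware which spreads inside of Zip or RAR archives
+ (especially encrypted ones) you can try to create a signature describing
+ a malicious archived file. The general format is:
+\begin{verbatim}
+virname:encrypted:filename:normal size:csize:crc32:cmethod:fileno:max depth
+\end{verbatim}
+ \begin{itemize}
+ \item Virus name
+ \item Encryption flag (1 -- encrypted, 0 -- not encrypted)
+ \item File name (* to ignore)
+ \item Normal (uncompressed) size (* to ignore)
+ \item Compressed size (* to ignore)
+ \item CRC32 (* to ignore)
+ \item Compression method (* to ignore)
+ \item File position in archive (* to ignore)
+ \item Maximum number of nested archives (* to ignore)
+ \end{itemize}
+ The database should have the extension \verb+.zmd+ or \verb+.rmd+ for
+ Zip or RAR archive respectively.
+
+ \subsection{Whitelist database}
+ To whitelist a specific file use the MD5 signature format and place
+ it in the database with the extension \verb+.fp+.
+
+ \subsection{Signature names}
+ ClamAV uses the following prefixes for particular malware:
+ \begin{itemize}
+ \item \emph{Worm} for Internet worms
+ \item \emph{Trojan} for backdoor programs
+ \item \emph{JS} for Java Script malware
+ \item \emph{VBS} for VBS malware
+ \item \emph{W97M}, \emph{W2000M} for Word macro viruses
+ \item \emph{X97M}, \emph{X2000M} for Excel macro viruses
+ \item \emph{O97M}, \emph{O2000M} for general Office macro viruses
+ \item \emph{DoS} for Denial of Service attack software
+ \item \emph{Exploit} for popular exploits
+ \item \emph{VirTool} for virus construction kits
+ \item \emph{Dialer} for dialers
+ \item \emph{Joke} for hoaxes
+ \end{itemize}
+
+ \section{Special files}
+
+ \subsection{HTML}
+ ClamAV contains a special HTML normalisation code required to detect
+ HTML exploits. Running \verb+sigtool --html-normalise+ on a HTML file
+ should create the following files:
+ \begin{itemize}
+ \item comment.html - the whole file normalised
+ \item nocomment.html - the file normalised, with all comments removed
+ \item script.html - the parts of the file in \verb+<script>+ tags
+ (lowercased)
+ \end{itemize}
+ The code automatically decodes JScript.encode parts and char ref's (e.g.
+ \verb+f+). You need to create a signature against one of the created
+ files. To eliminate potential false positive alerts you should use
+ extended signature format with target type of 3.
+
+ \subsection{Compressed Portable Executable files}
+ If the file is compressed with UPX, FSG, Petite or other executable packer
+ (supported by libclamav) run \verb+clamscan+ with
+ \verb+--debug --leave-temps+. Example output on FSG compressed file:
+ \begin{verbatim}
+LibClamAV debug: UPX/FSG: empty section found - assuming compression
+LibClamAV debug: FSG: found old EP @1554
+LibClamAV debug: FSG: Successfully decompressed
+LibClamAV debug: UPX/FSG: Decompressed data saved in /tmp/clamav-4eba73ff4050a26
+ \end{verbatim}
+ And create a signature for \verb+/tmp/clamav-4eba73ff4050a26+
+
+ \section{Building CVD files - ClamAV maintainers only}
+ Run freshclam to check you're using the latest databases. Next enter
+ some \textbf{empty} temporary directory and execute the following command:
+ \begin{verbatim}
+sigtool --unpack-current daily.cvd
+ \end{verbatim}
+ This will unpack all databases from the current \emph{daily.cvd} database.
+ Add signatures to appropriate files and build the final CVD:
+ \begin{verbatim}
+sigtool --build daily.cvd --server SIGNING_SERVER
+ \end{verbatim}
+ where SIGNING\_SERVER is one of the ClamAV Signing Servers you have
+ access to. This command will automatically generate binary database with
+ a digital signature.
+ \begin{verbatim}
+LibClamAV debug: Loading databases from .
+LibClamAV debug: Loading ./daily.db
+LibClamAV debug: Loading ./daily.hdb
+LibClamAV debug: Initializing trie.
+Database properly parsed.
+Signatures: 183
+COPYING
+tar: main.db: Cannot stat: No such file or directory
+tar: main.hdb: Cannot stat: No such file or directory
+daily.db
+daily.hdb
+tar: Notes: Cannot stat: No such file or directory
+tar: Error exit delayed from previous errors
+Builder id: tkojm
+Password:
+Signature received (length = 171).
+Database daily.cvd created.
+ \end{verbatim}
+ Don't worry about "No such file or directory" \emph{tar} errors. Finally,
+ you should verify the new database with:
+ \begin{verbatim}
+zolw@localhost:/usr/local/share/clamav$ sigtool -i daily.cvd
+Build time: 26 Aug 2004 22-41 +0200
+Version: 473
+# of signatures: 183
+Functionality level: 2
+Builder: tkojm
+MD5: 0e89235392c1a1142dda0d022f218903
+Digital signature: bWBCx3KO7rkdOQo+zTIZXKhGNvmEz5n/fTUsCEVrdFwhWr2gf5MjsmO7nF/4BdRV/qwXEHJtp0i/2g6awhqUFaO73bbH5f+zmuHy8h0wqYv6jhlIdeA8uh6DGQYBj7azyS9O/0+bXEvU1SutpL3rW8ireFky6zXKv5BVbhnZj9j
+Verification OK.
+ \end{verbatim}
+ Now you must update the main rsync server:
+ {\small
+ \begin{verbatim}
+rsync -tcz --stats --progress -e ssh daily.cvd clamupload@rsync1.clamav.net:public_html/
+ssh rsync1.clamav.net -i ~/.ssh/id_rsa -l clamavdb sleep 1
+ \end{verbatim}}
+ Please consult \cite{mirroring} for more information. After an update please
+ send a summary to \url{clamav-virusdb@lists.clamav.net}. Thanks!
+
+ \begin{thebibliography}{99}
+ \bibitem{mirroring}
+ Luca Gibelli, \emph{Mirroring the Virus Database}\\
+ \url{http://www.clamav.net/doc/mirrors}
+ \end{thebibliography}
+
+\end{document}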
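Review bot: The Portable Executable offset list documents `Sx+n` twice, and the second entry is the one described as "minus n bytes", so a reader following it would write an anchor the engine does not interpret as intended; it should read `\item \verb#Sx-n# = start of section's \verb+x+ data minus \verb+n+ bytes`, and the `SL-n` item right below has the typo `minux`. In the wildcard list, `(a|b)` is described as "Match a and b" although an alternation matches either one, so `Match a or b (you can use more alternate characters).` states the rule the other entries imply. In the preamble, `pslatex` is an obsolete font package and `\usepackage[dvips]{graphicx}` ties the document to one driver; a bare `\usepackage{graphicx}` compiles under both dvips and pdflatex. `\url{clamav-virusdb@lists.clamav.net}` is an e-mail address, so a `mailto:` prefix would make the hyperlink (and the reader's intent) unambiguous.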