Tuesday, September 9, 2008

Logical signatures in ClamAV 0.94

On September 1, 2008 Sourcefire released an engine update for ClamAV. This latest version offers new and updated features that allow researchers to write better signatures to detect malware. A quick overview of the changes in ClamAV 0.94 can be found here.

Up to ClamAV 0.93, the following signature formats were the ones most commonly used to detect malware:
  • a full MD5 checksum of a file inside .hdb files in the following format: MD5:FileSize:MalwareName
  • a MD5 for a specific section of PE file stored in .mdb files in the following format: PESectionSize:MD5:MalwareName
  • a signature in a .ndb file using the following format: MalwareName:TargetType:Offset:HexSignature[:MinEngineFunctionalityLevel:[Max]]
ClamAV 0.94 introduces a key new feature: logical signatures. A logical signature employs Boolean operators to combine one or more .ndb-style signatures into a single one. The main benefit of this approach is that it allows for more flexible pattern matching. The format for these new logical signatures is:

SignatureName;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;Subsig2;...

Logical signatures should be stored in .ldb files.

Let us illustrate how logical signatures can be used by analyzing a mass-mailer worm. The code for this sample is in Visual Basic Script (VBS) and so is easily readable. Right away we can see that the worm can loosely be classified in the category "AV Killer" as well since it attempts to identify the presence of various AV tools in order to disable them.



After normalization, we can create 4 signatures to detect each attempt to disable AV tools as follows:

Kaspersky Antivirus Personal/Kaspersky Antivirus Personal Pro (0): 66696c656578697374732028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c

Antiviral Toolkit Pro (1): 66696c6565786973747328{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f{-100}2e64656c65746566696c652028{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f

AVPersonal (2): 66696c656578697374732028{-25}202620225c6176706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6176706572736f6e616c

Trend PC-cillin 98 (3): 66696c656578697374732028{-25}202620225c7472656e642070632d63696c6c696e{-100}2e64656c65746566696c652028{-25}202620225c7472656e642070632d63696c6c696e

Another very important characteristic of this script is that this worm tries to use Outlook MAPI to send itself to the first 8000 contacts found in the address book.



A signature to detect this portion of the file could be (4):

666f7220{-10}203d203120746f20{-10}2e61646472657373656e74726965732e636f756e74{-100}726563697069656e74732e616464{-100}696620{-10}203e20{-5}207468656e206578697420666f72{-300}2e6174746163686d656e74732e616464{-150}2e73656e64

With ClamAV 0.94 and the addition of logical signatures, we write this highly flexible signature:

Worm.Godog;Target:0;((0|1|2|3)& (4));(0);(1);(2);(3);(4)

With a successful match, this signature will return the malware name "Worm.Godog". A match will occur when signature (4) is detected as well as either signature (0), (1), (2) or (3). With the (0) to (4) placeholders replaced by the actual hex subsignatures, the signature looks like this in a .ldb file:

Worm.Godog;Target:0;((0|1|2|3)& (4));66696c656578697374732028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c;66696c6565786973747328{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f{-100}2e64656c65746566696c652028{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f;66696c656578697374732028{-25}202620225c6176706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6176706572736f6e616c;66696c656578697374732028{-25}202620225c7472656e642070632d63696c6c696e{-100}2e64656c65746566696c652028{-25}202620225c7472656e642070632d63696c6c696e;666f7220{-10}203d203120746f20{-10}2e61646472657373656e74726965732e636f756e74{-100}726563697069656e74732e616464{-100}696620{-10}203e20{-5}207468656e206578697420666f72{-300}2e6174746163686d656e74732e616464{-150}2e73656e64
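To make the matching rule concrete, here is an added Python example written for this post (it is not code from the original article and not ClamAV's own matcher). It parses the .ldb line above, decodes each hex subsignature into readable text, models the {-n} wildcards as bounded regular expressions, and evaluates the logical expression over a constructed buffer. The assumptions are: {-n} means "up to n bytes", & binds tighter than |, and a plain regex search stands in for the engine's pattern matcher; normalization, target types, offsets and ClamAV's match-count operators are not modelled.

```python
# Added example (not from the post and not ClamAV code): a toy model of a ClamAV 0.94
# logical signature.  Assumed wildcard semantics: {-n} = 0..n bytes, {n-} = n or more,
# {n-m} = n..m, {n} = exactly n.  Normalization, target types and offsets are not modelled.
import re
WORM_GODOG_LDB = (  # the post's own logical signature on one line; hex copied from the article
    "Worm.Godog;Target:0;((0|1|2|3)& (4));"
    "66696c656578697374732028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c"
    "{-100}2e64656c65746566696c652028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c;"
    "66696c6565786973747328{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f{-100}2e64656c65746566696c652028"
    "{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f;"
    "66696c656578697374732028{-25}202620225c6176706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6176706572736f6e616c;"
    "66696c656578697374732028{-25}202620225c7472656e642070632d63696c6c696e{-100}2e64656c65746566696c652028{-25}202620225c7472656e642070632d63696c6c696e;"
    "666f7220{-10}203d203120746f20{-10}2e61646472657373656e74726965732e636f756e74{-100}726563697069656e74732e616464"
    "{-100}696620{-10}203e20{-5}207468656e206578697420666f72{-300}2e6174746163686d656e74732e616464{-150}2e73656e64"
)
TOKEN_RE = re.compile(r"\{(\d*)(-?)(\d*)\}|([0-9a-fA-F]+)")  # a {lo-hi} / {n} gap or a hex run

def parse_subsig(hexsig):
    """Split a subsignature into ('lit', bytes) and ('gap', lo, hi) parts (hi None = unbounded)."""
    parts, pos = [], 0
    while pos < len(hexsig):
        m = TOKEN_RE.match(hexsig, pos)
        if not m:
            raise ValueError("unsupported signature syntax at offset %d" % pos)
        pos = m.end()
        lo, dash, hi, lit = m.groups()
        if lit is not None:
            parts.append(("lit", bytes.fromhex(lit)))
        else:
            low = int(lo or 0)
            parts.append(("gap", low, low if not dash else (int(hi) if hi else None)))
    return parts

def describe(hexsig):
    """Readable form of a subsignature, e.g. 'fileexists ({-25} & "\\avpersonal...'."""
    return "".join(p[1].decode("latin-1") if p[0] == "lit"
                   else "{%s-%s}" % (p[1] or "", "" if p[2] is None else p[2])
                   for p in parse_subsig(hexsig))

def subsig_regex(hexsig):
    """Bytes regex for one subsignature: literals escaped, gaps become .{lo,hi}."""
    return re.compile(b"".join(
        re.escape(p[1]) if p[0] == "lit"
        else b".{%d,%s}" % (p[1], b"" if p[2] is None else str(p[2]).encode())
        for p in parse_subsig(hexsig)), re.DOTALL)

def parse_ldb(line):
    """Return (name, target_block, logical_expression, [subsig0, subsig1, ...])."""
    name, target, expr, *subsigs = line.strip().split(";")
    return name, target, expr, subsigs

def evaluate(expr, hits):
    """Evaluate numbered subsigs joined by &, | and parentheses over per-subsig hit flags
    (& binds tighter than |; ClamAV's match-count operators are not modelled)."""
    tokens, pos = re.findall(r"\d+|[()&|]", expr) + [None], 0   # None = end sentinel
    def parse_or():
        nonlocal pos
        val = parse_and()
        while tokens[pos] == "|":
            pos += 1
            val = parse_and() or val
        return val

    def parse_and():
        nonlocal pos
        val = parse_atom()
        while tokens[pos] == "&":
            pos += 1
            val = parse_atom() and val
        return val

    def parse_atom():
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        if tok == "(":
            val = parse_or()
            if tokens[pos] != ")":
                raise ValueError("missing ')' in %r" % expr)
            pos += 1
            return val
        if tok is None or not tok.isdigit():
            raise ValueError("unexpected token %r in %r" % (tok, expr))
        return hits[int(tok)]

    result = parse_or()
    if tokens[pos] is not None:
        raise ValueError("trailing tokens in %r" % expr)
    return result

def scan(ldb_line, data):
    """Return the signature name when the expression holds over data, else None."""
    name, _target, expr, subsigs = parse_ldb(ldb_line)
    hits = [subsig_regex(s).search(data) is not None for s in subsigs]
    return name if evaluate(expr, hits) else None

def build_buffer(hexsig, gap_len, filler=b"x"):
    """Constructed test input: literal pieces joined by gap_len filler bytes (above a {-n} limit: no match)."""
    return b"".join(p[1] if p[0] == "lit" else filler * gap_len
                    for p in parse_subsig(hexsig))
```

`describe()` is the quickest way to read what each hex subsignature actually matches. Running `scan()` on a buffer built from subsignatures (0) and (4) returns "Worm.Godog"; a buffer carrying (4) alone, or one where the filler after `fileexists (` is longer than the 25 bytes that `{-25}` allows, returns None, which is exactly the rule the logical expression encodes.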

In previous versions of ClamAV, up to and including 0.93, one would have to write many signatures in order to match the flexibility of the signature above. In this malware sample, 3 different AV tools are disabled and the worm tries to spread to the first 8,000 contacts of your Outlook address book. However, a variant could disable just one of the AV tools and still try to spread over the network. To detect the variant that just disables Kaspersky AV, a pre-0.94 signature would look like:

Worm.Godog:0:*:(0){-750}(4)

To detect the variant that just disables Antiviral Toolkit Pro, a pre-0.94 signature would look like:

Worm.Godog:0:*:(1){-700}(4)

More signatures can be written for the other cases.

This simple example shows how logical signatures can be very powerful in reducing the number of signatures needed to detect variants within a malware family. Logical signatures can also help detect malware samples that were previously tough to detect, and reduce the number of false positive detections.