Clamav create signatures

From HS Syswiki
Current version from 30 October 2014, 14:26

Clamav can be used to create new signatures for malware files it does not recognize by default.

This creates a hex signature from the beginning of the file (a good method for most cases). Note that sigtool --hex-dump emits two hex characters per byte, so head -c 2048 keeps the first 1024 bytes of the file, not 2048. If those leading bytes are generic (a license header, a common framework prologue), clean files will match too, so pick a more distinctive region in that case:

cat malwarefile.php | sigtool --hex-dump | head -c 2048 > signaturefile.ndb


The hex string is saved to signaturefile.ndb. For ClamAV to load it, the line needs a prefix with the signature name, target type and offset. The .ndb format is Name:TargetType:Offset:HexSignature, so prepend the following to the hex string (the file must end up as a single line):

PHP.Malware.0760:0:*:

Target type 0 means "any file" and the offset * means "anywhere in the file". The signature name must be unique (PHP.Malware.0760, PHP.Malware.0761, etc.).


This command can be used to test the new signature:

clamscan -d signaturefile.ndb malwarefile.php

If successful, clamscan reports the file as infected, e.g. "malwarefile.php: PHP.Malware.0760.UNOFFICIAL FOUND". Signatures from a user-supplied database are always reported with the .UNOFFICIAL suffix.

If the infected file is an HTML file or a mixed HTML/PHP file, it needs to be normalised first, because ClamAV matches HTML against a normalised copy of the content (lowercased, whitespace collapsed) rather than against the raw bytes. This can be done with:

sigtool --html-normalise malwarefile.html

This writes three files into the current directory: notags.html, nocomment.html and javascript. Depending on the contents of the file a signature can be created from any of these parts; usually nocomment.html is the best choice. Then:

cat nocomment.html | sigtool --hex-dump | head -c 2048 > signaturefile.ndb

Once a signature has been created and tested, append it to /var/lib/clamav/hs_signatures.ndb, the file that holds all signatures created by us.

The master copy of this file is kept at "bkp001.hr19:~/twi/malware/sigs".

cat signaturefile.ndb >> hs_signatures.ndb

After that, distribute the signature file to all backup servers and change its owner to "vscan":

dscpbackup hs_signatures.ndb []:/var/lib/clamav/.
dsshbackup "chown vscan.vscan /var/lib/clamav/hs_signatures.ndb"


More information: http://www.thehackademy.net/madchat/vxdevl/library/Creating%20signatures%20for%20ClamAV.pdf

http://blog.adamsweet.org/?p=250

http://www.clamav.net/doc/latest/phishsigs_howto.pdf
