ClamAV: creating signatures
ClamAV can be used to create new signatures for malware files it does not recognise by default.
The following creates a hex signature from the first 1024 bytes of a file (sigtool prints two hex characters per byte, so head -c 2048 keeps 1024 bytes, not 2048). This is a good method for most cases, but keep in mind that a plain prefix signature is trivial to evade and will also match any benign file that starts with the same bytes, so always test it against known-clean files as well:
cat malwarefile.php | sigtool --hex-dump | head -c 2048 > signaturefile.ndb
The hex string is saved to signaturefile.ndb, but on its own it is not yet a valid signature. The .ndb format is Name:TargetType:Offset:HexSignature, so we need to prepend the name, the target type (0 = any file type) and the offset (* = match anywhere in the file) to the hex string. For a signature taken from the start of the file, offset 0 (match at the file start only) is stricter than * and is the safer choice.
The prefix needs to have this format, immediately followed by the hex string, all on one line with no spaces:
PHP.Malware.0760:0:*:
The signature name must be unique (PHP.Malware.0760, PHP.Malware.0761 etc.); ClamAV refuses to load a database with duplicate names.
This command can be used to test the new signature:
clamscan -d signaturefile.ndb malwarefile.php
If successful, clamscan reports malwarefile.php as infected, e.g. "malwarefile.php: PHP.Malware.0760.UNOFFICIAL FOUND". Signatures loaded from databases other than the official ClamAV ones are automatically shown with the ".UNOFFICIAL" suffix. Also run the same command against a few clean files of the same type; they must not be reported.
If the infected file is an HTML file or a mixed HTML/PHP file it needs to be "normalised" first, because ClamAV scans HTML in normalised form and a raw hex signature would not match. This can be done with this command:
sigtool --html-normalise malwarefile.html
This writes several normalised parts into the current directory (notags.html, nocomment.html, javascript). Depending on the contents of the file a signature can be created from any of these parts; usually "nocomment.html" is the best choice. Afterwards we can do exactly the same as above:
cat nocomment.html | sigtool --hex-dump | head -c 2048 > signaturefile.ndb
Once a signature has been created and tested, append it to the file /var/lib/clamav/hs_signatures.ndb, which contains all signatures created by us.
The master copy of this file is located at "bkp001.hr19:~/twi/malware/sigs"
cat signaturefile.ndb >> hs_signatures.ndb
After that we distribute the signature file to all backup servers and change the owner to "vscan":
dscpbackup hs_signatures.ndb []:/var/lib/clamav/.
dsshbackup "chown vscan.vscan /var/lib/clamav/hs_signatures.ndb"
Note that a running clamd only picks up the changed file at its next database reload (the periodic SelfCheck, or a restart/reload of clamd); clamscan reads the database fresh on every run.
More information:
http://www.thehackademy.net/madchat/vxdevl/library/Creating%20signatures%20for%20ClamAV.pdf