
Mailing List Archive: ClamAV: users

Signature generation problems

 

 



mbroekman at maileig

May 2, 2012, 1:29 PM

Post #1 of 3 (492 views)
Signature generation problems

I'm having some issues creating a hex signature to match some PHP code
I've run across. I've pulled the snippet of the PHP code that I want to
match on and created the signature using sigtool --hex-dump, but when I
try testing against it, there are no matches. However, if I convert the
entire PHP file to hex using sigtool, I do find the snippet signature in
there.

grep "`awk -F: '{ print $4 }' new1.ndb`" footer.ndb

Similarly, I can take the signature, convert it back to ASCII and match
successfully against the original file:

grep "`awk -F: '{ print $4 }' new1.ndb | xxd -r -p`" footer.php

The hex signature is only 64 characters long so I know that I'm not
blowing through any buffers internally (which I've done before by
accident).

The signature I've generated is:

6966202821697373657428246576613166596c62616b4263565369722929207b

From the text:

if (!isset($eva1fYlbakBcVSir)) {

$ clamscan -d ./new1.ndb footer.php
footer.php: OK

----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.97.3
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.01 MB
Data read: 0.01 MB (ratio 1.00:1)
Time: 0.010 sec (0 m 0 s)

Anyone have any ideas about this?

Thanks in advance

--Maarten



_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


azidouemba at sourcefire

May 2, 2012, 1:51 PM

Post #2 of 3 (472 views)
Re: Signature generation problems [In reply to]

Could be a whitespace character issue. Try to see if ClamAV normalizes
your php script:

clamscan --debug --leave-temps --tempdir=yourtempdir yourphpscript.php

Go to yourtempdir and see if there are any files there. Look for any
differences between them and your original file. Base your signature on
the file(s) from yourtempdir.

Hope that helps.

- Alain

On Wed, May 2, 2012 at 2:29 PM, Maarten Broekman <mbroekman [at] maileig> wrote:
> I'm having some issues creating a hex signature to match some PHP code
> I've run across.  I've pulled the snippet of the PHP code that I want to
> match on and created the signature using sigtool --hex-dump, but when I
> try testing against it, there are no matches.  However, if I convert the
> entire PHP file to hex using sigtool, I do find the snippet signature in
> there.
>
> grep "`awk -F: '{ print $4 }' new1.ndb`" footer.ndb
>
> Similarly, I can take the signature, convert it back to ASCII and match
> successfully against the original file:
>
> grep "`awk -F: '{ print $4 }' new1.ndb | xxd -r -p`" footer.php
>
> The hex signature is only 64 characters long so I know that I'm not
> blowing through any buffers internally (which I've done before by
> accident).
>
> The signature I've generated is:
>
> 6966202821697373657428246576613166596c62616b4263565369722929207b
>
> From the text:
>
> if (!isset($eva1fYlbakBcVSir)) {
>
> $ clamscan -d ./new1.ndb footer.php
> footer.php: OK
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 1
> Engine version: 0.97.3
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.01 MB
> Data read: 0.01 MB (ratio 1.00:1)
> Time: 0.010 sec (0 m 0 s)
>
> Anyone have any ideas about this?
>
> Thanks in advance
>
> --Maarten
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml
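As an added illustration of Alain's point (example code written for this archive page, not ClamAV's own code): the signature was built from the raw file bytes, but the scanner matches against a normalised copy of a script file, which is why the grep tests succeed while clamscan reports OK. The normaliser below is an assumed approximation (whitespace collapsed, ASCII folded to lower case), and footer.php is a constructed stand-in; the authoritative normalised bytes are the --leave-temps output described above.

```python
import re

# Constructed from the thread: the PHP snippet Maarten wanted to match and the
# hex that `sigtool --hex-dump` produced for it (64 hex digits = 32 bytes).
SNIPPET = b"if (!isset($eva1fYlbakBcVSir)) {"
POSTED_HEX = "6966202821697373657428246576613166596c62616b4263565369722929207b"

# Constructed stand-in for footer.php: tab-indented, mixed-case variable name.
RAW_FILE = (b"<?php\n"
            b"\tif (!isset($eva1fYlbakBcVSir)) {\n"
            b"\t\t$eva1fYlbakBcVSir = 1;\n"
            b"\t}\n"
            b"?>\n")

def hex_dump(data: bytes) -> str:
    """Hex-encode bytes as `sigtool --hex-dump` does: lowercase, no separators."""
    return data.hex()

def normalize_text(data: bytes) -> bytes:
    """Assumed approximation (not ClamAV's code) of the text normalisation the
    scanner applies to script/text files before pattern matching: runs of
    whitespace collapse to a single space and ASCII letters fold to lower case.
    The file left in --tempdir by --leave-temps is the real normalised output."""
    collapsed = re.sub(rb"\s+", b" ", data)
    return collapsed.lower()

def ndb_line(name: str, hex_sig: str, target: int = 0) -> str:
    """One .ndb record: MalwareName:TargetType:Offset:HexSignature ('*' = any offset)."""
    return f"{name}:{target}:*:{hex_sig}"

def sig_matches(hex_sig: str, data: bytes) -> bool:
    """Byte-exact check of a hex signature against a buffer. Unlike the grep
    tests in the thread, this cannot match a hex string at an odd nibble offset."""
    return bytes.fromhex(hex_sig) in data

def diagnose(hex_sig: str, raw: bytes) -> dict:
    """Reproduce the symptom: does the signature hit the raw bytes, does it hit
    the normalised bytes, and what hex would the normalised snippet give?"""
    norm = normalize_text(raw)
    return {
        "raw_hit": sig_matches(hex_sig, raw),
        "normalized_hit": sig_matches(hex_sig, norm),
        "fixed_hex": hex_dump(normalize_text(bytes.fromhex(hex_sig))),
    }

if __name__ == "__main__":
    result = diagnose(POSTED_HEX, RAW_FILE)
    print(result)  # raw_hit True, normalized_hit False
    print(ndb_line("Test.PHP.Footer", result["fixed_hex"]))
```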


mbroekman at maileig

May 3, 2012, 6:48 AM

Post #3 of 3 (464 views)
Re: Signature generation problems [In reply to]

> -----Original Message-----
> Could be a whitespace character issue. Try to see if ClamAV normalizes
> your php script:
>
> clamscan --debug --leave-temps --tempdir=yourtempdir yourphpscript.php
>
> Go to yourtempdir and see if there is a file(s) there. Look for any
> differences between it and your original file. Base your signature on
> the file(s) from yourtempdir.

That worked. Thanks.

--Maarten

