[Clamav-devel] ClamAV scanning

Brandon Perry bperry.volatile at gmail.com
Sat Nov 8 12:50:18 EST 2014


Changing the first byte of an MZ header for a PE executable is not a
legitimate way of hiding your artifacts because no one will be able to run
your hidden artifact for the exploit/malware to do anything.

On Sat, Nov 8, 2014 at 11:41 AM, Andrew Camilleri <
andrew.camilleri at gmail.com> wrote:

> Hi Shawn!
>
> Many thanks for replying. I see what you are saying and I agree with you to
> a certain extent. Here is my thinking process. My understanding is that the
> job of an AV is to detect malware, and this usually involves pattern
> matching. Yes you are right, the malware needs to run, but really that is a
> different concern, the OS concern, whereas the concern of an AV is
> detection/matching. It is a little alarming to me the fact that I can
> easily hide a virus by simply changing a single byte; with the right
> context (in our case perhaps through a trivial transformation down the
> stack) a virus can come back to life. Do you see my point? Again I am no
> expert in this, but McAfee seems to agree with what I am saying. Besides
> separation of concerns, you can also argue for robustness; virus writers
> have tried all sorts of complex schemes to hide their artefacts and this
> feels like a legitimate way of achieving that.
> So if I understand correctly, ClamAV tries to guess the type of the file?
> What happens if it can't tell what it is?
> Sorry to drive this point further, I really appreciate all the hard work
> people put in this project! But I really need to understand how this works
> in detail....
>
> regards,
>
> Andrew
>
>
>
> On 7 November 2014 18:41, Shawn Webb <swebb at sourcefire.com> wrote:
>
> > Hey Andrew,
> >
> > The reason why ClamAV failed to detect Zeus when you changed the first
> > byte is because of file magic. When you changed the first byte, you
> > changed the type of file ClamAV recognizes it as. In fact, if it's a PE
> > file, then changing that first byte will cause Windows to not even
> > execute the file. It could be that the 32nd byte carried no significance
> > and therefore ClamAV was still able to detect the file as Zeus. So, when
> > you change random data, you're changing the behavior of the applications
> > that utilize that data, which is completely expected.
> >
> > Thanks,
> >
> > Shawn
> >
> > On Fri, Nov 7, 2014 at 12:11 PM, Andrew Camilleri <
> > andrew.camilleri at gmail.com> wrote:
> >
> > > Hi Brandon,
> > >
> > > Many thanks for your reply. I totally agree with you on EICAR, but this
> > > should not happen with Zeus. EICAR was only included as a test case,
> > > i.e. to make sure that static signatures are being checked...
> > >
> > > Andrew
> > >
> > > On 7 November 2014 17:06, Brandon Perry <bperry.volatile at gmail.com> wrote:
> > >
> > > > EICAR should only ever be detected as is. It is specially made for
> > > > testing AV, and AV has no use for detecting variations of it.
> > > >
> > > > On Fri, Nov 7, 2014 at 11:02 AM, Andrew Camilleri <
> > > > andrew.camilleri at gmail.com> wrote:
> > > >
> > > > > Hi!
> > > > >
> > > > > I am totally new to ClamAV, so please excuse my ignorance.
> > > > > I am looking at how AV scanning is done in general, but also
> > > > > specifically in ClamAV. I came across this
> > > > > <https://www.mail-archive.com/clamav-devel@lists.clamav.net/msg03096.html>
> > > > > post, so I got that bit covered and won't repeat questions.
> > > > > I am working on a WAF and we will use ClamAV for scanning traffic. I
> > > > > am investigating the tolerance in correct classification with
> > > > > respect to changes in malware binaries. To conduct my experiments I
> > > > > picked up the EICAR "virus" and an actual virus, Zeus, from here
> > > > > <https://github.com/Visgean/Zeus>. I noticed that if I change a
> > > > > single character in EICAR, ClamAV will fail to detect it; I assume
> > > > > that this is due to a static signature (correct me if I am wrong)
> > > > > associated with this test virus; this seems like a perfectly good
> > > > > result to me. Next thing was to scan Zeus (after a simple git clone)
> > > > > and it picks up a few trojans from the ready-built binaries. I then
> > > > > changed the first byte of client32.bin (one of the files that was
> > > > > marked as a trojan) and scanned it. The result was that ClamAV did
> > > > > not recognize the trojan from this simple change. I then changed
> > > > > another byte, the 32nd one to be precise, and scanned it. The result
> > > > > was that ClamAV correctly classifies the binary as a Trojan. I was a
> > > > > little surprised that a change in the first byte would "hide" the
> > > > > trojan from scanning, especially since the first two bytes are
> > > > > completely useless <http://en.wikipedia.org/wiki/Mark_Zbikowski> in
> > > > > terms of running a windows binary. My only explanation is that with
> > > > > the change, the file fails some integrity check that ClamAV does, to
> > > > > make sure that the binary is runnable; I am assuming that there
> > > > > isn't a static signature here, otherwise it would not have been
> > > > > picked up with any change. I also did this test with zsb.exe in the
> > > > > repo and I got the same results. Finally I performed the same tests
> > > > > against McAfee and all these changes had no effect, i.e. the trojans
> > > > > were always correctly classified. In the case of deltas to EICAR
> > > > > however, McAfee did not recognize the "virus".
> > > > > Could you please help me to understand the meaning of these results?
> > > > > Also, is it possible to view the signature of a virus in the
> > > > > signature database? I looked at the doc, but I couldn't find how to
> > > > > do this; but I may have missed it and in that case sorry to ask this!
> > > > >
> > > > > Andrew
> > > > > _______________________________________________
> > > > > http://lurker.clamav.net/list/clamav-devel.html
> > > > > Please submit your patches to our Bugzilla: http://bugs.clamav.net
> > > > >
> > > > > http://www.clamav.net/contact.html#ml
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > http://volatile-minds.blogspot.com -- blog
> > > > http://www.volatileminds.net -- website
> > > >
> > >
> >
>



-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
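The mechanism Shawn describes above, i.e. that ClamAV first decides a file's type from its magic bytes and then applies only the signatures scoped to that type, is easy to see in a small model. The following is an added example, not code from this thread or from ClamAV itself. It parses the ClamAV `.ndb` text format (`Name:TargetType:Offset:HexSignature`, where target type 0 means any file and 1 means PE) with a toy magic-byte detector standing in for ClamAV's real file-type module, and then scans a constructed PE-like blob, the same blob with its first byte changed, and the same blob with its 32nd byte changed. The signatures, the sample file, and the `ignore_type` flag (a hypothetical "apply every signature regardless of type" mode, not a ClamAV option) are all constructed for illustration.

```python
"""Toy model of type-scoped signature scanning, in the style of ClamAV .ndb.

Added example; the signatures and sample file are constructed, not real ones.
"""
import re

# ClamAV .ndb target types (subset). 0 = any file, 1 = PE, 6 = ELF.
TARGET_ANY, TARGET_PE, TARGET_ELF = 0, 1, 6


def detect_type(data: bytes) -> int:
    """Minimal magic-byte file typing, a stand-in for ClamAV's filetype module."""
    if data[:2] == b"MZ":
        return TARGET_PE
    if data[:4] == b"\x7fELF":
        return TARGET_ELF
    return TARGET_ANY  # unrecognized: only type-0 signatures will apply


def parse_ndb(text: str):
    """Parse lines of the form Name:TargetType:Offset:HexSignature.

    Offset is '*' (anywhere) or an integer (exact position). The hex string
    may contain '??' single-byte wildcards. Returns a list of
    (name, target_type, offset, compiled_bytes_regex).
    """
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, ttype, offset, hexsig = line.split(":", 3)
        pattern = b"".join(
            b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
            for tok in re.findall(r"..", hexsig)
        )
        sigs.append((name, int(ttype), offset, re.compile(pattern, re.DOTALL)))
    return sigs


def scan(data: bytes, sigs, ignore_type: bool = False):
    """Return the names of matching signatures, in database order.

    A type-scoped signature is consulted only when the detected file type
    matches it, unless ignore_type is set (hypothetical scan-everything mode).
    """
    ftype = detect_type(data)
    hits = []
    for name, ttype, offset, rx in sigs:
        if not ignore_type and ttype not in (TARGET_ANY, ftype):
            continue  # signature not applicable to this file type
        if offset == "*":
            matched = rx.search(data) is not None
        else:
            matched = rx.match(data, int(offset)) is not None
        if matched:
            hits.append(name)
    return hits


def mutate(data: bytes, index: int, value: int) -> bytes:
    """Return a copy of data with the byte at index replaced by value."""
    return data[:index] + bytes([value]) + data[index + 1:]


# Constructed signature database (placeholder names, not real detections).
SAMPLE_NDB = """
# Example.PE.Marker is PE-scoped; Example.Any.Marker applies to any type.
Example.PE.Marker:1:*:deadbeefcafe
Example.Any.Marker:0:64:4142??44
"""
SIGS = parse_ndb(SAMPLE_NDB)

# Constructed PE-like blob: 'MZ' magic, padding, then the marker bytes.
SAMPLE_FILE = (
    b"MZ" + b"\x90" * 30 + b"\x00" * 32   # bytes 0..63: header and padding
    + b"ABCD"                              # bytes 64..67: matched by Any sig
    + b"\xde\xad\xbe\xef\xca\xfe"          # bytes 68..73: matched by PE sig
    + b"\x00" * 16
)

if __name__ == "__main__":
    cases = [
        ("original", SAMPLE_FILE),
        ("first byte changed", mutate(SAMPLE_FILE, 0, 0x00)),
        ("32nd byte changed", mutate(SAMPLE_FILE, 31, 0xFF)),
    ]
    for label, blob in cases:
        print(f"{label}: type={detect_type(blob)} hits={scan(blob, SIGS)}")
    print("first byte changed, all signatures:",
          scan(mutate(SAMPLE_FILE, 0, 0x00), SIGS, ignore_type=True))
```

With the first byte changed the blob is no longer typed as PE, so the PE-scoped signature is never consulted and only the type-0 signature fires; the change at byte 32 sits in header padding, so the type and both matches survive. That is the same pattern Andrew observed, and it is also why the altered file is not a runnable PE. For the question about viewing signatures, the real databases can be dumped to their text forms (including `.ndb`) with `sigtool --unpack main.cvd`.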

