[Clamav-devel] ClamAV scanning

andreisaygo at live.ie
Sat Nov 8 20:58:46 EST 2014


Hi Andrew,

In order to run an executable file (PE) with a changed MZ, in most cases malware needs either a dropper or an injector. The dropper will modify the magic bytes back to their original values and then execute the file. An injector can just map the file in memory and execute the code directly. Like Brandon said, the file won't be able to run by itself.
However, if you really want to detect malware even if the header is modified, I suggest changing the TargetType in the signature from 1 (which means PE) to 0 (which means any file). Assuming that it's an extended signature that matches specific bytes in the code, then even if the header (MZ) is changed, the file will still be detected.

Hope that helps.

Regards,
Andrei

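As an added illustration of the TargetType point above (example code written for this thread, not ClamAV's own implementation): a toy matcher for the .ndb extended-signature line format (MalwareName:TargetType:Offset:HexSignature) that, like ClamAV, only tries TargetType 1 signatures on files it recognises as PE, so the same hex signature with TargetType 0 still fires after the MZ magic is altered. The sample bytes, both signature names and the MZ-only file-type check are assumptions constructed for the demo.

```python
import re

# Constructed stand-in for a PE file: "MZ" magic, padding, then a short code
# stub. Not a real executable; only the magic bytes and the stub matter here.
SAMPLE = (b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 16
          + b"\x55\x8b\xec\xe8\x11\x22\x33\x44\xcc" + b"\x00" * 16)

def file_type(data: bytes) -> str:
    """Simplified file magic: a file starting with 'MZ' is treated as PE."""
    return "PE" if data[:2] == b"MZ" else "ANY"

def parse_ndb(line: str) -> dict:
    """Parse one .ndb line: MalwareName:TargetType:Offset:HexSignature.
    Assumption: only '*'/absolute offsets and '??'/'*' hex wildcards are modelled."""
    name, target, offset, hexsig = line.strip().split(":")[:4]
    pattern = b""
    for tok in re.findall(r"\?\?|\*|[0-9a-fA-F]{2}", hexsig):
        if tok == "??":
            pattern += b"."       # any single byte
        elif tok == "*":
            pattern += b".*"      # any run of bytes
        else:
            pattern += re.escape(bytes.fromhex(tok))
    return {"name": name, "target": int(target), "offset": offset,
            "regex": re.compile(pattern, re.DOTALL)}

def scan(data: bytes, sigs: list) -> list:
    """Return names of matching signatures, honouring each one's TargetType."""
    ftype = file_type(data)
    hits = []
    for sig in sigs:
        # TargetType 1 is only tried on files recognised as PE; 0 on any file.
        if sig["target"] == 1 and ftype != "PE":
            continue
        if sig["offset"] == "*":
            m = sig["regex"].search(data)
        else:
            m = sig["regex"].match(data, int(sig["offset"]))
        if m:
            hits.append(sig["name"])
    return hits

# Two constructed demo signatures for the same code stub; only TargetType differs.
SIGS = [parse_ndb(s) for s in ("Demo.Stub.PEonly:1:*:558bece8????????cc",
                               "Demo.Stub.AnyFile:0:*:558bece8????????cc")]

# demo() -> {'intact': ['Demo.Stub.PEonly', 'Demo.Stub.AnyFile'], 'patched': ['Demo.Stub.AnyFile']}
def demo() -> dict:
    patched = b"\x00" + SAMPLE[1:]   # first byte of the MZ magic altered
    return {"intact": scan(SAMPLE, SIGS), "patched": scan(patched, SIGS)}
```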

> Date: Sat, 8 Nov 2014 11:50:18 -0600
> From: bperry.volatile at gmail.com
> To: clamav-devel at lists.clamav.net
> Subject: Re: [Clamav-devel] ClamAV scanning
> 
> Changing the first byte of an MZ header for a PE executable is not a
> legitimate way of hiding your artifacts because no one will be able to run
> your hidden artifact for the exploit/malware to do anything.
> 
> On Sat, Nov 8, 2014 at 11:41 AM, Andrew Camilleri <
> andrew.camilleri at gmail.com> wrote:
> 
> > Hi Shawn!
> >
> > Many thanks for replying. I see what you are saying and I agree with you to
> > a certain extent. Here is my thinking process. My understanding is that the
> > job of an AV is to detect malware, and this usually involves pattern
> > matching. Yes you are right, the malware needs to run, but really that is a
> > different concern, the OS concern, whereas the concern of an AV is
> > detection/matching. It is a little alarming to me the fact that I can
> > easily hide a virus by simply changing a single byte; with the right
> > context (in our case perhaps through a trivial transformation down the
> > stack) a virus can come back to life. Do you see my point? Again I am no
> > expert in this, but McAfee seems to agree with what I am saying. Besides
> > separation of concerns, you can also argue for robustness; virus writers
> > have tried all sorts of complex schemes to hide their artefacts and this
> > feels like a legitimate way of achieving that.
> > So if I understand correctly, ClamAV tries to guess the type of the file?
> > What happens if it can't tell what it is?
> > Sorry to drive this point further, I really appreciate all the hard work
> > people put in this project! But I really need to understand how this works
> > in detail....
> >
> > regards,
> >
> > Andrew
> >
> >
> >
> > On 7 November 2014 18:41, Shawn Webb <swebb at sourcefire.com> wrote:
> >
> > > Hey Andrew,
> > >
> > > The reason why ClamAV failed to detect Zeus when you changed the first
> > > byte is because of file magic. When you changed the first byte, you
> > > changed the type of file ClamAV recognizes it as. In fact, if it's a PE
> > > file, then changing that first byte will cause Windows to not even
> > > execute the file. It could be that the 32nd byte carried no significance
> > > and therefore ClamAV was still able to detect the file as Zeus. So, when
> > > you change random data, you're changing the behavior of the applications
> > > that utilize that data, which is completely expected.
> > >
> > > Thanks,
> > >
> > > Shawn
> > >
> > > On Fri, Nov 7, 2014 at 12:11 PM, Andrew Camilleri <
> > > andrew.camilleri at gmail.com> wrote:
> > >
> > > > Hi Brandon,
> > > >
> > > > Many thanks for your reply. I totally agree with you on EICAR, but this
> > > > should not happen with Zeus. EICAR was only included as a test case,
> > > > i.e. to make sure that static signatures are being checked...
> > > >
> > > > Andrew
> > > >
> > > > On 7 November 2014 17:06, Brandon Perry <bperry.volatile at gmail.com>
> > > wrote:
> > > >
> > > > > EICAR should only ever be detected as is. It is specially made for
> > > > > testing AV, and AV has no use for detecting variations of it.
> > > > >
> > > > > On Fri, Nov 7, 2014 at 11:02 AM, Andrew Camilleri <
> > > > > andrew.camilleri at gmail.com> wrote:
> > > > >
> > > > > > Hi!
> > > > > >
> > > > > > I am totally new to ClamAV, so please excuse my ignorance.
> > > > > > I am looking at how AV scanning is done in general, but also
> > > > > > specifically in ClamAV. I came across this
> > > > > > <https://www.mail-archive.com/clamav-devel@lists.clamav.net/msg03096.html>
> > > > > > post, so I got that bit covered and won't repeat questions.
> > > > > > I am working on a WAF and we will use ClamAV for scanning traffic. I
> > > > > > am investigating the tolerance in correct classification with respect
> > > > > > to changes in malware binaries. To conduct my experiments I picked up
> > > > > > the EICAR "virus" and an actual virus, Zeus, from here
> > > > > > <https://github.com/Visgean/Zeus>. I noticed that if I change a
> > > > > > single character in EICAR, ClamAV will fail to detect it; I assume
> > > > > > that this is due to a static signature (correct me if I am wrong)
> > > > > > associated with this test virus; this seems like a perfectly good
> > > > > > result to me. Next thing was to scan Zeus (after a simple git clone)
> > > > > > and it picks up a few trojans from the ready built binaries. I then
> > > > > > changed the first byte of client32.bin (one of the files that was
> > > > > > marked as a trojan) and scanned it. The result was that ClamAV did
> > > > > > not recognize the trojan from this simple change. I then changed
> > > > > > another byte, the 32nd one to be precise, and scanned it. The result
> > > > > > was that ClamAV correctly classifies the binary as a Trojan. I was a
> > > > > > little surprised that a change in the first byte would "hide" the
> > > > > > trojan from scanning, especially since the first two bytes are
> > > > > > completely useless <http://en.wikipedia.org/wiki/Mark_Zbikowski> in
> > > > > > terms of running a Windows binary. My only explanation is that with
> > > > > > the change, the file fails some integrity check that ClamAV does, to
> > > > > > make sure that the binary is runnable; I am assuming that there isn't
> > > > > > a static signature here, otherwise it would not have been picked up
> > > > > > with any change. I also did this test with zsb.exe in the repo and I
> > > > > > got the same results. Finally I performed the same tests against
> > > > > > McAfee and all these changes had no effect, i.e. the trojans were
> > > > > > always correctly classified. In the case of deltas to EICAR however,
> > > > > > McAfee did not recognize the "virus".
> > > > > > Could you please help me to understand the meaning of these results?
> > > > > > Also, is it possible to view the signature of a virus in the
> > > > > > signature database? I looked at the doc, but I couldn't find how to
> > > > > > do this; but I may have missed it and in that case sorry to ask this!
> > > > > >
> > > > > > Andrew
> > > > > > _______________________________________________
> > > > > > http://lurker.clamav.net/list/clamav-devel.html
> > > > > > Please submit your patches to our Bugzilla: http://bugs.clamav.net
> > > > > >
> > > > > > http://www.clamav.net/contact.html#ml
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > http://volatile-minds.blogspot.com -- blog
> > > > > http://www.volatileminds.net -- website
> 
> 
> 