[clamav-users] Detection in windows but not Linux

Kurt Fitzner kurt+clamav at va1der.ca
Mon Dec 14 03:32:39 UTC 2015

To my embarrassment, the Windows/Linux detection issue was mostly of my
making. WinSCP does CR/LF translation of text files by default. The rest
you can now all guess. I transferred the malware from my Linux box using
a LF -> CR/LF translation mode by mistake. It is the CR/LF version that
is detected by ClamAV's PHP.Shell-83 signature. The LF version isn't.
Unfortunately, it's the LF version that will exist in the wild and on my
Linux box. 

Here is the VirusTotal report for the LF-only version: 

https://www.virustotal.com/en/file/9a4a084309f51684ca86a1a5fac5a5c0951d5e82a407308ad09b69c6dcaca32b/analysis/1450061292/


With 25 out of 54 voting the LF-only version off the island. 

Here is the VirusTotal report for the CR/LF version again: 

https://www.virustotal.com/en/file/6e709d5679eac7c8d844f849b0c6e95f4b3f8b716fbae4c27037b760754152bf/analysis/1450059899/

ClamAV is unique in being the only one that detects on the CR/LF version
but not the LF-only version. The CR/LF detection list is otherwise a
subset of the LF-only list. Which is to be expected. 

I feel like that guy who forgot to type "binary" in old-style FTP before
transferring a compressed file. While I am a little embarrassed about
the initial mistake (and not catching it for so long), I suspect it also
happened to the person that originally submitted the malware for ClamAV.
And it may illuminate a similar issue for other signatures, if there
really are that many with CR/LF in them. 

I have submitted the LF-only version to the ClamAV DB team with an
explanation and a recommendation that the other signatures with CR/LF in
them be revisited. 

 Kurt 
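The mismatch Kurt describes comes down to exact byte matching: a signature whose hex body contains 0d0a can only hit a file that still has CR/LF line endings. The following is an added example, not ClamAV's code and not the PHP.Shell-83 signature (which is not reproduced on this page). It uses a constructed, benign PHP snippet and a constructed signature name, implements only the small subset of ndb hex-signature syntax needed here (plain hex, ?? single-byte wildcard, {n-m} byte ranges), and shows three things a practitioner would want: how to tell which line-ending flavour a sample has before submitting it, that a CR/LF-derived signature misses the LF-only copy, and how writing the line break as {0-1}0a makes the same signature match both.

```python
"""Reproduce the CR/LF vs LF signature mismatch with a tiny ClamAV-style
hex-signature matcher.  Added example: not ClamAV code.  The PHP text,
the signature names and the ndb subset implemented here are constructed
for illustration only."""
import re

# Constructed PHP text; the line ending is supplied by build().
PHP_LINES = [
    "<?php",
    "if(isset($_REQUEST['cmd'])){",
    "    echo '<pre>';",
    "    system($_REQUEST['cmd']);",
    "    echo '</pre>';",
    "}",
    "?>",
]


def build(eol: bytes) -> bytes:
    """Join the constructed lines with the given line ending."""
    return eol.join(line.encode() for line in PHP_LINES) + eol


def eol_style(data: bytes) -> str:
    """Classify a file's line endings: 'crlf', 'lf', 'mixed' or 'none'.
    Run this on a sample before submitting it, or before assuming a
    signature 'should' match it."""
    crlf = data.count(b"\r\n")
    bare_lf = data.count(b"\n") - crlf
    if crlf and bare_lf:
        return "mixed"
    if crlf:
        return "crlf"
    if bare_lf:
        return "lf"
    return "none"


def hexsig_to_regex(hexsig: str) -> bytes:
    """Translate a subset of ClamAV hex-signature syntax to a bytes regex:
    plain hex bytes, '??' (any one byte) and '{n-m}' (n to m arbitrary
    bytes).  Other ndb constructs are not handled (assumption: the
    signatures in this example use only these)."""
    out = []
    i = 0
    while i < len(hexsig):
        if hexsig[i] == "{":
            j = hexsig.index("}", i)
            lo, hi = hexsig[i + 1:j].split("-")
            out.append(b".{%d,%d}" % (int(lo), int(hi)))
            i = j + 1
        elif hexsig[i:i + 2] == "??":
            out.append(b".")
            i += 2
        else:
            out.append(re.escape(bytes.fromhex(hexsig[i:i + 2])))
            i += 2
    return b"".join(out)


def matches(ndb_line: str, data: bytes) -> bool:
    """Apply one ndb-format line (name:target:offset:hexsig) to data.
    Only offset '*' (anywhere) and absolute offsets are supported."""
    _name, _target, offset, hexsig = ndb_line.split(":", 3)
    pat = re.compile(hexsig_to_regex(hexsig), re.DOTALL)
    if offset == "*":
        return pat.search(data) is not None
    return pat.match(data, int(offset)) is not None


def to_hex(s: str) -> str:
    return s.encode().hex()


# Signature written from a CR/LF copy of the sample: 0d0a is baked into it.
SIG_CRLF = "Test.PHP.Shell-crlf:0:*:" + to_hex(
    "system($_REQUEST['cmd']);\r\n    echo")

# Same content, but the line break is written as {0-1}0a so an optional
# CR before the LF is tolerated and both flavours of the file match.
SIG_TOLERANT = ("Test.PHP.Shell-anyeol:0:*:"
                + to_hex("system($_REQUEST['cmd']);")
                + "{0-1}0a"
                + to_hex("    echo"))


def demo() -> dict:
    """Return {flavour: (eol_style, crlf_sig_hit, tolerant_sig_hit)}."""
    results = {}
    for label, eol in (("crlf", b"\r\n"), ("lf", b"\n")):
        sample = build(eol)
        results[label] = (eol_style(sample),
                          matches(SIG_CRLF, sample),
                          matches(SIG_TOLERANT, sample))
    return results


if __name__ == "__main__":
    for label, (style, crlf_hit, tolerant_hit) in demo().items():
        print(f"{label}: eol={style} crlf-sig={crlf_hit} tolerant-sig={tolerant_hit}")
```

The CR/LF sample hits both signatures; the LF-only sample hits only the tolerant one, which is exactly the Windows-versus-Linux split reported in the thread. The {0-1} range is a byte wildcard, so it would also accept a stray byte other than CR before the LF; that is usually acceptable for a script signature but worth keeping in mind when the surrounding bytes are the only thing keeping the signature specific.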

On 2015-12-13 22:35, Kurt Fitzner wrote: 

> through. 15 out of 54 AVs surveyed find it stinky. Here's the link: 
> 
> Interestingly, whatever version of ClamAV they use also detects it. I
> suspect they are using Windows since most of the other engines they use
> are also Windows. I'm interested enough now to compile ClamAV in Cygwin
> for myself and see what's going on. 
> 
> Kurt. 
> 
> On 2015-12-13 22:22, Al Varnell wrote: 
> 
>> I didn't expect the test signature to be successful as my understanding of the way the scanner works requires an exact match to the ASCII string. My familiarity is with ClamXav for OS X which uses an unmatched version of the UNIX ClamAV engine and have no idea what ClamWin uses that might cause different results. Certainly appears that a bug report is in order for either ClamAV or perhaps ClamWin. I understand you are certain that what you have is malware, but there is no guarantee that ClamAV signatures detect it, so this could currently be a false positive of that specific infection name. Try submitting it to http://www.virustotal.com [1] to see what other scanners have to say. Let us know what the analysis link is.
>> 
>> As far as submitting to Cisco/ClamAV I think you should wait until we hear from them. They can always get it from VirusTotal, but they may have provisions to allow attachment to a bug report.
>> 
>> Sent from Janet's iPad
>> 
>> -Al-
>> 
>> On Dec 13, 2015, at 4:27 PM, Kurt Fitzner wrote: 
>> 
>> Just got home and was able to test. Test signature from Steve fails to
>> detect on both Linux and Windows. Tested on Linux with 0.98.7 supplied
>> Debian binaries, and 0.99 binary compiled by myself. Tested in Windows
>> with ClamWin supplied binary. 
>> 
>> Should I submit my copy of the malware somewhere to aid with testing? 
>> 
>> Kurt 
>> 
>> On 2015-12-13 20:00, Al Varnell wrote: 
>> 
>> I would want to know the results of using the test signature on both systems first, and file a bug report if it turns out to be a ClamAV problem.
>> 
>> Sent from Janet's iPad
>> 
>> -Al-
>> 
>> On Dec 13, 2015, at 11:49 AM, Kurt Fitzner wrote: 
>> 
>> The question remains as to why the signature correctly leads to a match in Windows but not Linux. If carriage return/linefeed handling differences between the two OSes are to blame, then I suggest a two-pronged approach. Correct the signatures, AND patch clamav so that the signatures as written are processed the same way. Even if they are suboptimal signatures, I'd suggest they should be processed the same way on all platforms.
>> 
>> That's a lot of signatures that may not be working. Perhaps I'm stating the obvious, but if CR/LF are involved, it means these are likely scripts and such... just the kind of signatures that would be important to catch in Linux.
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq [2]
> 
> http://www.clamav.net/contact.html#ml [3]


Links:
------
[1] http://www.virustotal.com
[2] https://github.com/vrtadmin/clamav-faq
[3] http://www.clamav.net/contact.html#ml
[4] https://www.virustotal.com/en/file/6e709d5679eac7c8d844f849b0c6e95f4b3f8b716fbae4c27037b760754152bf/analysis/1450059899/