[clamav-users] Match alternate bytes?

Kris Deugau kdeugau at vianet.ca
Thu Oct 8 16:14:39 UTC 2015


I've been seeing Javascript malware on and off where (one layer of) the
Javascript obfuscation is done by taking the real code, sticking in
random characters every other character, wrapping it in one or more
strings, and then using string manipulation to pull out the original
characters and execute it.

ClamAV won't let you just create a pattern like so:

3d2766{1}75{1}6e{1}63{1}74{1}69{1}6f{1}6e{1}20{1}64{1}6c...

and I understand the reasoning, but in this case I really do need to
match every other character, because the alternates are random garbage.

I've also created local signatures based on the .zip filename list (a
bare .js in a .zip in a random email is almost certainly malware), but
I'd still like to have signatures for the Javascript itself.

I've just submitted one of several samples I have on hand (SHA256
2f5688b2e23b5b481f63a7f465086f7b19dfbf20e8ac16c0ae5bc56fefe72849), but
I'm more interested in how to build a signature that will match most
similar obfuscated JS.

-kgd
