[clamav-users] Match on raw .wsf file?

Kris Deugau kdeugau at vianet.ca
Tue Aug 30 16:36:52 EDT 2016


Is there a way to force matching on the raw file, or at least control
the normalization to some degree so that formatting and details in the
original code aren't lost?

I've been coming across .wsf files in .zip files, which are essentially
JavaScript wrapped in a very thin wrapper:

<job><script language="JScript" width=100>
[insert nasty Javascript here]
</script></job>

However, signatures I've created based on the raw file never match, and
I finally figured out a few months ago that I'd have to use clamscan
--leave-temps to dig up the normalized text Clam was actually running
pattern matches against.

Unfortunately I've just discovered a flaw in this process, in that the
normalizing process is also stripping off some of the key JS-obfuscation.

I've posted the raw first ~8 lines of one of these files, and the
normalized version of that same chunk of text:

http://deepnet.cx/clamfrags/raw-wsf-01
http://deepnet.cx/clamfrags/norm-wsf-01

In this case, one of the key things I'd like to match on is the
"br"+"o"+"ken" strings in their broken form, but that information is
wiped away in the normalized version.

-kgd
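The effect described in this post, shown with an added example that is not part of the original message and not ClamAV's own code: a toy normalizer (an assumption standing in for the real one, which I have not reproduced) folds "br"+"o"+"ken" into "broken", so a substring signature written against the raw file misses the scanned text, while a signature for the joined form hits only the normalized text. The constructed .wsf sample is harmless placeholder script, and the split-string regex is a hypothetical detector for this one obfuscation style that has to run over the raw bytes, not the normalized ones.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the .wsf wrapper the post describes.
# The script body is an innocuous placeholder, not real malware.
RAW_WSF = '''<job><script language="JScript">
var a = "br"+"o"+"ken";
var b = "WScr" + "ipt";
WScript.Echo(a + " " + b);
</script></job>
'''

# Regex used by the toy normalizer: two adjacent double-quoted literals
# joined by '+', with optional whitespace around the operator.
_CONCAT = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')


def approximate_js_normalize(text: str) -> str:
    """Toy stand-in for a JavaScript normalizer (assumption, NOT ClamAV's code).

    It repeatedly joins "x" + "y" into "xy", lowercases, and collapses
    whitespace: the kind of rewrite the post observes wiping out the
    split-string form before pattern matching happens.
    """
    prev = None
    while prev != text:                      # loop until no more joins apply
        prev = text
        text = _CONCAT.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), text)
    text = text.lower()
    return re.sub(r'\s+', ' ', text).strip()


def raw_signature_hits(raw: str, normalized: str, needle: str) -> Dict[str, bool]:
    """Report whether a plain-substring signature fires on each form."""
    return {"raw": needle in raw, "normalized": needle in normalized}


# Hypothetical detector for string-splitting obfuscation: two or more short
# double-quoted literals glued together with '+', as in "br"+"o"+"ken".
_SPLIT_STRING = re.compile(r'"[^"]{1,6}"(?:\s*\+\s*"[^"]{1,6}")+')


def split_string_fragments(text: str) -> List[str]:
    """Return each split-string expression found in the given text.

    Run this over the raw file: after normalization the pieces are already
    joined, so there is nothing left for it to find.
    """
    return [m.group(0) for m in _SPLIT_STRING.finditer(text)]


if __name__ == "__main__":
    norm = approximate_js_normalize(RAW_WSF)
    print("normalized:", norm)
    print('"br"+"o"+"ken" hits:', raw_signature_hits(RAW_WSF, norm, '"br"+"o"+"ken"'))
    print('"broken" hits:      ', raw_signature_hits(RAW_WSF, norm, '"broken"'))
    print("split strings in raw:       ", split_string_fragments(RAW_WSF))
    print("split strings in normalized:", split_string_fragments(norm))
```

The practical takeaway is the one the post arrives at: a content signature has to be written against whatever text the engine actually matches on (the normalized copy recovered with --leave-temps), and an indicator that only exists in the pre-normalization form, such as the split-string pattern, needs a check that sees the raw bytes.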
