[clamav-users] FilenameRegex and backreferences

kionez kionez at anche.no
Fri Jul 7 10:00:18 UTC 2017


#include <kionez.h>    // created 06/07/2017 14:53

Many thanks demonduck!!

[cut]

> I'll try to convert my rule into LDB!

After some RTFM I finally understood the LDB format, so I created my
first two rules to detect obfuscated malware scripts in wsf/hta files.
The attachment is a zip/rar archive, which contains a directory and a
script with the same name, i.e.:

SH6352633.rar --> SH6352633/SH6352633.hta
LG7569035.zip --> LG7569035/LG7569035.wsf

So, using the "file magic" 0:504B for ZIP and 0:5261 for RAR (taken from
https://en.wikipedia.org/wiki/List_of_file_signatures), I could write
two rules:

ACD.BadFilenameLDB.01;Engine:81-255,Target:0;0&1;0:504B;2,200:0/(?P<name>[A-Z0-9_\-\.]{8,12})(/|\\)(?P=name)\.(wsf|hta)/e
ACD.BadFilenameLDB.02;Engine:81-255,Target:0;0&1;0:5261;2,200:0/(?P<name>[A-Z0-9_\-\.]{8,12})(/|\\)(?P=name)\.(wsf|hta)/e

I do not think it can generate too many false positives; for now it's in
testing :)

k.
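The following script is an added example, not code from the post above or from ClamAV: it mirrors the logic of the two rules in plain Python so the regex can be tried offline against constructed archives. Subsig 0 becomes a two-byte magic check at offset 0, subsig 1 becomes the same PCRE (Python's re accepts the (?P<name>...) / (?P=name) syntax) searched inside a window of 200 bytes starting at offset 2; treating the "2,200:" prefix plus the 'e' flag as exactly that window is an assumption of this example, not a description of the ClamAV matcher. The ZIP samples are built with the zipfile module; the RAR sample is a constructed stand-in that only reproduces the "Rar!" marker and a file name in the first 200 bytes, it is not a valid archive. The real check remains loading the .ldb with clamscan -d.

```python
"""Emulate the two ACD.BadFilenameLDB rules against constructed archives.

Added example, not code from the post or from ClamAV. The authoritative
test is `clamscan -d rules.ldb sample.zip`; this only mirrors the two
subsignatures so the regex and the offset window can be exercised offline.
"""
import io
import re
import zipfile
from typing import Optional, Tuple

# Subsignature 0 of each rule: two magic bytes anchored at offset 0
# (0:504B -> "PK" for ZIP, 0:5261 -> "Ra" for RAR).
RULES = {
    b"PK": "ACD.BadFilenameLDB.01",
    b"Ra": "ACD.BadFilenameLDB.02",
}

# Subsignature 1: the PCRE from the post, unchanged. The "2,200:" prefix and
# the 'e' (encompass) flag are approximated as a search confined to the
# 200-byte window starting at offset 2 (an assumption of this example).
PCRE_OFFSET, PCRE_MAXSHIFT = 2, 200
FILENAME_RE = re.compile(rb"(?P<name>[A-Z0-9_\-\.]{8,12})(/|\\)(?P=name)\.(wsf|hta)")


def scan(data: bytes) -> Optional[Tuple[str, bytes]]:
    """Return (rule name, captured archive name) if a rule fires, else None.

    The logical expression of both rules is '0&1': the magic at offset 0
    and the regex inside the window must both hit.
    """
    for magic, rule in RULES.items():
        if not data.startswith(magic):
            continue
        window = data[PCRE_OFFSET:PCRE_OFFSET + PCRE_MAXSHIFT]
        m = FILENAME_RE.search(window)
        if m:
            return rule, m.group("name")
    return None


def build_zip(entries) -> bytes:
    """Constructed sample: an in-memory ZIP holding the given (name, payload) entries.

    ZIP_STORED keeps the layout simple: each local file header is 30 bytes
    followed by the entry name, so the names land well inside the window.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in entries:
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples (no real malware): the layout described in the post, a
# benign archive, and the same layout with a lowercase name. The regex has no
# 'i' flag, so the lowercase variant is expected not to fire.
SAMPLE_ZIP = build_zip([
    ("SH6352633/", b""),
    ("SH6352633/SH6352633.hta", b"<script>/* constructed placeholder */</script>"),
])
BENIGN_ZIP = build_zip([
    ("report/", b""),
    ("report/summary.txt", b"quarterly numbers"),
])
LOWERCASE_ZIP = build_zip([
    ("sh6352633/", b""),
    ("sh6352633/sh6352633.hta", b"<script></script>"),
])

# Constructed stand-in for a RAR: only the "Rar!" marker and a file name inside
# the first 200 bytes are reproduced. It is NOT a valid archive; it just
# exercises the second rule and the backslash alternative in the regex.
SAMPLE_RAR = (b"Rar!\x1a\x07\x00" + b"\x00" * 32
              + b"LG7569035\\LG7569035.wsf" + b"\x00" * 64)

if __name__ == "__main__":
    for label, blob in [("SAMPLE_ZIP", SAMPLE_ZIP), ("BENIGN_ZIP", BENIGN_ZIP),
                        ("LOWERCASE_ZIP", LOWERCASE_ZIP), ("SAMPLE_RAR", SAMPLE_RAR)]:
        print(f"{label:14s} -> {scan(blob)}")
```

Two things the script makes visible that the rules alone do not: a name that appears only after the first 202 bytes (for example behind a long extra field or a large first entry) is outside the window and does not fire, and since the PCRE carries no 'i' flag, a mixed- or lowercase name is not matched either.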

