[clamav-users] How to find string for a signature?
kristen R
kristen at atmyhome.org
Sat Oct 21 05:55:06 UTC 2017
On 10/20/17 8:04 PM, Al Varnell wrote:
> Are you certain that it is actually from CERT from the header information or is that just the "From: " address which can easily be faked? You can determine a lot from submitting the e-mail raw source to <https://www.spamcop.net>.
Yes, I would say this is legitimate. I looked the IP and header info
over and compared it to previous mailings, and the info is the same mail server.
Received: from mailer190175.service.govdelivery.com (208.42.190.175)
by host.atmyhome with SMTP; 20 Oct 2017 19:10:22 -0800
Received-SPF: pass (host.atmyhome: SPF record at
spf.sp.service.govdelivery.com designates 208.42.190.175 as permitted
sender)
X-VirtualServer: B190C4, mailer190175.service.govdelivery.com, 172.25.0.175
X-VirtualServerGroup: B190C4
X-MailingID:
17159604::20171021.79734561::1001::MDB-PRD-BUL-20171021.79734561::kristen at atmyhome.org::52402_0
X-SMHeaderMap: mid="X-MailingID"
X-Destination-ID: kristen at atmyhome.org
X-SMFBL: a3Jpc3RlbkBhdG15aG9tZS5vcmc=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed;
d=ncas.us-cert.gov; s=15q3; i=@ncas.us-cert.gov;
h=Content-Transfer-Encoding:
Content-Type:x-subscriber:X-Accountcode:Errors-To:Reply-To:
MIME-Version:Message-ID:X-ReportingKey:Subject:Date:To:From;
bh=5iBXVVsNmQWv/yeUKz2ksz1ew2E=; b=Ph28B61orDBhRTTyNY08Xa/SfZmWu
VeWrac8XOaSPWdiXHfzPzInuwnLyHCvqn446d1vfMQ+l6PgUdOVRtWtoGCVlFN93
j836cd9GLgpMq1DTgo1BowhTKN6N1oDWaORcyTNQubM2l3A6iFyhMLjaEfv/3M/x
iGw6szqEyl5Eh/zfWpHCbQPz8IIDSc7LViHIOz62IUfslOnYSfA400enfrL9yqt6
jiPwWKEjHsfvJbXi8QJ32sA/IyqcGVoSMgDijJTpSp1T1o+NL0HrpdLAWxxJAjkZ
jfctIgx26uFyhctA2PxldPmMiKOfMdZK8AN/LAaiC2qhzhyK5E1LAw15Q==
Content-Transfer-Encoding: 7bit
Content-Type: multipart/alternative;
boundary="----=_NextPart_521_08BE_7C699BB4.5E61392A"
x-subscriber:
3.zvMgBIhjnwhEq7try0XvRHesb+KKQe5nt+vMrUeTBZy+pLuDPksXiQ7tpNeg9PJ70+TYjl958KrlvIMOI6korS2WSGwCPYPv3yyLGXX+vJue+Ug+Kk6Jm1Up3iaAXvglygDU3L6a1UjDFbxa00Q+KA==
X-Accountcode: USDHSUSCERT
Errors-To: messages at ncas.us-cert.gov
Reply-To: US-CERT at ncas.us-cert.gov
MIME-Version: 1.0
Message-ID: <17159604.52402 at ncas.us-cert.gov>
X-ReportingKey:
LJJJ2EWJK2HE4WJJ7C3JJJ::kristen at atmyhome.org::kristen at atmyhome.org
Subject:
=?US-ASCII?Q?TA17-293A:_Advanced_Persistent_Threat_Activity_Targe?=
=?US-ASCII?Q?ting_Energy_and_Other_Critical_Infrastructure_Sectors?=
Date: Fri, 20 Oct 2017 22:06:45 -0500
To: kristen at atmyhome.org
From: "=?US-ASCII?Q?US-CERT?=" <US-CERT at ncas.us-cert.gov>
>
> Signature details:
> sigtool -fPUA.Win.Trojan.Xored-1|sigtool --decode-sigs
> VIRUS NAME: PUA.Win.Trojan.Xored-1
> TARGET TYPE: HTML
> OFFSET: *
> DECODED SIGNATURE:
> charcodeat({WILDCARD_ANY_STRING(LENGTH<=5)})^
>
> I can't seem to find when the signature was added, but a Google search shows it being discussed as far back as April 2016.
>
> If, after examination, you still feel it's a False Positive, submit it (or the attachment) to <http://www.clamav.net/reports/fp> and return here with a hash value of whatever you submitted.
>
> PUA indicates "Potentially Unwanted Application" which indicates non-malware and makes it more difficult to identify as a False Positive. Win makes it Windows Only.
>
> -Al-
>
Thanks Al. I went ahead and injected this quarantined message for
delivery as it is a big HTML email that can be difficult to read from a
BASH shell. It appears they are showing samples of code from some
Windows exploit, or something. I didn't review it that long. I bet the
samples they put in this email triggered clamd.
I will consider this discussion closed unless the list wishes to add to
the discussion.
Kristen
> On Fri, Oct 20, 2017 at 08:30 PM, kristen R wrote:
>> List,
>>
>> I just received an email from ncas.us-cert.gov that was caught by clamd
>> reporting PUA.Win.Trojan.Xored-1 signature. This email is from the US
>> Department of Homeland Security.
>>
>> I suppose this is a case of a false positive. How does one find the
>> string triggering this event that I might know and report this as a
>> false positive?
>>
>> Kristen
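To act on Al's decoded signature and Kristen's original question (how to find the string that fired), here is an added example; it is not code from the thread or from the ClamAV project. It turns the decoded pattern charcodeat({WILDCARD_ANY_STRING(LENGTH<=5)})^ into a regular expression, decodes each MIME part's transfer encoding the way a scanner does before matching, and reports the offset and surrounding bytes of every hit. The lowercase-and-collapse-whitespace step is an assumption standing in for ClamAV's HTML normaliser, and the sample message is constructed, not the US-CERT mailing.

```python
import re
import email
from email import policy

# Al's decoded form of the signature, quoted from the thread:
#   charcodeat({WILDCARD_ANY_STRING(LENGTH<=5)})^
# i.e. the literal bytes "charcodeat(", then 0 to 5 arbitrary bytes, then ")^".
# Translating that into a regex is this example's own step, not ClamAV code.
SIG_NAME = "PUA.Win.Trojan.Xored-1"
SIG_REGEX = re.compile(rb"charcodeat\(.{0,5}\)\^", re.DOTALL)


def normalise_html(body: bytes) -> bytes:
    """Rough stand-in for ClamAV's HTML normaliser (assumption: lowercase
    text with whitespace runs collapsed). It is enough to show why a
    mixed-case 'charCodeAt(' in a quoted code sample can meet a
    lowercase signature."""
    return re.sub(rb"\s+", b" ", body.lower())


def find_matches(data: bytes, context: int = 24):
    """Return (offset, matched_bytes, context_bytes) for every hit in data."""
    hits = []
    for m in SIG_REGEX.finditer(data):
        start, end = m.span()
        hits.append((start, m.group(0), data[max(0, start - context):end + context]))
    return hits


def scan_message(raw: bytes):
    """Decode each MIME part's transfer encoding (scanners match on decoded
    bodies, not the raw quoted-printable/base64 text), normalise HTML parts,
    and report where the signature pattern lands."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True) or b""
        ctype = part.get_content_type()
        if ctype == "text/html":
            body = normalise_html(body)
        for offset, matched, ctx in find_matches(body):
            report.append({
                "signature": SIG_NAME,
                "part": ctype,
                "offset": offset,
                "match": matched,
                "context": ctx.decode("ascii", errors="replace"),
            })
    return report


# Constructed sample, not the US-CERT mailing: an HTML alternative that quotes
# a one-line XOR-decoding snippet of the kind an advisory might reproduce.
SAMPLE_EMAIL = b"""From: sender@example.test
To: recipient@example.test
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Plain-text alternative with no code sample.
--XYZ
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

<html><body><p>Indicator excerpt (constructed):</p>
<pre>out +=3D String.fromCharCode(s.charCodeAt(i)^0x5a);</pre>
</body></html>
--XYZ--
"""

if __name__ == "__main__":
    for hit in scan_message(SAMPLE_EMAIL):
        print(f"{hit['signature']} hit in {hit['part']} at offset {hit['offset']}: "
              f"{hit['match']!r}\n  context: {hit['context']}")
```

The context string around each hit is the piece worth pasting into a false-positive report next to the hash of the submitted file: it shows the reviewer that the match is a quoted code sample in an advisory rather than live script.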