[clamav-users] Keymarble Yara rule?
Al Varnell
alvarnell at mac.com
Sat Aug 11 21:11:07 UTC 2018
Here's the VirusTotal page on this file
<https://www.virustotal.com/#/file/e23900b00ffd67cd8dfa3283d9ced691566df6d63d1d46c95b22569b49011f09/detection>
and it does show that ClamAV detects it as Win.Trojan.Agent-6641267-0, which was just added yesterday by daily - 24829 and is an MD5 hash:
[daily.hsb] 704d491c155aad996f16377a35732cb4:126976:Win.Trojan.Agent-6641267-0:73
so yes, ClamAV should catch it already.
-Al-
On Sat, Aug 11, 2018 at 04:04 AM, Alessandro Vesely wrote:
> Well, in this case ClamAV supports YARA enough to get:
>
> ~/tmp$ clamscan -d keymarble.yara keymarble-dummy
> keymarble-dummy: YARA.rsa_modulus.UNOFFICIAL FOUND
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 1
> Engine version: 0.100.0
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.00 MB
> Data read: 0.00 MB (ratio 0.00:1)
> Time: 0.006 sec (0 m 0 s)
>
>
> The question is whether one should copy keymarble.yara to /var/lib/clamav/, on a production server where ClamAV is used to scan email. It is useless if ClamAV catches keymarble already. It is also useless/harmful if $n is a bogus string.
>
> More basic question: Is ClamAV staff monitoring US-CERT's alerts, and updating ClamAV database on good rules?
>
> I'd also appreciate generic opinions about US-CERT. I'm not a careful analyst, so maybe I'm wrong, but it seems to me they are getting weaker and weaker, since about 2013, when they changed alert message format (introducing html and dropping pgp). For example, last year's TA17-293A[*] would have blocked any file containing the string "icon.png"...
>
> Best
> Ale
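The daily.hsb line quoted above follows ClamAV's hash-signature field layout. As an added example (not code from this thread and not ClamAV's own code), here is a small Python parser and matcher for that layout. It assumes the fields are `HashString:FileSize:MalwareName[:FuncLevel]`, that the hash algorithm follows from the hex length (32 = MD5, 40 = SHA1, 64 = SHA256), and that `*` as the size means "any size"; the second signature and the bytes it matches are constructed here so the example runs without the real sample on disk.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed field layout of a ClamAV .hsb/.hdb hash signature line:
#   HashString:FileSize:MalwareName[:FuncLevel]
# The hash algorithm is inferred from the hex length; FileSize may be "*"
# (any size); FuncLevel is the minimum engine functionality level and is
# only recorded here, not enforced.
HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}


@dataclass(frozen=True)
class HashSignature:
    digest: str
    algo: str
    size: Optional[int]        # None means "*" (match any size)
    name: str
    func_level: Optional[int]


def parse_hsb_line(line: str) -> HashSignature:
    """Parse one signature line; raise ValueError on malformed input."""
    fields = line.strip().split(":")
    if len(fields) not in (3, 4):
        raise ValueError(f"expected 3 or 4 colon-separated fields: {line!r}")
    digest, size, name = fields[0].lower(), fields[1], fields[2]
    algo = HASH_ALGOS.get(len(digest))
    if algo is None or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"unrecognised hash string: {digest!r}")
    func_level = int(fields[3]) if len(fields) == 4 else None
    return HashSignature(
        digest=digest,
        algo=algo,
        size=None if size == "*" else int(size),
        name=name,
        func_level=func_level,
    )


def load_signatures(text: str) -> List[HashSignature]:
    """Parse a whole signature file body, skipping blank lines."""
    return [parse_hsb_line(ln) for ln in text.splitlines() if ln.strip()]


def match_bytes(data: bytes, sigs: List[HashSignature]) -> Optional[str]:
    """Return the malware name of the first signature matching data, else None.

    The cheap size check runs first; each digest is computed at most once per
    algorithm, however many signatures share it.
    """
    digests: Dict[str, str] = {}
    for sig in sigs:
        if sig.size is not None and sig.size != len(data):
            continue
        if sig.algo not in digests:
            digests[sig.algo] = hashlib.new(sig.algo, data).hexdigest()
        if digests[sig.algo] == sig.digest:
            return sig.name
    return None


# The signature line quoted in the thread (daily.hsb).
PAGE_SIGNATURE_LINE = "704d491c155aad996f16377a35732cb4:126976:Win.Trojan.Agent-6641267-0:73"

# Constructed sample: harmless bytes plus a signature built from their own
# MD5, so a hit can be shown without the real file.
SAMPLE_DATA = b"constructed test content, not malware\n"
SAMPLE_LINE = f"{hashlib.md5(SAMPLE_DATA).hexdigest()}:{len(SAMPLE_DATA)}:Test.Constructed-1:73"

if __name__ == "__main__":
    sigs = load_signatures(PAGE_SIGNATURE_LINE + "\n" + SAMPLE_LINE + "\n")
    for s in sigs:
        print(s)
    print("sample ->", match_bytes(SAMPLE_DATA, sigs))       # Test.Constructed-1
    print("other  ->", match_bytes(b"something else", sigs))  # None
```

Because a hash signature only fires on an exact digest (and, unless the size is `*`, an exact size), a single changed byte in a new build of the sample gives a different MD5 and no match; that is the trade-off against the YARA rule in the quoted scan, which matches on content patterns rather than a whole-file digest.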