[clamav-users] Keymarble Yara rule?
Al Varnell
alvarnell at mac.com
Tue Aug 14 23:48:07 UTC 2018
Sorry, I wasn't clear. I meant the malware sample, not your dummy.
-Al-
On Tue, Aug 14, 2018 at 11:24 AM, Alessandro Vesely wrote:
> On Mon 13/Aug/2018 00:27:55 +0200 Al Varnell wrote:
>
>> I don't quite understand why you think it might not detect it.
>>
>> Text strings are not required to have an even number of digits. The hex
>> equivalent to that string would be: {62 63 39 [...] 34 30}. As
>> long as the string appears in a file, it should match.
>
> That's right.
>
> I thought it was unlikely to find a 65-byte binary sequence, so it looked wrong to me. Perhaps that's a wrong conjecture, since a malware writer may want to hard code crypto data in the executable. The sequence doesn't seem to be code.
>
>> I'd have to have the actual sample file in order to say anything more about it.
>
> I don't attach it, as it may appear to be a (broken) executable. Using an xxd[*] dump (instead of hd) solves the problem since xxd is reversible and idempotent:
>
> ~/tmp$ diff -s <(xxd -g 1 keymarble-dummy) <(xxd -g 1 keymarble-dummy|xxd -r|xxd -g 1)
> Files /dev/fd/63 and /dev/fd/62 are identical
>
> So you can copy the following to a file and revert to binary:
>
> ~/tmp$ xxd -g 1 keymarble-dummy
> 00000000: 4d 5a 74 68 69 73 20 69 73 20 61 20 64 75 6d 6d MZthis is a dumm
> 00000010: 79 20 6b 65 79 6d 61 72 62 6c 65 20 66 69 6c 65 y keymarble file
> 00000020: 20 63 72 65 61 74 65 64 20 66 6f 72 20 6d 61 6b created for mak
> 00000030: 69 6e 67 20 74 65 73 74 73 0a 00 00 40 00 00 00 ing tests...@...
> 00000040: 50 45 62 63 39 62 37 35 61 33 31 31 37 37 35 38 PEbc9b75a3117758
> 00000050: 37 32 34 35 33 30 35 63 64 34 31 38 62 38 64 66 7245305cd418b8df
> 00000060: 37 38 36 35 32 64 31 63 30 33 65 39 64 61 30 63 78652d1c03e9da0c
> 00000070: 66 63 39 31 30 64 36 64 33 38 65 65 34 31 39 31 fc910d6d38ee4191
> 00000080: 64 34 30 0a 00
>
> Best
> Ale
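An added example, not code posted in the thread and not part of ClamAV or YARA: a small Python script that rebuilds the dummy file from the `xxd -g 1` dump quoted above (the same job as `xxd -r`), checks the dump/revert round trip the `diff -s` line relies on, and shows that the 65-character text string and its hex-byte form in braces (`{62 63 39 ... 34 30}`) describe the same bytes, so a signature written either way matches the file. The function names (`xxd_reverse`, `xxd_g1`, `text_to_hex_string`, `hex_string_matches`) are my own; only the Python standard library is used.

```python
"""Added example, not part of the thread: rebuild the dummy file from the
xxd -g 1 dump quoted above, check the round trip that the diff in the thread
relies on, and show that a plain text string and its hex-byte form in braces
describe the same bytes."""
import re

# The xxd -g 1 dump of keymarble-dummy as posted in the thread. The ASCII
# column is reproduced as xxd prints it ('@' for the 0x40 byte at offset
# 0x3c); the parser below ignores that column anyway.
XXD_DUMP = """\
00000000: 4d 5a 74 68 69 73 20 69 73 20 61 20 64 75 6d 6d MZthis is a dumm
00000010: 79 20 6b 65 79 6d 61 72 62 6c 65 20 66 69 6c 65 y keymarble file
00000020: 20 63 72 65 61 74 65 64 20 66 6f 72 20 6d 61 6b  created for mak
00000030: 69 6e 67 20 74 65 73 74 73 0a 00 00 40 00 00 00 ing tests...@...
00000040: 50 45 62 63 39 62 37 35 61 33 31 31 37 37 35 38 PEbc9b75a3117758
00000050: 37 32 34 35 33 30 35 63 64 34 31 38 62 38 64 66 7245305cd418b8df
00000060: 37 38 36 35 32 64 31 63 30 33 65 39 64 61 30 63 78652d1c03e9da0c
00000070: 66 63 39 31 30 64 36 64 33 38 65 65 34 31 39 31 fc910d6d38ee4191
00000080: 64 34 30 0a 00
"""

# The 65-character string discussed in the thread (offsets 0x42..0x82 above).
KEYMARBLE_STRING = "bc9b75a31177587245305cd418b8df78652d1c03e9da0cfc910d6d38ee4191d40"

# Offset, colon, then at most 16 space-separated one-byte groups. The ASCII
# column that follows may itself look like hex digits (see the 0x50 line),
# which is why the repetition is capped at 16 instead of being open-ended.
_XXD_LINE = re.compile(r"^[0-9a-fA-F]+:((?: [0-9a-f]{2}){1,16})")


def xxd_reverse(dump: str) -> bytes:
    """Equivalent of `xxd -r` for a `xxd -g 1` dump."""
    out = bytearray()
    for line in dump.splitlines():
        m = _XXD_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).strip())
    return bytes(out)


def xxd_g1(data: bytes) -> str:
    """Approximation of `xxd -g 1` output: offset, 16 one-byte groups, ASCII."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(47)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {hexpart}  {text}")
    return "\n".join(lines) + "\n"


def text_to_hex_string(text: str) -> str:
    """Brace/space hex form of a text string, e.g. "bc9" -> "{62 63 39}"."""
    return "{" + " ".join(f"{b:02x}" for b in text.encode("ascii")) + "}"


def hex_string_matches(data: bytes, hex_string: str) -> bool:
    """True if the literal bytes of a brace/space hex string occur in data.
    Only literal bytes are handled; wildcards and jumps are out of scope."""
    return bytes.fromhex(hex_string.strip().strip("{}")) in data


# Rebuilt dummy file: 8 full lines of 16 bytes plus 5 bytes = 133 bytes.
DUMMY = xxd_reverse(XXD_DUMP)

if __name__ == "__main__":
    assert xxd_reverse(xxd_g1(DUMMY)) == DUMMY, "xxd round trip failed"
    sig = text_to_hex_string(KEYMARBLE_STRING)
    print(f"{len(DUMMY)} bytes rebuilt; string at 0x42:",
          DUMMY[0x42:0x42 + 65] == KEYMARBLE_STRING.encode())
    print("text signature matches:", KEYMARBLE_STRING.encode() in DUMMY)
    print("hex signature matches: ", hex_string_matches(DUMMY, sig))
```

The 16-group cap in the regex is the one non-obvious detail: on the `00000050:` line the ASCII column begins with `7245...`, so a parser that simply keeps consuming "space plus two hex digits" would swallow a spurious 0x72 byte from the text column and corrupt the rebuilt file.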