[clamav-users] using clamav to detect unwanted data exfiltration programs (e.g., Dropbox)?
James Ralston
ralston at pobox.com
Thu Feb 15 20:34:17 UTC 2018
Has anyone experimented with using clamav to detect PUAs (potentially
unwanted executables) beyond what clamav already can detect? If so, do
you have any advice?
For legal reasons, we prohibit cloud-based file storage technologies
like Dropbox. On our Windows systems, we can prohibit Dropbox via
AppLocker, but for Linux, it's not so easy.
Since we regularly scan our systems with clamav anyway, creating
clamav signatures to detect Dropbox scripts and executables seems like
a reasonable approach.
Looking for the "dropbox_client_start" symbol seems like it will
detect the nautilus extension:
$ dd if=libnautilus-dropbox.so bs=1c skip=5412 count=22 2>/dev/null | od -a
0000000 nul d r o p b o x _ c l i e n t _
0000020 s t a r t nul
0000026
So, to create a signature out of that:
PUA.Elf.Dropbox.A:6:*:0064726f70626f785f636c69656e745f737461727400
For the /usr/bin/dropbox Python script, looking for the
opener.addheaders string followed closely by the
DropboxLinuxDownloader string seems like a good strategy:
$ tail -n +213 dropbox | head -4
def download_file_chunk(url, buf):
    opener = urllib2.build_opener()
    opener.addheaders = [('User-Agent', "DropboxLinuxDownloader/2015.10.28")]
    sock = opener.open(url)
PUA.Script.Dropbox.A:7:*:6f70656e65722e61646468656164657273{12-32}64726f70626f786c696e7578646f776e6c6f61646572
But while we can create one-off signatures for these
scripts/executables, it strikes me that it may make more sense to
create a new PUA category for them. E.g.:
DataEx
Data exfiltration tools, like cloud-based file storage
technologies, can seamlessly move local data to cloud-based
services. If local data is sensitive or restricted, this can be
undesirable, or legally prohibited.
There will be more of these unwanted scripts/executables than just
Dropbox; that's just the example du jour.
Thoughts?
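The two signatures from the post, rebuilt from their byte strings and checked against constructed stand-in samples. This is an added example, not code from the post or from ClamAV; the matcher approximates ClamAV's target-7 (ASCII normalised) view as lowercasing plus whitespace collapsing, which is an assumption, and it does not check the file type that a real target-6 scan would.

```python
import re

# Constructed stand-ins for libnautilus-dropbox.so and /usr/bin/dropbox (not the real files).
ELF_SAMPLE = b"\x7fELF" + b"\x00" * 40 + b"\x00dropbox_client_start\x00" + b"\x00" * 8
SCRIPT_SAMPLE = (
    b"def download_file_chunk(url, buf):\n"
    b"    opener = urllib2.build_opener()\n"
    b"    opener.addheaders = [('User-Agent', \"DropboxLinuxDownloader/2015.10.28\")]\n"
    b"    sock = opener.open(url)\n"
)

def hex_body(*parts):
    """Join byte strings and '{n-m}' gap tokens into an .ndb hex signature body."""
    return "".join(p if isinstance(p, str) else p.hex() for p in parts)

def ndb_signature(name, target, body, offset="*"):
    """Build one .ndb line: MalwareName:TargetType:Offset:HexSignature."""
    return f"{name}:{target}:{offset}:{body}"

def normalize_ascii(data):
    """Assumed approximation of ClamAV's target-7 view: lowercase, collapse whitespace."""
    return re.sub(rb"\s+", b" ", data.lower())

def body_to_regex(body):
    """Translate a hex body with {n-m} gaps into a compiled bytes regex."""
    pattern = b""
    for tok in re.findall(r"\{\d+-\d+\}|[0-9a-fA-F]{2}", body):
        if tok.startswith("{"):
            lo, hi = tok[1:-1].split("-")
            pattern += b".{%d,%d}" % (int(lo), int(hi))   # wildcard gap of lo..hi bytes
        else:
            pattern += re.escape(bytes.fromhex(tok))       # one literal byte
    return re.compile(pattern, re.DOTALL)

def matches(sig_line, data):
    """Return True if the .ndb signature line hits the data (offset '*' = anywhere)."""
    name, target, offset, body = sig_line.split(":", 3)
    view = normalize_ascii(data) if target == "7" else data
    m = body_to_regex(body).search(view)
    if m is None:
        return False
    return offset == "*" or m.start() == int(offset)

# The two signatures from the post, regenerated from the strings they encode.
ELF_SIG = ndb_signature("PUA.Elf.Dropbox.A", 6, hex_body(b"\x00dropbox_client_start\x00"))
SCRIPT_SIG = ndb_signature("PUA.Script.Dropbox.A", 7,
                           hex_body(b"opener.addheaders", "{12-32}", b"dropboxlinuxdownloader"))

if __name__ == "__main__":
    for sig, sample in ((ELF_SIG, ELF_SAMPLE), (SCRIPT_SIG, SCRIPT_SAMPLE)):
        print(sig, "->", matches(sig, sample))
```

Dropping the regenerated lines into a `.ndb` file and running `clamscan -d that.ndb` against the real files is the check that the hand-assembled hex actually fires; the regex matcher above only confirms that the hex encodes the intended bytes and gap.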