[clamav-users] ICON_HASH signature for PE files

Micah Snyder (micasnyd) micasnyd at cisco.com
Fri Nov 9 15:52:48 UTC 2018


Steve, Irshad,

I put this together from just a little research reading the documentation, examining the `clamscan --debug` output, and examining existing signatures in `daily.idb` and `daily.ldb`. Someone call me out if the details aren't 100% correct. I'm relatively inexperienced with writing signatures.

---

1. Scan your PE file with `clamscan --debug`, and redirect the output to a file so you can analyze it.

e.g.:

```
clamscan --debug ~/Downloads/iexplore.exe &> iexplore.log
```

2. Search the log for `IDB SIGNATURE`.  There will probably be a bunch.

Example output from `iexplore.exe`:

```
LibClamAV debug: IDB SIGNATURE: ICON_NAME:GROUP1:GROUP2:20fe8160af66040ae550f010be00005fe00176760d0fff0000ff1503ff0008ef0f00ef0708ef00107f160f760e0b680b0211000036150737161735002e37
LibClamAV debug: cli_scanicon: Icongrp @e690 - 24x24x4 - (id=9b, rsvd=1, planes=16, palcnt=0, sz=1e8)
LibClamAV debug: parseicon: Bitmap - 24x24x4
LibClamAV debug: edge areas: 148@(16,12) 144@(10,9) 107@(10,16)
LibClamAV debug: noedge areas: 19@(0,0) 75@(13,0) 78@(0,6)
LibClamAV debug: color areas: 4072@(16,7) 3907@(3,7) 3793@(2,13)
LibClamAV debug: gray areas: 113@(0,0) 1470@(9,12) 2017@(9,4)
LibClamAV debug: bright areas: 255@(0,0) 255@(15,3) 255@(0,6)
LibClamAV debug: dark areas: 233@(11,0) 233@(5,6) 233@(0,12)
LibClamAV debug: color spread: 43,0,56 56%
```

3. Copy the "IDB SIGNATURE" content for the icons of interest into an `.idb` file.  Choose a unique ICON_NAME for each line in the `.idb` file.

The naming for `GROUP1` and `GROUP2` is a little arbitrary.  If you look in `daily.idb`, you'll note that `GROUP2` names appear to be used for related malware families, whereas `GROUP1` appears to be for file types.  For both group names, you may specify "UNUSED" if you don't plan to use it.

Example IDB sigs based on `clamscan` debug output scanning `iexplore.exe`:

```
iexplore-1:IEXPLORE:UNUSED:18f931008ea2040cdbe040605500005f20a056e80006ff0000ff1000ff0c06e90902ec0308f8000e6c08026001115e01090800001b09111c101137022a38
iexplore-2:IEXPLORE:UNUSED:20fe8160af66040ae550f010be00005fe00176760d0fff0000ff1503ff0008ef0f00ef0708ef00107f160f760e0b680b0211000036150737161735002e37
iexplore-3:IEXPLORE:UNUSED:18fe81007f430307ed1020d07100005be090c7e10904ff0000ff0f03ff0006e90b00e90506e9000c94100c900a096b0a101300004b0d004e00062b003838
iexplore-4:IEXPLORE:UNUSED:10f530204f530209f0906010fe000075f07037f40608ff0000ff0400ff0903df0701df0305e7000999070a88070369030a2800003f040043000422004144
```

4. Finally, you need to write a Logical Signature (`.ldb`) that triggers on the `IconGroup#` you chose above.

Example LDB sig:

```
iexplore-example-sig;Engine:51-255,IconGroup1:IEXPLORE,Target:1;(0);4D5A900003000000
```

The LDB signature will alert if any of the `.idb` signatures matching the group name trigger. As a disclaimer, the example signature above is pretty lousy, because the sub-signature `4D5A900003000000` would trigger on any PE file. Take a look at signatures in `daily.ldb` that make use of `IconGroup1` or `IconGroup2` for production quality examples.

Regards,
-Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
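
[Editor's note: the script below is an added example, not ClamAV's own tooling or code from this thread. It automates steps 2 through 4 of the procedure above: it pulls the `IDB SIGNATURE` lines out of `clamscan --debug` output, de-duplicates the hashes, writes them as `.idb` lines with unique names, builds the matching `.ldb` line, and checks that every `IconGroup` the `.ldb` references is actually defined in the `.idb`. The sample log is constructed from the lines quoted in the post (the two hashes are the ones shown above, with one repeated on purpose); the `iexplore` name prefix and the 124-character hash length check, taken from the length of every hash quoted in the post, are assumptions of this example.]

```python
"""Turn `clamscan --debug` output into ClamAV .idb / .ldb icon signatures.

Added example, not ClamAV's own tooling. The name prefix and file names are
illustrative; the hashes in SAMPLE_LOG are the ones quoted in the post.
"""
import re

# Constructed excerpt of `clamscan --debug` output, modelled on the lines quoted
# in the post. The last IDB line repeats the first on purpose to show de-duplication.
SAMPLE_LOG = """\
LibClamAV debug: cli_scanicon: Icongrp @e690 - 24x24x4 - (id=9b, rsvd=1, planes=16, palcnt=0, sz=1e8)
LibClamAV debug: IDB SIGNATURE: ICON_NAME:GROUP1:GROUP2:20fe8160af66040ae550f010be00005fe00176760d0fff0000ff1503ff0008ef0f00ef0708ef00107f160f760e0b680b0211000036150737161735002e37
LibClamAV debug: parseicon: Bitmap - 24x24x4
LibClamAV debug: color spread: 43,0,56 56%
LibClamAV debug: IDB SIGNATURE: ICON_NAME:GROUP1:GROUP2:18f931008ea2040cdbe040605500005f20a056e80006ff0000ff1000ff0c06e90902ec0308f8000e6c08026001115e01090800001b09111c101137022a38
LibClamAV debug: IDB SIGNATURE: ICON_NAME:GROUP1:GROUP2:20fe8160af66040ae550f010be00005fe00176760d0fff0000ff1503ff0008ef0f00ef0708ef00107f160f760e0b680b0211000036150737161735002e37
"""

# Assumption: every hash quoted in the post is 124 hex characters, so anything else
# is treated as a truncated or corrupted debug line rather than written to the .idb.
ICON_HASH_LEN = 124
IDB_LINE = re.compile(r"IDB SIGNATURE: ICON_NAME:GROUP1:GROUP2:([0-9A-Fa-f]+)\s*$")
GROUP_REF = re.compile(r"IconGroup([12]):([^,;]+)")


def extract_icon_hashes(log_text):
    """Return the unique icon hashes found in debug output, in first-seen order."""
    seen = []
    for line in log_text.splitlines():
        m = IDB_LINE.search(line)
        if not m:
            continue
        h = m.group(1).lower()
        if len(h) != ICON_HASH_LEN:
            raise ValueError(f"unexpected icon hash length {len(h)}: {line!r}")
        if h not in seen:
            seen.append(h)
    return seen


def build_idb(hashes, name_prefix, group1, group2="UNUSED"):
    """Format .idb lines (ICON_NAME:GROUP1:GROUP2:HASH) with a unique name per icon."""
    return [f"{name_prefix}-{i}:{group1}:{group2}:{h}"
            for i, h in enumerate(hashes, start=1)]


def build_ldb(sig_name, group1, subsigs, logic="(0)", target=1, engine="51-255"):
    """Format a logical signature whose target block requires an IconGroup1 hit."""
    tdb = f"Engine:{engine},IconGroup1:{group1},Target:{target}"
    return ";".join([sig_name, tdb, logic, *subsigs])


def check_ldb_groups(ldb_line, idb_lines):
    """Return IconGroup names the .ldb references that no .idb line defines."""
    defined = {1: set(), 2: set()}
    for line in idb_lines:
        _, g1, g2, _ = line.split(":", 3)
        defined[1].add(g1)
        defined[2].add(g2)
    return [name for n, name in GROUP_REF.findall(ldb_line)
            if name not in defined[int(n)]]


if __name__ == "__main__":
    hashes = extract_icon_hashes(SAMPLE_LOG)
    idb = build_idb(hashes, "iexplore", "IEXPLORE")
    # The MZ-header sub-signature is the post's own placeholder; a production
    # signature needs a narrower sub-signature so the icon is not the only constraint.
    ldb = build_ldb("iexplore-example-sig", "IEXPLORE", ["4D5A900003000000"])
    missing = check_ldb_groups(ldb, idb)
    print("\n".join(idb))
    print(ldb)
    print("undefined groups:", missing or "none")
```

Feed it a real log by replacing `SAMPLE_LOG` with the contents of the file produced in step 1; the `.idb` lines go into your `.idb` file and the `.ldb` line into your `.ldb` file. The group check catches the easy mistake of typing a different `IconGroup1` name in the `.ldb` than the one used in the `.idb`, which would leave the logical signature unable to fire.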


On Nov 9, 2018, at 6:45 AM, Irshad <meradumpemail at gmail.com> wrote:

Hi Steve
This does not solve the problem, I don't know how to calculate the fuzzy hash  of icon that is used in the signature.

On Nov 9, 2018 5:54 PM, "Steve Basford" <steveb_clamav at sanesecurity.com> wrote:

On Fri, November 9, 2018 9:00 am, Irshad wrote:
> Hi,
>

>
> My apologies, if I am missing something obvious. I spent around 3 hours

Hi Irshad

Not sure if this will help but there are a few icon based sigs I think in
the current daily.cvd

So unpack them and then grep for IconG, something like this:

sigtool --unpack-current=daily
grep "IconG" daily.ldb

You can then see some examples on how they are used.

--
Cheers,

Steve
Twitter: @sanesecurity

_______________________________________________
clamav-users mailing list
clamav-users at lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
