[clamav-users] ClamAV - Emotet - Malware not detected
iulian stan
iulian at sphere.ro
Wed Sep 16 13:14:47 UTC 2020
Hi all,
Well, I didn't look at what kind of virus Emotet is and I supposed it's
spread through an executable file, where the defenses presented should work.
For Emotet itself I am using the lists provided by the abuse.ch guys (I
suggest going through all the defenses they have), but those two might/should
help:
https://feodotracker.abuse.ch/browse/ ||
https://feodotracker.abuse.ch/blocklist/
https://urlhaus.abuse.ch/browse/tag/emotet/ (here you also have a ClamAV
file signature, urlhaus.ndb)
Bonus: https://paste.cryptolaemus.com/
The idea is to build, either through ClamAV (here we talk about ClamAV) or
SpamAssassin, a way to defend yourself based on the input provided.
---
Best regards,
Iulian
On 2020-09-16 14:50, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Wed, 16 Sep 2020, Cyril AECK via lists.clamav.net wrote:
>
>> Is there a reason why the Emotet detection rate is very low for
>> ClamAV?
>
> The macro in the attachment is heavily disguised. See for example
>
> https://blog.malwarebytes.com/trojans/2020/07/long-dreaded-emotet-has-returned/
>
> It's very easy for the sender to change disguises in code. Some code
> will even do it by itself, on the fly. Using a grossly oversimplified
> example, I could write code like this:
>
> void somefunc() { while(1) { something_new; } }
> int abc=1; if(abc==1) { somefunc(); }
>
> but the same effect can be achieved with different names everywhere:
>
> void otherfunc() { while(2) { something_old; } }
> int xyz=3; if(xyz==3) { otherfunc(); }
>
> You really want to analyze the behaviour of the code but that's much
> harder to do than making simple string comparisons which look for
> words -- which is more or less all that signature matching does. You
> need a signature for every disguise, which probably explains why there
> are at the moment just shy of sixty thousand signatures in the 'daily'
> database which have a name containing 'Emotet'.
>
> On Wed, 16 Sep 2020, iulian stan via clamav-users wrote:
>
>> If you are talking about compressed files you have multiple choices to do
>> this as well: 1) use complicated MTA rules to unzip/untar/unrar/etc. the
>> archive and check if an executable is inside. 2) use the Foxhole
>> unofficial ClamAV signatures (might not cover all the situations)
>> 3) write your own signatures like this. Please check the manual first:
>> https://www.clamav.net/documents/extended-signature-format
>> Archived_BAT:*:*:(?i)\.bat$:*:*:*:*:*:*
>> Archived_COM:*:*:(?i)\.com$:*:*:*:*:*:*
>> Archived_EXE:*:*:(?i)\.exe$:*:*:*:*:*:*
>
> Unfortunately none of these suggestions is likely to succeed against
> the current Emotet threats. The malicious email generally contains a
> disguised macro, not a Windows executable. The macro downloads and
> runs a payload (maybe more than one), thus avoiding a scan or perhaps
> without even writing it to a file which ClamAV will be able to scan.
>
> The foxhole signatures, the ClamAV official signatures and a couple of
> dozen other third-party signatures have all failed to detect threats
> in mail received here in the past few days.
>
> But the messages were obvious as soon as they appeared in the greylist
> queue. They posed as replies to mail abuse reports which we had sent,
> but the reports were sent many years ago.
>
> Evidently our reports have been stolen from the poorly-secured systems
> at the providers to whom we were reporting abuse at the time. A neat
> trick, but not nearly neat enough. We don't run Windows boxes anyway.
> :)
>
> --
>
> 73,
> Ged.
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users at lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
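The three signature lines quoted in the thread have the ten-field layout of ClamAV's container metadata (.cdb) signatures, in which the fourth field is a regex over the file name inside the archive. The added example below (not code from the thread or from ClamAV) applies just that name-and-regex part to a constructed in-memory zip, to show what such rules catch (an archived .EXE) and what they do not (a macro-enabled document, which is what Ged describes the Emotet mails carrying). The archive contents and function names are assumptions.

```python
import io
import re
import zipfile

# Signature lines as quoted in the thread. Field layout assumed to be the
# ClamAV .cdb one; only the name (field 1) and file-name regex (field 4)
# are used here, the other eight fields are wildcards in these rules.
SIGNATURES = r"""
Archived_BAT:*:*:(?i)\.bat$:*:*:*:*:*:*
Archived_COM:*:*:(?i)\.com$:*:*:*:*:*:*
Archived_EXE:*:*:(?i)\.exe$:*:*:*:*:*:*
"""


def parse_signatures(text):
    """Return a list of (name, compiled_regex) from ten-field signature lines."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            raise ValueError(f"expected 10 fields, got {len(fields)}: {line}")
        name, pattern = fields[0], fields[3]
        if pattern == "*":
            continue  # no file-name constraint, nothing for this checker to test
        sigs.append((name, re.compile(pattern)))  # (?i) prefix is honoured by re
    return sigs


def scan_zip(data, sigs):
    """Return {member_name: [matching signature names]} for a zip archive."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            matched = [name for name, rx in sigs if rx.search(info.filename)]
            if matched:
                hits[info.filename] = matched
    return hits


def build_sample_zip():
    """Constructed sample archive: an archived EXE plus a macro-enabled document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice.EXE", b"MZ constructed stub")          # caught by Archived_EXE
        zf.writestr("RE_abuse_report.docm", b"PK constructed stub")  # not covered by any rule
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()
```

Running `scan_zip(build_sample_zip(), parse_signatures(SIGNATURES))` flags only `Invoice.EXE`; the `.docm` passes untouched, which is the gap Ged's reply points at.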